[cifs-protocol] [Pfif] [REG:110052070326491] MS_RRP: Question on Symbolic Links

Hongwei Sun hongweis at microsoft.com
Tue Jun 1 15:48:04 MDT 2010 

Michael/Andreas,

  I just want to give you an update.   I have reproduced locally the problem with deleting the symbolic link key after the "SymbolicLinkValue" value has been deleted.  I also changed the function kernel_mode_registry_path() in smbtorture to return FQN to duplicate the behavior of following symbolic link target key in FQN.  I have everything I need to do further debugging and provide the clarification.   I will let you know when I am done.

Thanks!

Hongwei 

 

-----Original Message-----
From: Michael Adam [mailto:obnox at samba.org] 
Sent: Friday, May 28, 2010 9:17 AM
To: Hongwei Sun; Andreas Schneider
Cc: pfif at tridgell.net; cifs-protocol at samba.org; MSSolve Case Email
Subject: Re: [Pfif] [REG:110052070326491] [cifs-protocol] MS_RRP: Question on Symbolic Links

Hi Hongwei,

Andreas Schneider wrote:
> On Monday 24 May 2010 23:58:34 Hongwei Sun wrote:
> > Andreas,
> 
> Hello Hongwei,
>  
> >    When you open the key with REG_OPTION_LINK flag set, the server 
> > will return the handle to the source key.  With a valid handle, 
> > client should be able to update the target of the symbolic link by 
> > changing the value of SymbolicLinkValue and also delete the key that is referenced by the
> > handle.   As explicitly pointed out in 3.1.1.11, the SymbolicLinkValue for
> > target link should contain Fully Qualified Name(3.1.1.1.1), which is
> > something like HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices.   It is not in
> > the kernel mode string such as \registry\machine\system\MountedDevice.
> > 
> >    How do you delete the value "SymbolocLinkVallue" ?  using 
> > BaseRegDeleteValue as per 3.1.5.9 MS-RRP?  What do you mean by "it didn't
> > work" ?    Do you mean that the value is not deleted or any error is
> > returned ?
> 
> I'm able to delete the value but not the key.

Yes, this is the main question here:
How to delete source key of the symlink.

There seems to be no way to do that using the remote registry protocol, since I can find no (documented) call to delete an opened key (i.e. operating on a key handle).

The internal libraries document the ZwDeleteKey / NtDeleteKey routines that operate on an opened KeyHandle for this purpose:
http://msdn.microsoft.com/en-us/library/ff566437%28VS.85%29.aspx

But I can't find acorresponding call in the RRP doc.
And, as you stated, when you access the symlink source key without opening it with the REG_OPTION_LINK flag, then you will operate on the target of the symlink. Or else if the special value SymbolicLinkValue is not present, access simply seems to fail.

The only other means of deleting a symlink source key I could imagine would be to change the type of the sourcekey first, removing the LINK type flag (3.1.1.2, http://msdn.microsoft.com/en-us/library/cc244886%28PROT.10%29.aspx ) which was set when creating the key. But this does not seem to be achievable, at least not with calling CreateKey with different options on the existing key (which was the only way I could imagine), since the description
"3.1.5.7 BaseRegCreateKey (Opnum 6)" reads:
"If the key already exists, the dwOptions parameter in the client request MUST be ignored."

Could you please confirm this behaviour or else (preferred! :-) tell us how to delete the source key of a symlink using the remote registry?

Cheers - Michael

> I'm running this test against
> Windows 2008. Here is some pseudo code.
> 
> /* create link */
> 
> CreateKey("SOFTWARE\torture_test\target")
> CloseKey("SOFTWARE\torture_test\target")
> 
> CreateKey("SOFTWARE\torture_test\link", REG_OPTION_CREATE_LINK |
> REG_OPTION_VOLATILE)
> SetValue("SymbolicLinkValue", "SOFTWARE\torture_test\target")
> CloseKey("SOFTWARE\torture_test\link")
> 
> /* delete link */
> OpenKey("SOFTWARE\torture_test\link", REG_OPTION_OPEN_LINK |
> REG_OPTION_VOLATILE)
> DeleteValue("SymbolicLinkValue")
> CloseKey("SOFTWARE\torture_test\link")
> DeleteKey("SOFTWARE\torture_test\link") --> fails with 
> WERR_ACCESS_DENIED
> 
> 
> Regards,
> 
> 
> 	-- andreas
> 
> _______________________________________________
> Pfif mailing list
> Pfif at mail.tridgell.net
> http://lists.tridgell.net/cgi-bin/mailman/listinfo/pfif

More information about the cifs-protocol mailing list