[cifs-protocol] [Pfif] [REG:110052070326491] MS_RRP: Question on Symbolic Links

Hongwei Sun hongweis at microsoft.com
Wed Jun 9 16:35:55 MDT 2010


Michael,

  I will keep you posted when the updated version of document is available.

Thanks!

Hongwei

-----Original Message-----
From: Michael Adam [mailto:obnox at samba.org] 
Sent: Wednesday, June 09, 2010 5:34 PM
To: Hongwei Sun
Cc: Andreas Schneider; pfif at tridgell.net; cifs-protocol at samba.org; MSSolve Case Email
Subject: Re: [Pfif] [REG:110052070326491] [cifs-protocol] MS_RRP: Question on Symbolic Links

Hello Hongwei,

Thank you very much for your investigation and confirmation!
I am curious about the updated version of the MS-RRP doc.

Best regards,

Michael

Hongwei Sun wrote:
> Michael/Andreas,
> 
> We completed the investigation and confirmed that functionality of 
> deleting symbolic link's source key is not available in Windows 
> registry remote service(MS-RRP).
> Unfortunately, there is no way for a remote client to delete
> a symbolic link source key on the server.   Does Samba
> actually uses this feature ?  I would like to know the impact of this 
> undesirable behavior on Samba's implementation.  We will update this 
> behavior in MS-RRP.
> 
> We also confirmed that the kernel mode format should be used
> for "SymbolicLinkValue" value.   We will update the
> corresponding section of MS-RRP to reflect the change.  Thanks for 
> bringing  this into our attention and help us improve the 
> documentation.
> 
> Please let me know if you have any more questions on this subject and 
> I will follow it up.
> 
> Thanks!
> 
> Hongwei
> 
> 
> -----Original Message-----
> From: Michael Adam [mailto:obnox at samba.org]
> Sent: Wednesday, June 02, 2010 4:17 AM
> To: Hongwei Sun
> Cc: Michael Adam; Andreas Schneider; pfif at tridgell.net; 
> cifs-protocol at samba.org; MSSolve Case Email
> Subject: Re: [Pfif] [REG:110052070326491] [cifs-protocol] MS_RRP: 
> Question on Symbolic Links
> 
> Hi Hongwei,
> 
> Hongwei Sun wrote:
> > Michael/Andreas,
> > 
> > I just want to give you an update.   I have reproduced locally
> > the problem with deleting the symbolic link key after the 
> > "SymbolicLinkValue" value has been deleted.  I also changed the 
> > function kernel_mode_registry_path() in smbtorture to return FQN to 
> > duplicate the behavior of following symbolic link target key in FQN.
> > I have everything I need to do further debugging and provide the 
> > clarification.  I will let you know when I am done.
> 
> Thanks for the update!
> 
> Please bear in mind that the original question was if one can delete the symbolic link's source key via the remote registry protocol (and how to do so if the answer is yes).
> We did not find the procedure for deletion documented.
> 
> The procedure to first remove the value "SymbolicLinkValue"
> was just an attempt to get it done. There may be other ways, but we could not think of one. It seemed the obvious attempt too, because any access on the source key with present value will always work on the target, and there is no way to delete the opened key handle via the RRP.
> 
> Thanks - Michael
> 
> > Thanks!
> > 
> > Hongwei
> > 
> >  
> > 
> > -----Original Message-----
> > From: Michael Adam [mailto:obnox at samba.org]
> > Sent: Friday, May 28, 2010 9:17 AM
> > To: Hongwei Sun; Andreas Schneider
> > Cc: pfif at tridgell.net; cifs-protocol at samba.org; MSSolve Case Email
> > Subject: Re: [Pfif] [REG:110052070326491] [cifs-protocol] MS_RRP: 
> > Question on Symbolic Links
> > 
> > Hi Hongwei,
> > 
> > Andreas Schneider wrote:
> > > On Monday 24 May 2010 23:58:34 Hongwei Sun wrote:
> > > > Andreas,
> > > 
> > > Hello Hongwei,
> > >  
> > > >    When you open the key with REG_OPTION_LINK flag set, the 
> > > > server will return the handle to the source key.  With a valid 
> > > > handle, client should be able to update the target of the 
> > > > symbolic link by changing the value of SymbolicLinkValue and also delete the key that is referenced by the
> > > > handle.   As explicitly pointed out in 3.1.1.11, the SymbolicLinkValue for
> > > > target link should contain Fully Qualified Name(3.1.1.1.1), which is
> > > > something like HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices.   It is not in
> > > > the kernel mode string such as \registry\machine\system\MountedDevice.
> > > > 
> > > >    How do you delete the value "SymbolocLinkVallue" ?  using 
> > > > BaseRegDeleteValue as per 3.1.5.9 MS-RRP?  What do you mean by "it didn't
> > > > work" ?    Do you mean that the value is not deleted or any error is
> > > > returned ?
> > > 
> > > I'm able to delete the value but not the key.
> > 
> > Yes, this is the main question here:
> > How to delete source key of the symlink.
> > 
> > There seems to be no way to do that using the remote registry protocol, since I can find no (documented) call to delete an opened key (i.e. operating on a key handle).
> > 
> > The internal libraries document the ZwDeleteKey / NtDeleteKey routines that operate on an opened KeyHandle for this purpose:
> > http://msdn.microsoft.com/en-us/library/ff566437%28VS.85%29.aspx
> > 
> > But I can't find acorresponding call in the RRP doc.
> > And, as you stated, when you access the symlink source key without opening it with the REG_OPTION_LINK flag, then you will operate on the target of the symlink. Or else if the special value SymbolicLinkValue is not present, access simply seems to fail.
> > 
> > The only other means of deleting a symlink source key I could 
> > imagine would be to change the type of the sourcekey first, removing 
> > the LINK type flag (3.1.1.2, 
> > http://msdn.microsoft.com/en-us/library/cc244886%28PROT.10%29.aspx ) 
> > which was set when creating the key. But this does not seem to be 
> > achievable, at least not with calling CreateKey with different 
> > options on the existing key (which was the only way I could 
> > imagine), since the description
> > "3.1.5.7 BaseRegCreateKey (Opnum 6)" reads:
> > "If the key already exists, the dwOptions parameter in the client request MUST be ignored."
> > 
> > Could you please confirm this behaviour or else (preferred! :-) tell us how to delete the source key of a symlink using the remote registry?
> > 
> > Cheers - Michael
> > 
> > > I'm running this test against
> > > Windows 2008. Here is some pseudo code.
> > > 
> > > /* create link */
> > > 
> > > CreateKey("SOFTWARE\torture_test\target")
> > > CloseKey("SOFTWARE\torture_test\target")
> > > 
> > > CreateKey("SOFTWARE\torture_test\link", REG_OPTION_CREATE_LINK |
> > > REG_OPTION_VOLATILE)
> > > SetValue("SymbolicLinkValue", "SOFTWARE\torture_test\target")
> > > CloseKey("SOFTWARE\torture_test\link")
> > > 
> > > /* delete link */
> > > OpenKey("SOFTWARE\torture_test\link", REG_OPTION_OPEN_LINK |
> > > REG_OPTION_VOLATILE)
> > > DeleteValue("SymbolicLinkValue")
> > > CloseKey("SOFTWARE\torture_test\link")
> > > DeleteKey("SOFTWARE\torture_test\link") --> fails with 
> > > WERR_ACCESS_DENIED
> > > 
> > > 
> > > Regards,
> > > 
> > > 
> > > 	-- andreas
> > > 
> > > _______________________________________________
> > > Pfif mailing list
> > > Pfif at mail.tridgell.net
> > > http://lists.tridgell.net/cgi-bin/mailman/listinfo/pfif



More information about the cifs-protocol mailing list