[cifs-protocol] [MS-DTYP] Conditional ACE Unicode literal SDDL format - TrackingID#2302240040001164
Douglas Bagnall
douglas.bagnall at catalyst.net.nz
Wed Apr 26 23:53:17 UTC 2023
Thanks, Obaid,
The way I have been testing SDDL using a protocol is setting
defaultSecurityDescriptor on a classSchema object. This has some
downsides -- the server schema fills up with useless objects, and the
SDDL is not entirely resolved until a new object is created, at which
point it gets merged with other defaults and it is often hard to see
what happened.
It sometimes seems to differ a little from the
ConvertSecurityDescriptorToStringSecurityDescriptorA API but so far only
in inconsequential ways, like upper/lower case in hex digits.
I haven't yet got very far with testing conditional ACEs, as I have been
finding enough issues in our ordinary SDDL, and working on getting the
basic conditional ACE code going.
As you can probably guess, I really care more about getting conditional
ACEs right for Samba client tools than at the protocol level, but the
same code will be used for both.
I will test some of these escapes and let you know.
cheers,
Douglas
On 26/04/23 04:23, Obaid Farooqi wrote:
> Hi Douglas:
>
> I want to add some nuance to my previous reply.
>
> I used an API directly to test the escaping of double quote or 4 hex
> numbers representing the Unicode of double quote. It did not work at all.
>
> Having said that, the document is not for API. There is a possibility
> that the receiving node where the object resides may perform some
> preprocessing before invoking the API. The preprocessing may take care
> of escaping.
>
> Do you have a set up where you can modify the security descriptor of an
> object using a protocol that you are planning to implement (from
> Windows-to-Windows) and use the escape sequence?
>
> Regards,
>
> Obaid Farooqi
>
> Escalation Engineer | Microsoft
>
> *From:*Obaid Farooqi
> *Sent:* Friday, April 14, 2023 12:13 PM
> *To:* douglas.bagnall at catalyst.net.nz
> *Cc:* cifs-protocol at lists.samba.org; Microsoft Support
> <supportmail at microsoft.com>
> *Subject:* [MS-DTYP] Conditional ACE Unicode literal SDDL format -
> TrackingID#2302240040001164
>
> Hi Douglas:
>
> After much code browsing, my impression was that “ is not allowed in the
> attribute values. I asked the PG if there is an escape sequence and
> answer was “maybe”. The person who wrote the code did it 15 years ago
> and does not work with it anymore.
>
> So, I tried to test it and it confirmed my finding that “ is not
> allowed, escaped or otherwise.
>
> I’ll file a bug to correct ABNF.
>
> PS: if you want to test various SDDL conditional expressions, you can
> compile and run the following code:
>
> Creating a DACL - Win32 apps | Microsoft Learn
> <https://learn.microsoft.com/en-us/windows/win32/secbp/creating-a-dacl>
>
> In this code, a DACL is created from SDDL, a directory is created and the
> DACL is applied to it. You can see the DACL is correctly applied in the
> “Advanced” window in the security tab of properties of the directory.
>
> I added the following ACE to the already present ACE’s in the code
>
> (XA;;FX;;;S-1-1-0;(@User.Title == \"PM\"))
>
> Note: the escaping of quotes around PM is for C++, not SDDL.
>
> The resulting DACL looks like
>
> D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A; OICI; GRGWGX;;;
> AU)(XA;;FX;;;S-1-1-0;(@User.Title == "PM"))(A;OICI;GA;;;BA)
>
> The result can be verified in the properties->security->Advanced as
> follows (the following is a picture and if you did not get it, let me know)
>
> [screenshot of the Advanced Security Settings dialog; not included in the archived message]
>
> Notice the 3rd column “Condition”.
>
> For the same condition, when I introduced a “ in PM as part of the value
> (escaped or otherwise), the code errored out when creating DACL from SDDL.
>
> Regards,
>
> Obaid Farooqi
>
> Escalation Engineer | Microsoft
>
> ===================================
>
> From: Douglas Bagnall douglas.bagnall at catalyst.net.nz
> <mailto:douglas.bagnall at catalyst.net.nz>
>
> Sent: Thursday, February 23, 2023 6:10 PM
>
> To: cifs-protocol at lists.samba.org
> <mailto:cifs-protocol at lists.samba.org>; Interoperability Documentation
> Help dochelp at microsoft.com <mailto:dochelp at microsoft.com>
>
> Subject: [EXTERNAL] [MS-DTYP] Conditional ACE Unicode literal SDDL format
>
> hi Dochelp,
>
> I am interested in the details of the format for conditional ACE SDDL
> format, which is not really described in [MS-DTYP] (unlike the wire format).
>
> From the examples, it is clear that it involves double-quote delimiters:
>
> (Title=="VP")
>
> But how are escapes handled -- how would it handle a string that itself
> contained a double quote?
>
> In the ABNF there is a thing called "char-string":
>
> char-string = DQUOTE *(CHAR) DQUOTE
>
> which we can deduce applies to Unicode strings due to the definition of
> value-array, but this doesn't answer the question. Rather, it expands
> it, since
>
> RFC5234 says CHAR is 7-bit ASCII only, precluding most Unicode values,
> so there must be an escaping mechanism for these characters too (unless
> the use of CHAR is mistaken).
>
> My guess is that Unicode strings use the same %hhhh sequence as attr-char2
> (encoding the double quote as %0022), but there is no mention of that.
>
> cheers,
>
> Douglas
>
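The conditional ACE SDDL shape discussed in this thread, as an added example rather than Samba or Microsoft code: a small Python parser that splits the DACL string Obaid pasted into its ACEs, separates the condition of the XA ACE from the six fixed fields, extracts the DQUOTE-delimited literals, and, when building a conditional ACE, refuses a value containing a double quote, since the thread found that no escape for it is accepted. The nesting and literal rules are taken from the messages above; the set of callback ACE type codes (XA, XD, XU, ZA) and the `%hhhh` question are not resolved by the thread, so nothing here attempts an escape.

```python
"""Parse and rebuild SDDL DACL strings that carry conditional (callback) ACEs.

Added example for this thread (not Samba or Microsoft code).  Rules used:
  * a DACL is 'D:' followed by one parenthesised ACE after another;
  * an ACE has six ';'-separated fields, and callback ACEs a seventh, the
    parenthesised conditional expression;
  * string literals in the expression are DQUOTE-delimited and, as found in
    the thread, there is no accepted escape for an embedded double quote.
"""
import re
from dataclasses import dataclass
from typing import Optional

# DACL exactly as pasted in the thread (spaces in the third ACE included).
SAMPLE_DACL = (
    'D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A; OICI; GRGWGX;;; '
    'AU)(XA;;FX;;;S-1-1-0;(@User.Title == "PM"))(A;OICI;GA;;;BA)'
)

# Callback ACE type codes that carry a conditional expression (assumed set).
CONDITIONAL_TYPES = {"XA", "XD", "XU", "ZA"}


@dataclass
class Ace:
    ace_type: str
    flags: str
    rights: str
    object_guid: str
    inherit_guid: str
    sid: str
    condition: Optional[str] = None

    def to_sddl(self) -> str:
        """Canonical form: whitespace stripped, condition kept verbatim."""
        fields = [self.ace_type, self.flags, self.rights,
                  self.object_guid, self.inherit_guid, self.sid]
        if self.condition is not None:
            fields.append(self.condition)
        return "(" + ";".join(fields) + ")"


def split_aces(dacl: str) -> list:
    """Return the text inside each top-level '(...)' of a 'D:' string.

    Depth is tracked so the nested condition stays inside its ACE, and
    characters inside a string literal never count as structure.
    """
    if not dacl.startswith("D:"):
        raise ValueError("expected a DACL string starting with 'D:'")
    body = dacl[2:]
    aces, depth, start, in_string = [], 0, 0, False
    for i, ch in enumerate(body):
        if in_string:
            in_string = ch != '"'      # no escape: the next DQUOTE closes it
        elif ch == '"':
            in_string = True
        elif ch == "(":
            if depth == 0:
                start = i + 1
            depth += 1
        elif ch == ")":
            if depth == 0:
                raise ValueError(f"unbalanced ')' at offset {i}")
            depth -= 1
            if depth == 0:
                aces.append(body[start:i])
        elif depth == 0 and not ch.isspace():
            raise ValueError(f"unexpected {ch!r} between ACEs at offset {i}")
    if depth != 0:
        raise ValueError("unbalanced '(' in DACL")
    if in_string:
        raise ValueError("unterminated string literal in DACL")
    return aces


def parse_ace(text: str) -> Ace:
    """Split one ACE body into fields; maxsplit=6 keeps ';' inside a condition."""
    fields = [f.strip() for f in text.split(";", 6)]
    if len(fields) < 6:
        raise ValueError(f"ACE has {len(fields)} fields, expected 6 or 7: {text!r}")
    ace_type = fields[0]
    condition = fields[6] if len(fields) == 7 else None
    if ace_type in CONDITIONAL_TYPES:
        if condition is None:
            raise ValueError(f"{ace_type} ACE needs a conditional expression")
        if not (condition.startswith("(") and condition.endswith(")")):
            raise ValueError(f"condition must be parenthesised: {condition!r}")
    elif condition is not None:
        raise ValueError(f"{ace_type} ACE must not carry a condition")
    return Ace(*fields[:6], condition=condition)


def parse_dacl(dacl: str) -> list:
    return [parse_ace(a) for a in split_aces(dacl)]


def string_literals(condition: str) -> list:
    """DQUOTE-delimited literals of a condition, in order of appearance."""
    if condition.count('"') % 2:
        raise ValueError("odd number of DQUOTEs: unterminated literal")
    return re.findall(r'"([^"]*)"', condition)


def build_conditional_ace(ace_type: str, rights: str, sid: str,
                          attribute: str, value: str, flags: str = "") -> str:
    """Emit '(TYPE;FLAGS;RIGHTS;;;SID;(ATTR == "VALUE"))', validating VALUE first.

    A double quote in VALUE cannot be represented (the thread found no working
    escape), so it is rejected here instead of producing an unparseable ACE.
    """
    if ace_type not in CONDITIONAL_TYPES:
        raise ValueError(f"{ace_type} is not a conditional ACE type")
    if '"' in value:
        raise ValueError("a DQUOTE inside an SDDL string literal has no escape")
    return f'({ace_type};{flags};{rights};;;{sid};({attribute} == "{value}"))'


if __name__ == "__main__":
    for ace in parse_dacl(SAMPLE_DACL):
        print(ace.to_sddl(), string_literals(ace.condition or ""))
```

Running the module on the pasted DACL prints each ACE in canonical form, with `(XA;;FX;;;S-1-1-0;(@User.Title == "PM"))` yielding the single literal `PM`; feeding `build_conditional_ace` a value such as `P"M` raises before any string reaches the Windows API, which is the point at which the thread saw the error surface.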