ACL / SDs

Michael Stockman pgmtekn-micke at algonet.se
Fri Feb 25 22:28:01 GMT 2000


Hello,

> Luke Kenneth Casson Leighton <lkcl at samba.org> writes:
>
> > > > > Well, even NT has banned them from ACLs. Don't let the fact that the
> > > > > code is the same in NT hide the fact that the bitmask in ACLs is a
> > > > > different bitmask from that by which you request a set of permissions.
> > >
> > > Actually, this isn't true; they're not banned at all, AFAICS. At the
> > > very least, the SDs for lots of registry keys in NT5 definitely
> > > contain ACEs with some of the GENERIC_* bits set.  They're primarily
> > > in inherit-only ACEs, but they're there, none the less.

I can't see what they would mean. Surely, not even NT would allow
security on an object to be set to some generic value that no one can
more than guess what it evaluates to when access is evaluated.

> > See GenericPermissions arg of SeAccessCheck.  This is different from bits
> > 16 to 32 in an ACE.
> >
>
> No, the top four bits of an access_mask are GENERIC_READ,
> GENERIC_WRITE, GENERIC_EXECUTE, and GENERIC_ALL.  The GenericMapping
> arg tells how those things map into specific access rights.  e.g.,
> for LsaPolicy, GENERIC_EXECUTE -> (POLICY_VIEW_LOCAL_INFORMATION
>                                    | POLICY_LOOKUP_NAMES
>                                    | STANDARD_RIGHTS_EXECUTE)
> (STANDARD_RIGHTS_EXECUTE == READ_CONTROL)
>
> I'm not sure how this plays out in practice.  I had thought that the
> generic mapping was mainly a UI mechanism, so the ACL editor could
> hide details.  However, I've seen ACEs in NT5 that have some of the
> GENERIC_* bits set.  Usually, they're for inherit-only ACEs, though.
> I've never seen any place that uses the GENERIC_* bits in a
> DesiredAccess.  I wonder what would happen if you did?

Probably nothing. AccessCheck does explicitly say (in the Win32 API
documentation) that the generic bits must not be set in the
desired_access field.

Best regards
  Michael Stockman
  pgmtekn-micke at algonet.se
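The generic-to-specific mapping discussed in the thread, as an added example (not Samba or Windows code): a portable re-implementation of the MapGenericMask rule, the caller-side check that a DesiredAccess carries no GENERIC_* bits, and the LsaPolicy GENERIC_EXECUTE mapping quoted above. Only the GenericExecute entry of the mapping comes from the thread; the other three entries are assumed placeholders, and the numeric constants are the documented Win32 values.

```c
#include <stdbool.h>
#include <stdint.h>

typedef uint32_t ACCESS_MASK;

/* Top four bits of an access mask (documented Win32 values). */
#define GENERIC_READ    0x80000000u
#define GENERIC_WRITE   0x40000000u
#define GENERIC_EXECUTE 0x20000000u
#define GENERIC_ALL     0x10000000u
#define GENERIC_BITS    (GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL)

/* Specific rights used in the thread's LsaPolicy example. */
#define READ_CONTROL                  0x00020000u
#define STANDARD_RIGHTS_EXECUTE       READ_CONTROL
#define POLICY_VIEW_LOCAL_INFORMATION 0x00000001u
#define POLICY_LOOKUP_NAMES           0x00000800u

typedef struct { ACCESS_MASK GenericRead, GenericWrite, GenericExecute, GenericAll; } GENERIC_MAPPING;

/* Only GenericExecute comes from the thread; the other three entries are assumed placeholders. */
static const GENERIC_MAPPING lsa_policy_mapping = {
    .GenericRead = 0, .GenericWrite = 0, .GenericAll = 0,
    .GenericExecute = POLICY_VIEW_LOCAL_INFORMATION | POLICY_LOOKUP_NAMES | STANDARD_RIGHTS_EXECUTE,
};

/* Same rule as Win32 MapGenericMask: each generic bit becomes the object-specific
 * rights it stands for; bits that are already specific pass through unchanged. */
static ACCESS_MASK map_generic_mask(ACCESS_MASK mask, const GENERIC_MAPPING *m) {
    ACCESS_MASK out = mask & ~GENERIC_BITS;
    if (mask & GENERIC_READ)    out |= m->GenericRead;
    if (mask & GENERIC_WRITE)   out |= m->GenericWrite;
    if (mask & GENERIC_EXECUTE) out |= m->GenericExecute;
    if (mask & GENERIC_ALL)     out |= m->GenericAll;
    return out;
}

/* The rule Michael cites: a DesiredAccess handed to AccessCheck must not carry generic bits. */
static bool desired_access_is_valid(ACCESS_MASK desired) {
    return (desired & GENERIC_BITS) == 0;
}

/* Does an allow ACE (which may hold generic bits, like the NT5 registry ACEs in the
 * thread) cover a DesiredAccess that has already been reduced to specific rights? */
static bool ace_covers(ACCESS_MASK ace_mask, ACCESS_MASK desired, const GENERIC_MAPPING *m) {
    ACCESS_MASK granted = map_generic_mask(ace_mask, m);
    return desired_access_is_valid(desired) && (desired & ~granted) == 0;
}
```

An ACE holding GENERIC_EXECUTE on an LsaPolicy object therefore evaluates to 0x00020801 at check time, which is why such ACEs are meaningful even though the same bits are not accepted in a DesiredAccess.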
