[patch] sec_desc for cvs HEAD

Alexey Kotovich a.kotovich at sam-solutions.net
Wed Feb 20 12:58:03 GMT 2002


Hi all!

This is the sec_desc patch.
There is a problem regarding ACE parsing. I ran into it after I tested with an ADS security descriptor. Let me walk you through the problem:
An NT security descriptor consists of the following parts:
sec_desc_header;
sec_desc_acl;
sec_desc_ace (actually it belongs to sec_desc_acl).
All of them can be parsed without any problem except sec_desc_ace.
I've found some difficulty with that one. First of all, I'd like to explain that previously we had an ACE which contained a sec_ace_header and the SID of an object that has access to our account (take a look at the old version of sec_io_ace()). It turned out that an ACE can include not only a SID but also some extra info (let's call it 'object ID'), which depends on sec_ace_type (i.e. SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT, SEC_ACE_TYPE_ACCESS_DENIED_OBJECT, SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT, SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT).
Some ACEs contain one more piece of extra data (let's name it 'GUID') which depends on nothing! It follows the 'object ID'. Here is where the problem appears! I don't know whether an ACE contains it or not. Take a look at the hex dump:
This ACE contains 'object ID', GUID and SID:
type | flag | size | access mask | object ID | GUID | SID
05 | 1a | 3c 00 | 10 00 00 00 | 03 00 00 00 10 20 20 5f a5 79 d0 11 90 20 00 c0 4f c2 d4 cf | ba 7a 96 bf e6 0d d0 11 a2 85 00 aa 00 30 49 e2  | 01 02 00 00 00 00 00 05 20 00 00 00 2a 02 00 00
The next ACE contains 'object ID' and SID:
type | flag | size | access mask | object ID | SID
05 | 1a | 2c 00 | 94 00 02 00 | 02 00 00 00 9c 7a 96 bf e6 0d d0 11 a2 85 00 aa 00 30 49 e2 | 01 02 00 00 00 00 00 05 20 00 00 00 2a 02 00 00
If I suppose that the SID follows the 'object ID' and sid_size() returns the right size for it, it would mean that my supposition is right. Otherwise, I have a GUID after the 'object ID'. That is why I do smb_io_dom_sid() twice.

This issue relates to rpc_parse/parse_sec.c:sec_io_ace().
If anyone has any thoughts about this situation, please let me know.

Thanks,
Alexey Kotovich.




-------------- next part --------------
A non-text attachment was scrubbed...
Name: disp_sec.c
Type: text/x-c
Size: 4239 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20020220/cdc20742/disp_sec.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sec_desc.patch
Type: text/x-diff
Size: 20285 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20020220/cdc20742/sec_desc.bin
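
Added example, not part of the original post or of Samba's code: in the object-ACE layout documented in MS-DTYP, the four bytes after the access mask are a flags field whose low two bits say whether an object-type GUID and an inherited-object-type GUID precede the SID, which is where the two dumps above differ (03 versus 02). The parser below applies that layout, with bounds checks, to the post's own bytes; `struct obj_ace`, `parse_object_ace` and the array names are hypothetical.

```c
#include <stdint.h>
#include <string.h>

#define ACE_OBJECT_TYPE_PRESENT           0x1u  /* flag bits per MS-DTYP */
#define ACE_INHERITED_OBJECT_TYPE_PRESENT 0x2u
struct obj_ace {                         /* hypothetical result type for this example */
    uint8_t type; uint16_t size; uint32_t mask, obj_flags;
    const uint8_t *obj_guid, *inh_guid;  /* NULL when the flag bit is clear */
    const uint8_t *sid; size_t sid_len;
};
static uint32_t le32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }

/* Parse one object-type ACE from buf[0..len); 0 on success, -1 if malformed. */
int parse_object_ace(const uint8_t *buf, size_t len, struct obj_ace *a) {
    size_t off = 12;                     /* header(4) + access mask(4) + flags(4) */
    memset(a, 0, sizeof *a);
    if (len < off || buf[0] < 5 || buf[0] > 8) return -1;  /* the four *_OBJECT types */
    a->type = buf[0];
    a->size = (uint16_t)(buf[2] | buf[3] << 8);
    if (a->size < off || a->size > len) return -1;         /* ACE must fit the buffer */
    a->mask = le32(buf + 4); a->obj_flags = le32(buf + 8);
    if (a->obj_flags & ACE_OBJECT_TYPE_PRESENT) {
        if (a->size - off < 16) return -1;
        a->obj_guid = buf + off; off += 16;
    }
    if (a->obj_flags & ACE_INHERITED_OBJECT_TYPE_PRESENT) {
        if (a->size - off < 16) return -1;
        a->inh_guid = buf + off; off += 16;
    }
    /* SID: revision(1), sub-authority count(1), authority(6), count * 4 bytes */
    if (a->size - off < 8 || buf[off + 1] > 15) return -1;
    a->sid = buf + off;
    a->sid_len = 8 + 4u * buf[off + 1];
    return a->sid_len <= a->size - off ? 0 : -1;
}

/* The two ACEs from the hex dump in the post. */
const uint8_t ace_both[] = {
    0x05,0x1a,0x3c,0x00,0x10,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x10,0x20,0x20,0x5f,0xa5,0x79,0xd0,0x11,
    0x90,0x20,0x00,0xc0,0x4f,0xc2,0xd4,0xcf,0xba,0x7a,0x96,0xbf,0xe6,0x0d,0xd0,0x11,0xa2,0x85,0x00,0xaa,
    0x00,0x30,0x49,0xe2,0x01,0x02,0x00,0x00,0x00,0x00,0x00,0x05,0x20,0x00,0x00,0x00,0x2a,0x02,0x00,0x00 };
const uint8_t ace_inh_only[] = {
    0x05,0x1a,0x2c,0x00,0x94,0x00,0x02,0x00,0x02,0x00,0x00,0x00,0x9c,0x7a,0x96,0xbf,0xe6,0x0d,0xd0,0x11,0xa2,0x85,
    0x00,0xaa,0x00,0x30,0x49,0xe2,0x01,0x02,0x00,0x00,0x00,0x00,0x00,0x05,0x20,0x00,0x00,0x00,0x2a,0x02,0x00,0x00 };
int main(void) {
    struct obj_ace a;
    return parse_object_ace(ace_both, sizeof ace_both, &a) || parse_object_ace(ace_inh_only, sizeof ace_inh_only, &a);
}
```

With the flags field read first, the SID offset is known before the SID is parsed, so no trial parse of the following bytes is needed.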

