A NetApp test, aclfunc.exe seems to think that DACLs with unneeded zeros should not be resized

ronnie sahlberg ronniesahlberg at gmail.com
Tue Apr 3 16:05:41 MDT 2012


There are applications in the enterprise space that abuses the ACL and
stores binary data inside an ACE.

I.e.  storing things that are not the usual mask/sid thing at all but
just pure applicationspecific binjary data.

Sometimes seen in enterprise class backup and ilm applications.

This is from the patch to wireshark when I had to add this to stop
these "not-an-ACE-at-all-really" from segv wireshark.
Wireshark naively assumed everything in the ACL was a genuine ACE and
got "surprised" :-)

sahlberg at sahlberg-laptop:/shared/tmp$ cat  naugthy-ace.txt
r16881 | sahlberg | 2005-12-22 19:51:50 +1100 (Thu, 22 Dec 2005) | 10 lines

some ACEs are not used for authorization and thus do NOT contain an
access mask and a SID.

make the dissection of the ACL check the type for each individual ACE
and only dissect  as access mask and sid  those ACEs we know how to

this prevents ethereal from dumping on w32 if we encounter any of
these "special" ACE entries,   such as the ones used for storing
location data for offline files.

+	/* some ACE types we not yet handle store other things than access mask
+	 * and SID in here.
+	 * sometimes things that are not related at all to access control.
+	 *    naughty naughty.    -- ronnie
+	 */
+	switch(type){

Guess you dont encounter these apps all that often.
Since you can store up to 64kb of binary data there in each one, that
is quite a lot of space to hide things.

ronnie sahlberg

On Wed, Apr 4, 2012 at 6:14 AM, Richard Sharpe
<realrichardsharpe at gmail.com> wrote:
> Hi,
> One of our QA staff is using a NetApp Windows app called aclfunc.exe.
> One of those the tests, the Resize ACL Test fails when run against
> Samba (3.5.12+).
> What this precious little test does is to read the DACL from a
> directory, pad it out to around 1000 bytes with zeros (the size field
> in the DACL becomes 1000 or 1004) and then write it back to the
> directory. It subsequently reads the DACL back, and if it is not the
> correct, padded size, it declares the test as failed.
> So, does it matter? Is there anything in Windows which says that you
> must store exactly the DACL that you were handed? Why would that be
> needed?
> --
> Regards,
> Richard Sharpe
> (何以解憂?唯有杜康。--曹操)

More information about the samba-technical mailing list