A NetApp test, aclfunc.exe seems to think that DACLs with unneeded zeros should not be resized

Tue Apr 3 16:10:29 MDT 2012

On 4/3/12, ronnie sahlberg <ronniesahlberg at gmail.com> wrote:
> Richard
>
>
> There are applications in the enterprise space that abuses the ACL and
> stores binary data inside an ACE.

Well, it struck me that people might be hiding stuff in the DACL.

Note, however, that in this case the NetApp tool is not abusing ACEs,
but rather they are abusing the DACL. The DACL correctly states that
there are 5 ACEs in it, and each are the correct size (20, 36, 20, 24,
24 bytes respectively) howevr, the DACL is stated to contain 1000
bytes, with the remainder being zeros.

> I.e.  storing things that are not the usual mask/sid thing at all but
> just pure applicationspecific binjary data.
>
> Sometimes seen in enterprise class backup and ilm applications.
>
>
> This is from the patch to wireshark when I had to add this to stop
> these "not-an-ACE-at-all-really" from segv wireshark.
> Wireshark naively assumed everything in the ACL was a genuine ACE and
> got "surprised" :-)
>
>
>
> sahlberg at sahlberg-laptop:/shared/tmp$ cat  naugthy-ace.txt
> ------------------------------------------------------------------------
> r16881 | sahlberg | 2005-12-22 19:51:50 +1100 (Thu, 22 Dec 2005) | 10 lines
>
> some ACEs are not used for authorization and thus do NOT contain an
> access mask and a SID.
>
> make the dissection of the ACL check the type for each individual ACE
> and only dissect  as access mask and sid  those ACEs we know how to
> handle.
>
>
> this prevents ethereal from dumping on w32 if we encounter any of
> these "special" ACE entries,   such as the ones used for storing
> location data for offline files.
>
>
>
>
> ...
> +	
> +	/* some ACE types we not yet handle store other things than access mask
> +	 * and SID in here.
> +	 * sometimes things that are not related at all to access control.
> +	 *    naughty naughty.    -- ronnie
> +	 */
> +	switch(type){
> +	case ACE_TYPE_ACCESS_ALLOWED:
> +	case ACE_TYPE_ACCESS_DENIED:
> +	case ACE_TYPE_SYSTEM_AUDIT:
> +	case ACE_TYPE_SYSTEM_ALARM:
> ...
>
>
>
> Guess you dont encounter these apps all that often.
> Since you can store up to 64kb of binary data there in each one, that
> is quite a lot of space to hide things.
>
> regards
> ronnie sahlberg
>
>
>
> On Wed, Apr 4, 2012 at 6:14 AM, Richard Sharpe
> <realrichardsharpe at gmail.com> wrote:
>> Hi,
>>
>> One of our QA staff is using a NetApp Windows app called aclfunc.exe.
>>
>> One of those the tests, the Resize ACL Test fails when run against
>> Samba (3.5.12+).
>>
>> What this precious little test does is to read the DACL from a
>> directory, pad it out to around 1000 bytes with zeros (the size field
>> in the DACL becomes 1000 or 1004) and then write it back to the
>> directory. It subsequently reads the DACL back, and if it is not the
>> correct, padded size, it declares the test as failed.
>>
>> So, does it matter? Is there anything in Windows which says that you
>> must store exactly the DACL that you were handed? Why would that be
>> needed?
>>
>> --
>> Regards,
>> Richard Sharpe
>> (何以解憂？唯有杜康。--曹操)
>

-- 
Regards,
Richard Sharpe
(何以解憂？唯有杜康。--曹操)