Fwd: [REG : 112040380892433]: Is there any requirement when handling an NT_TRANSACT_SET_SECURITY_DESCRIPTOR to store the DACL exactly as presented on the wire?
jra at samba.org
Mon Apr 16 10:38:17 MDT 2012
On Mon, Apr 16, 2012 at 07:47:26AM -0700, Richard Sharpe wrote:
> Hi folks,
> This seems to be the answer. Now I am off to look at MS-FSA.
> ---------- Forwarded message ----------
> From: Tarun Chopra <Tarun.Chopra at microsoft.com>
> Date: Mon, Apr 16, 2012 at 7:41 AM
> Subject: RE: [REG : 112040380892433]: Is there any requirement when
> handling an NT_TRANSACT_SET_SECURITY_DESCRIPTOR to store the DACL
> exactly as presented on the wire?
> To: Richard Sharpe <realrichardsharpe at gmail.com>
> Cc: MSSolve Case Email <casemail at microsoft.com>
> Hi Richard
> Per our analysis, Yes, there is a requirement mentioned in section
> 220.127.116.11 of MS-FSA to store DACL (passed in InputBuffer parameter)
> presented by higher-layer protocol as-is without any modification.
> Excerpt is as follows:
> The object store MUST set Open.File.SecurityDescriptor to InputBuffer.
> As a result, NTFS volume will store the extraneous zeros passed in
> DACL and returns the same DACL in Query Security Information
> Kindly let me know if this answers your query or if you require
> further assistance/clarification on below issue.
Ouch. That's really bad - and is essentially an additional
meta-data store on Windows people can hide *anything* inside.
More information about the samba-technical