Max number of ACEs in an SD ...

Richard Sharpe realrichardsharpe at gmail.com
Wed May 29 11:06:05 MDT 2013


On Wed, May 29, 2013 at 6:41 AM, Scott Lovenberg
<scott.lovenberg at gmail.com> wrote:
> On 5/24/2013 10:43 AM, Richard Sharpe wrote:
>> On Fri, May 24, 2013 at 7:41 AM, Scott Lovenberg
>> <scott.lovenberg at gmail.com> wrote:
>>> On Fri, May 24, 2013 at 9:57 AM, Richard Sharpe
>>> <realrichardsharpe at gmail.com> wrote:
>>>> On Fri, May 24, 2013 at 5:19 AM, Simo <idra at samba.org> wrote:
>>>>> On 05/23/2013 11:49 PM, Richard Sharpe wrote:
>>>>>> Hi folks,
>>>>>>
>>>>>> It seems that the IDL for SDs limits the number of ACEs to 1,000. It
>>>>>> also seems that Windows maxes out at around 1,820 ACEs.
>>>>>>
>>>>>> That is a ridiculous number of ACEs, but has anyone tried anything
>>>>>> larger than 1,000?
>>>>>>
>>>>> Keep in mind number of ACEs is also often limited by the size of xattrs
>>>>> on Linux (many file systems have only 4k xattrs, some have 64k xattrs)
>>>> Yes, that is true; however, 1,000 ACEs is around 28kiB of XATTR space.
>>>> We don't have that limitation in ZFS. We can go up to 128kiB.
>>>
>>> As I understand it, Windows will only allow up to 64KB (or KiB if you're
>>> into that) of ACEs per ACL.  I'm not sure if Windows clients would truncate
>>> the entries after that.
>> They do, it seems. I have some results that I need to look at around that.
>>
> Interesting. That could lead to some undefined behavior.
>
> I'm trying to think of some way that could be exploited, but everything
> I come up with requires enough permission to just remove an ACL. I guess
> if you wanted to override an explicit deny and you didn't have
> permission to remove ACLs, but you did have permission to add them, you
> could push ACEs into the ACL until the permission you want removed was
> more than 64KB deep. I don't think that actual circumstance can exist
> though.
>
> I'm curious about your results if you've looked into them.

OK, now I have the correct info.

It seems that Windows clients police this. They will not submit an SD
that is larger than 64kiB as far as we can see. This sometimes has
1800 ACEs in the ACL, sometimes 1818 ACEs, because some SIDs are
shorter than others.

-- 
Regards,
Richard Sharpe
(What can dispel sorrow? Only Dukang. -- Cao Cao)
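The size arithmetic behind the counts in the reply above (roughly 1,820 ACEs, 1818 for a fully populated DACL, fewer when the SIDs are longer), as an added example that is not Samba's or Windows' code. It encodes a self-relative security descriptor in the MS-DTYP wire layout, counts how many ACEs fit for a given SID length, and shows which ACE would be lost if a client simply cut the blob at the limit instead of refusing it. The domain SID and RIDs are constructed; treating the 64 KiB bound as applying to the whole self-relative SD (header, owner, group and DACL) is an assumption made here.

```python
"""Size arithmetic for self-relative security descriptors (MS-DTYP layout).

Added example, not Samba or Windows code.  Models the 64 KiB bound discussed
in the thread and shows how many ACEs fit depending on SID length.
"""
import struct

SD_HEADER_LEN = 20      # Revision, Sbz1, Control, 4 x 32-bit offsets
ACL_HEADER_LEN = 8      # AclRevision, Sbz1, AclSize (16-bit), AceCount (16-bit), Sbz2
ACE_HEADER_LEN = 4      # AceType, AceFlags, AceSize (16-bit)
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACCESS_DENIED_ACE_TYPE = 0x01
ACL_REVISION = 2
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
SD_LIMIT = 64 * 1024    # assumption: the 64 KiB bound applied to the whole self-relative SD
MAX_ACL_SIZE = 0xFFFF   # AclSize is a 16-bit field, so an ACL can never exceed this anyway
FILE_ALL_ACCESS = 0x1F01FF

# Constructed sample identities (not real domain SIDs).
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
OWNER = DOMAIN + "-500"
GROUP = DOMAIN + "-513"


def sid_to_bytes(sid: str) -> bytes:
    """Encode 'S-1-<authority>-<sub>-...' as a binary SID (8 + 4*n bytes)."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a SID string: %r" % sid)
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", 1, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def ace_bytes(ace_type: int, mask: int, sid: str) -> bytes:
    """ACCESS_ALLOWED/DENIED ACE: 4-byte header + 4-byte mask + SID."""
    sid_b = sid_to_bytes(sid)
    size = ACE_HEADER_LEN + 4 + len(sid_b)
    return struct.pack("<BBH", ace_type, 0, size) + struct.pack("<I", mask) + sid_b


def acl_bytes(aces: list) -> bytes:
    """ACL header followed by the ACEs; refuses what the 16-bit fields cannot hold."""
    body = b"".join(aces)
    size = ACL_HEADER_LEN + len(body)
    if size > MAX_ACL_SIZE or len(aces) > 0xFFFF:
        raise ValueError("ACL does not fit its 16-bit size/count fields")
    return struct.pack("<BBHHH", ACL_REVISION, 0, size, len(aces), 0) + body


def build_sd(owner: str, group: str, dacl: list) -> bytes:
    """Self-relative SD with owner, group and a DACL (no SACL)."""
    owner_b, group_b, dacl_b = sid_to_bytes(owner), sid_to_bytes(group), acl_bytes(dacl)
    off_owner = SD_HEADER_LEN
    off_group = off_owner + len(owner_b)
    off_dacl = off_group + len(group_b)
    hdr = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                      off_owner, off_group, 0, off_dacl)
    return hdr + owner_b + group_b + dacl_b


def dacl_aces(sd: bytes) -> list:
    """Parse the DACL back out as (type, mask, sid_bytes) tuples, checking AclSize."""
    off_dacl = struct.unpack_from("<I", sd, 16)[0]
    acl_size, ace_count = struct.unpack_from("<HH", sd, off_dacl + 2)
    pos, out = off_dacl + ACL_HEADER_LEN, []
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        mask = struct.unpack_from("<I", sd, pos + 4)[0]
        out.append((ace_type, mask, sd[pos + 8:pos + ace_size]))
        pos += ace_size
    if pos != off_dacl + acl_size:
        raise ValueError("ACL size field disagrees with its ACEs")
    return out


def fixed_overhead(owner: str, group: str) -> int:
    """Bytes consumed before the first ACE: SD header, owner, group, ACL header."""
    return SD_HEADER_LEN + len(sid_to_bytes(owner)) + len(sid_to_bytes(group)) + ACL_HEADER_LEN


def max_aces(sid: str, owner: str, group: str, limit: int = SD_LIMIT) -> int:
    """How many allow ACEs for SIDs the length of `sid` fit in an SD of `limit` bytes."""
    return (limit - fixed_overhead(owner, group)) // len(ace_bytes(ACCESS_ALLOWED_ACE_TYPE, 0, sid))


def first_ace_cut(aces: list, owner: str, group: str, limit: int = SD_LIMIT):
    """Index of the first ACE lost if a client cut the SD at `limit` instead of rejecting it."""
    used = fixed_overhead(owner, group)
    for i, ace in enumerate(aces):
        used += len(ace)
        if used > limit:
            return i
    return None


if __name__ == "__main__":
    print("domain-SID ACEs per 64 KiB SD:", max_aces(DOMAIN + "-1001", OWNER, GROUP))
    print("Everyone (S-1-1-0) ACEs per 64 KiB SD:", max_aces("S-1-1-0", OWNER, GROUP))
    print("ACEs the 16-bit AclSize field can hold:",
          (MAX_ACL_SIZE - ACL_HEADER_LEN) // len(ace_bytes(0, 0, DOMAIN + "-1001")))
    aces = [ace_bytes(ACCESS_ALLOWED_ACE_TYPE, FILE_ALL_ACCESS, DOMAIN + "-%d" % (1000 + i))
            for i in range(1818)]
    aces.append(ace_bytes(ACCESS_DENIED_ACE_TYPE, FILE_ALL_ACCESS, DOMAIN + "-9999"))
    print("ACE index lost by cutting at 64 KiB:", first_ace_cut(aces, OWNER, GROUP))
```

A domain SID with a RID has five sub-authorities, so it is 28 bytes and its ACE 36; with a 20-byte SD header, two 28-byte SIDs and an 8-byte ACL header, 1818 such ACEs fit in 64 KiB, while the 16-bit AclSize field on its own allows 1820. Shorter SIDs such as S-1-1-0 nearly double the count, which is the "some SIDs are shorter than others" effect. The last function shows why a client must reject an oversize SD rather than truncate it: an ACE appended past the boundary, here a deny, is the one that silently disappears.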