Forwarding here again as it bounced the first time. From: Nadezhda Ivanova
Sent: Friday, July 10, 2009 2:09 PM To: [email protected] Cc: [email protected]; [email protected] Subject: Help regarding the security descriptor creation algorithms Hi, I have been working on implementing correct nTSecurityDeascriptor creation in the directory service of Samba 4, and have come upon a problem in the ComputeInheritedACLfromParent subroutine described in MS-DTYP 2.5.2.6. The way the algorithm is described, the purpose of this algorithm is to determine which ACE’s from an object’s parent are to be inherited by the new object actively, and which are to be inherited only. The ComputeInheritedACLfromParent as described, walks the parent ACL twice. The first time it determines the active inherited ACE’s, the second time the ones that are inherited but inactive. I have been testing our implementation with the CN=Schema partition, as the attributes and objects by default are not given a security descriptor during creation, and the defaultSecurityDescriptor of attribute-Schema is empty DACL and SACL. So, they inherit all their DACL ACE’s from their parent, CN=Schema. In a Win2008R2, CN=Schema has three inheritable DACL ACE’s: (A;CI;RPLCLORC;;;AU) (A;CI;RPWPCRCCLCLORCWOWDSW;;;SA) (A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY) ComputeInheritedACLfromParent has the following arguments: ACL: ACL that contains the parent's ACEs from which to compute the inherited ACL. IsContainerObject: TRUE if the object is a container, FALSE otherwise. ObjectTypes: Array of GUIDs for the object type being created. So if we invoke the ComputeInheritedACLfromParent with the above DACL,and isConatinerObject = true (According to MS-ADTS 7.1.3, true is always the value), the first walk of the input Initialize ExplicitACL to Empty ACL FOR each ACE in ACL DO IF ACE.Flags contains INHERIT_ONLY THEN CONTINUE ENDIF IF(((ACE.Flags contains CONTAINER_INHERIT) AND (IsContainerObject = TRUE))OR ((ACE.Flags contains OBJECT_INHERIT) AND (IsContainerObject = FALSE))) THEN CASE ACE.Type OF ALLOW: DENY: Set NewACE to ACE Set NewACE.Flags to INHERITED Append NewACE to ExplicitACL OBJECT_ALLOW: OBJECT_DENY: IF (ObjectTypes contains ACE.ObjectGUID) THEN Set NewACE to ACE Set NewACE.Flags to INHERITED Append NewACE to ExplicitACL ENDIF ENDCASE ENDIF END FOR Will give: D:AI(A;CIID;RPLCLORC;;;AU)(A;CIID;RPWPCRCCLCLORCWOWDSW;;;SA)(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY) Which is as expected, as this is the DACL of all attributes and classes in Win 2008. However, the algorithm then walks the input a second time: Initialize InheritableACL to Empty ACL IF (IsContainerObject = TRUE) THEN //In our case this is always true FOR each ACE in ACL DO IF ACE.Flags contains NO_PROPAGATE THEN //This flag is not set CONTINUE ENDIF IF((ACE.Flags contains CONTAINER_INHERIT) OR (ACE.Flags contains OBJECT_INHERIT)) THEN Set NewACE to ACE Add INHERITED to NewACE.Flags Add INHERIT_ONLY to NewACE.Flags Append NewACE to InheritableACL ENDIF END FOR ENDIF This second loop yields: (A;CIIOID;RPLCLORC;;;AU)(A;CIIOID;RPWPCRCCLCLORCWOWDSW;;;SA)(A;CIIOID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY) Which after: RETURN concatenation of ExplicitACL and InheritableACL Makes the final DACL look like: D:AI(A;CIID;RPLCLORC;;;AU)(A;CIID;RPWPCRCCLCLORCWOWDSW;;;SA)(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;CIIOID;RPLCLORC;;;AU)(A;CIIOID;RPWPCRCCLCLORCWOWDSW;;;SA)(A;CIIOID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY) So ACE’s are duplicated. However, an attribute’s DACL in Win2008 does not have these last three ACE’s, so I am obviously missing something. How should the flow actually go with this same example in order to avoid this duplication? Or am I providing the wrong argument? Best Regards, Nadezhda Ivanova Nadezhda Ivanova Software EngineerSoftware Development [email protected] CISCO SYSTEMS BULGARIA EOOD 18 Macedonia Blvd. Sofia 1606 Bulgaria Think before you print.
<<image001.gif>>
<<image002.gif>>
_______________________________________________ cifs-protocol mailing list [email protected] https://lists.samba.org/mailman/listinfo/cifs-protocol
