Hi Jean-Pierre,
many thanks for the tests.
Am 20.02.2016 um 08:43 schrieb Jean-Pierre André:
Ulf Zibis wrote:
Hi Jean-Pierre,
many thanks for the valuable links.
So I now understand:
1.) Windows security management relies on the canonical order of the
ACEs. The tools are not designed to configure the order as a choice of
the user, even from the C APIs, so the resulting ACL should always
fulfill the canonical order.
Quoting from:
https://msdn.microsoft.com/en-us/library/windows/desktop/aa379576%28v=vs.85%29.aspx
"The SetEntriesInAcl function places any new access-denied
ACEs at the beginning of the list of ACEs for the new ACL
<https://msdn.microsoft.com/en-us/library/windows/desktop/aa374931%28v=vs.85%29.aspx>.
This function places any new access-allowed ACEs just before any
existing access-allowed ACEs."
2.) Windows AccessCheck depends on the order of the ACEs. If the order
is not canonical, it calculates the permissions in a way, which emulates
POSIX modes, which are not officially provided by Windows, but as a side
No it does not emulate Posix mode,
I should have better written:
... which emulates permission combinations, e.g. 745, known and valid for POSIX modes, which are not
possible with the canonical ACE order, hence not officially provided by Windows ...
I guess, we mean the same.
on the contrary, the Posix mode has to use the officially defined rules
Hm, which rule do you mean? I only see the ACE canonical order rule.
supported by Windows in a way which the Windows administration
tools dislike.
Also C functions dislike it (as I read from the mentioned *SetEntriesInAcl* function), so what is
wrong, when Windows administration
tools use them.
It does not pass the "secaudit -t" test (which you
have), at least when Posix ACLs are in use.
[linux@dimension acls]$ ./secaudit -t
I'm still not able to run this. I tried:
ich@ThinkPad-T500:~/Projects/Tuxera/ntfs-3g_ntfsprogs-2015.3.14AR.3$ ./configure --enable-posix-acls
...
ich@ThinkPad-T500:~/Projects/Tuxera/ntfs-3g_ntfsprogs-2015.3.14AR.3$ make
...
ich@ThinkPad-T500:~/Projects/Tuxera/ntfs-3g_ntfsprogs-2015.3.14AR.3$ src/ntfs-3g.secaudit -t
secaudit 1.4.6 : NTFS security data auditing
Invalid option -t
Usage:
...
ich@ThinkPad-T500:~/Projects/Tuxera/ntfs-3g_ntfsprogs-2015.3.14AR.3$ ./secaudit -t
bash: ./secaudit: File or directory not found
And it is a recommended practice not to send a full test
database to a developer, in order to prevent him from
trying to pass the test instead of solving the
requirement (there is a recent case about a manufacturer
who solved passing the tests instead of complying with
the regulations).
From the OpenJDK and NetBeans projects I'm used to having access to the test
patterns.
It works fine, as the patches are always reviewed by several developers before they get committed to
the repository.
Note : if removing the firstapply solves your issue,
that is good for you....
Well, this would be a temporary solution, but not for long term.
Every time after Ubuntu updates I would have to check, if my custom version has been overwritten,
and then I should reinstall it for any future.
So I would prefer to find a fix, which could go into the release.
I've updated the patch to make it dependent on:
#ifdef POSIXACLS
(Maybe it helps to pass the tests.)
Regards,
Ulf
# HG changeset patch
# User Ulf Zibis
# Date 1456026065 -3600
# Sun Feb 21 04:41:05 2016 +0100
# Node ID f78f7e78a639900c3538fb058a5a027b65281781
# Parent 279afc6a6d38c31a4a82b7d9fbe787b602c839f9
Removed ACE order dependency with firstapply if not POSIXACLS
diff --git a/libntfs-3g/acls.c b/libntfs-3g/acls.c
--- a/libntfs-3g/acls.c
+++ b/libntfs-3g/acls.c
@@ -3204,10 +3204,10 @@
int offace;
int acecnt;
int nace;
- BOOL noown;
le32 special;
le32 allowown, allowgrp, allowall;
le32 denyown, denygrp, denyall;
+ BOOL noown;
phead = (const SECURITY_DESCRIPTOR_RELATIVE*)securattr;
offdacl = le32_to_cpu(phead->dacl);
@@ -3293,10 +3293,10 @@
int acecnt;
int nace;
le32 special;
- BOOL grppresent;
- BOOL ownpresent;
le32 allowown, allowgrp, allowall;
le32 denyown, denygrp, denyall;
+ BOOL ownpresent;
+ BOOL grppresent;
phead = (const SECURITY_DESCRIPTOR_RELATIVE*)securattr;
offdacl = le32_to_cpu(phead->dacl);
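Review bot: The declaration moves in the first two hunks (`BOOL noown;` moved below the `le32` lines, `ownpresent` and `grppresent` moved and swapped) are unrelated to the firstapply change named in the commit message and alter no behaviour. Please drop them from this patch or send them separately, so that the diff under review covers only the permission logic.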
@@ -3482,11 +3482,13 @@
int offace;
int acecnt;
int nace;
- BOOL firstapply;
- int isforeign;
le32 special;
le32 allowown, allowgrp, allowall;
le32 denyown, denygrp, denyall;
+#if POSIXACLS
+ BOOL firstapply;
+#endif /* POSIXACLS */
+ int isforeign;
phead = (const SECURITY_DESCRIPTOR_RELATIVE*)securattr;
offdacl = le32_to_cpu(phead->dacl);
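Review bot: The guard around the `firstapply` declaration is `#if POSIXACLS`, while the accompanying mail describes it as `#ifdef POSIXACLS`; the two differ when the macro is defined as 0. Please confirm which form the rest of acls.c uses and make the description match. Moving `int isforeign;` below the `le32` declarations is unrelated to the change and can stay where it was.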
@@ -3501,7 +3503,9 @@
acecnt = 0;
offace = 0;
}
+#if POSIXACLS
firstapply = TRUE;
+#endif /* POSIXACLS */
isforeign = 3;
for (nace = 0; nace < acecnt; nace++) {
pace = (const ACCESS_ALLOWED_ACE*)&securattr[offace];
@@ -3509,7 +3513,11 @@
&& !(~pace->mask & (ROOT_OWNER_UNMARK | ROOT_GROUP_UNMARK))) {
if ((ntfs_same_sid(usid, &pace->sid)
|| ntfs_same_sid(ownersid, &pace->sid))
- && (((pace->mask & WRITE_OWNER) && firstapply))) {
+#if POSIXACLS
+ && ((pace->mask & WRITE_OWNER) && firstapply)) {
+#else
+ && (pace->mask & WRITE_OWNER)) {
+#endif /* POSIXACLS */
if (pace->type == ACCESS_ALLOWED_ACE_TYPE) {
allowown |= pace->mask;
isforeign &= ~1;
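Review bot: In the `#else` branch the owner test becomes `(pace->mask & WRITE_OWNER)` with no `firstapply`, so in a non-POSIXACLS build every ACE for `usid` or `ownersid` that carries WRITE_OWNER is folded into `allowown`/`denyown`, not only the first applicable one. That changes the mode computed for security descriptors already on disk, since later ACEs that were previously not counted as owner ACEs now are; please state in the commit message which ACE orderings this is meant to accept and add a test descriptor for each. Splitting the condition so that each preprocessor branch carries its own `{` also leaves the braces unbalanced for editors and static analysers; keeping one condition line and guarding only the extra term would avoid that.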
@@ -3532,7 +3540,9 @@
if (pace->type == ACCESS_DENIED_ACE_TYPE)
denyall |= pace->mask;
}
+#if POSIXACLS
firstapply = FALSE;
+#endif /* POSIXACLS */
} else
if (!(pace->flags & INHERIT_ONLY_ACE))
if ((ntfs_same_sid((const SID*)&pace->sid,nullsid))
# HG changeset patch
# User Ulf Zibis
# Date 1456022578 -3600
# Sun Feb 21 03:42:58 2016 +0100
# Node ID bf33c717fa782fa85d54f5f79d9640d8e10d755e
# Parent 279afc6a6d38c31a4a82b7d9fbe787b602c839f9
Added ATTENTION for testing without installing
diff --git a/README b/README
--- a/README
+++ b/README
@@ -121,6 +121,9 @@
And, to end the test, unmount the usual way :
umount /dev/sda1
+ATTENTION: Don't do "cd src" and run from there !!
+ This invokes the existing installed version.
+
PRELINKED BINARY VERSION
========================
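Review bot: The added ATTENTION lines say what not to do but not why, nor what to run instead. If the cause is that a bare command name typed inside `src` is resolved through PATH to the installed binary, say so and show the invocation that does run the freshly built one. The double exclamation marks and the space before them can go.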
_______________________________________________
ntfs-3g-devel mailing list
ntfs-3g-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ntfs-3g-devel
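
The order dependence discussed in this thread, as an added example that is not part of the original mail or of ntfs-3g: a simplified model of an ordered DACL walk, showing that the same four ACEs give mode 745 in one order and 445 once the deny ACE is moved to the front as canonical order requires. The structures, names and sample DACLs are constructed for illustration, and the owner is assumed to be a member of the file's group.

```c
#include <stdio.h>
#include <stddef.h>

/* Simplified model, not the Windows or ntfs-3g structures (all names assumed). */
enum { R = 4, W = 2, X = 1 };             /* permission bits of one mode digit */
enum { OWNER = 1, GROUP = 2, WORLD = 4 }; /* one bit per SID held in a token */
enum ace_type { ALLOW, DENY };
struct ace { enum ace_type type; unsigned sid; unsigned mask; };

/* Ordered walk: the first matching ACE that mentions a bit settles that bit. */
static unsigned granted(const struct ace *dacl, size_t n, unsigned token)
{
    unsigned allowed = 0, denied = 0;
    for (size_t i = 0; i < n; i++) {
        if (!(dacl[i].sid & token))
            continue;                     /* ACE is for a SID we do not hold */
        unsigned fresh = dacl[i].mask & ~(allowed | denied);
        if (dacl[i].type == ALLOW)
            allowed |= fresh;
        else
            denied |= fresh;
    }
    return allowed;
}

/* Effective mode as three octal digits: owner, group member, everyone else. */
static unsigned mode_of(const struct ace *dacl, size_t n)
{
    return granted(dacl, n, OWNER | GROUP | WORLD) << 6  /* owner is in the group */
         | granted(dacl, n, GROUP | WORLD) << 3
         | granted(dacl, n, WORLD);
}

/* Constructed DACLs: the same four ACEs, in two orders. */
static const struct ace posix_order[] = {
    { ALLOW, OWNER, R | W | X }, { DENY, GROUP, W | X },
    { ALLOW, GROUP, R },         { ALLOW, WORLD, R | X },
};
static const struct ace canonical_order[] = {  /* deny ACE moved to the front */
    { DENY, GROUP, W | X },      { ALLOW, OWNER, R | W | X },
    { ALLOW, GROUP, R },         { ALLOW, WORLD, R | X },
};

int main(void)
{
    printf("as written: %03o\n", mode_of(posix_order, 4));
    printf("canonical:  %03o\n", mode_of(canonical_order, 4));
    return 0;
}
```

In canonical order the group deny is seen before the owner allow, so an owner who belongs to the group loses write and execute.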