Re: [ntfs-3g-devel] [PATCH 2/2] ACE validation fixes
On Sat, Oct 29, 2016 at 11:21:37AM +0200, Jean-Pierre André wrote: > Hi again, > > Eric Biggers wrote: > > Hi Jean-Pierre, > > > > Sorry for the late response. > > No problem. I also did not do much about it. > > The intent of ntfs_valid_descr() was to guard against > processing security descriptors with invalid or unknown > features, but your need is to check whether a descriptor > is valid for Windows. The purpose of ntfs-3g is to map > Unix concepts to an ntfs file system, which is somehow > different from emulating the Windows behavior (a moving > target, Windows 8 and Windows 10 brought significant > changes). > > The translations of Windows ACLs to Posix ones rely on > heuristics which will be defeated if the ACEs are not > as expected. > > Maybe having two variants of ntfs_valid_descr() would > be the way to go, as you do not need translations, > inheritance, etc. > > Jean-Pierre Maybe. I suppose that would mean callers would be updated to specify whether they want the stricter validation or not, and ntfs_get_ntfs_acl() and ntfs_set_ntfs_acl() wouldn't require the stricter validation? Would the stricter validation apply to the SACL as well as the DACL? It seems that it shouldn't, i.e. having entries in the SACL, such as system audit entries or integrity labels or whatever, shouldn't prevent NTFS-3G from attempting to map the DACL to UNIX permissions. Eric -- The Command Line: Reinvented for Modern Developers Did the resurgence of CLI tooling catch you by surprise? Reconnect with the command line and become more productive. Learn the new .NET and ASP.NET CLI. Get your free copy! http://sdm.link/telerik ___ ntfs-3g-devel mailing list ntfs-3g-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ntfs-3g-devel
Re: [ntfs-3g-devel] [PATCH 2/2] ACE validation fixes
Hi again, Eric Biggers wrote: > Hi Jean-Pierre, > > Sorry for the late response. No problem. I also did not do much about it. The intent of ntfs_valid_descr() was to guard against processing security descriptors with invalid or unknown features, but your need is to check whether a descriptor is valid for Windows. The purpose of ntfs-3g is to map Unix concepts to an ntfs file system, which is somehow different from emulating the Windows behavior (a moving target, Windows 8 and Windows 10 brought significant changes). The translations of Windows ACLs to Posix ones rely on heuristics which will be defeated if the ACEs are not as expected. Maybe having two variants of ntfs_valid_descr() would be the way to go, as you do not need translations, inheritance, etc. Jean-Pierre > > On Mon, Sep 26, 2016 at 01:52:36PM +0200, Jean-Pierre André wrote: >>> 1. "Object" ACEs are mentioned as only being used for Active Directory >>> objects >>> [source: Windows Internals 6th edition]. On Windows, trying to use >>> SetFileSecurity() to set an object ACE in the DACL of an NTFS >>> directory fails >>> with ERROR_INVALID_ACL. This is different from how Windows treats >>> truly >>> unknown ACE types (see below). But I think it would be fine for >>> NTFS-3G to >>> simplify things by treating object ACEs like any other unknown ACE >>> type. >> >> Just for me to understand : Unix stores special objects >> (such as pipes, sockets, etc.) as file system objects with >> access control attached. Does Windows also records special >> objects as file system objects ? If so, how are these >> objects distinguished from files and directories ? > > Active Directory objects are stored in a database, not directly on the > filesystem. They just happen to both use the security descriptor format. > >> The purpose of ntfs_valid_descr() is to reject descriptors >> which ntfs-3g cannot process properly. I am not keen on >> letting special ACEs leaking into translations to Linux. >> >> Inheritance is of particular concern, because this is rather >> complex and there are undocumented special cases which have >> to be found by trials and errors. Moreover the result is >> generally not satisfactory for Linux users who have >> expectations different from Windows ones (typical example : >> inheritance of execute permissions). >> >> Also : if objects can inherit special ACEs from their parent >> directory, what prevents them to be inherited to plain files >> created in the same directory ? >> >> Cannot these specific needs be implemented within wimlib ? > > I am not sure what you mean regarding the purpose of ntfs_valid_descr(), but > the > existing behavior is that it allows unknown ACEs in both the DACL and SACL > except in certain cases. And in those certain cases, such as a callback ACE > that is not the last ACE in the list, it is broken for backup/restore > applications like wimlib which expect to be able to set security descriptors > that were created on Windows. > > Note that as a backup/restore application, wimlib does not want ACE > inheritance > at all, nor does it want translation of Windows ACLs to POSIX or Linux > permissions. It simply wants to stamp a security descriptor on each file or > directory. It can be assumed that the security descriptors are valid in the > sense that Windows would accept them. As part of this, it can be assumed that > the ACEs in each ACL have the common ACE_HEADER. But it can *not* be assumed > that every ACE is of a known type. The expected behavior is that unknown ACEs > are settable but are then skipped during access evalution. This would match > the > Windows behavior. I think Windows users might actually find it quite annoying > for Windows to do otherwise because then people could not, for example, > restore > security descriptors intended for a later version of Windows from a live > system > running an older version of Windows. Essentially the same argument applies to > NTFS-3G. > > With regards to inheritance, as I pointed out Windows simply performs the > standard inheritance algorithm on unknown ACEs per the standard ACE_HEADER > flags. It's true that there could be special rules that it is missing, but it > seems like the most logical behavior and probably the easiest to implement > too. > Of course, this isn't currently relevant to wimlib which as I mentioned does > not > care about inheritance. I just thought I'd suggest it as an improvement > (though > it's still not clear to me what the current behavior is "supposed" to be, and > that's part of the problem). > > Eric > -- The Command Line: Reinvented for Modern Developers Did the resurgence of CLI tooling catch you by surprise? Reconnect with the command line and become more productive. Learn the new .NET and ASP.NET CLI. Get your free copy! http://sdm.link/telerik ___ n
Re: [ntfs-3g-devel] [PATCH 2/2] ACE validation fixes
Hi Jean-Pierre, Sorry for the late response. On Mon, Sep 26, 2016 at 01:52:36PM +0200, Jean-Pierre André wrote: > > 1. "Object" ACEs are mentioned as only being used for Active Directory > > objects > > [source: Windows Internals 6th edition]. On Windows, trying to use > > SetFileSecurity() to set an object ACE in the DACL of an NTFS directory > > fails > > with ERROR_INVALID_ACL. This is different from how Windows treats truly > > unknown ACE types (see below). But I think it would be fine for > > NTFS-3G to > > simplify things by treating object ACEs like any other unknown ACE type. > > Just for me to understand : Unix stores special objects > (such as pipes, sockets, etc.) as file system objects with > access control attached. Does Windows also records special > objects as file system objects ? If so, how are these > objects distinguished from files and directories ? Active Directory objects are stored in a database, not directly on the filesystem. They just happen to both use the security descriptor format. > The purpose of ntfs_valid_descr() is to reject descriptors > which ntfs-3g cannot process properly. I am not keen on > letting special ACEs leaking into translations to Linux. > > Inheritance is of particular concern, because this is rather > complex and there are undocumented special cases which have > to be found by trials and errors. Moreover the result is > generally not satisfactory for Linux users who have > expectations different from Windows ones (typical example : > inheritance of execute permissions). > > Also : if objects can inherit special ACEs from their parent > directory, what prevents them to be inherited to plain files > created in the same directory ? > > Cannot these specific needs be implemented within wimlib ? I am not sure what you mean regarding the purpose of ntfs_valid_descr(), but the existing behavior is that it allows unknown ACEs in both the DACL and SACL except in certain cases. And in those certain cases, such as a callback ACE that is not the last ACE in the list, it is broken for backup/restore applications like wimlib which expect to be able to set security descriptors that were created on Windows. Note that as a backup/restore application, wimlib does not want ACE inheritance at all, nor does it want translation of Windows ACLs to POSIX or Linux permissions. It simply wants to stamp a security descriptor on each file or directory. It can be assumed that the security descriptors are valid in the sense that Windows would accept them. As part of this, it can be assumed that the ACEs in each ACL have the common ACE_HEADER. But it can *not* be assumed that every ACE is of a known type. The expected behavior is that unknown ACEs are settable but are then skipped during access evalution. This would match the Windows behavior. I think Windows users might actually find it quite annoying for Windows to do otherwise because then people could not, for example, restore security descriptors intended for a later version of Windows from a live system running an older version of Windows. Essentially the same argument applies to NTFS-3G. With regards to inheritance, as I pointed out Windows simply performs the standard inheritance algorithm on unknown ACEs per the standard ACE_HEADER flags. It's true that there could be special rules that it is missing, but it seems like the most logical behavior and probably the easiest to implement too. Of course, this isn't currently relevant to wimlib which as I mentioned does not care about inheritance. I just thought I'd suggest it as an improvement (though it's still not clear to me what the current behavior is "supposed" to be, and that's part of the problem). Eric -- The Command Line: Reinvented for Modern Developers Did the resurgence of CLI tooling catch you by surprise? Reconnect with the command line and become more productive. Learn the new .NET and ASP.NET CLI. Get your free copy! http://sdm.link/telerik ___ ntfs-3g-devel mailing list ntfs-3g-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ntfs-3g-devel
Re: [ntfs-3g-devel] [PATCH 2/2] ACE validation fixes
Hi Eric, Eric Biggers wrote: > On Wed, Sep 21, 2016 at 12:01:23PM +0200, Jean-Pierre André wrote: >> >> I have never met an object ACE and they might be irrelevant >> for a file system which only deals with files and directories. >> >> Is there a point in ntfs-3g accepting ACE types controlling >> entities which are not emulated on Linux (callbacks, labels, >> policies, etc.) ? > > Yes, because it should be --- and already is, except in certain cases --- > possible to use NTFS-3G to restore security descriptors that were created > under > Windows. This can be done by using wimlib to extract a WIM image to a NTFS > volume (for example). > > I think the emulation of ACEs under Linux is a separate concern which for some > of the new ACE types isn't really possible or meaningful. > > I also did some research, and some experiments on Windows: > > 1. "Object" ACEs are mentioned as only being used for Active Directory objects > [source: Windows Internals 6th edition]. On Windows, trying to use > SetFileSecurity() to set an object ACE in the DACL of an NTFS directory > fails > with ERROR_INVALID_ACL. This is different from how Windows treats truly > unknown ACE types (see below). But I think it would be fine for NTFS-3G > to > simplify things by treating object ACEs like any other unknown ACE type. Just for me to understand : Unix stores special objects (such as pipes, sockets, etc.) as file system objects with access control attached. Does Windows also records special objects as file system objects ? If so, how are these objects distinguished from files and directories ? > 2. "Callback" ACEs, also known as "conditional" ACEs, are mentioned as only > existing for use by the AuthZ API, which is a userspace API for access > control. The Windows kernel does *not* evaluate such ACEs when performing > access checks [source: Windows Internals 6th edition]. However, I *was* > able > to set such an ACE in the DACL of an NTFS directory using > SetFileSecurity(). > In addition, on Windows such an ACE is inherited per the standard ACE > header > flags, and the generic rights and SID mapping is performed. Still, I > don't > yet know exactly *why* recent Windows 10 builds have been observed to use > such ACEs. > > 3. Truly unknown ACE types are accepted by SetFileSecurity(). They also are > inherited per the standard ACE header flags. However, they are not > evaluated > during access checks. In addition, SetFileSecurity() does no validation > of > the ACCESS_MASK or SID fields of unknown ACEs --- which makes sense > because > the format of such ACEs is actually unknown beyond the ACE_HEADER. > Instead, > the ACE size field simply required to be at least sizeof(ACE_HEADER) and a > multiple of 4. No generic rights or SID mapping is performed during > inheritance of unknown ACEs. > > So, given the requirements and these observations, I'd like to propose that > NTFS-3G handle unknown ACE types as follows: > > * ntfs_valid_descr() accepts them and check the size only (like Windows) > * ntfs_inherit_acl() performs inheritance on unknown ACE types per the ACE >header flags but without the generic mapping (like Windows). Optionally, >generic rights and SID mapping can be done for callback ACEs. > * NTFS-3G otherwise ignores unknown ACEs (like Windows) > > Any thoughts on this? The purpose of ntfs_valid_descr() is to reject descriptors which ntfs-3g cannot process properly. I am not keen on letting special ACEs leaking into translations to Linux. Inheritance is of particular concern, because this is rather complex and there are undocumented special cases which have to be found by trials and errors. Moreover the result is generally not satisfactory for Linux users who have expectations different from Windows ones (typical example : inheritance of execute permissions). Also : if objects can inherit special ACEs from their parent directory, what prevents them to be inherited to plain files created in the same directory ? Cannot these specific needs be implemented within wimlib ? Jean-Pierre -- ___ ntfs-3g-devel mailing list ntfs-3g-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ntfs-3g-devel
Re: [ntfs-3g-devel] [PATCH 2/2] ACE validation fixes
On Wed, Sep 21, 2016 at 12:01:23PM +0200, Jean-Pierre André wrote: > > I have never met an object ACE and they might be irrelevant > for a file system which only deals with files and directories. > > Is there a point in ntfs-3g accepting ACE types controlling > entities which are not emulated on Linux (callbacks, labels, > policies, etc.) ? Yes, because it should be --- and already is, except in certain cases --- possible to use NTFS-3G to restore security descriptors that were created under Windows. This can be done by using wimlib to extract a WIM image to a NTFS volume (for example). I think the emulation of ACEs under Linux is a separate concern which for some of the new ACE types isn't really possible or meaningful. I also did some research, and some experiments on Windows: 1. "Object" ACEs are mentioned as only being used for Active Directory objects [source: Windows Internals 6th edition]. On Windows, trying to use SetFileSecurity() to set an object ACE in the DACL of an NTFS directory fails with ERROR_INVALID_ACL. This is different from how Windows treats truly unknown ACE types (see below). But I think it would be fine for NTFS-3G to simplify things by treating object ACEs like any other unknown ACE type. 2. "Callback" ACEs, also known as "conditional" ACEs, are mentioned as only existing for use by the AuthZ API, which is a userspace API for access control. The Windows kernel does *not* evaluate such ACEs when performing access checks [source: Windows Internals 6th edition]. However, I *was* able to set such an ACE in the DACL of an NTFS directory using SetFileSecurity(). In addition, on Windows such an ACE is inherited per the standard ACE header flags, and the generic rights and SID mapping is performed. Still, I don't yet know exactly *why* recent Windows 10 builds have been observed to use such ACEs. 3. Truly unknown ACE types are accepted by SetFileSecurity(). They also are inherited per the standard ACE header flags. However, they are not evaluated during access checks. In addition, SetFileSecurity() does no validation of the ACCESS_MASK or SID fields of unknown ACEs --- which makes sense because the format of such ACEs is actually unknown beyond the ACE_HEADER. Instead, the ACE size field simply required to be at least sizeof(ACE_HEADER) and a multiple of 4. No generic rights or SID mapping is performed during inheritance of unknown ACEs. So, given the requirements and these observations, I'd like to propose that NTFS-3G handle unknown ACE types as follows: * ntfs_valid_descr() accepts them and check the size only (like Windows) * ntfs_inherit_acl() performs inheritance on unknown ACE types per the ACE header flags but without the generic mapping (like Windows). Optionally, generic rights and SID mapping can be done for callback ACEs. * NTFS-3G otherwise ignores unknown ACEs (like Windows) Any thoughts on this? Eric -- ___ ntfs-3g-devel mailing list ntfs-3g-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ntfs-3g-devel
Re: [ntfs-3g-devel] [PATCH 2/2] ACE validation fixes
Hi again, Eric Biggers wrote: > Hmm, I think I messed up the "object" ACEs slightly (assuming they ever > actually > exist). According to > https://msdn.microsoft.com/en-us/library/windows/desktop/aa374857(v=vs.85).aspx, > the SID is actually at a variable offset. > > Another problem is that NTFS-3G interprets ACLs in other places, so if there > really are ACEs with a new format, they would need to be handled there too... I have never met an object ACE and they might be irrelevant for a file system which only deals with files and directories. Is there a point in ntfs-3g accepting ACE types controlling entities which are not emulated on Linux (callbacks, labels, policies, etc.) ? Regards Jean-Pierre -- ___ ntfs-3g-devel mailing list ntfs-3g-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ntfs-3g-devel
Re: [ntfs-3g-devel] [PATCH 2/2] ACE validation fixes
Hmm, I think I messed up the "object" ACEs slightly (assuming they ever actually exist). According to https://msdn.microsoft.com/en-us/library/windows/desktop/aa374857(v=vs.85).aspx, the SID is actually at a variable offset. Another problem is that NTFS-3G interprets ACLs in other places, so if there really are ACEs with a new format, they would need to be handled there too... -- ___ ntfs-3g-devel mailing list ntfs-3g-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ntfs-3g-devel
[ntfs-3g-devel] [PATCH 2/2] ACE validation fixes
- Allow extra data after the SID. Recent Windows 10 images have been
reported to contain DACLs with an ACCESS_ALLOWED_CALLBACK_ACE with
extra data after the SID. The ACE is not necessarily at the end of
the DACL, so the recent fix to allow extra data for the last ACE only
was insufficient. I also suspect extra data is sometimes used by
other ACE types. In fact, SetFileSecurity() on Windows permits extra
data for all ACE types. So make NTFS-3G do the same.
- Validate the SID at the correct offset for "object" ACEs. (Most
likely this bug wasn't noticed because object ACEs are rarely used.)
- Only validate the SID for recognized ACE types. The placement or
presence of the SID should not be assumed for future ACE types.
Signed-off-by: Eric Biggers
---
libntfs-3g/acls.c | 114 +++---
1 file changed, 82 insertions(+), 32 deletions(-)
diff --git a/libntfs-3g/acls.c b/libntfs-3g/acls.c
index b91e041..06c44d9 100644
--- a/libntfs-3g/acls.c
+++ b/libntfs-3g/acls.c
@@ -536,45 +536,95 @@ gid_t ntfs_find_group(const struct MAPPING* groupmapping,
const SID * gsid)
}
/*
+ * Does the ACE have the same format as ACCESS_ALLOWED_ACE?
+ */
+
+static BOOL is_regular_ace(const ACE_HEADER *pace)
+{
+ switch (pace->type) {
+ case ACCESS_ALLOWED_ACE_TYPE:
+ case ACCESS_DENIED_ACE_TYPE:
+ case SYSTEM_AUDIT_ACE_TYPE:
+ case ACCESS_ALLOWED_CALLBACK_ACE_TYPE:
+ case ACCESS_DENIED_CALLBACK_ACE_TYPE:
+ case SYSTEM_AUDIT_CALLBACK_ACE_TYPE:
+ case SYSTEM_MANDATORY_LABEL_ACE_TYPE:
+ case SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE:
+ case SYSTEM_SCOPED_POLICY_ID_ACE_TYPE:
+ case SYSTEM_PROCESS_TRUST_LABEL_ACE_TYPE:
+ return TRUE;
+ default:
+ return FALSE;
+ }
+}
+
+/*
+ * Does the ACE have the same format as ACCESS_ALLOWED_OBJECT_ACE?
+ */
+
+static BOOL is_object_ace(const ACE_HEADER *pace)
+{
+ switch (pace->type) {
+ case ACCESS_ALLOWED_OBJECT_ACE_TYPE:
+ case ACCESS_DENIED_OBJECT_ACE_TYPE:
+ case SYSTEM_AUDIT_OBJECT_ACE_TYPE:
+ case ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE:
+ case ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE:
+ case SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE:
+ return TRUE;
+ default:
+ return FALSE;
+ }
+}
+
+/*
* Check the validity of the ACEs in a DACL or SACL
+ *
+ * If an ACE is recognized, we validate its SID.
+ * Otherwise, we validate its size only.
*/
static BOOL valid_acl(const ACL *pacl, unsigned int end)
{
- const ACCESS_ALLOWED_ACE *pace;
- unsigned int offace;
- unsigned int acecnt;
- unsigned int acesz;
- unsigned int nace;
- unsigned int wantsz;
- BOOL ok;
+ unsigned int ace_count;
+ unsigned int ace_offset;
+ unsigned int ace_size;
+ unsigned int sid_offset;
+ const ACE_HEADER *pace;
+ const SID *psid;
- ok = TRUE;
- acecnt = le16_to_cpu(pacl->ace_count);
- offace = sizeof(ACL);
- for (nace = 0; (nace < acecnt) && ok; nace++) {
- /* be sure the beginning is within range */
- if ((offace + sizeof(ACCESS_ALLOWED_ACE)) > end)
- ok = FALSE;
- else {
- pace = (const ACCESS_ALLOWED_ACE*)
- &((const char*)pacl)[offace];
- acesz = le16_to_cpu(pace->size);
- if (((offace + acesz) > end)
- || !ntfs_valid_sid(&pace->sid))
-ok = FALSE;
- else {
- /* Win10 may insert garbage in the last ACE */
- wantsz = ntfs_sid_size(&pace->sid) + 8;
- if (((nace < (acecnt - 1))
- && (wantsz != acesz))
- || (wantsz > acesz))
- ok = FALSE;
- }
- offace += acesz;
- }
+ for (ace_count = le16_to_cpu(pacl->ace_count), ace_offset = sizeof(ACL);
+ace_count != 0;
+ace_count--, ace_offset += ace_size)
+ {
+ if (sizeof(ACE_HEADER) > end - ace_offset)
+ return FALSE;
+
+ pace = (const ACE_HEADER *)((char *)pacl + ace_offset);
+ ace_size = le16_to_cpu(pace->size);
+ if (ace_size < sizeof(ACE_HEADER) ||
+ ace_size > end - ace_offset)
+ return FALSE;
+
+ if (is_regular_ace(pace))
+ sid_offset = offsetof(ACCESS_ALLOWED_ACE, sid);
+ else if (is_object_ace(pace))
+ sid_offset = offsetof(ACCESS_ALLOWED_OBJECT_ACE, sid);
+ else
