
List:       cifs-protocol
Subject:    Re: [cifs-protocol] [EXTERNAL] Re: [MS-DTYP] Conditional ACE Unicode literal SDDL format - TrackingI
From:       Obaid Farooqi via cifs-protocol <cifs-protocol@lists.samba.org>
Date:       2023-05-25 19:19:32
Message-ID: MN2PR21MB13904C34158F0E7F72F0610AC646A@MN2PR21MB1390.namprd21.prod.outlook.com

Hi Douglas:
In addition to what I said below, I confirmed with the product group that the % with 4
hex digits is only applicable for attribute names. This is correctly documented in
MS-DTYP as follows:

    attr-name  = attr-name1 / attr-name2
    attr-name2 = ("@user." / "@device." / "@resource.") 1*attr-char2
    attr-char2 = attr-char1 / lit-char
    lit-char   = "#" / "$" / "'" / "*" / "+" / "-" / "." / "/" / ":" / ";" / "?" / "@" /
                 "[" / "\" / "]" / "^" / "_" / "`" / "{" / "}" / "~" / %x0080-FFFF / ( "%" 4HEXDIG )
                 ; 4HEXDIG can have any value except 0000 (NULL)

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

-----Original Message-----
From: Obaid Farooqi 
Sent: Thursday, May 11, 2023 1:14 PM
To: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Cc: cifs-protocol@lists.samba.org; Microsoft Support <supportmail@microsoft.com>
Subject: RE: [EXTERNAL] Re: [MS-DTYP] Conditional ACE Unicode literal SDDL format - TrackingID#2302240040001164

Hi Douglas:
I researched the code for classSchema object and the default security descriptor in
SDDL is only converted to binary SD when an object of that class is instantiated. And
guess what, the same API is used to convert default SD that I have already
communicated to you.

I can say with great confidence that there is no support for escape sequences and hex
strings as escape sequences in conditional expressions in DACL in SDDL.

If you can make escaping or hex strings as escaping work, let me know.

I'll file a bug to fix MS-DTYP. 

Please let me know if this does not answer your question.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft
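The two rules stated in this thread (the ABNF quoted at the top, where "%" followed by 4 hex digits is an escape only inside attr-name2 and never decodes to 0000, and the statement in the message above that there is no escape mechanism inside a conditional-expression string literal) can be checked mechanically. The following parser is an added example, not Samba or Windows code; its function names, and the `(attr == "literal")` shape it accepts, are this example's own assumptions taken from the expressions shown in the thread:

```python
"""Added example (not Samba or Windows code): a small parser for the parts of
the MS-DTYP conditional-ACE SDDL grammar discussed in this thread.

It encodes two points from the thread:
  * "%" 4HEXDIG escapes are decoded only inside attr-name2 (the @user. /
    @device. / @resource. forms), and %0000 (NUL) is rejected;
  * char-string is DQUOTE *(CHAR) DQUOTE with no escape mechanism, so a
    literal value can never contain a double quote, and a %HHHH sequence
    inside a literal is just five ordinary characters.
The expression shape handled, '(attr == "literal")', is the one used in the
thread's examples; the function names are this example's own.
"""
import re

# attr-char1 = 1*(ALPHA / DIGIT / ":" / "." / "/" / "_")
ATTR_CHAR1 = re.compile(r"[A-Za-z0-9:./_]")
ATTR_NAME1 = re.compile(r"[A-Za-z0-9:./_]+")
# Single-character alternatives of lit-char. "%" is NOT among them; it only
# introduces a "%" 4HEXDIG escape.
LIT_CHARS = set("#$'*+-./:;?@[\\]^_`{}~")
# ABNF quoted strings are case-insensitive, so "@User." matches "@user.".
PREFIXES = ("@user.", "@device.", "@resource.")


class SddlError(ValueError):
    """Raised for text the grammar does not accept."""


def parse_attr_name(text, pos=0):
    """Parse an attr-name at text[pos:]; return (decoded_name, end_pos)."""
    lower = text[pos:].lower()
    prefix = next((p for p in PREFIXES if lower.startswith(p)), None)
    if prefix is None:
        # attr-name1: plain characters only, so a "%" simply ends the name.
        m = ATTR_NAME1.match(text, pos)
        if not m:
            raise SddlError("expected an attribute name at offset %d" % pos)
        return m.group(0), m.end()

    out = [text[pos:pos + len(prefix)]]   # keep the writer's case
    i = pos + len(prefix)
    start = i
    while i < len(text):
        c = text[i]
        if c == "%":
            digits = text[i + 1:i + 5]
            if not re.fullmatch(r"[0-9A-Fa-f]{4}", digits or ""):
                raise SddlError("'%%' needs exactly 4 hex digits at offset %d" % i)
            code = int(digits, 16)
            if code == 0:
                raise SddlError("%0000 (NUL) is not allowed in an attribute name")
            out.append(chr(code))
            i += 5
        elif ATTR_CHAR1.match(c) or c in LIT_CHARS or 0x80 <= ord(c) <= 0xFFFF:
            out.append(c)
            i += 1
        else:
            break
    if i == start:
        raise SddlError("attr-name2 needs at least one character after %r" % prefix)
    return "".join(out), i


def parse_string_literal(text, pos=0):
    """Parse char-string = DQUOTE *(CHAR) DQUOTE; return (value, end_pos).

    There is no escape syntax: the first DQUOTE after the opening one ends
    the literal, whatever character precedes it.
    """
    if pos >= len(text) or text[pos] != '"':
        raise SddlError("expected '\"' at offset %d" % pos)
    end = text.find('"', pos + 1)
    if end < 0:
        raise SddlError("unterminated string literal")
    return text[pos + 1:end], end + 1


def _skip_ws(text, pos):
    while pos < len(text) and text[pos] == " ":
        pos += 1
    return pos


def parse_comparison(expr):
    """Parse '(attr-name == "literal")' and return its parts as a dict."""
    s = expr.strip()
    if not (s.startswith("(") and s.endswith(")")):
        raise SddlError("conditional expression must be parenthesised")
    inner = s[1:-1]
    i = _skip_ws(inner, 0)
    name, i = parse_attr_name(inner, i)
    i = _skip_ws(inner, i)
    if inner[i:i + 2] != "==":
        raise SddlError("expected '==' at offset %d" % i)
    i = _skip_ws(inner, i + 2)
    value, i = parse_string_literal(inner, i)
    if inner[i:].strip():
        raise SddlError("unexpected text after literal: %r" % inner[i:])
    return {"attr": name, "op": "==", "value": value}


def is_rejected(expr):
    """True when parse_comparison raises SddlError for expr."""
    try:
        parse_comparison(expr)
    except SddlError:
        return True
    return False


if __name__ == "__main__":
    for e in ['(@User.Title == "PM")', '(Title=="VP")',
              '(@user.Ti%0074le == "PM")',    # escape decoded in the name
              '(@User.Title == "P%0022M")',   # NOT decoded in the value
              '(@User.Title == "P\\"M")',     # backslash is no escape here
              '(@user.x%0000 == "PM")']:      # NUL escape rejected
        try:
            print(e, "->", parse_comparison(e))
        except SddlError as err:
            print(e, "-> rejected:", err)
```

Running it shows the asymmetry the thread settles on: `@user.Ti%0074le` decodes to `@user.Title`, while `"P%0022M"` stays the seven-character value `P%0022M`, and `"P\"M"` fails because the literal ends at the second double quote and `M"` is left over. Note that the parser accepts the prefix case-insensitively but otherwise keeps the attribute name as written, which is also what the `@User.Title` example in the thread shows.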

-----Original Message-----
From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Sent: Wednesday, April 26, 2023 6:53 PM
To: Obaid Farooqi <obaidf@microsoft.com>
Cc: cifs-protocol@lists.samba.org; Microsoft Support <supportmail@microsoft.com>
Subject: [EXTERNAL] Re: [MS-DTYP] Conditional ACE Unicode literal SDDL format - TrackingID#2302240040001164

Thanks Obaid,

The way I have been testing SDDL using a protocol is setting defaultSecurityDescriptor
on a classSchema object. This has some downsides -- the server schema fills up with
useless objects, and the SDDL is not entirely resolved until a new object is created, at
which point it gets merged with other defaults and it is often hard to see what happened.

It sometimes seems to differ a little from the
ConvertSecurityDescriptorToStringSecurityDescriptorA API but so far only in
inconsequential ways, like upper/lower case in hex digits.

I haven't yet got very far with testing conditional ACEs, as I have been finding
enough issues in our ordinary SDDL, and working on getting the basic conditional ACE
code going.

As you can probably guess, I really care more about getting conditional ACEs right
for Samba client tools than at the protocol level, but the same code will be used for
both.

I will test some of these escapes and let you know.

cheers,
Douglas


On 26/04/23 04:23, Obaid Farooqi wrote:
> Hi Douglas:
> 
> I want to add some nuance to my previous reply.
> 
> I used an API directly to test the escaping of double quote or 4 hex 
> numbers representing the Unicode of double quote. It did not work at all.
> 
> Having said that, the document is not for API. There is a possibility 
> that the receiving node where the object resides may perform some 
> preprocessing before invoking the API. The preprocessing may take care 
> of escaping.
> 
> Do you have a set up where you can modify the security descriptor of 
> an object using a protocol that you are planning to implement (from
> Windows-to-Windows) and use the escape sequence?
> 
> Regards,
> 
> Obaid Farooqi
> 
> Escalation Engineer | Microsoft
> 
> *From:*Obaid Farooqi
> *Sent:* Friday, April 14, 2023 12:13 PM
> *To:* douglas.bagnall@catalyst.net.nz
> *Cc:* cifs-protocol@lists.samba.org; Microsoft Support 
> <supportmail@microsoft.com>
> *Subject:* [MS-DTYP] Conditional ACE Unicode literal SDDL format -
> TrackingID#2302240040001164
> 
> Hi Douglas:
> 
> After much code browsing, my impression was that " is not allowed in 
> the attribute values. I asked the PG if there is an escape sequence 
> and answer was "maybe". The person who wrote the code did it 15 years 
> ago and does not work with it anymore.
> 
> So, I tried to test it and it confirmed my finding that " is not 
> allowed, escaped or otherwise.
> 
> I'll file a bug to correct ABNF.
> 
> PS: if you want to test various SDDL conditional expressions, you can 
> compile and run the following code:
> 
> Creating a DACL - Win32 apps | Microsoft Learn
> <https://learn.microsoft.com/en-us/windows/win32/secbp/creating-a-dacl>
> 
> In this code, a DACL is created from SDDL, a directory is created and the 
> DACL is applied to it. You can see the DACL is correctly applied in 
> the "Advanced" window in the security tab of properties of the directory.
> 
> I added the following ACE to the already present ACEs in the code
> 
> (XA;;FX;;;S-1-1-0;(@User.Title == \"PM\"))
> 
> Note: the escaping of quotes around PM is for C++, not SDDL.
> 
> The resulting DACL looks like
> 
> D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GRGWGX;;;AU)(XA;;FX;;;S-1-1-0;(@User.Title == "PM"))(A;OICI;GA;;;BA)
> 
> The result can be verified in the properties->security->Advanced as 
> follows (the following is a picture and if you did not get it, let me
> know)
> 
> [screenshot not included in the archived message]
> 
> Notice the 3rd column "Condition".
> 
> For the same condition, when I introduced a " in PM as part of the 
> value (escaped or otherwise), the code errored out when creating DACL from SDDL.
> 
> Regards,
> 
> Obaid Farooqi
> 
> Escalation Engineer | Microsoft
> 
> ===================================
> 
> From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
> 
> Sent: Thursday, February 23, 2023 6:10 PM
> 
> To: cifs-protocol@lists.samba.org; Interoperability Documentation Help <dochelp@microsoft.com>
> 
> Subject: [EXTERNAL] [MS-DTYP] Conditional ACE Unicode literal SDDL format
> 
> hi Dochelp,
> 
> I am interested in the details of the format for conditional ACE SDDL 
> format, which is not really described in [MS-DTYP] (unlike the wire format).
> 
> From the examples, it is clear that it involves double-quote delimiters:
> 
> (Title=="VP")
> 
> But how are escapes handled -- how would it handle a string that 
> itself contained a double quote?
> 
> In the ABNF there is a thing called "char-string":
> 
> char-string = DQUOTE *(CHAR) DQUOTE
> 
> which we can deduce applies to Unicode strings due to the definition 
> of value-array, but this doesn't answer the question. Rather, it 
> expands it, since
> 
> RFC5234 says CHAR is 7-bit ASCII only, precluding most Unicode values, 
> so there must be an escaping mechanism for these characters too 
> (unless the use of CHAR is mistaken).
> 
> My guess is that Unicode strings use the same %hhhh sequence as attr-char2 
> (encoding the double quote as %0022), but there is no mention of that.
> 
> cheers,
> 
> Douglas
> 


_______________________________________________
cifs-protocol mailing list
cifs-protocol@lists.samba.org
https://lists.samba.org/mailman/listinfo/cifs-protocol

