RE: Creating a directory with security attributes.

From: Kevin Burton (KevinBurton_at_discussions.microsoft.com)
Date: 11/22/04

    Date: Mon, 22 Nov 2004 08:47:07 -0800

    When I set a directory with access to Domain Users and I query the directory
    for the security descriptor I get:

    (A;OICI;0x1701da;;;DU)

    So apparently there is a bug as converting from a security descriptor to an
    SDDL string produces DU but going the other way produces an error.

    Kevin

    "Steve Friedl [MVP]" wrote:

    > "Kevin Burton" wrote:
    >
    > > TCHAR * szSD = TEXT("D:") // Discretionary ACL
    > > TEXT("(D;OICI;GA;;;BG)") // Deny access to built-in guests
    > > TEXT("(D;OICI;GA;;;AN)") // Deny access to anonymous logon
    > > TEXT("(A;OICI;GRGWGX;;;AU)") // Allow r/w/x to authenticated users
    > > TEXT("(A;OICI;GA;;;BA)") // Allow full control to administrators
    > > TEXT("(A;OICI;GA;;;DU)"); // Allow full control to domain users
    >
    > It seems that the problem is with the "AN" and "DU" tokens that specify
    > "Anonymous users" and "Domain Users" - I'm not sure why this is the case. You
    > can see for yourself by making a small test program that comments these lines
    > out:
    >
    > When these tokens are converted to the S-format, it seems to work:
    >
    > #define _WIN32_WINNT 0x0500   // needed for the SDDL conversion APIs
    > #include <windows.h>
    > #include <sddl.h>
    > #include <stdio.h>
    > #include <tchar.h>
    >
    > int __cdecl _tmain(void)
    > {
    >     SECURITY_ATTRIBUTES sa;
    >
    >     ZeroMemory(&sa, sizeof sa);
    >
    >     sa.nLength        = sizeof sa;
    >     sa.bInheritHandle = FALSE;
    >
    >     // Same string as before, with the two trustee tokens that fail
    >     // (AN = anonymous logon, DU = domain users) commented out.
    >     const TCHAR * szSD =
    >         _T("D:")                      // Discretionary ACL
    >         _T("(D;OICI;GA;;;BG)")        // Deny access to built-in guests
    >      // _T("(D;OICI;GA;;;AN)")        // Deny access to anonymous logon
    >         _T("(A;OICI;GRGWGX;;;AU)")    // Allow r/w/x to authenticated users
    >         _T("(A;OICI;GA;;;BA)")        // Allow full control to administrators
    >      // _T("(A;OICI;GA;;;DU)")        // Allow full control to domain users
    >         ;
    >
    >     if ( ! ConvertStringSecurityDescriptorToSecurityDescriptor(
    >                 szSD,
    >                 SDDL_REVISION_1,
    >                 &sa.lpSecurityDescriptor,
    >                 NULL) )
    >     {
    >         // GetLastError() returns a DWORD, so print it unsigned
    >         printf("failed: err#%lu\n", GetLastError() );
    >     }
    >     else
    >     {
    >         printf("created OK\n");
    >         // the converted descriptor is allocated by the API and must be freed
    >         LocalFree(sa.lpSecurityDescriptor);
    >     }
    >
    >     return 0;
    > }
    >
    > With this more limited string, it works (I figured it out by trial-and-error).
    >
    > Replacing these tokens for the ACE trustee (ref:
    > http://msdn.microsoft.com/library/en-us/secauthz/security/sid_strings.asp )
    > with the S-format seems to help:
    >
    > // deny access to anonymous logins
    > > TEXT("(D;OICI;GA;;;AN)") // doesn't seem to work
    > > TEXT("(D;OICI;GA;;;S-1-5-7)") // seems to work OK
    >
    > Finding the SID for the domain users is left as an exercise to the reader.
    > Not sure if this is a bug or not...
    >
    > Steve
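Steve's workaround above swaps one alias for its S-format SID by hand. As an added example (not code from either poster), this portable C helper applies that rewrite to a whole DACL string: aliases for constant well-known SIDs (BG, BA, AU, AN) are replaced from a table, while a domain-relative alias such as DU expands to <domain SID>-RID and is therefore left in place and counted unless the caller supplies the domain SID. The RID table (DA/DU/DG) is mine, and any domain SID passed in is a constructed sample; the DACL string it is meant for is Kevin's.

```c
#include <stdio.h>
#include <string.h>
/* Aliases that name constant well-known SIDs, identical on every machine. */
static const char *const_sid(const char *alias)
{
    static const char *tab[][2] = {
        {"BG", "S-1-5-32-546"}, /* Built-in Guests */
        {"BA", "S-1-5-32-544"}, /* Built-in Administrators */
        {"AU", "S-1-5-11"},     /* Authenticated Users */
        {"AN", "S-1-5-7"},      /* Anonymous Logon, the swap Steve made */
    };
    for (size_t i = 0; i < sizeof tab / sizeof tab[0]; i++)
        if (strcmp(tab[i][0], alias) == 0) return tab[i][1];
    return NULL;
}
/* Domain-relative aliases are <domain SID>-<RID>: not writable without the domain SID. */
static int domain_rid(const char *alias)
{
    if (strcmp(alias, "DA") == 0) return 512; /* Domain Admins */
    if (strcmp(alias, "DU") == 0) return 513; /* Domain Users */
    if (strcmp(alias, "DG") == 0) return 514; /* Domain Guests */
    return 0;
}
/* Copy `in` to `out`, rewriting each ACE trustee (6th field) to S-format where
 * possible; domain_sid is a constructed "S-1-5-21-..." string or NULL. Returns how
 * many trustees were left as aliases, or -1 for a malformed string / small buffer. */
int sddl_expand_trustees(const char *in, const char *domain_sid, char *out, size_t outlen)
{
    int unresolved = 0, semis = 0; size_t o = 0;
    for (const char *p = in; *p; p++) {
        if (o + 1 >= outlen) return -1;
        out[o++] = *p;
        if (*p == '(') semis = 0;
        else if (*p == ';' && ++semis == 5) {          /* trustee field follows */
            const char *end = strchr(p + 1, ')');
            char field[64] = {0}, sid[96];
            if (!end || (size_t)(end - p - 1) >= sizeof field) return -1;
            memcpy(field, p + 1, (size_t)(end - p - 1));
            const char *c = const_sid(field), *rep = c ? c : field;
            int rid = domain_rid(field);
            if (!c && rid && domain_sid) { snprintf(sid, sizeof sid, "%s-%d", domain_sid, rid); rep = sid; }
            else if (!c && strncmp(field, "S-", 2) != 0) unresolved++; /* alias we cannot map */
            if (o + strlen(rep) >= outlen) return -1;
            memcpy(out + o, rep, strlen(rep)); o += strlen(rep);
            p = end - 1;                                /* loop's p++ then copies ')' */
        }
    }
    out[o] = '\0';
    return unresolved;
}
```

Run on Kevin's string with a NULL domain SID it leaves exactly one trustee (DU) as an alias, which is the one the API was rejecting; pass the domain SID and every trustee comes out in S-format.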
