Re: SECURITY_DESCRIPTOR Equality

From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 04/24/05


Date: Sun, 24 Apr 2005 13:51:25 -0400

A byte compare probably won't work since the ordering of ACEs is not fixed.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
Robert DiFalco wrote:
> You think a byte compare on the PACL memory will work? I had assumed I would
> have to get the ACEs individually and then compare their flags and use
> EqualSid to compare the SID of each ACE. I can try the byte compare, but how
> do I find the size of the PACL buffer?
> 
> R.
> 
> "OShah" <shexec32@aol.com> wrote in message
> news:Xns96417562B497E5111156@207.46.248.16...
> 
>>"Robert DiFalco" <rdifalco@tripwire.com> wrote in
>>news:ud6SoP4RFHA.3712@TK2MSFTNGP10.phx.gbl:
>>
>>
>>>Given two security descriptors, what is the easiest way to compare them
>>>for equality? I guess another question is how do I compare two PACLs
>>>for equality.
>>>
>>>Is the only way to walk all the ACEs and compare them? What do I have
>>>to compare in the ACEs to determine if they are the same?
>>>
>>
>>I remember facing this problem before: unfortunately, I had to compare the
>>security descriptors piece by piece.
>>
>>To make things [slightly] easier, you can convert the security descriptors
>>to SDDL before comparing.
>>
>>For the ACLs, a memcmp()-style comparison of the entire ACL should be
>>sufficient. The order of ACEs is important in security descriptors, and if
>>the ACLs are ordered differently, they do behave differently. A memcmp()
>>style comparison will detect this difference.
>>
>>If the SECURITY_DESCRIPTOR belongs to a private object
>>[CreatePrivateObjectSecurity()], then memcmp style comparisons may or may
>>not work.
>>
>>Sysinternals' AccessEnum (the source of which is available) takes an
>>entirely different approach. It only checks for generic rights (ignoring
>>inheritance). It turns account aliases (CREATOR_OWNER) into usernames, and
>>then converts all usernames to groups.
>>
>>With the new PACL, for each ACE, it searches the 2nd ACL for an entry
>>similar to this ACE. If the ACEs seem similar enough, it takes them as
>>equal.
>>
>>
>>-- 
>>------------------------------------------------------------------------
>>oshah [shexec32]
>>Control Panel -> System -> Advanced -> Error Reporting -> Choose Programs
>>-> Do not report errors for these programs:
>>
>>Acrobat.exe
>>waol.exe
>>
>>------------------------------------------------------------------------
> 
> 
> 


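The three answers in this thread fit together: a raw byte compare is unreliable because two equivalent ACLs can carry the same ACEs in a different order (and the reserved Sbz bytes or slack past AclSize need not match), the ACL header's own AclSize field gives the buffer length the question asks about, and walking the ACEs and comparing type, flags, access mask and SID is the dependable route. The C example below is added here and is not code from the thread or from Microsoft. It hand-parses the documented ACL / ACE_HEADER / ACCESS_ALLOWED_ACE / SID byte layout so it builds and runs off Windows; on Windows you would use the winnt.h structures with GetAclInformation, GetAce and EqualSid instead. The sample ACLs, the `ace_spec` builder and all function names are constructed for the example. It provides an order-sensitive compare, which is the correct notion of equality because ACE order changes how an access check resolves, and an order-insensitive multiset compare for cases where you have decided order is irrelevant. It covers a single ACL only: a full SECURITY_DESCRIPTOR comparison still has to check owner, group, control flags and the SACL separately.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not from the thread. Byte layouts mirror the documented
   Windows ACL / ACE_HEADER / ACCESS_ALLOWED_ACE / SID formats (winnt.h),
   parsed by hand so the code also builds off Windows. */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

#define ACL_HDR  8   /* AclRevision, Sbz1, AclSize(2), AceCount(2), Sbz2(2) */
#define ACE_HDR  4   /* AceType, AceFlags, AceSize(2); Mask(4) and SID follow */
#define MAX_ACES 32

/* The ACL header carries its own length: this answers "how big is the PACL". */
uint16_t acl_size(const uint8_t *acl) { return rd16(acl + 2); }

typedef struct { uint8_t type, flags; uint32_t mask; const uint8_t *sid; size_t sid_len; } ace_view;

/* Walk one ACL into ACE views; returns the ACE count, or -1 if malformed. */
static int acl_parse(const uint8_t *acl, size_t buf_len, ace_view *out) {
    if (buf_len < ACL_HDR) return -1;
    size_t size = acl_size(acl), off = ACL_HDR;
    int count = rd16(acl + 4);
    if (size > buf_len || count > MAX_ACES) return -1;
    for (int i = 0; i < count; i++) {
        if (off + ACE_HDR + 4 + 8 > size) return -1;          /* need header, mask, SID header */
        const uint8_t *ace = acl + off, *sid = ace + 8;
        size_t ace_size = rd16(ace + 2), sid_len = 8 + 4 * (size_t)sid[1]; /* SubAuthorityCount */
        if (ace_size < 8 + sid_len || off + ace_size > size) return -1;
        out[i].type = ace[0]; out[i].flags = ace[1]; out[i].mask = rd32(ace + 4);
        out[i].sid = sid; out[i].sid_len = sid_len;
        off += ace_size;
    }
    return count;
}

/* What Robert planned to compare per ACE: flags, type, mask and the SID (EqualSid). */
static int ace_equal(const ace_view *a, const ace_view *b) {
    return a->type == b->type && a->flags == b->flags && a->mask == b->mask &&
           a->sid_len == b->sid_len && memcmp(a->sid, b->sid, a->sid_len) == 0;
}

/* Order-sensitive: ACE order changes how an access check resolves, so this is the
   correct "same ACL" test. Unlike memcmp it ignores Sbz bytes and slack past AclSize. */
int acl_equal_ordered(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen) {
    ace_view va[MAX_ACES], vb[MAX_ACES];
    int na = acl_parse(a, alen, va), nb = acl_parse(b, blen, vb);
    if (na < 0 || na != nb) return 0;
    for (int i = 0; i < na; i++) if (!ace_equal(&va[i], &vb[i])) return 0;
    return 1;
}

/* Order-insensitive: same multiset of ACEs. Use only when you have decided order is irrelevant. */
int acl_equal_unordered(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen) {
    ace_view va[MAX_ACES], vb[MAX_ACES];
    int used[MAX_ACES] = {0};
    int na = acl_parse(a, alen, va), nb = acl_parse(b, blen, vb);
    if (na < 0 || na != nb) return 0;
    for (int i = 0; i < na; i++) {
        int j;
        for (j = 0; j < nb; j++) if (!used[j] && ace_equal(&va[i], &vb[j])) { used[j] = 1; break; }
        if (j == nb) return 0;
    }
    return 1;
}

/* Constructed-sample builder (hypothetical type): SID revision 1, authority fits in the last byte. */
typedef struct { uint8_t type, flags; uint32_t mask; uint8_t authority, nsub; uint32_t sub[2]; } ace_spec;

static size_t build_acl(uint8_t *dst, const ace_spec *specs, int n) {
    size_t off = ACL_HDR;
    for (int i = 0; i < n; i++) {
        const ace_spec *s = &specs[i];
        uint8_t *ace = dst + off, *sid = ace + 8;
        uint16_t ace_size = (uint16_t)(8 + 8 + 4 * s->nsub);
        ace[0] = s->type; ace[1] = s->flags; wr16(ace + 2, ace_size); wr32(ace + 4, s->mask);
        sid[0] = 1; sid[1] = s->nsub; memset(sid + 2, 0, 6); sid[7] = s->authority;
        for (int k = 0; k < s->nsub; k++) wr32(sid + 8 + 4 * k, s->sub[k]);
        off += ace_size;
    }
    dst[0] = 2; dst[1] = 0; wr16(dst + 2, (uint16_t)off); wr16(dst + 4, (uint16_t)n); wr16(dst + 6, 0);
    return off;
}

/* Constructed sample: Administrators (S-1-5-32-544) FILE_ALL_ACCESS and
   Everyone (S-1-1-0) FILE_GENERIC_READ, both access-allowed, in either order. */
static const ace_spec ADMINS_FULL   = {0, 0, 0x001F01FF, 5, 2, {32, 544}};
static const ace_spec EVERYONE_READ = {0, 0, 0x00120089, 1, 1, {0, 0}};

size_t make_sample_acl(uint8_t *dst, int reversed) {
    ace_spec specs[2];
    specs[reversed ? 1 : 0] = ADMINS_FULL;
    specs[reversed ? 0 : 1] = EVERYONE_READ;
    return build_acl(dst, specs, 2);
}

int main(void) {
    uint8_t a[64], b[64];
    size_t la = make_sample_acl(a, 0), lb = make_sample_acl(b, 1);
    printf("AclSize=%u memcmp_differs=%d ordered=%d unordered=%d\n", (unsigned)acl_size(a),
           memcmp(a, b, la) != 0, acl_equal_ordered(a, la, b, lb), acl_equal_unordered(a, la, b, lb));
    return 0;
}
```

Run as-is, the two sample ACLs differ under memcmp and under the ordered compare, but match under the multiset compare, which is exactly the gap Joe Richards points at; a truncated buffer whose AclSize exceeds the allocation is rejected rather than read past its end.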