Re: SECURITY_DESCRIPTOR Equality
From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 04/24/05
- Next message: Philip: "HKEY_USERS Visibility"
- Previous message: Robert DiFalco: "Re: SECURITY_DESCRIPTOR Equality"
- In reply to: Robert DiFalco: "Re: SECURITY_DESCRIPTOR Equality"
- Next in thread: Pavel Lebedinsky: "Re: SECURITY_DESCRIPTOR Equality"
- Reply: Pavel Lebedinsky: "Re: SECURITY_DESCRIPTOR Equality"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 24 Apr 2005 13:51:25 -0400
A byte compare probably won't work since the ordering of ACEs is not fixed.
--
Joe Richards
Microsoft MVP Windows Server Directory Services
www.joeware.net

Robert DiFalco wrote:
> You think a byte compare on the PACL memory will work? I had assumed I would
> have to get the ACEs individually and then compare their flags and use
> EqualSid to compare the SID of each ACE. I can try the byte compare, but how
> do I find the size of the PACL buffer?
>
> R.
>
> "OShah" <shexec32@aol.com> wrote in message
> news:Xns96417562B497E5111156@207.46.248.16...
>
>> "Robert DiFalco" <rdifalco@tripwire.com> wrote in
>> news:ud6SoP4RFHA.3712@TK2MSFTNGP10.phx.gbl:
>>
>>> Given two security descriptors, what is the easiest way to compare them
>>> for equality? I guess another question is how do I compare two PACLs
>>> for equality.
>>>
>>> Is the only way to walk all the ACEs and compare them? What do I have
>>> to compare in the ACEs to determine if they are the same?
>>
>> I remember facing this problem before: unfortunately, I had to compare the
>> security descriptors piece by piece.
>>
>> To make things [slightly] easier, you can convert the security descriptors
>> to SDDL before comparing.
>>
>> For the ACLs, a memcmp()-style comparison of the entire ACL should be
>> sufficient. The order of ACEs is important in security descriptors, and if
>> the ACLs are ordered differently, they do behave differently. A memcmp()-
>> style comparison will detect this difference.
>>
>> If the SECURITY_DESCRIPTOR belongs to a private object
>> [CreatePrivateObjectSecurity()], then memcmp-style comparisons may or may
>> not work.
>>
>> Sysinternals' AccessEnum (the source of which is available) takes an
>> entirely different approach. It only checks for generic rights (ignoring
>> inheritance). It turns account aliases (CREATOR_OWNER) into usernames, and
>> then converts all usernames to groups.
>>
>> With the new PACL, for each ACE, it searches the 2nd ACL for an entry
>> similar to this ACE. If the ACEs seem similar enough, it takes them as
>> equal.
>>
>> --
>> ------------------------------------------------------------------------
>> oshah [shexec32]
>> Control Panel -> System -> Advanced -> Error Reporting -> Choose Programs
>> -> Do not report errors for these programs:
>>
>> Acrobat.exe
>> waol.exe
>> ------------------------------------------------------------------------
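The two positions in this thread (byte compare versus ACE-by-ACE compare with EqualSid) can be checked on two self-relative ACLs built inline. This is an added Python example, not code from any poster; it constructs its own sample SIDs and access masks and assumes both ACLs are already in canonical order (denies before allows), where reordering ACEs within a group does not change an access check. The header's AclSize field is also the answer to the buffer-size question, and it may include trailing slack that a byte compare would trip on.

```python
import struct
ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE = 0, 1  # AceType values for the two plain ACE layouts
def build_sid(authority, *subs):
    """Binary SID: revision 1, sub-authority count, 48-bit big-endian authority, LE sub-authorities."""
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def build_ace(ace_type, flags, mask, sid):
    """ACCESS_ALLOWED/DENIED_ACE: header (type, flags, AceSize), 32-bit mask, then the SID."""
    return struct.pack("<BBHI", ace_type, flags, 8 + len(sid), mask) + sid

def build_acl(aces, slack=0):
    """Self-relative ACL: header (revision 2, Sbz1, AclSize, AceCount, Sbz2); AclSize covers trailing slack."""
    body = b"".join(aces)
    return struct.pack("<BBHHH", 2, 0, 8 + len(body) + slack, len(aces), 0) + body + bytes(slack)

def sid_to_string(sid):
    """Render S-R-I-S1-S2..., so SIDs compare by content (what EqualSid does), not by buffer address."""
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from("<%dI" % sid[1], sid, 8)
    return "S-%d-%d" % (sid[0], authority) + "".join("-%d" % s for s in subs)

def parse_acl(acl):
    """Walk the ACEs using AclSize/AceCount from the header; returns (type, flags, mask, sid-string) per ACE."""
    _rev, _sbz1, acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", acl, 0)
    if acl_size > len(acl):
        raise ValueError("AclSize exceeds the buffer")
    aces, offset = [], 8
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", acl, offset)
        if ace_type not in (ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE):
            raise ValueError("object/callback ACEs carry extra fields before SidStart; not handled here")
        mask = struct.unpack_from("<I", acl, offset + 4)[0]
        sid_len = 8 + 4 * acl[offset + 9]          # SubAuthorityCount sits at SidStart + 1
        aces.append((ace_type, ace_flags, mask, sid_to_string(acl[offset + 8:offset + 8 + sid_len])))
        offset += ace_size
    return aces

def acls_equivalent(a, b):
    """Order-insensitive ACE comparison; exact when both ACLs are in canonical order (denies before allows)."""
    return sorted(parse_acl(a)) == sorted(parse_acl(b))

# Constructed sample data: well-known SIDs (Everyone, Administrators, Users) and generic file access masks.
EVERYONE, ADMINS, USERS = build_sid(1, 0), build_sid(5, 32, 544), build_sid(5, 32, 545)
DENY_DELETE = build_ace(ACCESS_DENIED_ACE_TYPE, 0, 0x10000, EVERYONE)       # DELETE
ALLOW_ADMINS = build_ace(ACCESS_ALLOWED_ACE_TYPE, 0, 0x1F01FF, ADMINS)      # FILE_ALL_ACCESS
ALLOW_USERS = build_ace(ACCESS_ALLOWED_ACE_TYPE, 0, 0x120089, USERS)        # FILE_GENERIC_READ
ACL_A = build_acl([DENY_DELETE, ALLOW_ADMINS, ALLOW_USERS])
ACL_B = build_acl([DENY_DELETE, ALLOW_USERS, ALLOW_ADMINS], slack=16)       # same rights, allows reordered, padded
ACL_C = build_acl([DENY_DELETE, ALLOW_ADMINS, build_ace(ACCESS_ALLOWED_ACE_TYPE, 0, 0x1F01FF, USERS)])
```

`ACL_A == ACL_B` is False (different order and 16 bytes of slack) while `acls_equivalent(ACL_A, ACL_B)` is True; against `ACL_C`, where Users gets a different mask, it is False.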