Re: GetEffectivePermissions and Implementing DACL Inheritance

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 08/27/05


Date: Fri, 26 Aug 2005 22:53:50 -0700

My guess is that it is an error in the calls initiated with the ATL
wrappers.
There have been changes in the semantics of ACE ordering within ACLs,
and perhaps the ultimately called APIs are not following correct ordering.
The SDDL is not the issue, since both
"O:BAG:BAD:AI(A;OICI;0xfff;;;BA)(A;OICIID;0xfff;;;BA)"
and
"O:BAG:BAD:AI(A;OICI;0xfff;;;BA)(D;OICIID;0xfff;;;BA)"
are totally valid, and as these also do not express ACE order, the issue
must be in what is implementing the ACL manipulation. The particular
issue you mention was commonly seen back when the semantics for
inherited vs. explicit deny were first defined, so that the correct order is deny,
allow, deny, allow, but older code used the older semantics of always
placing deny before allow, leading to an invalid ACL with an inherited deny
in the ACE list before explicit allows.

-- 
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
<chris.rosner@gmail.com> wrote in message
news:1125099665.100667.102620@o13g2000cwo.googlegroups.com...
> This question has to do with Win32 security functions.
>
> I am not entirely certain as to why, but GetEffectivePermissions
> reports an ERROR_INVALID_ACL error on what I thought was a valid DACL.
> The problem seems to be related to inherited deny entries in the DACL.
> Inherited allow entries seem to be fine (as far as my testing goes). I
> generate my DACL using the ATL wrappers in the CSecurityDesc::FromString()
> function. I created two ACLs; one with an inherited allow entry, and
> one with an inherited deny entry. The inherited allow works, the deny
> does not. It seems perfectly valid to me looking at the rules of
> permission inheritance and SDDL syntax in the MSDN library.
>
> This works:
> "O:BAG:BAD:AI(A;OICI;0xfff;;;BA)(A;OICIID;0xfff;;;BA)"
> This does not:
> "O:BAG:BAD:AI(A;OICI;0xfff;;;BA)(D;OICIID;0xfff;;;BA)"
>
> Does anyone have any insight as to why this would happen?
>

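The ordering rule Roger describes can be checked offline. The following is an added, platform-independent example (not code from the thread, and not a call into the Win32 or ATL APIs; the `parse_dacl` and `check` names are my own) that parses the DACL portion of the two SDDL strings above, rates each ACE against the canonical order (explicit deny, explicit allow, inherited deny, inherited allow), and also shows what the older "every deny before every allow" rule would produce.

```python
import re

# One SDDL ACE: (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
ACE_RE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*)\)")

ALLOW_TYPES = {"A", "OA"}   # access-allowed (and object-allowed) ACEs
DENY_TYPES = {"D", "OD"}    # access-denied (and object-denied) ACEs


def parse_dacl(sddl):
    """Return (dacl_flags, [ace dicts]) for the D: section of an SDDL string."""
    m = re.search(r"D:(.*?)(?:S:|$)", sddl)
    if not m:
        raise ValueError("no DACL in SDDL string")
    section = m.group(1)
    flags = section.split("(", 1)[0]          # e.g. "AI" (auto-inherited), "P" (protected)
    aces = []
    for ace_type, ace_flags, rights, _obj, _inh, sid in ACE_RE.findall(section):
        # ACE flags are concatenated two-letter tokens (OI, CI, NP, IO, ID, ...)
        tokens = {ace_flags[i:i + 2] for i in range(0, len(ace_flags), 2)}
        aces.append({"type": ace_type, "flags": tokens, "rights": rights, "sid": sid,
                     "inherited": "ID" in tokens})
    return flags, aces


def canonical_rank(ace):
    """Canonical DACL order: explicit deny (0), explicit allow (1), inherited deny (2), inherited allow (3)."""
    if ace["type"] in DENY_TYPES:
        base = 0
    elif ace["type"] in ALLOW_TYPES:
        base = 1
    else:
        raise ValueError("not an access ACE: " + ace["type"])
    return base + (2 if ace["inherited"] else 0)


def is_canonical(aces):
    """True when ranks never decrease from one ACE to the next."""
    ranks = [canonical_rank(a) for a in aces]
    return all(a <= b for a, b in zip(ranks, ranks[1:]))


def legacy_order(aces):
    """The older rule: every deny before every allow, inheritance ignored (stable sort)."""
    return sorted(aces, key=lambda a: 0 if a["type"] in DENY_TYPES else 1)


def check(sddl):
    """Is the DACL canonical as written, and after an old-style deny-first sort?"""
    _, aces = parse_dacl(sddl)
    return {"as_written": is_canonical(aces), "legacy_sorted": is_canonical(legacy_order(aces))}
```

For the second string, `check` reports it canonical as written (explicit allow, then inherited deny) but non-canonical after the deny-first sort, which is exactly the inherited-deny-before-explicit-allow layout that yields ERROR_INVALID_ACL.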
