Unable to get accurate acl from Security Descriptor #277

Open
surajvenkat92 opened this issue Apr 10, 2024 · 5 comments
Comments

@surajvenkat92

I am using the smb_security_descriptor.py example to get the list of users and the access they have. It is returning a response, but it is misleading.
For example: user1 -> Read and execute, read, list
user 2 -> Read and execute, read, list, write

For both users, I am getting READ_CONTROL and SYNCHRONIZE as the mask flags.

Is there a way, or can you help me, to decode this DACL to match the one we choose in the Windows Security window?

@jborean93
Owner

jborean93 commented Apr 10, 2024

This library returns the full security descriptor from the server. I'm unsure what the differences are in how the server represents the ACEs, but in a test I can see that the mask returns the correct values and that inherited ACEs are also returned.

```text
[
    AccessAllowedAce:
        ace_type = (0) ACCESS_ALLOWED_ACE_TYPE
        ace_flags = (3) CONTAINER_INHERIT_ACE, OBJECT_INHERIT_ACE
        ace_size = 24
        mask = (2032127) DELETE, READ_CONTROL, SYNCHRONIZE, WRITE_DACL, WRITE_OWNER
        sid =
        S-1-5-32-545

        Raw Hex:
            00 03 18 00 FF 01 1F 00
            01 02 00 00 00 00 00 05
            20 00 00 00 21 02 00 00,
    AccessAllowedAce:
        ace_type = (0) ACCESS_ALLOWED_ACE_TYPE
        ace_flags = (19) CONTAINER_INHERIT_ACE, INHERITED_ACE, OBJECT_INHERIT_ACE
        ace_size = 20
        mask = (2032127) DELETE, READ_CONTROL, SYNCHRONIZE, WRITE_DACL, WRITE_OWNER
        sid =
        S-1-5-18

        Raw Hex:
            00 13 14 00 FF 01 1F 00
            01 01 00 00 00 00 00 05
            12 00 00 00,
...
]
```

Potentially the GUI groups ACEs for the same principal so it doesn't show duplicates, whereas this library gives you the raw SD and doesn't do any processing on top.

@surajvenkat92
Author

surajvenkat92 commented Apr 12, 2024

In Windows, we have the permissions below:
Read and execute
Read
List
Write
Modify
Full Control
Special permissions

How can I infer these from the mask value returned as part of the Security Descriptor?
In short, from the DACL list, is there a way I can get the standard access rights below?

STANDARD_RIGHTS_ALL
STANDARD_RIGHTS_EXECUTE
STANDARD_RIGHTS_READ
STANDARD_RIGHTS_REQUIRED
STANDARD_RIGHTS_WRITE

@jborean93
Owner

The mask values are the normal file access mask values used on Windows. This library has a pre-defined set of access mask values for files/pipes and directories at:

```python
class FilePipePrinterAccessMask:
    """
    [MS-SMB2] v53.0 2017-09-15
    2.2.13.1.1 File_Pipe_Printer_Access_Mask
    Access Mask flag values to be used when accessing a file, pipe, or printer
    """
    FILE_READ_DATA = 0x00000001
    FILE_WRITE_DATA = 0x00000002
    FILE_APPEND_DATA = 0x00000004
    FILE_READ_EA = 0x00000008
    FILE_WRITE_EA = 0x00000010
    FILE_DELETE_CHILD = 0x00000040
    FILE_EXECUTE = 0x00000020
    FILE_READ_ATTRIBUTES = 0x00000080
    FILE_WRITE_ATTRIBUTES = 0x00000100
    DELETE = 0x00010000
    READ_CONTROL = 0x00020000
    WRITE_DAC = 0x00040000
    WRITE_OWNER = 0x00080000
    SYNCHRONIZE = 0x00100000
    ACCESS_SYSTEM_SECURITY = 0x01000000
    MAXIMUM_ALLOWED = 0x02000000
    GENERIC_ALL = 0x10000000
    GENERIC_EXECUTE = 0x20000000
    GENERIC_WRITE = 0x40000000
    GENERIC_READ = 0x80000000


class DirectoryAccessMask:
    """
    [MS-SMB2] v53.0 2017-09-15
    2.2.13.1.2 Directory_Access_Mask
    Access Mask flag values to be used when accessing a directory
    """
    FILE_LIST_DIRECTORY = 0x00000001
    FILE_ADD_FILE = 0x00000002
    FILE_ADD_SUBDIRECTORY = 0x00000004
    FILE_READ_EA = 0x00000008
    FILE_WRITE_EA = 0x00000010
    FILE_TRAVERSE = 0x00000020
    FILE_DELETE_CHILD = 0x00000040
    FILE_READ_ATTRIBUTES = 0x00000080
    FILE_WRITE_ATTRIBUTES = 0x00000100
    DELETE = 0x00010000
    READ_CONTROL = 0x00020000
    WRITE_DAC = 0x00040000
    WRITE_OWNER = 0x00080000
    SYNCHRONIZE = 0x00100000
    ACCESS_SYSTEM_SECURITY = 0x01000000
    MAXIMUM_ALLOWED = 0x02000000
    GENERIC_ALL = 0x10000000
    GENERIC_EXECUTE = 0x20000000
    GENERIC_WRITE = 0x40000000
    GENERIC_READ = 0x80000000
```
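As an added example, not code from the issue or from the library itself: the decoder below parses the first ACE from the owner's Raw Hex dump above (BUILTIN\Users, mask 0x1F01FF) and maps its access mask onto the STANDARD_RIGHTS_* groups the reporter asked about and onto the Explorer basic permissions. The FILE_GENERIC_* unions are the winnt.h definitions; the basic-permission table is the conventional Explorer mapping and is an assumption of this example, not something the library provides.

```python
import struct

# Standard rights, bits 16-23 (winnt.h); same values as the access-mask classes above
DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE = 0x10000, 0x20000, 0x40000, 0x80000, 0x100000
STANDARD_RIGHTS = {"STANDARD_RIGHTS_READ": READ_CONTROL, "STANDARD_RIGHTS_WRITE": READ_CONTROL,
                   "STANDARD_RIGHTS_EXECUTE": READ_CONTROL, "STANDARD_RIGHTS_REQUIRED": 0xF0000,
                   "STANDARD_RIGHTS_ALL": 0x1F0000}   # the names the reporter asked about
# File-specific rights, bits 0-8
FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA = 0x1, 0x2, 0x4, 0x8
FILE_WRITE_EA, FILE_EXECUTE, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES = 0x10, 0x20, 0x80, 0x100
# Generic mappings (winnt.h FILE_GENERIC_*); Explorer's "basic" permissions are unions of these
FILE_GENERIC_READ = READ_CONTROL | FILE_READ_DATA | FILE_READ_ATTRIBUTES | FILE_READ_EA | SYNCHRONIZE
FILE_GENERIC_WRITE = (READ_CONTROL | FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA
                      | FILE_APPEND_DATA | SYNCHRONIZE)
FILE_GENERIC_EXECUTE = READ_CONTROL | FILE_READ_ATTRIBUTES | FILE_EXECUTE | SYNCHRONIZE
FILE_ALL_ACCESS = 0xF0000 | SYNCHRONIZE | 0x1FF                      # 0x1F01FF, i.e. 2032127
BASIC = [  # assumed Explorer mapping, most permissive first; "checked" only when every bit is present
    ("Full control", FILE_ALL_ACCESS),
    ("Modify", FILE_GENERIC_READ | FILE_GENERIC_WRITE | FILE_GENERIC_EXECUTE | DELETE),
    ("Read & execute", FILE_GENERIC_READ | FILE_GENERIC_EXECUTE),
    ("Read", FILE_GENERIC_READ),
    ("Write", FILE_GENERIC_WRITE),
]

def parse_ace(raw: bytes):
    """Decode an ACCESS_ALLOWED_ACE (MS-DTYP 2.4.4.2) into (type, flags, size, mask, sid)."""
    ace_type, ace_flags, ace_size, mask = struct.unpack_from("<BBHI", raw, 0)
    revision, sub_count = raw[8], raw[9]
    authority = int.from_bytes(raw[10:16], "big")          # 48-bit big-endian identifier authority
    subs = struct.unpack_from("<%dI" % sub_count, raw, 16)  # sub-authorities are little-endian
    sid = "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))
    return ace_type, ace_flags, ace_size, mask, sid

def standard_rights(mask: int):
    """Names of the STANDARD_RIGHTS_* groups fully contained in the mask."""
    return [name for name, bits in STANDARD_RIGHTS.items() if mask & bits == bits]

def basic_permissions(mask: int):
    """Basic permissions implied by the mask; bits outside every matched entry show as 'Special'."""
    granted, covered = [], 0
    for name, bits in BASIC:
        if mask & bits == bits:
            granted.append(name)
            covered |= bits
    if mask & ~covered:  # e.g. READ_CONTROL|SYNCHRONIZE alone matches no basic permission
        granted.append("Special permissions")
    return granted

# First ACE from the owner's reply, copied from its "Raw Hex" dump (S-1-5-32-545, mask 0x1F01FF)
ACE_BUILTIN_USERS = bytes.fromhex("00031800 FF011F00 01020000 00000005 20000000 21020000")
```

`parse_ace(ACE_BUILTIN_USERS)` yields mask 0x1F01FF, for which `basic_permissions` reports every basic permission, while a mask of only READ_CONTROL|SYNCHRONIZE (what the reporter sees) reports `['Special permissions']`, which is why the two users look identical when only the standard bits are decoded.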

@surajvenkat92
Author

In the Security Descriptor,
I am setting the permission set below:
User 1: Read and execute, List, Read
User 2: Read and execute, List, Read, Write

In this case, I am getting READ_CONTROL, SYNCHRONIZE as the DACL values for both User 1 and User 2. Is there a way I can identify that User 2 has Read/Write access?

@jborean93
Owner

The response from SMB is the raw security descriptor and the ACE entries for the DACL. If there is no entry for the user, then when you set it, it is probably already part of another rule. Not much you can do about that, as this library just gets the raw ACE entries.
