[Win32utils-devel] Some more win32-security: SID.create

Daniel Berger djberg96 at gmail.com
Wed Jul 9 09:13:20 EDT 2008


On Tue, Jul 8, 2008 at 10:35 PM, Heesob Park <phasis at gmail.com> wrote:
> 2008/7/9 Daniel Berger <djberg96 at gmail.com>:
>> On Tue, Jul 8, 2008 at 9:12 PM, Heesob Park <phasis at gmail.com> wrote:
>>> Hi,
>>>
>>> 2008/7/9 Berger, Daniel <Daniel.Berger at qwest.com>:
>>>> Hi all,
>>>>
>>>> How does this look as a general approach to a SID.create method:
>>>>
>>>> # Creates and initializes
>>>> def self.create(authority, *sub_authorities)
>>>>   if sub_authorities.length > 8
>>>>      raise ArgumentError, 'maximum of 8 subauthorities allowed'
>>>>   end
>>>>
>>>>   authorities = Array.new(8, 0)
>>>>   authorities.replace(sub_authorities)
>>>>   count = authorities.select{ |e| e > 0 }.size
>>>>
>>>>   if count == 0
>>>>      # Use InitializeSid()
>>>>   else
>>>>      # Use AllocateAndInitializeSid()
>>>>   end
>>>> end
>>>>
>>>> Any help actually implementing this method would also be greatly
>>>> appreciated, as my attempts were not working out so well.
>>>>
>>> Here is an working code:
>>>
>>> def self.create(authority, *sub_authorities)
>>>
>>>  if sub_authorities.length > 8
>>>     raise ArgumentError, "maximum of 8 subauthorities allowed"
>>>  end
>>>
>>>  sid = 0.chr * GetSidLengthRequired(sub_authorities.length+1)
>>>
>>>  if [0,1,2,3,5].include?(authority)
>>>      auth = 0.chr * 5 + authority.chr
>>>      bool = InitializeSid(sid, auth, sub_authorities.length+1)
>>>      unless bool
>>>       raise Error, get_last_error
>>>      end
>>>      sub_authorities.each_index do |i|
>>>         value = [sub_authorities[i]].pack('L')
>>>         auth_ptr = GetSidSubAuthority(sid, i)
>>>         memcpy(auth_ptr,value,4)
>>>      end
>>>  end
>>>  sid
>>> end
>>>
>>>
>>> Above code works with GetSidSubAuthority definition like this:
>>> API.new('GetSidSubAuthority', 'PL', 'L', 'advapi32')
>>
>> Excellent, thanks. I've modified GetSidSubAuthority() as you suggest,
>> and made a few other functions that I had previously returning
>> pointers return longs instead - easier to deal with.
>>
>> Your code gave me an idea, too. What do you think of modifying SID.new
>> so that it accepts either an account name or a sid? Behind the scenes
>> it just calls LookupAccountSid or LookupAccountName, depending on the
>> content of the first argument. That would allow SID.create to return a
>> full SID object.
>>
>> Here's a proposed implementation:
>>
>> def self.create(authority, *sub_authorities)
>>   # Code same as before except for the return value
>>   return self.new(sid)
>> end
>>
>> def initialize(account, host=Socket.gethostname)
>>   sid    = 0.chr * 28
>>   sid_cb = [sid.size].pack('L')
>>
>>   domain_buf = 0.chr * 80
>>   domain_cch = [domain_buf.size].pack('L')
>>
>>   sid_name_use = 0.chr * 4
>>
>>    # If the account includes non-alpha characters, assume it's a SID.
>>     if account =~ /\W+/ # Unicode concerns?
>>        bool = LookupAccountSid(
>>           host,
>>           [account].pack('p*').unpack('L')[0],
>>            sid,
>>            sid_cb,
>>            domain_buf,
>>            domain_cch,
>>            sid_name_use
>>         )
>>
>>         @sid = account
>>         @name = sid.strip
>>     else
>>         bool = LookupAccountName(
>>            host,
>>            account,
>>            sid,
>>            sid_cb,
>>            domain_buf,
>>            domain_cch,
>>            sid_name_use
>>         )
>>
>>         @sid = sid.strip
>>         @account = account
>>   end
>>
>>   unless bool
>>      raise Error, get_last_error
>>   end
>>
>>   @host    = host
>>   @domain  = domain_buf.strip
>>
>>   @account_type = get_account_type(sid_name_use.unpack('L')[0])
>>
>>   sid
>> end
>>
>> How does that look?
>>
> That looks good.
>
> I think the SID detection code
>  if account =~ /\W+/
> can be something like
>  if account[0] < 10

Yes, that will work better, thanks.

Also, I wanted to ask about this bit:

if [0,1,2,3,5].include?(authority)

Why are we excluding SECURITY_NON_UNIQUE_AUTHORITY (4) and
SECURITY_RESOURCE_MANAGER_AUTHORITY (9)?

Thanks,

Dan


More information about the win32utils-devel mailing list