[Win32utils-devel] Some more win32-security: SID.create

Park Heesob phasis at gmail.com
Wed Jul 9 09:26:49 EDT 2008


----- Original Message ----- 
From: "Daniel Berger" <djberg96 at gmail.com>
To: "Development and ideas for win32utils projects" 
<win32utils-devel at rubyforge.org>
Sent: Wednesday, July 09, 2008 10:13 PM
Subject: Re: [Win32utils-devel] Some more win32-security: SID.create


> On Tue, Jul 8, 2008 at 10:35 PM, Heesob Park <phasis at gmail.com> wrote:
>> 2008/7/9 Daniel Berger <djberg96 at gmail.com>:
>>> On Tue, Jul 8, 2008 at 9:12 PM, Heesob Park <phasis at gmail.com> wrote:
>>>> Hi,
>>>>
>>>> 2008/7/9 Berger, Daniel <Daniel.Berger at qwest.com>:
>>>>> Hi all,
>>>>>
>>>>> How does this look as a general approach to a SID.create method:
>>>>>
>>>>> # Creates and initializes
>>>>> def self.create(authority, *sub_authorities)
>>>>>   if sub_authorities.length > 8
>>>>>      raise ArgumentError, 'maximum of 8 subauthorities allowed'
>>>>>   end
>>>>>
>>>>>   authorities = Array.new(8, 0)
>>>>>   authorities.replace(sub_authorities)
>>>>>   count = authorities.select{ |e| e > 0 }.size
>>>>>
>>>>>   if count == 0
>>>>>      # Use InitializeSid()
>>>>>   else
>>>>>      # Use AllocateAndInitializeSid()
>>>>>   end
>>>>> end
>>>>>
>>>>> Any help actually implementing this method would also be greatly
>>>>> appreciated, as my attempts were not working out so well.
>>>>>
>>>> Here is a working code:
>>>>
>>>> def self.create(authority, *sub_authorities)
>>>>
>>>>  if sub_authorities.length > 8
>>>>     raise ArgumentError, "maximum of 8 subauthorities allowed"
>>>>  end
>>>>
>>>>  sid = 0.chr * GetSidLengthRequired(sub_authorities.length+1)
>>>>
>>>>  if [0,1,2,3,5].include?(authority)
>>>>      auth = 0.chr * 5 + authority.chr
>>>>      bool = InitializeSid(sid, auth, sub_authorities.length+1)
>>>>      unless bool
>>>>       raise Error, get_last_error
>>>>      end
>>>>      sub_authorities.each_index do |i|
>>>>         value = [sub_authorities[i]].pack('L')
>>>>         auth_ptr = GetSidSubAuthority(sid, i)
>>>>         memcpy(auth_ptr,value,4)
>>>>      end
>>>>  end
>>>>  sid
>>>> end
>>>>
>>>>
>>>> Above code works with GetSidSubAuthority definition like this:
>>>> API.new('GetSidSubAuthority', 'PL', 'L', 'advapi32')
>>>
>>> Excellent, thanks. I've modified GetSidSubAuthority() as you suggest,
>>> and made a few other functions that I had previously returning
>>> pointers return longs instead - easier to deal with.
>>>
>>> Your code gave me an idea, too. What do you think of modifying SID.new
>>> so that it accepts either an account name or a sid? Behind the scenes
>>> it just calls LookupAccountSid or LookupAccountName, depending on the
>>> content of the first argument. That would allow SID.create to return a
>>> full SID object.
>>>
<snip>

> Yes, that will work better, thanks.
>
> Also, I wanted to ask about this bit:
>
> if [0,1,2,3,5].include?(authority)
>
> Why are we excluding SECURITY_NON_UNIQUE_AUTHORITY (4) and
> SECURITY_RESOURCE_MANAGER_AUTHORITY (9)?
>
I have no idea about the excluded values.
I have just ported it from the Visual C++ code :)
Refer to http://support.microsoft.com/kb/276208/en-us

Regards,

Park Heesob
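
Added example, not part of the original thread or of win32-security: a pure-Ruby model of the binary SID that InitializeSid and the GetSidSubAuthority writes fill in, so the buffer can be checked without calling the Win32 API. The names build_sid, sid_to_string and sid_length_required are hypothetical, and it assumes the count byte equals the number of sub-authorities passed in.

```ruby
# Added example: models the SID byte layout only; no Win32 calls are made.
SID_REVISION = 1
MAX_SUB_AUTHORITIES = 8 # the limit the thread's SID.create enforces

# Mirrors GetSidLengthRequired: 8-byte header plus 4 bytes per sub-authority.
def sid_length_required(count)
  8 + 4 * count
end

# Build the binary SID: revision, count, 6-byte big-endian identifier
# authority, then each sub-authority as a little-endian 32-bit value
# (what pack('L') yields on little-endian Windows).
def build_sid(authority, *sub_authorities)
  if sub_authorities.length > MAX_SUB_AUTHORITIES
    raise ArgumentError, 'maximum of 8 subauthorities allowed'
  end
  unless authority.is_a?(Integer) && authority.between?(0, 2**48 - 1)
    raise ArgumentError, 'authority must fit in 48 bits'
  end
  unless sub_authorities.all? { |s| s.is_a?(Integer) && s.between?(0, 2**32 - 1) }
    raise ArgumentError, 'each subauthority must fit in 32 bits'
  end
  auth = [authority].pack('Q>')[2, 6] # low 48 bits, big-endian
  [SID_REVISION, sub_authorities.length].pack('CC') + auth + sub_authorities.pack('V*')
end

# Parse a binary SID back into its S-R-I-S... string form, rejecting
# buffers whose length disagrees with the embedded sub-authority count.
def sid_to_string(sid)
  sid = sid.b
  raise ArgumentError, 'SID shorter than 8-byte header' if sid.bytesize < 8
  revision, count = sid.unpack('CC')
  raise ArgumentError, 'unsupported revision' unless revision == SID_REVISION
  unless sid.bytesize == sid_length_required(count)
    raise ArgumentError, 'length does not match sub-authority count'
  end
  authority = ("\0\0".b + sid[2, 6]).unpack1('Q>')
  subs = sid[8..-1].unpack('V*')
  (['S', revision, authority] + subs).join('-')
end
```

The length check in sid_to_string matters when a SID arrives from an untrusted buffer: trusting the count byte without it would read past the data actually supplied.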



