[Win32utils-devel] Some more win32-security: SID.create

Berger, Daniel Daniel.Berger at qwest.com
Wed Jul 9 18:00:15 EDT 2008

> -----Original Message-----
> From: win32utils-devel-bounces at rubyforge.org 
> [mailto:win32utils-devel-bounces at rubyforge.org] On Behalf Of 
> Park Heesob
> Sent: Wednesday, July 09, 2008 7:27 AM
> To: Development and ideas for win32utils projects
> Subject: Re: [Win32utils-devel] Some more win32-security: SID.create
> 
> 
> ----- Original Message -----
> From: "Daniel Berger" <djberg96 at gmail.com>
> To: "Development and ideas for win32utils projects" 
> <win32utils-devel at rubyforge.org>
> Sent: Wednesday, July 09, 2008 10:13 PM
> Subject: Re: [Win32utils-devel] Some more win32-security: SID.create
> 
> 
> > On Tue, Jul 8, 2008 at 10:35 PM, Heesob Park <phasis at gmail.com> wrote:
> >> 2008/7/9 Daniel Berger <djberg96 at gmail.com>:
> >>> On Tue, Jul 8, 2008 at 9:12 PM, Heesob Park <phasis at gmail.com> wrote:
> >>>> Hi,
> >>>>
> >>>> 2008/7/9 Berger, Daniel <Daniel.Berger at qwest.com>:
> >>>>> Hi all,
> >>>>>
> >>>>> How does this look as a general approach to a SID.create method:
> >>>>>
> >>>>> # Creates and initializes
> >>>>> def self.create(authority, *sub_authorities)
> >>>>>   if sub_authorities.length > 8
> >>>>>      raise ArgumentError, 'maximum of 8 subauthorities allowed'
> >>>>>   end
> >>>>>
> >>>>>   authorities = Array.new(8, 0)
> >>>>>   authorities.replace(sub_authorities)
> >>>>>   count = authorities.select{ |e| e > 0 }.size
> >>>>>
> >>>>>   if count == 0
> >>>>>      # Use InitializeSid()
> >>>>>   else
> >>>>>      # Use AllocateAndInitializeSid()
> >>>>>   end
> >>>>> end
> >>>>>
> >>>>> Any help actually implementing this method would also be greatly
> >>>>> appreciated, as my attempts were not working out so well.
> >>>>>
> >>>> Here is working code:
> >>>>
> >>>> def self.create(authority, *sub_authorities)
> >>>>
> >>>>  if sub_authorities.length > 8
> >>>>     raise ArgumentError, "maximum of 8 subauthorities allowed"
> >>>>  end
> >>>>
> >>>>  sid = 0.chr * GetSidLengthRequired(sub_authorities.length+1)
> >>>>
> >>>>  if [0,1,2,3,5].include?(authority)
> >>>>      auth = 0.chr * 5 + authority.chr
> >>>>      bool = InitializeSid(sid, auth, sub_authorities.length+1)
> >>>>      unless bool
> >>>>       raise Error, get_last_error
> >>>>      end
> >>>>      sub_authorities.each_index do |i|
> >>>>         value = [sub_authorities[i]].pack('L')
> >>>>         auth_ptr = GetSidSubAuthority(sid, i)
> >>>>         memcpy(auth_ptr,value,4)
> >>>>      end
> >>>>  end
> >>>>  sid
> >>>> end
> >>>>
> >>>>
> >>>> Above code works with GetSidSubAuthority definition like this:
> >>>> API.new('GetSidSubAuthority', 'PL', 'L', 'advapi32')
> >>>
> >>> Excellent, thanks. I've modified GetSidSubAuthority() as you suggest,
> >>> and made a few other functions that I had previously returning
> >>> pointers return longs instead - easier to deal with.
> >>>
> >>> Your code gave me an idea, too. What do you think of modifying SID.new
> >>> so that it accepts either an account name or a sid? Behind the scenes
> >>> it just calls LookupAccountSid or LookupAccountName, depending on the
> >>> content of the first argument. That would allow SID.create to return a
> >>> full SID object.
> >>>
> <snip>
> 
> > Yes, that will work better, thanks.
> >
> > Also, I wanted to ask about this bit:
> >
> > if [0,1,2,3,5].include?(authority)
> >
> > Why are we excluding SECURITY_NON_UNIQUE_AUTHORITY (4) and
> > SECURITY_RESOURCE_MANAGER_AUTHORITY (9)?
> >
> I have no idea about the excluding values.
> I just have ported it from the Visual C++ code :)
> Refer to http://support.microsoft.com/kb/276208/en-us

Ok, but something's not right, because this bit of code doesn't seem to
do anything:

sub_authorities.each_index do |i|
   value = [sub_authorities[i]].pack('L')
   auth_ptr = GetSidSubAuthority(sid, i)
   memcpy(auth_ptr, value, 4)
end

I think part of the problem is that I changed the return type of
GetSidSubAuthority to a long. But, regardless, I don't understand what
that's supposed to do.

I took a stab at trying to create a SID with a sub-authority with the
following code, but it didn't seem to work. Any ideas?

def self.create(authority, *sub_authorities)
   if sub_authorities.length > 8
      raise ArgumentError, "maximum of 8 subauthorities allowed"
   end

   # Buffer sized for a SID with this many sub-authorities
   sid  = 0.chr * GetSidLengthRequired(sub_authorities.length + 1)
   # 6-byte SID_IDENTIFIER_AUTHORITY, big-endian, authority in the last byte
   auth = 0.chr * 5 + authority.chr

   if sub_authorities.length == 0
      unless InitializeSid(sid, auth, 1)
         raise Error, get_last_error
      end
   else
      array = Array.new(8, 0)
      array.replace(sub_authorities)

      bool = AllocateAndInitializeSid(
         auth,
         sub_authorities.select{ |e| e > 0 }.size,
         array[0],
         array[1],
         array[2],
         array[3],
         array[4],
         array[5],
         array[6],
         array[7],
         sid
      )

      unless bool
         raise Error, get_last_error
      end
   end

   self.new(sid)
end

Thanks,

Dan
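For reference, this is the byte layout that the Win32 calls discussed in this thread produce (InitializeSid writes the revision, sub-authority count and 6-byte identifier authority; each GetSidSubAuthority slot is a 4-byte little-endian DWORD; GetSidLengthRequired(n) is 8 + 4*n). It is an added pure-Ruby example, not code from this thread or from win32-security, and it builds and parses the same bytes without any Win32 API call, so it runs on any platform; it also accepts 0 as a valid sub-authority value (S-1-1-0 is Everyone) and authority values such as 4 and 9, which the thread asks about.

```ruby
# Added example: build a binary SID the way InitializeSid/GetSidSubAuthority
# lay it out, then render it in "S-R-I-S..." form. Pure Ruby, no Win32 calls.
# Layout of the SID struct (Winnt.h):
#   byte 0     Revision (always 1)
#   byte 1     SubAuthorityCount
#   bytes 2-7  IdentifierAuthority, 6 bytes big-endian
#   bytes 8..  SubAuthorityCount 4-byte little-endian DWORDs
SID_MAX_SUB_AUTHORITIES = 15
SID_REVISION = 1

# Same value GetSidLengthRequired(n) returns: 8 header bytes + 4 per sub-authority.
def sid_length_required(count)
  8 + 4 * count
end

# Builds the SID bytes. authority is the 48-bit identifier authority
# (e.g. 5 for SECURITY_NT_AUTHORITY); a sub-authority of 0 is legitimate.
def build_sid(authority, *sub_authorities)
  if sub_authorities.length > SID_MAX_SUB_AUTHORITIES
    raise ArgumentError, "maximum of #{SID_MAX_SUB_AUTHORITIES} subauthorities allowed"
  end
  if authority < 0 || authority > 0xFFFF_FFFF_FFFF
    raise ArgumentError, "identifier authority must fit in 48 bits"
  end
  sub_authorities.each do |s|
    raise ArgumentError, "sub-authority #{s} out of range" if s < 0 || s > 0xFFFF_FFFF
  end
  # 6-byte big-endian authority; for values below 256 this is exactly the
  # 0.chr * 5 + authority.chr string used in the thread.
  auth_bytes = [authority >> 32, authority & 0xFFFF_FFFF].pack('nN')
  sid = [SID_REVISION, sub_authorities.length].pack('CC') + auth_bytes
  # Each DWORD here is the slot GetSidSubAuthority(sid, i) points at.
  sid << sub_authorities.pack('V*')
  raise "length mismatch" unless sid.bytesize == sid_length_required(sub_authorities.length)
  sid.force_encoding('BINARY')
end

# Parses binary SID bytes back into the familiar "S-1-5-32-544" string form.
def sid_to_s(sid)
  sid = sid.dup.force_encoding('BINARY')
  raise ArgumentError, "SID too short" if sid.bytesize < 8
  revision, count = sid.unpack('CC')
  raise ArgumentError, "unsupported revision #{revision}" unless revision == SID_REVISION
  raise ArgumentError, "truncated SID" if sid.bytesize < sid_length_required(count)
  hi, lo = sid[2, 6].unpack('nN')
  authority = (hi << 32) | lo
  subs = sid[8, 4 * count].unpack('V*')
  (["S", revision, authority] + subs).join('-')
end
```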
