[Win32utils-devel] Some more win32-security: SID.create

Heesob Park phasis at gmail.com
Wed Jul 9 21:12:42 EDT 2008


2008/7/10 Berger, Daniel <Daniel.Berger at qwest.com>:
>
>
>> -----Original Message-----
>> From: win32utils-devel-bounces at rubyforge.org
>> [mailto:win32utils-devel-bounces at rubyforge.org] On Behalf Of
>> Park Heesob
>> Sent: Wednesday, July 09, 2008 7:27 AM
>> To: Development and ideas for win32utils projects
>> Subject: Re: [Win32utils-devel] Some more win32-security: SID.create
>>
>>
>> ----- Original Message -----
>> From: "Daniel Berger" <djberg96 at gmail.com>
>> To: "Development and ideas for win32utils projects"
>> <win32utils-devel at rubyforge.org>
>> Sent: Wednesday, July 09, 2008 10:13 PM
>> Subject: Re: [Win32utils-devel] Some more win32-security: SID.create
>>
>>
>> > On Tue, Jul 8, 2008 at 10:35 PM, Heesob Park
>> <phasis at gmail.com> wrote:
>> >> 2008/7/9 Daniel Berger <djberg96 at gmail.com>:
>> >>> On Tue, Jul 8, 2008 at 9:12 PM, Heesob Park
>> <phasis at gmail.com> wrote:
>> >>>> Hi,
>> >>>>
>> >>>> 2008/7/9 Berger, Daniel <Daniel.Berger at qwest.com>:
>> >>>>> Hi all,
>> >>>>>
>> >>>>> How does this look as a general approach to a SID.create method:
>> >>>>>
>> >>>>> # Creates and initializes
>> >>>>> def self.create(authority, *sub_authorities)
>> >>>>>   if sub_authorities.length > 8
>> >>>>>      raise ArgumentError, 'maximum of 8 subauthorities allowed'
>> >>>>>   end
>> >>>>>
>> >>>>>   authorities = Array.new(8, 0)
>> >>>>>   authorities.replace(sub_authorities)
>> >>>>>   count = authorities.select{ |e| e > 0 }.size
>> >>>>>
>> >>>>>   if count == 0
>> >>>>>      # Use InitializeSid()
>> >>>>>   else
>> >>>>>      # Use AllocateAndInitializeSid()
>> >>>>>   end
>> >>>>> end
>> >>>>>
>> >>>>> Any help actually implementing this method would also be greatly
>> >>>>> appreciated, as my attempts were not working out so well.
>> >>>>>
>> >>>> Here is an working code:
>> >>>>
>> >>>> def self.create(authority, *sub_authorities)
>> >>>>
>> >>>>  if sub_authorities.length > 8
>> >>>>     raise ArgumentError, "maximum of 8 subauthorities allowed"
>> >>>>  end
>> >>>>
>> >>>>  sid = 0.chr * GetSidLengthRequired(sub_authorities.length+1)
>> >>>>
>> >>>>  if [0,1,2,3,5].include?(authority)
>> >>>>      auth = 0.chr * 5 + authority.chr
>> >>>>      bool = InitializeSid(sid, auth, sub_authorities.length+1)
>> >>>>      unless bool
>> >>>>       raise Error, get_last_error
>> >>>>      end
>> >>>>      sub_authorities.each_index do |i|
>> >>>>         value = [sub_authorities[i]].pack('L')
>> >>>>         auth_ptr = GetSidSubAuthority(sid, i)
>> >>>>         memcpy(auth_ptr,value,4)
>> >>>>      end
>> >>>>  end
>> >>>>  sid
>> >>>> end
>> >>>>
>> >>>>
>> >>>> Above code works with GetSidSubAuthority definition like this:
>> >>>> API.new('GetSidSubAuthority', 'PL', 'L', 'advapi32')
>> >>>
>> >>> Excellent, thanks. I've modified GetSidSubAuthority() as
>> you suggest,
>> >>> and made a few other functions that I had previously returning
>> >>> pointers return longs instead - easier to deal with.
>> >>>
>> >>> Your code gave me an idea, too. What do you think of
>> modifying SID.new
>> >>> so that it accepts either an account name or a sid?
>> Behind the scenes
>> >>> it just calls LookupAccountSid or LookupAccountName,
>> depending on the
>> >>> content of the first argument. That would allow
>> SID.create to return a
>> >>> full SID object.
>> >>>
>> <snip>
>>
>> > Yes, that will work better, thanks.
>> >
>> > Also, I wanted to ask about this bit:
>> >
>> > if [0,1,2,3,5].include?(authority)
>> >
>> > Why are we excluding SECURITY_NON_UNIQUE_AUTHORITY (4) and
>> > SECURITY_RESOURCE_MANAGER_AUTHORITY (9)?
>> >
>> I have no idea about the excluding values.
>> I just have ported it from the Visual C++ code :)
>> Refer to http://support.microsoft.com/kb/276208/en-us
>
> Ok, but something's not right, because this bit of code doesn't seem to
> do anything:
>
> sub_authorities.each_index do |i|
>   value = [sub_authorities[i]].pack('L')
>   auth_ptr = GetSidSubAuthority(sid, i)
>   memcpy(auth_ptr, value, 4)
> end
>
> I think part of the problem is that I changed the return type of
> GetSidSubAuthority to a long. But, regardless, I don't understand what
> that's supposed to do.
>
That is just ruby version of the following code:

       long j;
        for( j = 2; j <= lcAuths+1; j++)
        {
            DWORD dwValue = (DWORD)atol(pAuths[j]);
            PDWORD pdwSubAuth = GetSidSubAuthority( pLocalSid, (j-2));
            *pdwSubAuth = dwValue;
        }

Why do you think that did nothing?


Regards,

Park Heesob


More information about the win32utils-devel mailing list