win32utils devel - Jul 2008 - Some more win32-security: SID.create

Hi all,

How does this look as a general approach to a SID.create method:

# Creates and initializes
def self.create(authority, *sub_authorities)
   if sub_authorities.length > 8
      raise ArgumentError, ''maximum of 8 subauthorities
allowed''
   end

   authorities = Array.new(8, 0)
   authorities.replace(sub_authorities)
   count = authorities.select{ |e| e > 0 }.size

   if count == 0
      # Use InitializeSid()
   else
      # Use AllocateAndInitializeSid()
   end
end

Any help actually implementing this method would also be greatly
appreciated, as my attempts were not working out so well.

Thanks,

Dan


This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly 
prohibited and may be unlawful.  If you have received this communication 
in error, please immediately notify the sender by reply e-mail and destroy 
all copies of the communication and any attachments.

Hi,

2008/7/9 Berger, Daniel <Daniel.Berger at
qwest.com>:
> Hi all,
>
> How does this look as a general approach to a SID.create method:
>
> # Creates and initializes
> def self.create(authority, *sub_authorities)
>   if sub_authorities.length > 8
>      raise ArgumentError, ''maximum of 8 subauthorities
allowed''
>   end
>
>   authorities = Array.new(8, 0)
>   authorities.replace(sub_authorities)
>   count = authorities.select{ |e| e > 0 }.size
>
>   if count == 0
>      # Use InitializeSid()
>   else
>      # Use AllocateAndInitializeSid()
>   end
> end
>
> Any help actually implementing this method would also be greatly
> appreciated, as my attempts were not working out so well.
>
Here is an working code:

def self.create(authority, *sub_authorities)

  if sub_authorities.length > 8
     raise ArgumentError, "maximum of 8 subauthorities allowed"
  end

  sid = 0.chr * GetSidLengthRequired(sub_authorities.length+1)

  if [0,1,2,3,5].include?(authority)
      auth = 0.chr * 5 + authority.chr
      bool = InitializeSid(sid, auth, sub_authorities.length+1)
      unless bool
       raise Error, get_last_error
      end
      sub_authorities.each_index do |i|
         value = [sub_authorities[i]].pack(''L'')
         auth_ptr = GetSidSubAuthority(sid, i)
         memcpy(auth_ptr,value,4)
      end
  end
  sid
end


Above code works with GetSidSubAuthority definition like this:
API.new(''GetSidSubAuthority'', ''PL'',
''L'', ''advapi32'')


Regards,

Park Heesob

On Tue, Jul 8, 2008 at 9:12 PM, Heesob Park <phasis at gmail.com>
wrote:
> Hi,
>
> 2008/7/9 Berger, Daniel <Daniel.Berger at qwest.com>:
>> Hi all,
>>
>> How does this look as a general approach to a SID.create method:
>>
>> # Creates and initializes
>> def self.create(authority, *sub_authorities)
>>   if sub_authorities.length > 8
>>      raise ArgumentError, ''maximum of 8 subauthorities
allowed''
>>   end
>>
>>   authorities = Array.new(8, 0)
>>   authorities.replace(sub_authorities)
>>   count = authorities.select{ |e| e > 0 }.size
>>
>>   if count == 0
>>      # Use InitializeSid()
>>   else
>>      # Use AllocateAndInitializeSid()
>>   end
>> end
>>
>> Any help actually implementing this method would also be greatly
>> appreciated, as my attempts were not working out so well.
>>
> Here is an working code:
>
> def self.create(authority, *sub_authorities)
>
>  if sub_authorities.length > 8
>     raise ArgumentError, "maximum of 8 subauthorities allowed"
>  end
>
>  sid = 0.chr * GetSidLengthRequired(sub_authorities.length+1)
>
>  if [0,1,2,3,5].include?(authority)
>      auth = 0.chr * 5 + authority.chr
>      bool = InitializeSid(sid, auth, sub_authorities.length+1)
>      unless bool
>       raise Error, get_last_error
>      end
>      sub_authorities.each_index do |i|
>         value = [sub_authorities[i]].pack(''L'')
>         auth_ptr = GetSidSubAuthority(sid, i)
>         memcpy(auth_ptr,value,4)
>      end
>  end
>  sid
> end
>
>
> Above code works with GetSidSubAuthority definition like this:
> API.new(''GetSidSubAuthority'', ''PL'',
''L'', ''advapi32'')
Excellent, thanks. I''ve modified GetSidSubAuthority() as you suggest,
and made a few other functions that I had previously returning
pointers return longs instead - easier to deal with.

Your code gave me an idea, too. What do you think of modifying SID.new
so that it accepts either an account name or a sid? Behind the scenes
it just calls LookupAccountSid or LookupAccountName, depending on the
content of the first argument. That would allow SID.create to return a
full SID object.

Here''s a proposed implementation:

def self.create(authority, *sub_authorities)
   # Code same as before except for the return value
   return self.new(sid)
end

def initialize(account, host=Socket.gethostname)
   sid    = 0.chr * 28
   sid_cb = [sid.size].pack(''L'')

   domain_buf = 0.chr * 80
   domain_cch = [domain_buf.size].pack(''L'')

   sid_name_use = 0.chr * 4

    # If the account includes non-alpha characters, assume it''s a SID.
     if account =~ /\W+/ # Unicode concerns?
        bool = LookupAccountSid(
           host,
          
[account].pack(''p*'').unpack(''L'')[0],
            sid,
            sid_cb,
            domain_buf,
            domain_cch,
            sid_name_use
         )

         @sid = account
         @name = sid.strip
     else
         bool = LookupAccountName(
            host,
            account,
            sid,
            sid_cb,
            domain_buf,
            domain_cch,
            sid_name_use
         )

         @sid = sid.strip
         @account = account
   end

   unless bool
      raise Error, get_last_error
   end

   @host    = host
   @domain  = domain_buf.strip

   @account_type =
get_account_type(sid_name_use.unpack(''L'')[0])

   sid
end

How does that look?

Regards,

Dan

2008/7/9 Daniel Berger <djberg96 at gmail.com>:
> On Tue, Jul 8, 2008 at 9:12 PM, Heesob Park <phasis at gmail.com>
wrote:
>> Hi,
>>
>> 2008/7/9 Berger, Daniel <Daniel.Berger at qwest.com>:
>>> Hi all,
>>>
>>> How does this look as a general approach to a SID.create method:
>>>
>>> # Creates and initializes
>>> def self.create(authority, *sub_authorities)
>>>   if sub_authorities.length > 8
>>>      raise ArgumentError, ''maximum of 8 subauthorities
allowed''
>>>   end
>>>
>>>   authorities = Array.new(8, 0)
>>>   authorities.replace(sub_authorities)
>>>   count = authorities.select{ |e| e > 0 }.size
>>>
>>>   if count == 0
>>>      # Use InitializeSid()
>>>   else
>>>      # Use AllocateAndInitializeSid()
>>>   end
>>> end
>>>
>>> Any help actually implementing this method would also be greatly
>>> appreciated, as my attempts were not working out so well.
>>>
>> Here is an working code:
>>
>> def self.create(authority, *sub_authorities)
>>
>>  if sub_authorities.length > 8
>>     raise ArgumentError, "maximum of 8 subauthorities
allowed"
>>  end
>>
>>  sid = 0.chr * GetSidLengthRequired(sub_authorities.length+1)
>>
>>  if [0,1,2,3,5].include?(authority)
>>      auth = 0.chr * 5 + authority.chr
>>      bool = InitializeSid(sid, auth, sub_authorities.length+1)
>>      unless bool
>>       raise Error, get_last_error
>>      end
>>      sub_authorities.each_index do |i|
>>         value = [sub_authorities[i]].pack(''L'')
>>         auth_ptr = GetSidSubAuthority(sid, i)
>>         memcpy(auth_ptr,value,4)
>>      end
>>  end
>>  sid
>> end
>>
>>
>> Above code works with GetSidSubAuthority definition like this:
>> API.new(''GetSidSubAuthority'', ''PL'',
''L'', ''advapi32'')
>
> Excellent, thanks. I''ve modified GetSidSubAuthority() as you
suggest,
> and made a few other functions that I had previously returning
> pointers return longs instead - easier to deal with.
>
> Your code gave me an idea, too. What do you think of modifying SID.new
> so that it accepts either an account name or a sid? Behind the scenes
> it just calls LookupAccountSid or LookupAccountName, depending on the
> content of the first argument. That would allow SID.create to return a
> full SID object.
>
> Here''s a proposed implementation:
>
> def self.create(authority, *sub_authorities)
>   # Code same as before except for the return value
>   return self.new(sid)
> end
>
> def initialize(account, host=Socket.gethostname)
>   sid    = 0.chr * 28
>   sid_cb = [sid.size].pack(''L'')
>
>   domain_buf = 0.chr * 80
>   domain_cch = [domain_buf.size].pack(''L'')
>
>   sid_name_use = 0.chr * 4
>
>    # If the account includes non-alpha characters, assume it''s a
SID.
>     if account =~ /\W+/ # Unicode concerns?
>        bool = LookupAccountSid(
>           host,
>          
[account].pack(''p*'').unpack(''L'')[0],
>            sid,
>            sid_cb,
>            domain_buf,
>            domain_cch,
>            sid_name_use
>         )
>
>         @sid = account
>         @name = sid.strip
>     else
>         bool = LookupAccountName(
>            host,
>            account,
>            sid,
>            sid_cb,
>            domain_buf,
>            domain_cch,
>            sid_name_use
>         )
>
>         @sid = sid.strip
>         @account = account
>   end
>
>   unless bool
>      raise Error, get_last_error
>   end
>
>   @host    = host
>   @domain  = domain_buf.strip
>
>   @account_type =
get_account_type(sid_name_use.unpack(''L'')[0])
>
>   sid
> end
>
> How does that look?
>
That looks good.

I think the SID detection code
 if account =~ /\W+/
can be something like
 if account[0] < 10


Regards,

Park Heesob

On Tue, Jul 8, 2008 at 10:35 PM, Heesob Park <phasis at gmail.com>
wrote:
> 2008/7/9 Daniel Berger <djberg96 at gmail.com>:
>> On Tue, Jul 8, 2008 at 9:12 PM, Heesob Park <phasis at gmail.com>
wrote:
>>> Hi,
>>>
>>> 2008/7/9 Berger, Daniel <Daniel.Berger at qwest.com>:
>>>> Hi all,
>>>>
>>>> How does this look as a general approach to a SID.create
method:
>>>>
>>>> # Creates and initializes
>>>> def self.create(authority, *sub_authorities)
>>>>   if sub_authorities.length > 8
>>>>      raise ArgumentError, ''maximum of 8 subauthorities
allowed''
>>>>   end
>>>>
>>>>   authorities = Array.new(8, 0)
>>>>   authorities.replace(sub_authorities)
>>>>   count = authorities.select{ |e| e > 0 }.size
>>>>
>>>>   if count == 0
>>>>      # Use InitializeSid()
>>>>   else
>>>>      # Use AllocateAndInitializeSid()
>>>>   end
>>>> end
>>>>
>>>> Any help actually implementing this method would also be
greatly
>>>> appreciated, as my attempts were not working out so well.
>>>>
>>> Here is an working code:
>>>
>>> def self.create(authority, *sub_authorities)
>>>
>>>  if sub_authorities.length > 8
>>>     raise ArgumentError, "maximum of 8 subauthorities
allowed"
>>>  end
>>>
>>>  sid = 0.chr * GetSidLengthRequired(sub_authorities.length+1)
>>>
>>>  if [0,1,2,3,5].include?(authority)
>>>      auth = 0.chr * 5 + authority.chr
>>>      bool = InitializeSid(sid, auth, sub_authorities.length+1)
>>>      unless bool
>>>       raise Error, get_last_error
>>>      end
>>>      sub_authorities.each_index do |i|
>>>         value = [sub_authorities[i]].pack(''L'')
>>>         auth_ptr = GetSidSubAuthority(sid, i)
>>>         memcpy(auth_ptr,value,4)
>>>      end
>>>  end
>>>  sid
>>> end
>>>
>>>
>>> Above code works with GetSidSubAuthority definition like this:
>>> API.new(''GetSidSubAuthority'',
''PL'', ''L'', ''advapi32'')
>>
>> Excellent, thanks. I''ve modified GetSidSubAuthority() as you
suggest,
>> and made a few other functions that I had previously returning
>> pointers return longs instead - easier to deal with.
>>
>> Your code gave me an idea, too. What do you think of modifying SID.new
>> so that it accepts either an account name or a sid? Behind the scenes
>> it just calls LookupAccountSid or LookupAccountName, depending on the
>> content of the first argument. That would allow SID.create to return a
>> full SID object.
>>
>> Here''s a proposed implementation:
>>
>> def self.create(authority, *sub_authorities)
>>   # Code same as before except for the return value
>>   return self.new(sid)
>> end
>>
>> def initialize(account, host=Socket.gethostname)
>>   sid    = 0.chr * 28
>>   sid_cb = [sid.size].pack(''L'')
>>
>>   domain_buf = 0.chr * 80
>>   domain_cch = [domain_buf.size].pack(''L'')
>>
>>   sid_name_use = 0.chr * 4
>>
>>    # If the account includes non-alpha characters, assume it''s
a SID.
>>     if account =~ /\W+/ # Unicode concerns?
>>        bool = LookupAccountSid(
>>           host,
>>          
[account].pack(''p*'').unpack(''L'')[0],
>>            sid,
>>            sid_cb,
>>            domain_buf,
>>            domain_cch,
>>            sid_name_use
>>         )
>>
>>         @sid = account
>>         @name = sid.strip
>>     else
>>         bool = LookupAccountName(
>>            host,
>>            account,
>>            sid,
>>            sid_cb,
>>            domain_buf,
>>            domain_cch,
>>            sid_name_use
>>         )
>>
>>         @sid = sid.strip
>>         @account = account
>>   end
>>
>>   unless bool
>>      raise Error, get_last_error
>>   end
>>
>>   @host    = host
>>   @domain  = domain_buf.strip
>>
>>   @account_type =
get_account_type(sid_name_use.unpack(''L'')[0])
>>
>>   sid
>> end
>>
>> How does that look?
>>
> That looks good.
>
> I think the SID detection code
>  if account =~ /\W+/
> can be something like
>  if account[0] < 10
Yes, that will work better, thanks.

Also, I wanted to ask about this bit:

if [0,1,2,3,5].include?(authority)

Why are we excluding SECURITY_NON_UNIQUE_AUTHORITY (4) and
SECURITY_RESOURCE_MANAGER_AUTHORITY (9)?

Thanks,

Dan

----- Original Message ----- 
From: "Daniel Berger" <djberg96 at gmail.com>
To: "Development and ideas for win32utils projects" 
<win32utils-devel at rubyforge.org>
Sent: Wednesday, July 09, 2008 10:13 PM
Subject: Re: [Win32utils-devel] Some more win32-security: SID.create

> On Tue, Jul 8, 2008 at 10:35 PM, Heesob Park <phasis at gmail.com>
wrote:
>> 2008/7/9 Daniel Berger <djberg96 at gmail.com>:
>>> On Tue, Jul 8, 2008 at 9:12 PM, Heesob Park <phasis at
gmail.com> wrote:
>>>> Hi,
>>>>
>>>> 2008/7/9 Berger, Daniel <Daniel.Berger at qwest.com>:
>>>>> Hi all,
>>>>>
>>>>> How does this look as a general approach to a SID.create
method:
>>>>>
>>>>> # Creates and initializes
>>>>> def self.create(authority, *sub_authorities)
>>>>>   if sub_authorities.length > 8
>>>>>      raise ArgumentError, ''maximum of 8
subauthorities allowed''
>>>>>   end
>>>>>
>>>>>   authorities = Array.new(8, 0)
>>>>>   authorities.replace(sub_authorities)
>>>>>   count = authorities.select{ |e| e > 0 }.size
>>>>>
>>>>>   if count == 0
>>>>>      # Use InitializeSid()
>>>>>   else
>>>>>      # Use AllocateAndInitializeSid()
>>>>>   end
>>>>> end
>>>>>
>>>>> Any help actually implementing this method would also be
greatly
>>>>> appreciated, as my attempts were not working out so well.
>>>>>
>>>> Here is an working code:
>>>>
>>>> def self.create(authority, *sub_authorities)
>>>>
>>>>  if sub_authorities.length > 8
>>>>     raise ArgumentError, "maximum of 8 subauthorities
allowed"
>>>>  end
>>>>
>>>>  sid = 0.chr * GetSidLengthRequired(sub_authorities.length+1)
>>>>
>>>>  if [0,1,2,3,5].include?(authority)
>>>>      auth = 0.chr * 5 + authority.chr
>>>>      bool = InitializeSid(sid, auth, sub_authorities.length+1)
>>>>      unless bool
>>>>       raise Error, get_last_error
>>>>      end
>>>>      sub_authorities.each_index do |i|
>>>>         value =
[sub_authorities[i]].pack(''L'')
>>>>         auth_ptr = GetSidSubAuthority(sid, i)
>>>>         memcpy(auth_ptr,value,4)
>>>>      end
>>>>  end
>>>>  sid
>>>> end
>>>>
>>>>
>>>> Above code works with GetSidSubAuthority definition like this:
>>>> API.new(''GetSidSubAuthority'',
''PL'', ''L'', ''advapi32'')
>>>
>>> Excellent, thanks. I''ve modified GetSidSubAuthority() as
you suggest,
>>> and made a few other functions that I had previously returning
>>> pointers return longs instead - easier to deal with.
>>>
>>> Your code gave me an idea, too. What do you think of modifying
SID.new
>>> so that it accepts either an account name or a sid? Behind the
scenes
>>> it just calls LookupAccountSid or LookupAccountName, depending on
the
>>> content of the first argument. That would allow SID.create to
return a
>>> full SID object.
>>>
<snip>
> Yes, that will work better, thanks.
>
> Also, I wanted to ask about this bit:
>
> if [0,1,2,3,5].include?(authority)
>
> Why are we excluding SECURITY_NON_UNIQUE_AUTHORITY (4) and
> SECURITY_RESOURCE_MANAGER_AUTHORITY (9)?
>
I have no idea about the excluding values.
I just have ported it from the Visual C++ code :)
Refer to http://support.microsoft.com/kb/276208/en-us

Regards,

Park Heesob

> -----Original Message-----
> From: win32utils-devel-bounces at rubyforge.org 
> [mailto:win32utils-devel-bounces at rubyforge.org] On Behalf Of 
> Park Heesob
> Sent: Wednesday, July 09, 2008 7:27 AM
> To: Development and ideas for win32utils projects
> Subject: Re: [Win32utils-devel] Some more win32-security: SID.create
> 
> 
> ----- Original Message -----
> From: "Daniel Berger" <djberg96 at gmail.com>
> To: "Development and ideas for win32utils projects" 
> <win32utils-devel at rubyforge.org>
> Sent: Wednesday, July 09, 2008 10:13 PM
> Subject: Re: [Win32utils-devel] Some more win32-security: SID.create
> 
> 
> > On Tue, Jul 8, 2008 at 10:35 PM, Heesob Park 
> <phasis at gmail.com> wrote:
> >> 2008/7/9 Daniel Berger <djberg96 at gmail.com>:
> >>> On Tue, Jul 8, 2008 at 9:12 PM, Heesob Park 
> <phasis at gmail.com> wrote:
> >>>> Hi,
> >>>>
> >>>> 2008/7/9 Berger, Daniel <Daniel.Berger at
qwest.com>:
> >>>>> Hi all,
> >>>>>
> >>>>> How does this look as a general approach to a
SID.create method:
> >>>>>
> >>>>> # Creates and initializes
> >>>>> def self.create(authority, *sub_authorities)
> >>>>>   if sub_authorities.length > 8
> >>>>>      raise ArgumentError, ''maximum of 8
subauthorities allowed''
> >>>>>   end
> >>>>>
> >>>>>   authorities = Array.new(8, 0)
> >>>>>   authorities.replace(sub_authorities)
> >>>>>   count = authorities.select{ |e| e > 0 }.size
> >>>>>
> >>>>>   if count == 0
> >>>>>      # Use InitializeSid()
> >>>>>   else
> >>>>>      # Use AllocateAndInitializeSid()
> >>>>>   end
> >>>>> end
> >>>>>
> >>>>> Any help actually implementing this method would also
be greatly
> >>>>> appreciated, as my attempts were not working out so
well.
> >>>>>
> >>>> Here is an working code:
> >>>>
> >>>> def self.create(authority, *sub_authorities)
> >>>>
> >>>>  if sub_authorities.length > 8
> >>>>     raise ArgumentError, "maximum of 8 subauthorities
allowed"
> >>>>  end
> >>>>
> >>>>  sid = 0.chr *
GetSidLengthRequired(sub_authorities.length+1)
> >>>>
> >>>>  if [0,1,2,3,5].include?(authority)
> >>>>      auth = 0.chr * 5 + authority.chr
> >>>>      bool = InitializeSid(sid, auth,
sub_authorities.length+1)
> >>>>      unless bool
> >>>>       raise Error, get_last_error
> >>>>      end
> >>>>      sub_authorities.each_index do |i|
> >>>>         value =
[sub_authorities[i]].pack(''L'')
> >>>>         auth_ptr = GetSidSubAuthority(sid, i)
> >>>>         memcpy(auth_ptr,value,4)
> >>>>      end
> >>>>  end
> >>>>  sid
> >>>> end
> >>>>
> >>>>
> >>>> Above code works with GetSidSubAuthority definition like
this:
> >>>> API.new(''GetSidSubAuthority'',
''PL'', ''L'', ''advapi32'')
> >>>
> >>> Excellent, thanks. I''ve modified GetSidSubAuthority()
as
> you suggest,
> >>> and made a few other functions that I had previously returning
> >>> pointers return longs instead - easier to deal with.
> >>>
> >>> Your code gave me an idea, too. What do you think of 
> modifying SID.new
> >>> so that it accepts either an account name or a sid? 
> Behind the scenes
> >>> it just calls LookupAccountSid or LookupAccountName, 
> depending on the
> >>> content of the first argument. That would allow 
> SID.create to return a
> >>> full SID object.
> >>>
> <snip>
> 
> > Yes, that will work better, thanks.
> >
> > Also, I wanted to ask about this bit:
> >
> > if [0,1,2,3,5].include?(authority)
> >
> > Why are we excluding SECURITY_NON_UNIQUE_AUTHORITY (4) and
> > SECURITY_RESOURCE_MANAGER_AUTHORITY (9)?
> >
> I have no idea about the excluding values.
> I just have ported it from the Visual C++ code :)
> Refer to http://support.microsoft.com/kb/276208/en-us
Ok, but something''s not right, because this bit of code
doesn''t seem to
do anything:

sub_authorities.each_index do |i|
   value = [sub_authorities[i]].pack(''L'')
   auth_ptr = GetSidSubAuthority(sid, i)
   memcpy(auth_ptr, value, 4)
end

I think part of the problem is that I changed the return type of
GetSidSubAuthority to a long. But, regardless, I don''t understand what
that''s supposed to do.

I took a stab at trying to create a SID with a sub-authority with the
following code, but it didn''t seem to work. Any ideas?

def self.create(authority, *sub_authorities)        
   if sub_authorities.length > 8
      raise ArgumentError, "maximum of 8 subauthorities allowed"
   end
            
   sid  = 0.chr * GetSidLengthRequired(sub_authorities.length + 1)
   auth = 0.chr * 5 + authority.chr
            
   if sub_authorities.length == 0
      unless InitializeSid(sid, auth, 1)
         raise Error, get_last_error
      end
   else
      array = Array.new(8, 0)
      array.replace(sub_authorities)

      bool = AllocateAndInitializeSid(
         auth,
         sub_authorities.select{ |e| e > 0 }.size,
         array[0],
         array[1],
         array[2],
         array[3],
         array[4],
         array[5],
         array[6],
         array[7],
         sid
      )

      unless bool
         raise Error, get_last_error
      end
   end
             
   self.new(sid)           
end

Thanks,

Dan


This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly 
prohibited and may be unlawful.  If you have received this communication 
in error, please immediately notify the sender by reply e-mail and destroy 
all copies of the communication and any attachments.

2008/7/10 Berger, Daniel <Daniel.Berger at
qwest.com>:
>
>
>> -----Original Message-----
>> From: win32utils-devel-bounces at rubyforge.org
>> [mailto:win32utils-devel-bounces at rubyforge.org] On Behalf Of
>> Park Heesob
>> Sent: Wednesday, July 09, 2008 7:27 AM
>> To: Development and ideas for win32utils projects
>> Subject: Re: [Win32utils-devel] Some more win32-security: SID.create
>>
>>
>> ----- Original Message -----
>> From: "Daniel Berger" <djberg96 at gmail.com>
>> To: "Development and ideas for win32utils projects"
>> <win32utils-devel at rubyforge.org>
>> Sent: Wednesday, July 09, 2008 10:13 PM
>> Subject: Re: [Win32utils-devel] Some more win32-security: SID.create
>>
>>
>> > On Tue, Jul 8, 2008 at 10:35 PM, Heesob Park
>> <phasis at gmail.com> wrote:
>> >> 2008/7/9 Daniel Berger <djberg96 at gmail.com>:
>> >>> On Tue, Jul 8, 2008 at 9:12 PM, Heesob Park
>> <phasis at gmail.com> wrote:
>> >>>> Hi,
>> >>>>
>> >>>> 2008/7/9 Berger, Daniel <Daniel.Berger at
qwest.com>:
>> >>>>> Hi all,
>> >>>>>
>> >>>>> How does this look as a general approach to a
SID.create method:
>> >>>>>
>> >>>>> # Creates and initializes
>> >>>>> def self.create(authority, *sub_authorities)
>> >>>>>   if sub_authorities.length > 8
>> >>>>>      raise ArgumentError, ''maximum of 8
subauthorities allowed''
>> >>>>>   end
>> >>>>>
>> >>>>>   authorities = Array.new(8, 0)
>> >>>>>   authorities.replace(sub_authorities)
>> >>>>>   count = authorities.select{ |e| e > 0 }.size
>> >>>>>
>> >>>>>   if count == 0
>> >>>>>      # Use InitializeSid()
>> >>>>>   else
>> >>>>>      # Use AllocateAndInitializeSid()
>> >>>>>   end
>> >>>>> end
>> >>>>>
>> >>>>> Any help actually implementing this method would
also be greatly
>> >>>>> appreciated, as my attempts were not working out
so well.
>> >>>>>
>> >>>> Here is an working code:
>> >>>>
>> >>>> def self.create(authority, *sub_authorities)
>> >>>>
>> >>>>  if sub_authorities.length > 8
>> >>>>     raise ArgumentError, "maximum of 8
subauthorities allowed"
>> >>>>  end
>> >>>>
>> >>>>  sid = 0.chr *
GetSidLengthRequired(sub_authorities.length+1)
>> >>>>
>> >>>>  if [0,1,2,3,5].include?(authority)
>> >>>>      auth = 0.chr * 5 + authority.chr
>> >>>>      bool = InitializeSid(sid, auth,
sub_authorities.length+1)
>> >>>>      unless bool
>> >>>>       raise Error, get_last_error
>> >>>>      end
>> >>>>      sub_authorities.each_index do |i|
>> >>>>         value =
[sub_authorities[i]].pack(''L'')
>> >>>>         auth_ptr = GetSidSubAuthority(sid, i)
>> >>>>         memcpy(auth_ptr,value,4)
>> >>>>      end
>> >>>>  end
>> >>>>  sid
>> >>>> end
>> >>>>
>> >>>>
>> >>>> Above code works with GetSidSubAuthority definition
like this:
>> >>>> API.new(''GetSidSubAuthority'',
''PL'', ''L'', ''advapi32'')
>> >>>
>> >>> Excellent, thanks. I''ve modified
GetSidSubAuthority() as
>> you suggest,
>> >>> and made a few other functions that I had previously
returning
>> >>> pointers return longs instead - easier to deal with.
>> >>>
>> >>> Your code gave me an idea, too. What do you think of
>> modifying SID.new
>> >>> so that it accepts either an account name or a sid?
>> Behind the scenes
>> >>> it just calls LookupAccountSid or LookupAccountName,
>> depending on the
>> >>> content of the first argument. That would allow
>> SID.create to return a
>> >>> full SID object.
>> >>>
>> <snip>
>>
>> > Yes, that will work better, thanks.
>> >
>> > Also, I wanted to ask about this bit:
>> >
>> > if [0,1,2,3,5].include?(authority)
>> >
>> > Why are we excluding SECURITY_NON_UNIQUE_AUTHORITY (4) and
>> > SECURITY_RESOURCE_MANAGER_AUTHORITY (9)?
>> >
>> I have no idea about the excluding values.
>> I just have ported it from the Visual C++ code :)
>> Refer to http://support.microsoft.com/kb/276208/en-us
>
> Ok, but something''s not right, because this bit of code
doesn''t seem to
> do anything:
>
> sub_authorities.each_index do |i|
>   value = [sub_authorities[i]].pack(''L'')
>   auth_ptr = GetSidSubAuthority(sid, i)
>   memcpy(auth_ptr, value, 4)
> end
>
> I think part of the problem is that I changed the return type of
> GetSidSubAuthority to a long. But, regardless, I don''t understand
what
> that''s supposed to do.
>
That is just ruby version of the following code:

       long j;
        for( j = 2; j <= lcAuths+1; j++)
        {
            DWORD dwValue = (DWORD)atol(pAuths[j]);
            PDWORD pdwSubAuth = GetSidSubAuthority( pLocalSid, (j-2));
            *pdwSubAuth = dwValue;
        }

Why do you think that did nothing?


Regards,

Park Heesob

Hi,

<snip>
> That is just ruby version of the following code:
>
>       long j;
>        for( j = 2; j <= lcAuths+1; j++)
>        {
>            DWORD dwValue = (DWORD)atol(pAuths[j]);
>            PDWORD pdwSubAuth = GetSidSubAuthority( pLocalSid, (j-2));
>            *pdwSubAuth = dwValue;
>        }
>
> Why do you think that did nothing?
I guess I misread it. Nevermind. :)

I did remove the [0,1,2,3,5] loop, though.

I do need some help with testing please. I''ve added some more tests in
CVS, but I wasn''t sure what a good way was to test SID.create with
subauthorities. Any suggestions?

Thanks,

Dan

Hi,

2008/7/11 Daniel Berger <djberg96 at gmail.com>:
> Hi,
>
> <snip>
>
>> That is just ruby version of the following code:
>>
>>       long j;
>>        for( j = 2; j <= lcAuths+1; j++)
>>        {
>>            DWORD dwValue = (DWORD)atol(pAuths[j]);
>>            PDWORD pdwSubAuth = GetSidSubAuthority( pLocalSid, (j-2));
>>            *pdwSubAuth = dwValue;
>>        }
>>
>> Why do you think that did nothing?
>
> I guess I misread it. Nevermind. :)
>
> I did remove the [0,1,2,3,5] loop, though.
>
> I do need some help with testing please. I''ve added some more
tests in
> CVS, but I wasn''t sure what a good way was to test SID.create with
> subauthorities. Any suggestions?
>
I guess SID.create test with Well-known SIDs is possible.
Refer to http://msdn.microsoft.com/en-us/library/aa379649(VS.85).aspx

Regards,

Park Heesob

> -----Original Message-----
> From: win32utils-devel-bounces at rubyforge.org 
> [mailto:win32utils-devel-bounces at rubyforge.org] On Behalf Of 
> Heesob Park
> Sent: Thursday, July 10, 2008 10:27 PM
> To: Development and ideas for win32utils projects
> Subject: Re: [Win32utils-devel] Some more win32-security: SID.create
> 
> Hi,
> 
> 2008/7/11 Daniel Berger <djberg96 at gmail.com>:
> > Hi,
> >
> > <snip>
> >
> >> That is just ruby version of the following code:
> >>
> >>       long j;
> >>        for( j = 2; j <= lcAuths+1; j++)
> >>        {
> >>            DWORD dwValue = (DWORD)atol(pAuths[j]);
> >>            PDWORD pdwSubAuth = GetSidSubAuthority( 
> pLocalSid, (j-2));
> >>            *pdwSubAuth = dwValue;
> >>        }
> >>
> >> Why do you think that did nothing?
> >
> > I guess I misread it. Nevermind. :)
> >
> > I did remove the [0,1,2,3,5] loop, though.
> >
> > I do need some help with testing please. I''ve added some 
> more tests in 
> > CVS, but I wasn''t sure what a good way was to test SID.create
with
> > subauthorities. Any suggestions?
> >
> I guess SID.create test with Well-known SIDs is possible.
> Refer to http://msdn.microsoft.com/en-us/library/aa379649(VS.85).aspx
After adding some RID constants to Windows::Security (now in CVS) I
tried this:

include Win32

s = Security::SID.create(
   Security::SID::SECURITY_WORLD_SID_AUTHORITY,
   Security::SID::SECURITY_WORLD_RID
)

p s

But I get:

C:\Documents and
Settings\djberge\workspace\win32-security\lib\win32\security>ruby sid.rb
sid.rb:151:in `initialize'': No mapping between account names and
security IDs was done. (Win32::Security::SID:
:Error)
        from sid.rb:89:in `new''
        from sid.rb:89:in `create''
        from sid.rb:231

I suspect I don''t understand the Windows security model as well as I
should. Perhaps I should order this book:

"Programming Windows Security"

http://www.bookpool.com/sm/0201604426

It''s a bit dated, but probably has everything I need. Does anyone have
any opinion on this book?

Thanks,

Dan




This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly 
prohibited and may be unlawful.  If you have received this communication 
in error, please immediately notify the sender by reply e-mail and destroy 
all copies of the communication and any attachments.

Hi,
----- Original Message ----- 
From: "Berger, Daniel" <Daniel.Berger at qwest.com>
To: "Development and ideas for win32utils projects" 
<win32utils-devel at rubyforge.org>
Sent: Friday, July 11, 2008 10:35 PM
Subject: Re: [Win32utils-devel] Some more win32-security: SID.create

>
>
>> -----Original Message-----
>> From: win32utils-devel-bounces at rubyforge.org
>> [mailto:win32utils-devel-bounces at rubyforge.org] On Behalf Of
>> Heesob Park
>> Sent: Thursday, July 10, 2008 10:27 PM
>> To: Development and ideas for win32utils projects
>> Subject: Re: [Win32utils-devel] Some more win32-security: SID.create
>>
>> Hi,
>>
>> 2008/7/11 Daniel Berger <djberg96 at gmail.com>:
>> > Hi,
>> >
>> > <snip>
>> >
>> >> That is just ruby version of the following code:
>> >>
>> >>       long j;
>> >>        for( j = 2; j <= lcAuths+1; j++)
>> >>        {
>> >>            DWORD dwValue = (DWORD)atol(pAuths[j]);
>> >>            PDWORD pdwSubAuth = GetSidSubAuthority(
>> pLocalSid, (j-2));
>> >>            *pdwSubAuth = dwValue;
>> >>        }
>> >>
>> >> Why do you think that did nothing?
>> >
>> > I guess I misread it. Nevermind. :)
>> >
>> > I did remove the [0,1,2,3,5] loop, though.
>> >
>> > I do need some help with testing please. I''ve added some
>> more tests in
>> > CVS, but I wasn''t sure what a good way was to test
SID.create with
>> > subauthorities. Any suggestions?
>> >
>> I guess SID.create test with Well-known SIDs is possible.
>> Refer to http://msdn.microsoft.com/en-us/library/aa379649(VS.85).aspx
>
> After adding some RID constants to Windows::Security (now in CVS) I
> tried this:
>
> include Win32
>
> s = Security::SID.create(
>   Security::SID::SECURITY_WORLD_SID_AUTHORITY,
>   Security::SID::SECURITY_WORLD_RID
> )
>
> p s
>
> But I get:
>
> C:\Documents and
> Settings\djberge\workspace\win32-security\lib\win32\security>ruby sid.rb
> sid.rb:151:in `initialize'': No mapping between account names and
> security IDs was done. (Win32::Security::SID:
> :Error)
>        from sid.rb:89:in `new''
>        from sid.rb:89:in `create''
>        from sid.rb:231
>
I found the bug.
The self.create method should be like this  :

         def self.create(authority, *sub_authorities)
            if sub_authorities.length > 8
               raise ArgumentError, "maximum of 8 subauthorities
allowed"
            end

            sid = 0.chr * GetSidLengthRequired(sub_authorities.length)

            auth = 0.chr * 5 + authority.chr

            unless InitializeSid(sid, auth, sub_authorities.length)
               raise Error, get_last_error
            end

            sub_authorities.each_index do |i|
               value = [sub_authorities[i]].pack(''L'')
               auth_ptr = GetSidSubAuthority(sid, i)
               memcpy(auth_ptr, value, 4)
            end

            self.new(sid)
         end

And here is a test code:

sid = 0.chr * 12
sid_size = [12].pack(''L'')
bool = CreateWellKnownSid(WinWorldSid,nil,sid,sid_size)
unless bool
  puts get_last_error
end
s1 = Security::SID.new(sid)

s2 = Security::SID.create(
   Security::SID::SECURITY_WORLD_SID_AUTHORITY,
   SECURITY_WORLD_RID
)
p s1==s2
> I suspect I don''t understand the Windows security model as well as
I
> should. Perhaps I should order this book:
>
> "Programming Windows Security"
>
> http://www.bookpool.com/sm/0201604426
>
> It''s a bit dated, but probably has everything I need. Does anyone
have
> any opinion on this book?
>
No comment :)

Regards,

Park Heesob

> -----Original Message-----
> From: win32utils-devel-bounces at rubyforge.org 
> [mailto:win32utils-devel-bounces at rubyforge.org] On Behalf Of 
> Park Heesob
> Sent: Friday, July 11, 2008 9:20 AM
> To: Development and ideas for win32utils projects
> Subject: Re: [Win32utils-devel] Some more win32-security: SID.create
> 
> Hi,
> ----- Original Message -----
> From: "Berger, Daniel" <Daniel.Berger at qwest.com>
> To: "Development and ideas for win32utils projects" 
> <win32utils-devel at rubyforge.org>
> Sent: Friday, July 11, 2008 10:35 PM
> Subject: Re: [Win32utils-devel] Some more win32-security: SID.create
> 
> 
> >
> >
> >> -----Original Message-----
> >> From: win32utils-devel-bounces at rubyforge.org
> >> [mailto:win32utils-devel-bounces at rubyforge.org] On Behalf Of
> >> Heesob Park
> >> Sent: Thursday, July 10, 2008 10:27 PM
> >> To: Development and ideas for win32utils projects
> >> Subject: Re: [Win32utils-devel] Some more win32-security: 
> SID.create
> >>
> >> Hi,
> >>
> >> 2008/7/11 Daniel Berger <djberg96 at gmail.com>:
> >> > Hi,
> >> >
> >> > <snip>
> >> >
> >> >> That is just ruby version of the following code:
> >> >>
> >> >>       long j;
> >> >>        for( j = 2; j <= lcAuths+1; j++)
> >> >>        {
> >> >>            DWORD dwValue = (DWORD)atol(pAuths[j]);
> >> >>            PDWORD pdwSubAuth = GetSidSubAuthority(
> >> pLocalSid, (j-2));
> >> >>            *pdwSubAuth = dwValue;
> >> >>        }
> >> >>
> >> >> Why do you think that did nothing?
> >> >
> >> > I guess I misread it. Nevermind. :)
> >> >
> >> > I did remove the [0,1,2,3,5] loop, though.
> >> >
> >> > I do need some help with testing please. I''ve added
some
> >> more tests in
> >> > CVS, but I wasn''t sure what a good way was to test 
> SID.create with
> >> > subauthorities. Any suggestions?
> >> >
> >> I guess SID.create test with Well-known SIDs is possible.
> >> Refer to 
> http://msdn.microsoft.com/en-us/library/aa379649(VS.85).aspx
> >
> > After adding some RID constants to Windows::Security (now in CVS) I
> > tried this:
> >
> > include Win32
> >
> > s = Security::SID.create(
> >   Security::SID::SECURITY_WORLD_SID_AUTHORITY,
> >   Security::SID::SECURITY_WORLD_RID
> > )
> >
> > p s
> >
> > But I get:
> >
> > C:\Documents and
> > 
> Settings\djberge\workspace\win32-security\lib\win32\security>r
> uby sid.rb
> > sid.rb:151:in `initialize'': No mapping between account names
and
> > security IDs was done. (Win32::Security::SID:
> > :Error)
> >        from sid.rb:89:in `new''
> >        from sid.rb:89:in `create''
> >        from sid.rb:231
> >
> I found the bug.
> The self.create method should be like this  :
> 
>          def self.create(authority, *sub_authorities)
>             if sub_authorities.length > 8
>                raise ArgumentError, "maximum of 8 
> subauthorities allowed"
>             end
> 
>             sid = 0.chr * GetSidLengthRequired(sub_authorities.length)
> 
>             auth = 0.chr * 5 + authority.chr
> 
>             unless InitializeSid(sid, auth, sub_authorities.length)
>                raise Error, get_last_error
>             end
> 
>             sub_authorities.each_index do |i|
>                value = [sub_authorities[i]].pack(''L'')
>                auth_ptr = GetSidSubAuthority(sid, i)
>                memcpy(auth_ptr, value, 4)
>             end
> 
>             self.new(sid)
>          end
> 
> And here is a test code:
> 
> sid = 0.chr * 12
> sid_size = [12].pack(''L'')
> bool = CreateWellKnownSid(WinWorldSid,nil,sid,sid_size)
> unless bool
>   puts get_last_error
> end
> s1 = Security::SID.new(sid)
> 
> s2 = Security::SID.create(
>    Security::SID::SECURITY_WORLD_SID_AUTHORITY,
>    SECURITY_WORLD_RID
> )
> p s1==s2
Excellent, thanks! Fixed in CVS.
> 
> > I suspect I don''t understand the Windows security model as
well as I
> > should. Perhaps I should order this book:
> >
> > "Programming Windows Security"
> >
> > http://www.bookpool.com/sm/0201604426
> >
> > It''s a bit dated, but probably has everything I need. Does 
> anyone have
> > any opinion on this book?
> >
> No comment :)
I can get a used copy on Amazon for $5, so what the heck. :)

Thanks,

Dan


This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly 
prohibited and may be unlawful.  If you have received this communication 
in error, please immediately notify the sender by reply e-mail and destroy 
all copies of the communication and any attachments.