Berger, Daniel
2008-Jul-08 19:38 UTC
[Win32utils-devel] Some more win32-security: SID.create
Hi all,

How does this look as a general approach to a SID.create method:

    # Creates and initializes
    def self.create(authority, *sub_authorities)
      if sub_authorities.length > 8
        raise ArgumentError, 'maximum of 8 subauthorities allowed'
      end

      authorities = Array.new(8, 0)
      authorities.replace(sub_authorities)
      count = authorities.select{ |e| e > 0 }.size

      if count == 0
        # Use InitializeSid()
      else
        # Use AllocateAndInitializeSid()
      end
    end

Any help actually implementing this method would also be greatly appreciated, as my attempts were not working out so well.

Thanks,

Dan

This communication is the property of Qwest and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.
Hi,

2008/7/9 Berger, Daniel <Daniel.Berger at qwest.com>:
> Hi all,
>
> How does this look as a general approach to a SID.create method:
>
>     # Creates and initializes
>     def self.create(authority, *sub_authorities)
>       if sub_authorities.length > 8
>         raise ArgumentError, 'maximum of 8 subauthorities allowed'
>       end
>
>       authorities = Array.new(8, 0)
>       authorities.replace(sub_authorities)
>       count = authorities.select{ |e| e > 0 }.size
>
>       if count == 0
>         # Use InitializeSid()
>       else
>         # Use AllocateAndInitializeSid()
>       end
>     end
>
> Any help actually implementing this method would also be greatly
> appreciated, as my attempts were not working out so well.
>
Here is working code:

    def self.create(authority, *sub_authorities)
      if sub_authorities.length > 8
        raise ArgumentError, "maximum of 8 subauthorities allowed"
      end

      sid = 0.chr * GetSidLengthRequired(sub_authorities.length+1)

      if [0,1,2,3,5].include?(authority)
        auth = 0.chr * 5 + authority.chr
        bool = InitializeSid(sid, auth, sub_authorities.length+1)
        unless bool
          raise Error, get_last_error
        end
        sub_authorities.each_index do |i|
          value = [sub_authorities[i]].pack('L')
          auth_ptr = GetSidSubAuthority(sid, i)
          memcpy(auth_ptr,value,4)
        end
      end
      sid
    end

Above code works with a GetSidSubAuthority definition like this:

    API.new('GetSidSubAuthority', 'PL', 'L', 'advapi32')

Regards,

Park Heesob
Daniel Berger
2008-Jul-09 04:11 UTC
[Win32utils-devel] Some more win32-security: SID.create
On Tue, Jul 8, 2008 at 9:12 PM, Heesob Park <phasis at gmail.com> wrote:
> Hi,
>
> 2008/7/9 Berger, Daniel <Daniel.Berger at qwest.com>:
>> Hi all,
>>
>> How does this look as a general approach to a SID.create method:
>>
<snip>
>> Any help actually implementing this method would also be greatly
>> appreciated, as my attempts were not working out so well.
>>
> Here is working code:
>
>     def self.create(authority, *sub_authorities)
>       if sub_authorities.length > 8
>         raise ArgumentError, "maximum of 8 subauthorities allowed"
>       end
>
>       sid = 0.chr * GetSidLengthRequired(sub_authorities.length+1)
>
>       if [0,1,2,3,5].include?(authority)
>         auth = 0.chr * 5 + authority.chr
>         bool = InitializeSid(sid, auth, sub_authorities.length+1)
>         unless bool
>           raise Error, get_last_error
>         end
>         sub_authorities.each_index do |i|
>           value = [sub_authorities[i]].pack('L')
>           auth_ptr = GetSidSubAuthority(sid, i)
>           memcpy(auth_ptr,value,4)
>         end
>       end
>       sid
>     end
>
> Above code works with a GetSidSubAuthority definition like this:
>
>     API.new('GetSidSubAuthority', 'PL', 'L', 'advapi32')

Excellent, thanks. I've modified GetSidSubAuthority() as you suggest, and made a few other functions that I had previously returning pointers return longs instead - easier to deal with.

Your code gave me an idea, too. What do you think of modifying SID.new so that it accepts either an account name or a sid? Behind the scenes it just calls LookupAccountSid or LookupAccountName, depending on the content of the first argument. That would allow SID.create to return a full SID object.

Here's a proposed implementation:

    def self.create(authority, *sub_authorities)
      # Code same as before except for the return value
      return self.new(sid)
    end

    def initialize(account, host=Socket.gethostname)
      sid = 0.chr * 28
      sid_cb = [sid.size].pack('L')

      domain_buf = 0.chr * 80
      domain_cch = [domain_buf.size].pack('L')

      sid_name_use = 0.chr * 4

      # If the account includes non-alpha characters, assume it's a SID.
      if account =~ /\W+/ # Unicode concerns?
        bool = LookupAccountSid(
          host,
          [account].pack('p*').unpack('L')[0],
          sid,
          sid_cb,
          domain_buf,
          domain_cch,
          sid_name_use
        )

        @sid = account
        @name = sid.strip
      else
        bool = LookupAccountName(
          host,
          account,
          sid,
          sid_cb,
          domain_buf,
          domain_cch,
          sid_name_use
        )

        @sid = sid.strip
        @account = account
      end

      unless bool
        raise Error, get_last_error
      end

      @host = host
      @domain = domain_buf.strip

      @account_type = get_account_type(sid_name_use.unpack('L')[0])

      sid
    end

How does that look?

Regards,

Dan
2008/7/9 Daniel Berger <djberg96 at gmail.com>:
> On Tue, Jul 8, 2008 at 9:12 PM, Heesob Park <phasis at gmail.com> wrote:
>> Hi,
>>
<snip>
>> Above code works with a GetSidSubAuthority definition like this:
>>
>>     API.new('GetSidSubAuthority', 'PL', 'L', 'advapi32')
>
> Excellent, thanks. I've modified GetSidSubAuthority() as you suggest,
> and made a few other functions that I had previously returning
> pointers return longs instead - easier to deal with.
>
> Your code gave me an idea, too. What do you think of modifying SID.new
> so that it accepts either an account name or a sid? Behind the scenes
> it just calls LookupAccountSid or LookupAccountName, depending on the
> content of the first argument. That would allow SID.create to return a
> full SID object.
>
> Here's a proposed implementation:
>
>     def self.create(authority, *sub_authorities)
>       # Code same as before except for the return value
>       return self.new(sid)
>     end
>
>     def initialize(account, host=Socket.gethostname)
>       sid = 0.chr * 28
>       sid_cb = [sid.size].pack('L')
>
>       domain_buf = 0.chr * 80
>       domain_cch = [domain_buf.size].pack('L')
>
>       sid_name_use = 0.chr * 4
>
>       # If the account includes non-alpha characters, assume it's a SID.
>       if account =~ /\W+/ # Unicode concerns?
>         bool = LookupAccountSid(
>           host,
>           [account].pack('p*').unpack('L')[0],
>           sid,
>           sid_cb,
>           domain_buf,
>           domain_cch,
>           sid_name_use
>         )
>
>         @sid = account
>         @name = sid.strip
>       else
>         bool = LookupAccountName(
>           host,
>           account,
>           sid,
>           sid_cb,
>           domain_buf,
>           domain_cch,
>           sid_name_use
>         )
>
>         @sid = sid.strip
>         @account = account
>       end
>
>       unless bool
>         raise Error, get_last_error
>       end
>
>       @host = host
>       @domain = domain_buf.strip
>
>       @account_type = get_account_type(sid_name_use.unpack('L')[0])
>
>       sid
>     end
>
> How does that look?
>
That looks good.

I think the SID detection code

    if account =~ /\W+/

can be something like

    if account[0] < 10

Regards,

Park Heesob
Daniel Berger
2008-Jul-09 13:13 UTC
[Win32utils-devel] Some more win32-security: SID.create
On Tue, Jul 8, 2008 at 10:35 PM, Heesob Park <phasis at gmail.com> wrote:
> 2008/7/9 Daniel Berger <djberg96 at gmail.com>:
>> On Tue, Jul 8, 2008 at 9:12 PM, Heesob Park <phasis at gmail.com> wrote:
<snip>
>> Here's a proposed implementation:
>>
<snip>
>> How does that look?
>>
> That looks good.
>
> I think the SID detection code
>
>     if account =~ /\W+/
>
> can be something like
>
>     if account[0] < 10

Yes, that will work better, thanks.

Also, I wanted to ask about this bit:

    if [0,1,2,3,5].include?(authority)

Why are we excluding SECURITY_NON_UNIQUE_AUTHORITY (4) and SECURITY_RESOURCE_MANAGER_AUTHORITY (9)?

Thanks,

Dan
----- Original Message -----
From: "Daniel Berger" <djberg96 at gmail.com>
To: "Development and ideas for win32utils projects" <win32utils-devel at rubyforge.org>
Sent: Wednesday, July 09, 2008 10:13 PM
Subject: Re: [Win32utils-devel] Some more win32-security: SID.create

> On Tue, Jul 8, 2008 at 10:35 PM, Heesob Park <phasis at gmail.com> wrote:
>> 2008/7/9 Daniel Berger <djberg96 at gmail.com>:
>>> On Tue, Jul 8, 2008 at 9:12 PM, Heesob Park <phasis at gmail.com> wrote:
<snip>
> Yes, that will work better, thanks.
>
> Also, I wanted to ask about this bit:
>
>     if [0,1,2,3,5].include?(authority)
>
> Why are we excluding SECURITY_NON_UNIQUE_AUTHORITY (4) and
> SECURITY_RESOURCE_MANAGER_AUTHORITY (9)?
>
I have no idea about the excluded values. I just ported it from the Visual C++ code :)

Refer to http://support.microsoft.com/kb/276208/en-us

Regards,

Park Heesob
Berger, Daniel
2008-Jul-09 22:00 UTC
[Win32utils-devel] Some more win32-security: SID.create
> -----Original Message-----
> From: win32utils-devel-bounces at rubyforge.org
> [mailto:win32utils-devel-bounces at rubyforge.org] On Behalf Of Park Heesob
> Sent: Wednesday, July 09, 2008 7:27 AM
> To: Development and ideas for win32utils projects
> Subject: Re: [Win32utils-devel] Some more win32-security: SID.create
>
> ----- Original Message -----
> From: "Daniel Berger" <djberg96 at gmail.com>
> To: "Development and ideas for win32utils projects" <win32utils-devel at rubyforge.org>
> Sent: Wednesday, July 09, 2008 10:13 PM
> Subject: Re: [Win32utils-devel] Some more win32-security: SID.create
>
<snip>
> > Yes, that will work better, thanks.
> >
> > Also, I wanted to ask about this bit:
> >
> >     if [0,1,2,3,5].include?(authority)
> >
> > Why are we excluding SECURITY_NON_UNIQUE_AUTHORITY (4) and
> > SECURITY_RESOURCE_MANAGER_AUTHORITY (9)?
> >
> I have no idea about the excluded values. I just ported it from the Visual C++ code :)
>
> Refer to http://support.microsoft.com/kb/276208/en-us

Ok, but something's not right, because this bit of code doesn't seem to do anything:

    sub_authorities.each_index do |i|
      value = [sub_authorities[i]].pack('L')
      auth_ptr = GetSidSubAuthority(sid, i)
      memcpy(auth_ptr, value, 4)
    end

I think part of the problem is that I changed the return type of GetSidSubAuthority to a long. But, regardless, I don't understand what that's supposed to do.

I took a stab at trying to create a SID with a sub-authority with the following code, but it didn't seem to work. Any ideas?

    def self.create(authority, *sub_authorities)
      if sub_authorities.length > 8
        raise ArgumentError, "maximum of 8 subauthorities allowed"
      end

      sid = 0.chr * GetSidLengthRequired(sub_authorities.length + 1)
      auth = 0.chr * 5 + authority.chr

      if sub_authorities.length == 0
        unless InitializeSid(sid, auth, 1)
          raise Error, get_last_error
        end
      else
        array = Array.new(8, 0)
        array.replace(sub_authorities)

        bool = AllocateAndInitializeSid(
          auth,
          sub_authorities.select{ |e| e > 0 }.size,
          array[0],
          array[1],
          array[2],
          array[3],
          array[4],
          array[5],
          array[6],
          array[7],
          sid
        )

        unless bool
          raise Error, get_last_error
        end
      end

      self.new(sid)
    end

Thanks,

Dan
2008/7/10 Berger, Daniel <Daniel.Berger at qwest.com>:
>
>> -----Original Message-----
>> From: win32utils-devel-bounces at rubyforge.org
>> [mailto:win32utils-devel-bounces at rubyforge.org] On Behalf Of Park Heesob
>> Sent: Wednesday, July 09, 2008 7:27 AM
>> To: Development and ideas for win32utils projects
>> Subject: Re: [Win32utils-devel] Some more win32-security: SID.create
>>
<snip>
>> I have no idea about the excluded values. I just ported it from the Visual C++ code :)
>>
>> Refer to http://support.microsoft.com/kb/276208/en-us
>
> Ok, but something's not right, because this bit of code doesn't seem to
> do anything:
>
>     sub_authorities.each_index do |i|
>       value = [sub_authorities[i]].pack('L')
>       auth_ptr = GetSidSubAuthority(sid, i)
>       memcpy(auth_ptr, value, 4)
>     end
>
> I think part of the problem is that I changed the return type of
> GetSidSubAuthority to a long. But, regardless, I don't understand what
> that's supposed to do.
>
That is just the Ruby version of the following code:

    long j;
    for( j = 2; j <= lcAuths+1; j++)
    {
      DWORD dwValue = (DWORD)atol(pAuths[j]);
      PDWORD pdwSubAuth = GetSidSubAuthority( pLocalSid, (j-2));
      *pdwSubAuth = dwValue;
    }

Why do you think that did nothing?

Regards,

Park Heesob
Daniel Berger
2008-Jul-11 03:55 UTC
[Win32utils-devel] Some more win32-security: SID.create
Hi,

<snip>
> That is just the Ruby version of the following code:
>
>     long j;
>     for( j = 2; j <= lcAuths+1; j++)
>     {
>       DWORD dwValue = (DWORD)atol(pAuths[j]);
>       PDWORD pdwSubAuth = GetSidSubAuthority( pLocalSid, (j-2));
>       *pdwSubAuth = dwValue;
>     }
>
> Why do you think that did nothing?

I guess I misread it. Nevermind. :)

I did remove the [0,1,2,3,5] loop, though.

I do need some help with testing please. I've added some more tests in CVS, but I wasn't sure what a good way was to test SID.create with subauthorities. Any suggestions?

Thanks,

Dan
Hi,

2008/7/11 Daniel Berger <djberg96 at gmail.com>:
> Hi,
>
> <snip>
>
>> That is just the Ruby version of the following code:
>>
<snip>
>> Why do you think that did nothing?
>
> I guess I misread it. Nevermind. :)
>
> I did remove the [0,1,2,3,5] loop, though.
>
> I do need some help with testing please. I've added some more tests in
> CVS, but I wasn't sure what a good way was to test SID.create with
> subauthorities. Any suggestions?
>
I guess a SID.create test with well-known SIDs is possible.

Refer to http://msdn.microsoft.com/en-us/library/aa379649(VS.85).aspx

Regards,

Park Heesob
Berger, Daniel
2008-Jul-11 13:35 UTC
[Win32utils-devel] Some more win32-security: SID.create
> -----Original Message-----
> From: win32utils-devel-bounces at rubyforge.org
> [mailto:win32utils-devel-bounces at rubyforge.org] On Behalf Of Heesob Park
> Sent: Thursday, July 10, 2008 10:27 PM
> To: Development and ideas for win32utils projects
> Subject: Re: [Win32utils-devel] Some more win32-security: SID.create
>
> Hi,
>
> 2008/7/11 Daniel Berger <djberg96 at gmail.com>:
<snip>
> > I do need some help with testing please. I've added some more tests in
> > CVS, but I wasn't sure what a good way was to test SID.create with
> > subauthorities. Any suggestions?
> >
> I guess a SID.create test with well-known SIDs is possible.
>
> Refer to http://msdn.microsoft.com/en-us/library/aa379649(VS.85).aspx

After adding some RID constants to Windows::Security (now in CVS) I tried this:

    include Win32

    s = Security::SID.create(
      Security::SID::SECURITY_WORLD_SID_AUTHORITY,
      Security::SID::SECURITY_WORLD_RID
    )

    p s

But I get:

    C:\Documents and Settings\djberge\workspace\win32-security\lib\win32\security>ruby sid.rb
    sid.rb:151:in `initialize': No mapping between account names and security IDs was done. (Win32::Security::SID::Error)
            from sid.rb:89:in `new'
            from sid.rb:89:in `create'
            from sid.rb:231

I suspect I don't understand the Windows security model as well as I should. Perhaps I should order this book:

"Programming Windows Security"

http://www.bookpool.com/sm/0201604426

It's a bit dated, but probably has everything I need. Does anyone have any opinion on this book?

Thanks,

Dan
Hi,

----- Original Message -----
From: "Berger, Daniel" <Daniel.Berger at qwest.com>
To: "Development and ideas for win32utils projects" <win32utils-devel at rubyforge.org>
Sent: Friday, July 11, 2008 10:35 PM
Subject: Re: [Win32utils-devel] Some more win32-security: SID.create

>> -----Original Message-----
>> From: win32utils-devel-bounces at rubyforge.org
>> [mailto:win32utils-devel-bounces at rubyforge.org] On Behalf Of Heesob Park
>> Sent: Thursday, July 10, 2008 10:27 PM
>> To: Development and ideas for win32utils projects
>> Subject: Re: [Win32utils-devel] Some more win32-security: SID.create
>>
<snip>
>> I guess a SID.create test with well-known SIDs is possible.
>>
>> Refer to http://msdn.microsoft.com/en-us/library/aa379649(VS.85).aspx
>
> After adding some RID constants to Windows::Security (now in CVS) I
> tried this:
>
>     include Win32
>
>     s = Security::SID.create(
>       Security::SID::SECURITY_WORLD_SID_AUTHORITY,
>       Security::SID::SECURITY_WORLD_RID
>     )
>
>     p s
>
> But I get:
>
>     C:\Documents and Settings\djberge\workspace\win32-security\lib\win32\security>ruby sid.rb
>     sid.rb:151:in `initialize': No mapping between account names and security IDs was done. (Win32::Security::SID::Error)
>             from sid.rb:89:in `new'
>             from sid.rb:89:in `create'
>             from sid.rb:231
>
I found the bug. The self.create method should be like this:

    def self.create(authority, *sub_authorities)
      if sub_authorities.length > 8
        raise ArgumentError, "maximum of 8 subauthorities allowed"
      end

      sid = 0.chr * GetSidLengthRequired(sub_authorities.length)

      auth = 0.chr * 5 + authority.chr

      unless InitializeSid(sid, auth, sub_authorities.length)
        raise Error, get_last_error
      end

      sub_authorities.each_index do |i|
        value = [sub_authorities[i]].pack('L')
        auth_ptr = GetSidSubAuthority(sid, i)
        memcpy(auth_ptr, value, 4)
      end

      self.new(sid)
    end

And here is test code:

    sid = 0.chr * 12
    sid_size = [12].pack('L')
    bool = CreateWellKnownSid(WinWorldSid, nil, sid, sid_size)
    unless bool
      puts get_last_error
    end
    s1 = Security::SID.new(sid)

    s2 = Security::SID.create(
      Security::SID::SECURITY_WORLD_SID_AUTHORITY,
      SECURITY_WORLD_RID
    )
    p s1==s2

> I suspect I don't understand the Windows security model as well as I
> should. Perhaps I should order this book:
>
> "Programming Windows Security"
>
> http://www.bookpool.com/sm/0201604426
>
> It's a bit dated, but probably has everything I need. Does anyone have
> any opinion on this book?
>
No comment :)

Regards,

Park Heesob
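As an added example, not code from the thread or from win32-security: a pure-Ruby model of the binary SID that InitializeSid and the GetSidSubAuthority/memcpy loop fill in, so the create() logic can be checked on any platform without advapi32. It assumes the SID layout from Winnt.h (revision byte, sub-authority count byte, 6-byte big-endian identifier authority, little-endian DWORD sub-authorities) and the winnt.h constant values the thread names (SECURITY_WORLD_SID_AUTHORITY = 1, SECURITY_WORLD_RID = 0, SECURITY_NT_AUTHORITY = 5); the module name SidModel and its helper names are hypothetical. Building the Everyone SID both ways shows why the earlier create() raised "No mapping between account names and security IDs was done": sizing and initializing with sub_authorities.length + 1 leaves a trailing zero sub-authority, so LookupAccountSid was handed S-1-1-0-0 instead of S-1-1-0. The parse helper also checks the buffer against the count byte before trusting it, and binary_sid? covers the account[0] < 10 detection suggested earlier, with a Ruby 1.9+ caveat.

```ruby
# Added example (not win32-security's own code): a pure-Ruby model of the
# binary SID that InitializeSid/GetSidSubAuthority fill in. Assumes the
# SID layout from Winnt.h; the module name SidModel is hypothetical.
#
#   byte 0      Revision (always 1)
#   byte 1      SubAuthorityCount
#   bytes 2..7  IdentifierAuthority, 48-bit big-endian
#   bytes 8..   SubAuthority[count], each a little-endian DWORD
module SidModel
  MAX_SUB_AUTHORITIES = 8          # the limit create() on the list enforces
  SECURITY_WORLD_SID_AUTHORITY = 1 # winnt.h values named on the list
  SECURITY_WORLD_RID = 0
  SECURITY_NT_AUTHORITY = 5

  # Same arithmetic as GetSidLengthRequired(count).
  def self.length_required(count)
    8 + 4 * count
  end

  # Equivalent of InitializeSid plus the GetSidSubAuthority/memcpy loop:
  # builds the complete binary SID as a byte String.
  def self.create(authority, *sub_authorities)
    if sub_authorities.length > MAX_SUB_AUTHORITIES
      raise ArgumentError, "maximum of #{MAX_SUB_AUTHORITIES} subauthorities allowed"
    end
    # 48-bit big-endian identifier authority: high 16 bits, then low 32 bits.
    auth = [authority >> 32, authority & 0xFFFFFFFF].pack("nN")
    [1, sub_authorities.length].pack("CC") + auth + sub_authorities.pack("V*")
  end

  # The first create() on the list sized and initialized the SID with
  # sub_authorities.length + 1, so the last sub-authority stayed zero.
  # Modelled here to show what LookupAccountSid was actually asked about.
  def self.create_off_by_one(authority, *sub_authorities)
    create(authority, *(sub_authorities + [0]))
  end

  # Decode a binary SID into [revision, authority, sub_authorities],
  # rejecting buffers that are shorter than their own header claims.
  def self.parse(sid)
    raise ArgumentError, "SID shorter than its 8-byte header" if sid.bytesize < 8
    revision, count = sid.unpack("CC")
    raise ArgumentError, "unsupported SID revision #{revision}" unless revision == 1
    if sid.bytesize < length_required(count)
      raise ArgumentError, "SID claims #{count} sub-authorities but is truncated"
    end
    hi, lo = sid[2, 6].unpack("nN")
    [revision, (hi << 32) | lo, sid[8, 4 * count].unpack("V*")]
  end

  # The S-1-... string form, as ConvertSidToStringSid renders it.
  def self.to_s(sid)
    revision, authority, subs = parse(sid)
    (["S", revision, authority] + subs).join("-")
  end

  # The detection question from the list: a binary SID begins with the
  # revision byte 0x01, which no account name does. String#getbyte is used
  # because on Ruby 1.9+ account[0] is a one-character String rather than an
  # Integer, so `account[0] < 10` raises there.
  def self.binary_sid?(value)
    value.getbyte(0) == 1
  end
end

if __FILE__ == $0
  world = SidModel.create(SidModel::SECURITY_WORLD_SID_AUTHORITY, SidModel::SECURITY_WORLD_RID)
  puts SidModel.to_s(world)                                  # S-1-1-0 (Everyone)
  puts SidModel.to_s(SidModel.create_off_by_one(1, 0))       # S-1-1-0-0, the unmapped SID
  puts SidModel.to_s(SidModel.create(SidModel::SECURITY_NT_AUTHORITY, 32, 544)) # S-1-5-32-544
end
```

Running the file prints the three string forms. The Everyone SID it builds is 12 bytes, the same size the CreateWellKnownSid(WinWorldSid, ...) test above allocates, so the two buffers can be compared byte for byte.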
Berger, Daniel
2008-Jul-11 17:32 UTC
[Win32utils-devel] Some more win32-security: SID.create
> -----Original Message-----
> From: win32utils-devel-bounces at rubyforge.org
> [mailto:win32utils-devel-bounces at rubyforge.org] On Behalf Of
> Park Heesob
> Sent: Friday, July 11, 2008 9:20 AM
> To: Development and ideas for win32utils projects
> Subject: Re: [Win32utils-devel] Some more win32-security: SID.create
>
> Hi,
> ----- Original Message -----
> From: "Berger, Daniel" <Daniel.Berger at qwest.com>
> To: "Development and ideas for win32utils projects"
> <win32utils-devel at rubyforge.org>
> Sent: Friday, July 11, 2008 10:35 PM
> Subject: Re: [Win32utils-devel] Some more win32-security: SID.create
>
>
> >> -----Original Message-----
> >> From: win32utils-devel-bounces at rubyforge.org
> >> [mailto:win32utils-devel-bounces at rubyforge.org] On Behalf Of
> >> Heesob Park
> >> Sent: Thursday, July 10, 2008 10:27 PM
> >> To: Development and ideas for win32utils projects
> >> Subject: Re: [Win32utils-devel] Some more win32-security: SID.create
> >>
> >> Hi,
> >>
> >> 2008/7/11 Daniel Berger <djberg96 at gmail.com>:
> >> > Hi,
> >> >
> >> > <snip>
> >> >
> >> >> That is just ruby version of the following code:
> >> >>
> >> >> long j;
> >> >> for( j = 2; j <= lcAuths+1; j++)
> >> >> {
> >> >>     DWORD dwValue = (DWORD)atol(pAuths[j]);
> >> >>     PDWORD pdwSubAuth = GetSidSubAuthority(pLocalSid, (j-2));
> >> >>     *pdwSubAuth = dwValue;
> >> >> }
> >> >>
> >> >> Why do you think that did nothing?
> >> >
> >> > I guess I misread it. Nevermind. :)
> >> >
> >> > I did remove the [0,1,2,3,5] loop, though.
> >> >
> >> > I do need some help with testing please. I've added some more tests in
> >> > CVS, but I wasn't sure what a good way was to test SID.create with
> >> > subauthorities. Any suggestions?
> >> >
> >> I guess SID.create test with Well-known SIDs is possible.
> >> Refer to http://msdn.microsoft.com/en-us/library/aa379649(VS.85).aspx
> >
> > After adding some RID constants to Windows::Security (now in CVS) I
> > tried this:
> >
> > include Win32
> >
> > s = Security::SID.create(
> >   Security::SID::SECURITY_WORLD_SID_AUTHORITY,
> >   Security::SID::SECURITY_WORLD_RID
> > )
> >
> > p s
> >
> > But I get:
> >
> > C:\Documents and Settings\djberge\workspace\win32-security\lib\win32\security>ruby sid.rb
> > sid.rb:151:in `initialize': No mapping between account names and
> > security IDs was done. (Win32::Security::SID::Error)
> >  from sid.rb:89:in `new'
> >  from sid.rb:89:in `create'
> >  from sid.rb:231
> >
> I found the bug.
> The self.create method should be like this:
>
> def self.create(authority, *sub_authorities)
>   if sub_authorities.length > 8
>     raise ArgumentError, "maximum of 8 subauthorities allowed"
>   end
>
>   sid = 0.chr * GetSidLengthRequired(sub_authorities.length)
>
>   auth = 0.chr * 5 + authority.chr
>
>   unless InitializeSid(sid, auth, sub_authorities.length)
>     raise Error, get_last_error
>   end
>
>   sub_authorities.each_index do |i|
>     value = [sub_authorities[i]].pack('L')
>     auth_ptr = GetSidSubAuthority(sid, i)
>     memcpy(auth_ptr, value, 4)
>   end
>
>   self.new(sid)
> end
>
> And here is a test code:
>
> sid = 0.chr * 12
> sid_size = [12].pack('L')
> bool = CreateWellKnownSid(WinWorldSid, nil, sid, sid_size)
> unless bool
>   puts get_last_error
> end
> s1 = Security::SID.new(sid)
>
> s2 = Security::SID.create(
>   Security::SID::SECURITY_WORLD_SID_AUTHORITY,
>   SECURITY_WORLD_RID
> )
> p s1==s2

Excellent, thanks! Fixed in CVS.

> > I suspect I don't understand the Windows security model as well as I
> > should. Perhaps I should order this book:
> >
> > "Programming Windows Security"
> >
> > http://www.bookpool.com/sm/0201604426
> >
> > It's a bit dated, but probably has everything I need. Does anyone have
> > any opinion on this book?
> >
> No comment :)

I can get a used copy on Amazon for $5, so what the heck. :)

Thanks,

Dan
