Discussion:
BUG in Win32_SecurityDescriptorHelper.Win32SDToSDDL()
Gerry Hickman
2009-02-07 17:05:54 UTC
Hi,

Vista/Win2008

I think there is a bug in Win32_SecurityDescriptorHelper.Win32SDToSDDL()
whereby it does not correctly show the INHERITED_ACE AceFlag.

cacls "c:\program files\microsoft.net" /s

D:AI(A;ID;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)
(A;CIIOID;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)
(A;ID;FA;;;SY)
(A;OICIIOID;GA;;;SY)
(A;ID;FA;;;BA)
(A;OICIIOID;GA;;;BA)
(A;ID;0x1200a9;;;BU)
(A;OICIIOID;GXGR;;;BU)
(A;OICIIOID;GA;;;CO)

Note the "ID" string in the output above. CACLS correctly shows the
INHERITED_ACE flag.

Now using WMI (code below) the string reads:

O:SYG:SYD:AI
(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)
(A;CIIO;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)
(A;;FA;;;SY)
(A;OICIIO;GA;;;SY)
(A;;FA;;;BA)
(A;OICIIO;GA;;;BA)
(A;;0x1200a9;;;BU)
(A;OICIIO;GXGR;;;BU)
(A;OICIIO;GA;;;CO)

Note that the "ID" string is MISSING from the output above.

function _sd2sddl(oSd) {
    // Convert a Win32_SecurityDescriptor to an SDDL string
    // Accept: sd (a Win32_SecurityDescriptor instance)
    // Return: SDDL string, or "Error"
    // Assumes oSvc is an SWbemServices object obtained elsewhere and
    // _trace() is the script's logging function

    if (oSd.Path_.Class != "Win32_SecurityDescriptor") {
        _trace("Object is not a Security Descriptor!");
        return "Error";
    }

    // Set up the helper object, SDDL on Vista only!
    var oHelper = oSvc.Get("Win32_SecurityDescriptorHelper");

    var oInParam =
        oHelper.Methods_("Win32SDToSDDL").InParameters.SpawnInstance_();
    // Pass the descriptor handed to this function as the Descriptor parameter
    oInParam.Properties_.Item("Descriptor").Value = oSd;
    var oOut = oHelper.ExecMethod_("Win32SDToSDDL", oInParam);
    if (oOut.ReturnValue != 0) {
        _trace("Error getting SDDL string! " + oOut.ReturnValue);
        return "Error";
    }
    return oOut.SDDL;
}
--
Gerry Hickman (London UK)
Jialiang Ge [MSFT]
2009-02-09 05:03:34 UTC
Hello Gerry,

Thank you for the report. I can reproduce the problem using the steps: SDDL
outputted from Win32_SecurityDescriptorHelper.Win32SDToSDDL never shows ID.
I looked into the Win32_SecurityDescriptor object that was passed to
Win32_SecurityDescriptorHelper.Win32SDToSDDL. I dumped its Win32_ACE array
of the DACL property:

objDACL = objSD.DACL
For Each objACE in objDACL
    WScript.Echo objACE.AceFlags
Next

It outputs 16, the ID of INHERITED_ACE:

INHERITED_ACE (16, 0x10): The system sets this bit when it propagates an
inherited ACE to a child object.

From the test, I see that INHERITED_ACE does exist in the source
Win32_SecurityDescriptor object, however, it appears that
Win32_SecurityDescriptorHelper.Win32SDToSDDL ignored the inheritance flag
when it converts SD to SDDL. I agree that this is possibly a product issue
of Win32SDToSDDL. I have logged it into our product database, and am
waiting for the product group's further investigation.

As a workaround, Gerry, we can get the correct ID flag from the
Win32_SecurityDescriptor object. Does this workaround work for you?

Thank you again for the report.

Jialiang Ge (***@online.microsoft.com, remove 'online.')
Microsoft Online Community Support

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
***@microsoft.com.

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.

MSDN Managed Newsgroup support offering is for non-urgent issues where an
initial response from the community or a Microsoft Support Engineer within
2 business days is acceptable. Please note that each follow up response may
take approximately 2 business days as the support professional working with
you may need further investigation to reach the most efficient resolution.
The offering is not appropriate for situations that require urgent,
real-time or phone-based interactions. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/en-us/subscriptions/aa948874.aspx
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
Gerry Hickman
2009-02-10 21:09:44 UTC
Hello Jialiang Ge,

Thank you for the help with this.
Post by Jialiang Ge [MSFT]
From the test, I see that INHERITED_ACE does exist in the source
Win32_SecurityDescriptor object, however, it appears that
Win32_SecurityDescriptorHelper.Win32SDToSDDL ignored the inheritance flag
when it converts SD to SDDL.
Yes, that's the problem.
Post by Jialiang Ge [MSFT]
I agree that this is possibly a product issue
of Win32SDToSDDL. I have logged it into our product database, and am
waiting for the product group's further investigation.
OK, thanks, please let me know what they say.
Post by Jialiang Ge [MSFT]
As a workaround, Gerry, we can get the correct ID flag from the
Win32_SecurityDescriptor object. Does this workaround work for you?
No, I need the SDDL, otherwise the new helper classes are not helpful!
--
Gerry Hickman (London UK)
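An added example (not Gerry's code and not Microsoft's) that combines the two approaches in the thread: it takes the ID-less SDDL that Win32SDToSDDL returns together with the AceFlags values read from objSD.DACL (as in the VBScript dump above, in the same ACE order) and rewrites each DACL ACE's flag field, so the INHERITED_ACE bit is reflected in the SDDL. It is plain JavaScript over a constructed sample rather than live WMI calls; the bit-to-letter table comes from the documented ACE_HEADER flag values and SDDL ace_flags letters, and the DACL is assumed to precede any SACL, as in the thread's output.

```javascript
// AceFlags bit values and their SDDL letters (ACE_HEADER.AceFlags).
const ACE_FLAG_SDDL = [
  [0x01, "OI"], // OBJECT_INHERIT_ACE
  [0x02, "CI"], // CONTAINER_INHERIT_ACE
  [0x04, "NP"], // NO_PROPAGATE_INHERIT_ACE
  [0x08, "IO"], // INHERIT_ONLY_ACE
  [0x10, "ID"], // INHERITED_ACE (the value 16 seen in the DACL dump)
  [0x40, "SA"], // SUCCESSFUL_ACCESS_ACE_FLAG (SACL only)
  [0x80, "FA"], // FAILED_ACCESS_ACE_FLAG (SACL only)
];

// Numeric AceFlags -> SDDL letters, in the order Windows emits them.
function aceFlagsToSddl(aceFlags) {
  return ACE_FLAG_SDDL.filter(([bit]) => (aceFlags & bit) !== 0)
    .map(([, letters]) => letters).join("");
}

// Split an SDDL string around its DACL: text before "D:", the DACL control
// flags (e.g. "D:AI"), the ACE bodies, and anything after (a SACL, if any).
function splitDacl(sddl) {
  const d = sddl.indexOf("D:");
  if (d < 0) throw new Error("SDDL has no DACL");
  let end = sddl.indexOf("S:", d);
  if (end < 0) end = sddl.length;
  const dacl = sddl.slice(d, end);
  const firstAce = dacl.indexOf("(");
  const control = firstAce < 0 ? dacl : dacl.slice(0, firstAce);
  const aces = [...dacl.matchAll(/\(([^)]*)\)/g)].map((m) => m[1]);
  return { before: sddl.slice(0, d), control, aces, after: sddl.slice(end) };
}

// Rewrite every DACL ACE's flag field from the AceFlags array read off
// objSD.DACL (same order as the helper's output). Other fields are kept.
function restoreAceFlags(sddl, aceFlagsList) {
  const { before, control, aces, after } = splitDacl(sddl);
  if (aces.length !== aceFlagsList.length) {
    throw new Error("ACE count mismatch between SDDL and DACL array");
  }
  const fixed = aces.map((ace, i) => {
    const f = ace.split(";"); // type;flags;rights;object_guid;inherit_guid;sid
    f[1] = aceFlagsToSddl(aceFlagsList[i]);
    return "(" + f.join(";") + ")";
  });
  return before + control + fixed.join("") + after;
}

// Constructed sample: four of the thread's ACEs as the helper emits them, plus
// the AceFlags the same ACEs carry in the Win32_SecurityDescriptor.
const SAMPLE_SDDL =
  "O:SYG:SYD:AI(A;;FA;;;SY)(A;OICIIO;GA;;;SY)(A;;0x1200a9;;;BU)(A;OICIIO;GXGR;;;BU)";
const SAMPLE_ACEFLAGS = [0x10, 0x1b, 0x10, 0x1b]; // ID, OI|CI|IO|ID, ...
```

In the real script the AceFlags array would be built by walking oSd.DACL in the same loop shown in the VBScript above, then passed to restoreAceFlags together with oOut.SDDL.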
Jialiang Ge [MSFT]
2009-02-12 09:48:43 UTC
Hello Gerry

I understand your concerns. I have been trying to connect to the product
group, and am discussing the issue with my manager to see how to handle the
product issue properly. I will update you every one or two days about our
progress.

Thanks
Jialiang Ge (***@online.microsoft.com, remove 'online.')
Microsoft Online Community Support

Gerry Hickman
2009-02-12 22:13:29 UTC
Hello Jialiang,

Thank you for your communications with the product group, this is much
appreciated.
--
Gerry Hickman (London UK)
Jialiang Ge [MSFT]
2009-02-27 04:20:33 UTC
Hello Gerry

I sent an email about this issue to your mailbox a few days ago. Would you
please check the mail? In that message, I present our next action plan for
the problem.

Best Regards,
Jialiang Ge (***@online.microsoft.com, remove 'online.')
Microsoft Online Community Support

Gerry Hickman
2009-03-24 16:46:08 UTC
Hello,

In case others are interested, Microsoft Customer Support Services have now
confirmed this is a BUG.
--
Gerry Hickman
London (UK)