secaudit under Windows not displaying SACLs 

Joined: Mon Jun 11, 2012 22:44
Posts: 7
Post secaudit under Windows not displaying SACLs
I am currently using the compiled version of secaudit found on this page: http://b.andre.pagesperso-orange.fr/secaudit.html

Compiling a newer (assuming the one linked above isn't the most current) version of secaudit on Windows isn't possible, as the configure script for ntfs-3g explicitly disallows compilation under Windows, even with ./configure --disable-ntfs-3g

To give an example of a file where the SACLs are not displayed:

Code:
C:\Users\Nick Garvey\Desktop>subinacl /file acltestfile /display=sacl

+File C:\Users\Nick Garvey\Desktop\acltestfile
/audit ace count   =1
/aace =ngarvey-ws\nick garvey    SYSTEM_AUDIT_ACE_TYPE-0x2
   SUCCESSFUL_ACCESS_ACE_FLAG-0x40
    Type of access:
   Special acccess : -Delete  -Change Permissions  -Take Ownership
    Detailed Access Flags :
   FILE_READ_DATA-0x1          FILE_WRITE_DATA-0x2         FILE_APPEND_DATA-0x4       
   FILE_READ_EA-0x8            FILE_WRITE_EA-0x10          FILE_EXECUTE-0x20            FILE_DELETE_CHILD-0x40     
   FILE_READ_ATTRIBUTES-0x80   FILE_WRITE_ATTRIBUTES-0x100 DELETE-0x10000              READ_CONTROL-0x20000       
   WRITE_DAC-0x40000           WRITE_OWNER-0x80000         


vs. the secaudit output, which says "No SACL":

Code:
$ ntfs-tools/secaudit.exe -bvv Desktop/acltestfile  | head -n 40
No errors were found
secaudit 1.3.22 : NTFS security data auditing
#
# Recursive ACL collection on Mon Jun 11 23:52:43 2012
#
File Desktop/acltestfile
   No SACL
        000000  01000480 6c000000 88000000 00000000
        000010  14000000 02005800 03000000 00001400
        000020  ff011f00 01010000 00000005 12000000
        000030  00001800 ff011f00 01020000 00000005
        000040  20000000 20020000 00002400 ff011f00
        000050  01050000 00000005 15000000 8db9b70c
        000060  15a58521 057aca53 e8030000 01050000
        000070  00000005 15000000 8db9b70c 15a58521
        000080  057aca53 e8030000 01050000 00000005
        000090  15000000 8db9b70c 15a58521 057aca53
        0000a0  01020000
Computed hash : 0x87f00e90
# File Desktop/acltestfile hash 0x87f00e90
Windows attrib : 0x20
#   Global header
#       revision 1
#       flags    0x8004
#           DACL present
#           self relative descriptor
#       Off USID 0x6c
#       Off GSID 0x88
#       Off SACL 0x0
#       Off DACL 0x14
#   Owner SID
#       Local user-1000 SID
#       O:hex S-1-5-15-cb7b98d-2185a515-53ca7a05-3e8
#       O:dec S-1-5-21-213367181-562406677-1405778437-1000
#   Group SID
#       Local users SID
#       G:hex S-1-5-15-cb7b98d-2185a515-53ca7a05-201
#       G:dec S-1-5-21-213367181-562406677-1405778437-513
#   DACL
#       revision 2
-- snip --
#   No SACL
# Interpreted Unix owner 0, group 0, mode 0700
No errors were found
No errors were found


Ultimately my goal is to restore the ACL information into an NTFS image stored on a Linux machine, where the ACL information has been lost but many of the files are preserved. Other than needing to convert paths, secaudit appears to have most of the functionality for this. If secaudit isn't the right tool for this I am certainly open to other suggestions.

Thanks for your time.


Tue Jun 12, 2012 01:06
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Post Re: secaudit under Windows not displaying SACLs
Hi,

Quote:
Compiling a newer (assuming the one linked above isn't the most current) version of secaudit on Windows isn't possible

secaudit on Windows has to be compiled independently of ntfs-3g, but no significant change has been done since 1.3.22 which you are using, so it is not worth recompiling.
Quote:
To give an example of a file where the SACLs are not displayed:

Code:
   No SACL
        000000  01000480 6c000000 88000000 00000000

The last word on the first line is zero, hence there is no SACL there.
Quote:
Ultimately my goal is to restore the ACL information into an NTFS image stored on a Linux machine, where the ACL information has been lost but many of the files are preserved.

secaudit on Windows can only restore ACLs on files owned by the process running secaudit, because changing the owner on Windows requires the current owner to set the "take ownership" flag and the target owner to take the ownership, hence two processes would be needed.

The SACL is probably set elsewhere, system wide and inherited, and secaudit would not be able to restore it unless having some privilege.
Quote:
If secaudit isn't the right tool for this I am certainly open to other suggestions.

No idea

Regards

Jean-Pierre


Tue Jun 12, 2012 06:38
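
The header reading described in the reply above, as an added example that is not part of the original thread and not secaudit's code: a minimal C decoder for the 20-byte header of a self-relative security descriptor, run on the first five words of the dump posted above. The function and struct names are illustrative; the flag values are the standard winnt.h ones.

```c
#include <stdint.h>
#include <stdio.h>

#define SE_SACL_PRESENT  0x0010  /* control flag values as defined in winnt.h */
#define SE_SELF_RELATIVE 0x8000
#define SD_HEADER_LEN    20

struct sd_header {               /* decoded 20-byte header (names are illustrative) */
    uint8_t revision; uint16_t control;
    uint32_t off_owner, off_group, off_sacl, off_dacl;
};

static uint32_t le32(const uint8_t *p)
{ return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
/* An offset is acceptable when absent (0) or inside the descriptor, past the header. */
static int off_ok(uint32_t off, size_t sd_len)
{ return off == 0 || (off >= SD_HEADER_LEN && off < sd_len); }

/* buf: first 20 bytes; sd_len: size of the whole descriptor. 0 on success, -1 if malformed. */
int sd_parse_header(const uint8_t *buf, size_t sd_len, struct sd_header *h)
{
    if (sd_len < SD_HEADER_LEN) return -1;
    h->revision  = buf[0];
    h->control   = (uint16_t)(buf[2] | buf[3] << 8);
    h->off_owner = le32(buf + 4);
    h->off_group = le32(buf + 8);
    h->off_sacl  = le32(buf + 12);
    h->off_dacl  = le32(buf + 16);
    if (!(h->control & SE_SELF_RELATIVE)) return -1;
    if (!off_ok(h->off_owner, sd_len) || !off_ok(h->off_group, sd_len) ||
        !off_ok(h->off_sacl, sd_len) || !off_ok(h->off_dacl, sd_len)) return -1;
    return 0;
}

/* A SACL was returned only if the flag is set and the offset is nonzero. */
int sd_has_sacl(const struct sd_header *h)
{ return (h->control & SE_SACL_PRESENT) != 0 && h->off_sacl != 0; }

/* First five words of the dump posted above; the whole dump is 0xa4 bytes. */
const uint8_t sample_hdr[SD_HEADER_LEN] = { 0x01,0x00,0x04,0x80, 0x6c,0,0,0,
    0x88,0,0,0, 0,0,0,0, 0x14,0,0,0 };

int main(void)
{
    struct sd_header h;
    if (sd_parse_header(sample_hdr, 0xa4, &h) != 0) return 1;
    printf("Off SACL 0x%x: %s\n", (unsigned)h.off_sacl, sd_has_sacl(&h) ? "SACL present" : "No SACL");
    return 0;
}
```

The decoded fields match the "Global header" section of the secaudit output in the first post: flags 0x8004 has the DACL-present and self-relative bits but not the SACL-present bit, and the SACL offset is zero.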

Joined: Mon Jun 11, 2012 22:44
Posts: 7
Post Re: secaudit under Windows not displaying SACLs
Looking at the source for secaudit, it looks as if the proper permissions aren't requested to call GetFileSecurity with SACL_SECURITY_INFORMATION as an argument.

I believe I have a fix (via AdjustTokenPrivileges()), but I am unable to test it so I can submit it as a patch as I can't build secaudit to run on Windows. Is it possible to build on Windows or will I need to cross compile?


Tue Jun 12, 2012 23:24
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Post Re: secaudit under Windows not displaying SACLs
Hi,
Quote:
Looking at the source for secaudit, it looks as if the proper permissions aren't requested to call GetFileSecurity with SACL_SECURITY_INFORMATION as an argument.

Good point.
Quote:
I believe I have a fix (via AdjustTokenPrivileges()), but I am unable to test it so I can submit it as a patch as I can't build secaudit to run on Windows. Is it possible to build on Windows or will I need to cross compile?

You only need to have three source files : secaudit.c secaudit.h and acls.h, define WIN32 on the command line, and have the windows.h, stdio.h etc. headers available.
Then you should be able to compile by something like :
Code:
cc -DWIN32 -o secaudit.exe acls.c secaudit.c

where cc is the compiler you are using (either a Windows one or a cross-compiler one).
Of course, depending on your environment, you may have to add extra arguments to designate the location of the needed included files (windows.h, stdio.h, etc.), or even adapt a few things in the source code.
If you have some difficulty, just post your patch, and I will do the job (note : on this forum attachments must be compressed).

Regards

Jean-Pierre


Wed Jun 13, 2012 08:56

Joined: Mon Jun 11, 2012 22:44
Posts: 7
Post Re: secaudit under Windows not displaying SACLs
I've attached a patch for the fix. The only changed file is secaudit.c.


Attachments:
File comment: secaudit SACL patch
sacl_fix.zip [1.27 KiB]
Downloaded 751 times
Wed Jun 13, 2012 17:46

Joined: Mon Jun 11, 2012 22:44
Posts: 7
Post Re: secaudit under Windows not displaying SACLs
While attempting to compile, I wasn't able to resolve type conflicts. When you are compiling on your machine, how do you resolve this? This happens on both the 1.3.22 and the version I wrote the patch for.

Code:
In file included from libntfs-3g/acls.c:108:0:
src/secaudit.h:230:3: error: conflicting types for 'GUID'
c:\mingw\bin\../lib/gcc/mingw32/4.6.2/../../../../include/winnt.h:1786:3: note: previous declaration of 'GUID' was here


Wed Jun 13, 2012 18:06
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Post Re: secaudit under Windows not displaying SACLs
Hi,

Quote:
While attempting to compile, I wasn't able to resolve type conflicts. When you are compiling on your machine, how do you resolve this? This happens on both the 1.3.22 and the version I wrote the patch for.

I do not get the error, as I do not have GUID defined in winnt.h (probably an old version). Anyway, the declaration in secaudit.h is apparently not needed any more, so you can comment it (or change GUID to UNNEEDED_GUID).

In http://b.andre.pagesperso-orange.fr/secaudit.zip I have put secaudit for Windows, compiled with your patch (not tested). I have however noticed something odd :
Code:
selection = OWNER_SECURITY_INFORMATION | GROUP.... etc
[...]
if () selection |= SACL_SECURITY_INFORMATION;
[...]
if (selection ^ SACL_SECURITY_INFORMATION)

IMHO this last condition will always be true, and you might have wanted it more like :
Code:
if (selection & SACL_SECURITY_INFORMATION)

Now, I did not look into depth...

Regards

Jean-Pierre


Wed Jun 13, 2012 19:30

Joined: Mon Jun 11, 2012 22:44
Posts: 7
Post Re: secaudit under Windows not displaying SACLs
While your executable didn't appear to work (it ran, but didn't call Windows API functions properly?), your advice allowed me to successfully compile. Thanks a lot for your help.

I also noticed that there is a getdrive call, but I don't see a declaration for it anywhere. GetModuleFileName looks like a replacement.

In case you are curious, I've attached all of my changes.


Attachments:
sacl_fix.zip [1.7 KiB]
Downloaded 719 times
Wed Jun 13, 2012 23:58
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Post Re: secaudit under Windows not displaying SACLs
Hi,

Quote:
In case you are curious, I've attached all of my changes.

Thank you. Your improvements will be included in future versions.

Regards

Jean-Pierre


Thu Jun 14, 2012 08:48