FAQ SearchLogin
Tuxera Home
View unanswered posts | View active topics It is currently Wed May 12, 2021 01:50

Post new topic Reply to topic  [ 2 posts ] 
[BUG] Empty DACL considered invalid 
Author Message

Joined: Fri Aug 24, 2012 21:18
Posts: 30
Post [BUG] Empty DACL considered invalid

I had a report that wimlib, using libntfs-3g, was unable to set the security descriptors of 3 files from the values specified in a Windows Server 2012 image. It turns out that all 3 files shared the same security descriptor, and it had an empty DACL. That is, SE_DACL_PRESENT was set, and dacl_offset was nonzero and specified the offset to an ACL with zero ACEs located at the end of the SECURITY_DESCRIPTOR_RELATIVE structure.

The 3 files were all located in the "/Windows/System32/LogFiles/WMI/RtBackup" directory and were called "EtwRTDiagLog.etl", "EtwRTEventLog-System.etl", and "EtwRTEventLog-Application.etl". The security descriptor was as follows in hexadecimal (56 bytes):


On this security descriptor the following check in ntfs_valid_descr() failed, causing the security descriptor to be rejected:

                && (!offdacl
                        || ((offdacl >= sizeof(SECURITY_DESCRIPTOR_RELATIVE))
                            && (offdacl+sizeof(ACL) < attrsz)))

This case was in fact brought up a while back when the same problem occurred with empty SACLs. Despite the nonsensicalness of having a file that cannot be accessed under the Windows NT security model without acquiring backup privileges, it appears to be a valid case that is allowed by Windows NT and for some reason shows up in the directory mentioned above. Furthermore, I verified that on Windows, SetFileSecurity() and NtSetSecurityObject() will, with appropriate privileges, apply this security descriptor successfully. Also note that Microsoft does make a distinction between "null" and "empty" DACLs in their documentation (for example, see http://msdn.microsoft.com/en-us/library/windows/desktop/aa379286(v=vs.85).aspx).

I'd therefore recommend that the check be changed to:

                && (!offdacl
                        || ((offdacl >= sizeof(SECURITY_DESCRIPTOR_RELATIVE))
                            && (offdacl+sizeof(ACL) <= attrsz)))

In the meantime, for a workaround on security descriptors that end in an empty DACL, I'm considering placing a SACL after the empty DACL (creating an empty SACL if it was "null" before--- I understand the two cases to be equivalent, unlike with DACLs). Does this sound reasonable?

Mon Sep 16, 2013 23:14
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Post Re: [BUG] Empty DACL considered invalid

I'd therefore recommend that the check be changed to:

Sounds reasonable, will do.



Tue Sep 17, 2013 22:00
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 2 posts ] 

Who is online

Users browsing this forum: Google [Bot] and 3 guests

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group.
Original forum style by Vjacheslav Trushkin.