git.ipfire.org Git - thirdparty/samba.git/commitdiff
pytest: security_descriptors test for repetitive ACLs
author Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Mon, 4 Sep 2023 22:56:43 +0000 (10:56 +1200)
committer Andrew Bartlett <abartlet@samba.org>
Tue, 26 Sep 2023 23:45:35 +0000 (23:45 +0000)

If there are multiple identical ACEs in an SDDL ACL, Windows will decode
them all and put extra trailing zeroes at the end of the ACL.

In contrast, Samba will decode the ACEs and not put extra zeroes at the
end.

The problem comes when Samba tries to read a binary ACL from Windows that
has the extra zeroes, because Samba's ACL size calculation is based on
the size of its constituent ACEs, not the ACL size field.

There is no good reason for an ACL to have repeated ACEs, but they could
be added accidentally.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
libcli/security/tests/data/oversize-acls.json.gz [new file with mode: 0644]
python/samba/tests/security_descriptors.py
selftest/knownfail.d/security-descriptors
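
The size mismatch the commit message describes, as an added example that is not part of this commit or of Samba's code: a reader that requires the ACL to be exactly as large as its ACEs, beside one that bounds itself by the ACL size field and accepts zero-filled slack. All function names are hypothetical, the header layouts follow MS-DTYP, and the sample ACL (four identical deny ACEs for S-1-1-0, eight bytes of padding) is constructed.

```python
import struct

ACL_HDR = struct.Struct("<BBHHH")   # AclRevision, Sbz1, AclSize, AceCount, Sbz2
ACE_HDR = struct.Struct("<BBH")     # AceType, AceFlags, AceSize

def build_acl(aces, padding=0):
    """Serialise ACEs into an ACL, optionally with trailing zero bytes."""
    body = b"".join(aces)
    size = ACL_HDR.size + len(body) + padding
    return ACL_HDR.pack(2, 0, size, len(aces), 0) + body + b"\0" * padding

def walk_aces(buf):
    """Return (AclSize, bytes consumed by the header plus AceCount ACEs)."""
    _rev, _sbz1, acl_size, ace_count, _sbz2 = ACL_HDR.unpack_from(buf, 0)
    if acl_size < ACL_HDR.size or acl_size > len(buf):
        raise ValueError("AclSize outside buffer")
    off = ACL_HDR.size
    for _ in range(ace_count):
        if off + ACE_HDR.size > acl_size:
            raise ValueError("ACE header runs past AclSize")
        _type, _flags, ace_size = ACE_HDR.unpack_from(buf, off)
        if ace_size < ACE_HDR.size or off + ace_size > acl_size:
            raise ValueError("ACE body runs past AclSize")
        off += ace_size
    return acl_size, off

def parse_exact(buf):
    """Strict reader: the ACL must be exactly as big as its ACEs."""
    acl_size, used = walk_aces(buf)
    if used != acl_size:
        raise ValueError(f"{acl_size - used} unexpected bytes after last ACE")
    return used

def parse_by_size_field(buf):
    """Tolerant reader: trust AclSize, accept only zero bytes as slack."""
    acl_size, used = walk_aces(buf)
    if any(buf[used:acl_size]):
        raise ValueError("non-zero bytes after last ACE")
    return acl_size

# Constructed sample: ACCESS_DENIED ACE (type 1), mask 0, SID S-1-1-0.
SID_WORLD = bytes([1, 1, 0, 0, 0, 0, 0, 1]) + struct.pack("<I", 0)
ACE = (ACE_HDR.pack(1, 0, ACE_HDR.size + 4 + len(SID_WORLD))
       + struct.pack("<I", 0) + SID_WORLD)
TIGHT = build_acl([ACE] * 4)
PADDED = build_acl([ACE] * 4, padding=8)   # padding length is an assumption
```

Both readers accept `TIGHT`; only `parse_by_size_field` accepts `PADDED`, and it still rejects slack that is not all zeroes.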

diff --git a/libcli/security/tests/data/oversize-acls.json.gz b/libcli/security/tests/data/oversize-acls.json.gz
new file mode 100644 (file)
index 0000000..a45348b
Binary files /dev/null and b/libcli/security/tests/data/oversize-acls.json.gz differ
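Review bot: The new fixture oversize-acls.json.gz is an opaque binary in this diff, and nothing visible records how it was produced. Since the commit message attributes the trailing zeroes to Windows behaviour, please note in the commit message or the test docstring which Windows build generated the descriptors and with what procedure, so the data can be regenerated and checked later.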
index e63eca4bce936aa56a82ad6f946a40cc0cfc5882..3edf8a8155d5d4163bf8c5b469ce55abe6f56308 100644 (file)
@@ -136,3 +136,15 @@ class SDDLvsDescriptorRegistryObjectRights(SDDLvsDescriptorBase):
     """We'll fail these because we don't recognise 'KA' and related object
     rights strings that are used for registry objects."""
     json_file = TEST_DIR / 'registry-object-rights.json'
+
+
+@DynamicTestCase
+class SDDLvsDescriptorOverSizeAcls(SDDLvsDescriptorBase):
+    """These are ordinary ACLs that contain duplicate ACEs (e.g.
+    'D:P(D;;;;;MP)(D;;;;;MP)(D;;;;;MP)(D;;;;;MP)'). Due to a
+    peculiarity in Windows, the ACL structures generated have extra
+    trailing zero bytes. Due to a peculiarity in the way Samba reads
+    an ACL (namely, it assumes an ACL will be just big enough for its
+    ACEs), these cannot currently be parsed by Samba.
+    """
+    json_file = TEST_DIR / 'oversize-acls.json.gz'
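Review bot: json_file in SDDLvsDescriptorOverSizeAcls points at a gzip-compressed file ('oversize-acls.json.gz'), while the sibling class in the context lines loads a plain 'registry-object-rights.json'. The loader in SDDLvsDescriptorBase is not part of this diff, so please confirm it decompresses .gz input; otherwise these cases would fail at load time and the knownfail entry would hide that rather than the parsing problem the docstring describes. The docstring's "cannot currently be parsed by Samba" will also need updating together with the knownfail when the parser is fixed.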
index e9bf6425787f39f5ecfcd63dd43c6f99fbbfc029..c985057f94f889fc839e1258891a98abaa8f50f4 100644 (file)
@@ -1 +1,3 @@
 ^samba.tests.security_descriptors.+SDDLvsDescriptorRegistryObjectRights.+
+^samba.tests.security_descriptors.+SDDLvsDescriptorOverSizeAcls.+
+
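Review bot: The last added line in selftest/knownfail.d/security-descriptors is an empty line at end of file, which can be dropped. The new pattern ^samba.tests.security_descriptors.+SDDLvsDescriptorOverSizeAcls.+ also covers every generated case in the class, so a failure unrelated to the trailing-zero issue would be masked too; that matches the existing SDDLvsDescriptorRegistryObjectRights entry, but it is worth a comment saying the entry should be removed as a whole once the ACL size handling changes.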