Open exoosh opened 2 years ago
| Author: | exoosh |
|---|---|
| Assignees: | - |
| Labels: | `area-System.Security`, `:watch: Not Triaged`, `Pri3` |
| Milestone: | - |
The documentation ends with the following remark:
The remark is correct regarding the ordering of ACEs in a DACL and that a well-formed (i.e. canonically sorted) DACL has the Deny ACEs before the Allow ACEs. It does matter.
Also, since the base class implementation of `NativeObjectSecurity.Persist()` uses `Win32.SetSecurityInfo()`: ... one might expect that the outcome is some wildly ill-formed (i.e. non-canonical) ACL.
And the remark is borderline FUD due to its suggestive wording, as if one would potentially need to fix up the ACL's order of ACEs as follows, quote:
Back to the remark. Walking the DACL isn't the same as having to fix it. But since the explicit ACEs come first and within that group the Deny ACEs come first, it's totally unclear what may need fixing, let alone how to fix it.
But the suggestive, yet vague, remark becomes questionable once you notice that DACLs always seem to get canonicalized by the .NET Framework, via this code (and references to this method).
So what's the purpose of the remark?
With best regards,
Oliver
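
The ordering rule discussed in the issue above, as an added example that is not part of the original post or of the .NET code base: a simplified Python model that checks the explicit-deny, explicit-allow, inherited order, re-sorts a DACL into it, and uses an in-order access walk to show why the order matters. The `Ace` fields, trustee names, `READ` bit and sample DACL are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    kind: str        # "deny" or "allow"
    inherited: bool  # True if the ACE came from a parent object
    trustee: str     # constructed names stand in for SIDs
    mask: int        # access bits covered by this ACE

READ = 0x1  # constructed access bit for the sample

def stage(ace):
    """0 = explicit deny, 1 = explicit allow, 2 = inherited (either kind)."""
    if ace.inherited:
        return 2
    return 0 if ace.kind == "deny" else 1

def is_canonical(dacl):
    """True if the stages never go backwards while walking the DACL."""
    stages = [stage(a) for a in dacl]
    return stages == sorted(stages)

def canonicalize(dacl):
    """Stable sort: relative order inside each stage is preserved."""
    return sorted(dacl, key=stage)

def access_granted(dacl, sids, desired):
    """Walk ACEs in order; a matching deny on a still-needed bit ends the walk."""
    remaining = desired
    for ace in dacl:
        if ace.trustee not in sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False  # bits not explicitly allowed are denied

# Constructed, deliberately non-canonical DACL: an allow precedes a deny.
SAMPLE = [
    Ace("allow", False, "Users", READ),
    Ace("deny", False, "alice", READ),
    Ace("allow", True, "Admins", READ),
]
ALICE = {"alice", "Users"}  # constructed token: the user plus one group

if __name__ == "__main__":
    print(is_canonical(SAMPLE), access_granted(SAMPLE, ALICE, READ))
    fixed = canonicalize(SAMPLE)
    print(is_canonical(fixed), access_granted(fixed, ALICE, READ))
```

With the sample as given, the group allow is reached before the user's deny, so the walk grants access; once sorted, the deny is evaluated first.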