Open dmeytin opened 3 years ago
I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.
Tagging subscribers to this area: @bartonjs, @vcsjones, @krwq, @GrabYourPitchForks See info in area-owners.md if you want to be subscribed.
| Author: | dmeytin |
|---|---|
| Assignees: | - |
| Labels: | `area-System.Security`, `untriaged` |
| Milestone: | - |
What specifically are you wanting to do to a SID on Linux? Linux itself has zero concept of what a SID is, so from a platform perspective it would just be an opaque identifier. What functionality would you need? To that end a simple SID implementation might look something as simple as:
I would expect a helper utility that parses the Sid value and is capable of verifying known Sid values.
How common is this scenario? On the face of it this seems quite a niche scenario.
Verify how?
A SID has a form of S-1-z-a[-b-c-d-e] where Z is an arbitrary authority type in the form of big endian 6 bytes. These are the known registered ones, but it can be whatever the caller wants.

```
NullAuthority = 0,
WorldAuthority = 1,
LocalAuthority = 2,
CreatorAuthority = 3,
NonUniqueAuthority = 4,
NTAuthority = 5,
SiteServerAuthority = 6,
InternetSiteAuthority = 7,
ExchangeAuthority = 8,
ResourceManagerAuthority = 9,
PassportAuthority = 10,
InternetAuthority = 11,
AadAuthority = 12,
AppPackageAuthority = 15,
MandatoryLabelAuthority = 16,
ScopedPolicyIdAuthority = 17,
AuthenticationAuthority = 18
```

A is an arbitrary unsigned 32 bit integer. B=>E are optional unsigned integers.
If you're looking for basic parsing and sanity checking then this is a fairly simple implementation to undertake. Otherwise anything more complicated like SID-to-name translation is going to require LDAP queries to AD.
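As an added example (editorial, not the gist under review and not runtime code), here is a compact parser for the binary layout described above: a revision byte, a sub-authority count, the 6-byte big-endian authority, then little-endian 32-bit sub-authorities, followed by a well-known check against a constructed table. The class and method names, and the three-entry well-known table, are assumptions made for the example.

```csharp
using System;
using System.Buffers.Binary;
using System.Collections.Generic;
using System.Text;

// Added example (not from the issue or the runtime): parse a binary SID into
// its S-1-z-a[-b-...] string form and check it against a small well-known table.
public static class SidParser
{
    // Constructed table for the example; a real list would be far longer.
    private static readonly Dictionary<string, string> WellKnown = new()
    {
        ["S-1-1-0"] = "Everyone (WorldAuthority)",
        ["S-1-5-18"] = "LocalSystem (NTAuthority)",
        ["S-1-5-32-544"] = "BUILTIN\\Administrators",
    };

    // Binary layout: revision(1) | subAuthorityCount(1) | authority(6, big endian)
    //                | subAuthorityCount x uint32 (little endian)
    public static string Parse(ReadOnlySpan<byte> sid)
    {
        if (sid.Length < 8) throw new FormatException("SID shorter than the 8-byte header.");
        byte revision = sid[0];
        int count = sid[1];
        if (revision != 1) throw new FormatException($"Unsupported SID revision {revision}.");
        // Windows caps a SID at 15 sub-authorities; reject anything claiming more.
        if (count > 15) throw new FormatException("SID has more than 15 sub-authorities.");
        // Length must match the declared count exactly, so trailing or missing bytes are rejected.
        if (sid.Length != 8 + 4 * count)
            throw new FormatException("SID length does not match sub-authority count.");

        // Authority is 6 bytes big endian; fold it into a ulong (high two bytes stay zero).
        ulong authority = 0;
        for (int i = 2; i < 8; i++) authority = (authority << 8) | sid[i];

        var sb = new StringBuilder($"S-{revision}-{authority}");
        for (int i = 0; i < count; i++)
            sb.Append('-').Append(BinaryPrimitives.ReadUInt32LittleEndian(sid.Slice(8 + 4 * i, 4)));
        return sb.ToString();
    }

    public static bool IsWellKnown(ReadOnlySpan<byte> sid, out string? name)
        => WellKnown.TryGetValue(Parse(sid), out name);

    public static void Main()
    {
        // Constructed input: S-1-5-32-544 (BUILTIN\Administrators) in binary form.
        byte[] admins = { 1, 2, 0, 0, 0, 0, 0, 5, 0x20, 0, 0, 0, 0x20, 0x02, 0, 0 };
        Console.WriteLine(Parse(admins));
        Console.WriteLine(IsWellKnown(admins, out var n) ? n : "not well-known");
    }
}
```

Anything beyond this (SID-to-name for domain accounts) needs the LDAP lookups mentioned in the comment above; the table approach only covers fixed well-known values.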
The most important functionality is the ability to parse the given byte array and to perform IsWellKnown[Sid] validation. I've tried to create my own implementation based on Mono and the C code. Can you please let me know whether this implementation is accurate? https://microsoft-my.sharepoint.com/:u:/p/dmmeytin/EfExhHU1XqBEoF-PgnEeMJUB-yhx17SdKZhnSxGkzjIrqg?e=NeKz1e
Can you post that code as a gist or something that's more easily reviewable?
It’s about 10+ files. Not sure how to make a gist from the folder…
@Steve, do you want me to send it to you privately as an archive?
You can just paste the code here: https://gist.github.com/ and get a private link to the gist.
Done: https://gist.github.com/dmeytin/2f7c2142d9b72b895568d67d2f02b690
I don't see any glaring issues with how it functions and it looks like it would correctly parse a SID of any form. I didn't review all the constants. They look about right from memory, but also if this code was forked from the Mono code then I'd expect it to be accurate.
Thank you very much!
Problem description:
Our security product, which is running on Linux, should parse SID details received from Windows clients and validate that the value is correct. Unfortunately all related functionality is hidden behind native DLL invocation. This PR is about adding a Linux utility to work with SIDs. More details about the Windows implementation can be found here
Describe the solution you'd like
The best alternative will be Linux equivalent of the Windows functionality.