jborean93 / smbprotocol

Python SMBv2 and v3 Client
MIT License

Unable to get accurate acl from Security Descriptor #277

Open surajvenkat92 opened 3 months ago

surajvenkat92 commented 3 months ago

I am using the smb_security_descriptor.py example to get the list of users and the access they have. It is returning a response, but it is misleading. For example:

- user1 -> Read and execute, read, list
- user 2 -> Read and execute, read, list, write

For both the users, I am getting READ_CONTROL and SYNCHRONIZE as the mask flag.

Is there a way you can help me to decode this DACL to match the one we choose in Security windows?

jborean93 commented 3 months ago

This library returns the full security descriptor from the server. I'm unsure what the differences are between how the server represents the ACEs, but on a test I can see that the mask is returning the correct values and also returned inherited ACEs.

```
[
    AccessAllowedAce:
        ace_type = (0) ACCESS_ALLOWED_ACE_TYPE
        ace_flags = (3) CONTAINER_INHERIT_ACE, OBJECT_INHERIT_ACE
        ace_size = 24
        mask = (2032127) DELETE, READ_CONTROL, SYNCHRONIZE, WRITE_DACL, WRITE_OWNER
        sid =
        S-1-5-32-545

        Raw Hex:
            00 03 18 00 FF 01 1F 00
            01 02 00 00 00 00 00 05
            20 00 00 00 21 02 00 00,
    AccessAllowedAce:
        ace_type = (0) ACCESS_ALLOWED_ACE_TYPE
        ace_flags = (19) CONTAINER_INHERIT_ACE, INHERITED_ACE, OBJECT_INHERIT_ACE
        ace_size = 20
        mask = (2032127) DELETE, READ_CONTROL, SYNCHRONIZE, WRITE_DACL, WRITE_OWNER
        sid =
        S-1-5-18

        Raw Hex:
            00 13 14 00 FF 01 1F 00
            01 01 00 00 00 00 00 05
            12 00 00 00,
...
]
```

Potentially the GUI groups up ACEs for the same principal so it doesn't show duplicates whereas this library gives you the raw SD and doesn't do any processing on top.

surajvenkat92 commented 3 months ago

In Windows, we have the below permissions:

- Read and execute
- Read
- List
- Write
- Modify
- Full Control
- Special permissions

How can I infer these from the mask value returned as a part of the Security Descriptor? In short, from the DACL list, is there a way I can get the below standard access?

- STANDARD_RIGHTS_ALL
- STANDARD_RIGHTS_EXECUTE
- STANDARD_RIGHTS_READ
- STANDARD_RIGHTS_REQUIRED
- STANDARD_RIGHTS_WRITE

jborean93 commented 3 months ago

The mask values are the normal file access mask values used on Windows. This library has a pre-defined set of access mask values for files/pipes and directories at https://github.com/jborean93/smbprotocol/blob/3f69e6dac58e75edc75cba3f20e50b39b3c53d19/src/smbprotocol/open.py#L128-L185

surajvenkat92 commented 3 months ago

In the Security Descriptor, I am setting the below permission set:

- User 1: Read and execute, List, Read
- User 2: Read and execute, List, Read, Write

In this case, I am getting READ_CONTROL, SYNCHRONIZE as the DACL values for User1 and User2. Is there a way I can identify that User 2 has Read/Write access?

jborean93 commented 3 months ago

The response from SMB is the raw security descriptor and ACE entries for the DACL. If they do not have the entry for the user, then when you set it, it probably is just already part of another rule. Not much you can do about that as this library just gets the raw ACE entries.
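
The ACE output earlier in the thread names only standard rights, yet the mask 2032127 is 0x1F01FF, and its low 16 bits carry the file-specific read, write and execute rights. The following is an added example, not code from the thread participants or from smbprotocol: it parses the raw ACE bytes shown above and maps a mask to the basic permissions of the Windows security dialog. The `BASIC` groupings and the two per-user masks are assumptions constructed for illustration, and "List" is not modelled.

```python
import struct

# Generic rights expand to file rights (Windows SDK values).
GENERIC_MAP = {
    0x80000000: 0x120089,  # GENERIC_READ    -> FILE_GENERIC_READ
    0x40000000: 0x120116,  # GENERIC_WRITE   -> FILE_GENERIC_WRITE
    0x20000000: 0x1200A0,  # GENERIC_EXECUTE -> FILE_GENERIC_EXECUTE
    0x10000000: 0x1F01FF,  # GENERIC_ALL     -> FILE_ALL_ACCESS
}
# Assumed grouping of bits behind each basic-permission checkbox.
BASIC = [
    ("Full control", 0x1F01FF),
    ("Modify", 0x1301BF),
    ("Read & execute", 0x1200A9),
    ("Read", 0x120089),
    ("Write", 0x100116),
]

def parse_ace(raw):
    """Parse an access allowed/denied ACE: 4-byte header, mask, SID."""
    ace_type, flags, size, mask = struct.unpack_from("<BBHI", raw, 0)
    if size != len(raw):
        raise ValueError("ace_size does not match buffer length")
    revision, count = struct.unpack_from("<BB", raw, 8)
    authority = int.from_bytes(raw[10:16], "big")  # 6 bytes, big-endian
    subs = struct.unpack_from("<%dI" % count, raw, 16)
    sid = "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])
    return {"type": ace_type, "flags": flags, "mask": mask, "sid": sid}

def basic_permissions(mask):
    """Return every basic permission whose bits are all set in mask."""
    for generic_bit, file_bits in GENERIC_MAP.items():
        if mask & generic_bit:
            mask = (mask & ~generic_bit) | file_bits
    names, covered = [], 0
    for name, bits in BASIC:
        if mask & bits == bits:
            names.append(name)
            covered |= bits
    if mask & ~covered:  # bits that no matched checkbox accounts for
        names.append("Special permissions")
    return names

if __name__ == "__main__":
    # First ACE from the raw hex in the thread (S-1-5-32-545).
    ace = parse_ace(bytes.fromhex(
        "00 03 18 00 FF 01 1F 00 01 02 00 00 00 00 00 05 20 00 00 00 21 02 00 00"))
    print(ace["sid"], hex(ace["mask"]), basic_permissions(ace["mask"]))
    # Constructed masks for the two users described in the thread.
    for label, mask in (("User 1", 0x1200A9), ("User 2", 0x1201BF)):
        print(label, hex(mask), basic_permissions(mask))
```

Comparing the integer mask rather than the printed flag names is what separates the two users: both constructed masks contain READ_CONTROL and SYNCHRONIZE, but only the second has the write bits set.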