From 7f4508f61b125072a78e06643873fbab3e0b458c Mon Sep 17 00:00:00 2001
From: Douglas Bagnall
Date: Wed, 24 Jul 2024 17:24:59 +1200
Subject: [PATCH] libcli:security: allow spaces after BAD:
In AD_DS_Classes_Windows_Server_v1903.ldf from https://www.microsoft.com/en-us/download/details.aspx?id=23782, we see
defaultSecurityDescriptor: O:BAG:BAD: (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;AU)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15685
Signed-off-by: Douglas Bagnall
Reviewed-by: Jo Sutton
Autobuild-User(master): Douglas Bagnall
Autobuild-Date(master): Thu Jul 25 06:27:27 UTC 2024 on atb-devel-224
(cherry picked from commit 8903876f65d5721d30186875d391889d1ddcd52c)
---
libcli/security/sddl.c | 5 +++++
python/samba/tests/sddl.py | 10 +++++-----
2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/libcli/security/sddl.c b/libcli/security/sddl.c
index d1f77075238..c0fddb72e5f 100644
--- a/libcli/security/sddl.c
+++ b/libcli/security/sddl.c
@@ -814,6 +814,11 @@ static struct security_acl *sddl_decode_acl(struct security_descriptor *sd,
 return acl;
 }
+ /* Windows AD allows spaces here */
+ while (*sddl == ' ') {
+ sddl++;
+ }
+
 /* work out the ACL flags */
 if (!sddl_map_flags(acl_flags, sddl, flags, &len, true)) {
 *msg = talloc_strdup(sd, "bad ACL flags");
diff --git a/python/samba/tests/sddl.py b/python/samba/tests/sddl.py
index b594021013a..6d4448233e3 100644
--- a/python/samba/tests/sddl.py
+++ b/python/samba/tests/sddl.py
@@ -670,6 +670,11 @@ class SddlNonCanonical(SddlDecodeEncodeBase):
 ("O:LAG:BAD:(A;;CCDCLCSWRPWPDTLOCR;;;WD)"))),
 ("D:(A;;FAGX;;;SY)", "D:(A;;0x201f01ff;;;SY)"),
+ # whitespace before ACL string flags is ignored.
+ ("D: (A;;GA;;;LG)", "D:(A;;GA;;;LG)"),
+ ("D: AI(A;;GA;;;LG)", "D:AI(A;;GA;;;LG)"),
+ ("D: P(A;;GA;;;LG)", "D:P(A;;GA;;;LG)"),
+ ("D: S:","D:S:"),
 ]
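Review bot: The skip loop added ahead of the `sddl_map_flags()` call in `sddl_decode_acl` accepts only the ASCII space character, and the comment `/* Windows AD allows spaces here */` says neither which position "here" is nor whether stopping at `' '` is deliberate. A tab or line break in the same place (for example from a re-wrapped LDIF value) would presumably still end in the "bad ACL flags" error, so the intent is worth recording for whoever next touches this security-descriptor parser: `/* Windows AD allows spaces between the ACL tag and its flags (bug 15685); only ' ' is skipped here, not other whitespace */`. The loop itself is bounded, since the terminating NUL is not a space. The function begins and ends outside the hunk, so how the early `return acl;` just above interacts with space-prefixed input cannot be checked from these lines.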
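Review bot: The cases added to `SddlNonCanonical` pin only inputs that are now accepted; nothing in this hunk pins where the new leniency stops. Because the C change skips `' '` and nothing else, a negative case with a tab in the same position (a constructed example: `"D:\t(A;;GA;;;LG)"`, placed in whichever class holds strings expected to fail) would stop a later refactor from silently widening what the parser accepts. A case in which the spaces run up to the end of the string would also exercise the loop's exit on the terminator. Such cases may already exist elsewhere in the file, as the list continues outside the hunk.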
@@ -818,17 +823,12 @@ class SddlWindowsIsLessFussy(SddlDecodeEncodeBase):
 strings = [
 # whitespace is ignored, repaired on return
 ("D:(A;;GA;;; LG)", "D:(A;;GA;;;LG)"),
- ("D: (A;;GA;;;LG)", "D:(A;;GA;;;LG)"),
- # whitespace before ACL string flags is ignored.
- ("D: AI(A;;GA;;;LG)", "D:AI(A;;GA;;;LG)"),
 # wrong case on type is ignored, fixed
 ("D:(a;;GA;;;LG)", "D:(A;;GA;;;LG)"),
 ("D:(A;;GA;;;lg)", "D:(A;;GA;;;LG)"),
 ("D:(A;;ga;;;LG)", "D:(A;;GA;;;LG)"),
- ("D: S:","D:S:"),
 # whitespace around ACL flags
- ("D: P(A;;GA;;;LG)", "D:P(A;;GA;;;LG)"),
 ("D:P (A;;GA;;;LG)", "D:P(A;;GA;;;LG)"),
 # whitespace between ACES
--
2.34.1