From: Stefan Kuhr on 7 Feb 2010 07:32

Hello Jeroen,

On 2/6/2010 8:44 PM, Jeroen Mostert wrote:
> On 2010-02-06 19:34, Stefan Kuhr wrote:
>> is there a canonical way to determine a well-known SID?
>
> <snip>
> I don't know if SID lookup functions like LookupAccountName() will
> return without a network call if the SID is well-known. It should be
> easy enough to find out. Even if a network call is required, it will
> almost certainly be cached, meaning that looking up a WKS won't bother
> the DC at all.

I think I will make the following approach: If my code is running on W2K3 server or higher, I will test the SID against IsWellKnownSid and the WELL_KNOWN_SID_TYPE enumeration members that are known at compile time. For older OS versions I will use the values documented in http://support.microsoft.com/kb/243330. For all other SIDs I will make a single call to LookupAccountSid and use the SID_NAME_USE value which is SidTypeWellKnownGroup for a well known SID. The results of the call to LookupAccountSid will be stored in a database table so next time my service starts, it will know that the SID is a well-known SID from the table lookup.

>> Can I safely assume that well-known SIDs will always be exactly
>> of the form S-1–x–y?
>
> No. For example, S-1-0 is the null authority and S-1-5-32-544 is the
> local administrators group. All SIDs in current use (well-known and
> otherwise) start with S-1-...

OK, let me rephrase my question: "Can I safely assume that well-known SIDs will always be exactly one of the two forms S-1–x or S-1–x–y or S-1–x–y-z?"

>> Are there any SIDs that are of the form S-1–x–y that
>> are not well-known SIDs?
>
> Knowledge of this is not stable. For example, S-1-16-4096 is not a
> well-known SID on Windows XP, but it is on Windows Vista.

That would not bother me, for my purposes it would be considered a well-known SID.

--
S
From: Jeroen Mostert on 7 Feb 2010 10:24

On 2010-02-07 13:32, Stefan Kuhr wrote:
> I think I will make the following approach: If my code is running on
> W2K3 server or higher, I will test the SID against IsWellKnownSid and
> the WELL_KNOWN_SID_TYPE enumeration members that are known at compile
> time. For older OS versions I will use the values documented in
> http://support.microsoft.com/kb/243330. For all other SIDs I will make a
> single call to LookupAccountSid and use the SID_NAME_USE value which is
> SidTypeWellKnownGroup for a well known SID. The results of the call to
> LookupAccountSid will be stored in a database table so next time my
> service starts, it will know that the SID is a well-known SID from the
> table lookup.

What an enormous amount of non-obvious trouble to go through. Have you considered getting a faster domain controller instead?

>>> Can I safely assume that well-known SIDs will always be exactly
>>> of the form S-1–x–y?
>>
>> No. For example, S-1-0 is the null authority and S-1-5-32-544 is the
>> local administrators group. All SIDs in current use (well-known and
>> otherwise) start with S-1-...
>
> OK, let me rephrase my question: "Can I safely assume that well-known
> SIDs will always be exactly one of the two forms S-1–x or S-1–x–y or
> S-1–x–y-z?"

First of all, that's three forms. Second -- no you can't, stressing "safely", unless you can point to where this is given as a rule. Third -- how is this supposed to help you distinguish well-known SIDs from not-so-well-known SIDs? There's no complementary rule that says "short" SIDs like that cannot be "full" SIDs. Premature optimization is bad enough if you *do* know the cases you're trying to optimize away.

>>> Are there any SIDs that are of the form S-1–x–y that
>>> are not well-known SIDs?
>>
>> Knowledge of this is not stable. For example, S-1-16-4096 is not a
>> well-known SID on Windows XP, but it is on Windows Vista.
>
> That would not bother me, for my purposes it would be considered a
> well-known SID.

My point is: there will be a well-known SID tomorrow that your code will *not* consider well-known. If you always consider SIDs of a particular form well-known, there might be a non-well-known SID tomorrow that has that particular form. Without guarantees, your assumptions are just setting you up for a compatibility issue later.

--
J.
From: Jonathan de Boyne Pollard on 7 Feb 2010 14:16

>>> Are there any SIDs that are of the form S-1-x-y that are not well-known SIDs?
>>
>> Yes, plenty. The 1 is the revision number of the SID structure.
>
> Um... Can you make an example of not-well-known SID with a single subauthority component (that's what the OP was asking)?

That's your inference, and not in fact an implication in the original question. There's no occurrence of the word "subauthority" anywhere in xyr post. Indeed, M. Kuhr's recent purported paraphrase of xyr question actually includes *two* subauthorities in one of its examples, contradicting your inference.

Even if one does incorporate your inference into the question, it's trivial to come up with examples, and you could have answered your own question with a moment's thought. There are, after all, tens of thousands of unused authorities and unused RIDs for existing authorities. You think that all SIDs with one RID are well-known? You tell us what S-1-2-45, S-1-1-32, and S-1-24-36 *are well-known as*, then. As I said, this is a trivial exercise, that you could easily have solved.
From: Jonathan de Boyne Pollard on 7 Feb 2010 14:16

> let me rephrase my question: "Can I safely assume that well-known SIDs will always be exactly one of the two forms S-1–x or S-1–x–y or S-1–x–y-z?"

That's not two forms. That's not a paraphrase. Nor is it what you want to know. You're *excluding* well-known SIDs in your program, so you should be asking whether any *non-*well-known SIDs match the trivial patterns that you want to use for pattern matching. The answer to that is, of course, "Yes.". There are tens of thousands of *non-*well-known SIDs that match your patterns. As I was just saying to M. Grigoriev, it is a trivial exercise to construct some, that doesn't require very much effort at all.

And this is to presume that your letters stand for one RID each, a presumption that is on shaky ground because you seem to think that the "S-1-x-y-z" in your paraphrase matches the "S-1-x-y" in your original, which of course would only be true if, like Microsoft's documentation, you actually *do not* mean one RID per letter. (In some of the TechNet documentation, Y denotes the entire string of RIDs, however long it is.) In which case, as M. Mostert said, your patterns in fact match all SIDs currently in existence.
From: Stefan Kuhr on 7 Feb 2010 17:01

Hi Jeroen,

Jeroen Mostert wrote:
> On 2010-02-07 13:32, Stefan Kuhr wrote:
>> I think I will make the following approach: If my code is running on
>> W2K3 server or higher, I will test the SID against IsWellKnownSid and
>> the WELL_KNOWN_SID_TYPE enumeration members that are known at compile
>> time. For older OS versions I will use the values documented in
>> http://support.microsoft.com/kb/243330. For all other SIDs I will make a
>> single call to LookupAccountSid and use the SID_NAME_USE value which is
>> SidTypeWellKnownGroup for a well known SID. The results of the call to
>> LookupAccountSid will be stored in a database table so next time my
>> service starts, it will know that the SID is a well-known SID from the
>> table lookup.
>
> What an enormous amount of non-obvious trouble to go through. Have you
> considered getting a faster domain controller instead?

It is not my domain controller, it is my customers' DCs, and it might be possible that the network might be very, very slow; this is something that is not under my control. I will have to store the results of my LDAP queries for the SID lookup in database tables anyway in order to avoid them whenever possible and the DC hasn't changed their uSNChanged attribute, so additionally storing well-known SIDs as well will not hurt anyway. In case your point is that looking up from the database server might also be slow - no, I am using an embedded database (SQLITE).

>> OK, let me rephrase my question: "Can I safely assume that well-known
>> SIDs will always be exactly one of the two forms S-1–x or S-1–x–y or
>> S-1–x–y-z?"
>
> First of all, that's three forms. Second -- no you can't, stressing
> "safely", unless you can point to where this is given as a rule. Third
> -- how is this supposed to help you distinguish well-known SIDs from
> not-so-well-known SIDs? There's no complementary rule that says "short"
> SIDs like that cannot be "full" SIDs. Premature optimization is bad
> enough if you *do* know the cases you're trying to optimize away.

True. I corrected my sentence to contain three example SID forms and forgot to replace "two" with "three" :-) - stupid me.

>>>> Are there any SIDs that are of the form S-1–x–y that
>>>> are not well-known SIDs?
>>>
>>> Knowledge of this is not stable. For example, S-1-16-4096 is not a
>>> well-known SID on Windows XP, but it is on Windows Vista.
>>
>> That would not bother me, for my purposes it would be considered a
>> well-known SID.
>
> My point is: there will be a well-known SID tomorrow that your code will
> *not* consider well-known. If you always consider SIDs of a particular
> form well-known, there might be a non-well-known SID tomorrow that has
> that particular form. Without guarantees, your assumptions are just
> setting you up for a compatibility issue later.

Agreed, relying on these forms of SIDs is stupid. There is no guarantee that a SID of this form is not going to be created tomorrow by some security authority and this is then not going to be a well-known SID. However, if I can determine successfully that a given SID is actually a well-known SID, that is enough for me. If my code that is compiled today instead considers a SID *not* to be a well-known SID but it actually is one that might get introduced in a future version of Windows (so it is not in the current values of the enum WELL_KNOWN_SID_TYPE or the documented values today), then this will not make my code work incorrectly because the LDAP query for the SID will then return ERROR_DS_NO_SUCH_OBJECT as the error. It would be just better if this LDAP query would not be necessary at all, that's why I want to filter out well-known SIDs. I cannot think of a compatibility issue in the future using this approach. SIDs that are documented well-known SIDs today, will also be well-known SIDs in the future, right? SIDs that will get introduced in the future will return ERROR_DS_NO_SUCH_OBJECT as the result of the LDAP query, so correctness is not a problem here.

Anyway, thank you very much for your input.

--
S
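The classification scheme argued over in this thread, modelled offline as an added example that is not code from any of the posters: a parser for the S-R-I-S1-...-Sn string form with the structural limits of the binary SID layout, a small constructed table of documented well-known SIDs standing in for IsWellKnownSid()/LookupAccountSid() (which need Windows and are not called here), and the table-first, cache-the-lookup layering Stefan describes. It also runs the counterexamples Jonathan gives (S-1-2-45, S-1-1-32, S-1-24-36) to show that the "short form" pattern matches SIDs that are not well-known, which is Jeroen's point about relying on the form. The names Sid, parse_sid, matches_short_form, SidClassifier and WELL_KNOWN, the injected lookup callable, and the decimal-only string handling are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Limits from the binary SID layout: a 6-byte identifier authority and at
# most SID_MAX_SUB_AUTHORITIES (15) 32-bit sub-authorities.
MAX_IDENTIFIER_AUTHORITY = (1 << 48) - 1
MAX_SUB_AUTHORITIES = 15
MAX_SUB_AUTHORITY_VALUE = (1 << 32) - 1

_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")


@dataclass(frozen=True)
class Sid:
    """Parsed form of an 'S-R-I-S1-...-Sn' string (hypothetical helper type)."""
    revision: int
    identifier_authority: int
    sub_authorities: Tuple[int, ...]

    def __str__(self) -> str:
        tail = "".join("-%d" % s for s in self.sub_authorities)
        return "S-%d-%d%s" % (self.revision, self.identifier_authority, tail)


def parse_sid(text: str) -> Sid:
    """Parse a decimal SID string and validate it against the structural limits.

    En-dashes (as in the thread's 'S-1–x–y' examples) are accepted as hyphens,
    since they come from the post and not from the format. The hex spelling some
    tools use for large identifier authorities is not handled (assumption).
    """
    m = _SID_RE.match(text.strip().replace("\u2013", "-"))
    if not m:
        raise ValueError("not a SID string: %r" % text)
    revision = int(m.group(1))
    authority = int(m.group(2))
    subs = tuple(int(s) for s in m.group(3).split("-")[1:])  # '' -> ()
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if authority > MAX_IDENTIFIER_AUTHORITY:
        raise ValueError("identifier authority exceeds 48 bits")
    if len(subs) > MAX_SUB_AUTHORITIES:
        raise ValueError("more than %d sub-authorities" % MAX_SUB_AUTHORITIES)
    if any(s > MAX_SUB_AUTHORITY_VALUE for s in subs):
        raise ValueError("sub-authority exceeds 32 bits")
    return Sid(revision, authority, subs)


# Constructed table: a few documented well-known SIDs (KB 243330 and the
# thread). On Windows this role is played by IsWellKnownSid() over
# WELL_KNOWN_SID_TYPE, or by LookupAccountSid() reporting SidTypeWellKnownGroup.
WELL_KNOWN: Dict[str, str] = {
    "S-1-0": "Null Authority",
    "S-1-0-0": "Nobody",
    "S-1-1-0": "Everyone",
    "S-1-5-18": "Local System",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-16-4096": "Low Mandatory Level",  # well-known from Vista on, per the thread
}


def matches_short_form(sid: Sid) -> bool:
    """The pattern proposed in the thread: S-1-x, S-1-x-y or S-1-x-y-z.

    Nothing in the SID format makes this a well-known test; the thread's own
    counterexamples (S-1-2-45, S-1-1-32, S-1-24-36) match it and are not listed.
    """
    return len(sid.sub_authorities) <= 2


class SidClassifier:
    """Layered check modelled on Stefan's plan: local table first, then an
    injected lookup (a stand-in for LookupAccountSid(), returning True when the
    SID would be SidTypeWellKnownGroup) whose verdict is cached, so a slow DC is
    consulted at most once per SID. The callable is an assumption of this example."""

    def __init__(self, lookup: Callable[[str], bool]):
        self._lookup = lookup
        self._cache: Dict[str, bool] = {}
        self.lookup_calls = 0

    def is_well_known(self, text: str) -> bool:
        key = str(parse_sid(text))  # canonical spelling, so variants share one entry
        if key in WELL_KNOWN:
            return True
        if key not in self._cache:
            self.lookup_calls += 1
            self._cache[key] = bool(self._lookup(key))
        return self._cache[key]


if __name__ == "__main__":
    clf = SidClassifier(lambda sid: False)  # stand-in lookup: nothing else is well-known
    for s in ("S-1-0", "S-1-5-32-544", "S-1–16–4096", "S-1-2-45", "S-1-1-32", "S-1-24-36"):
        sid = parse_sid(s)
        print("%-14s short-form=%-5s well-known=%s" % (sid, matches_short_form(sid), clf.is_well_known(s)))
```

The cache key is the canonical string produced by the parser rather than the raw input, so the same SID written with different punctuation does not trigger a second lookup; a real service would persist that cache the way Stefan proposes, and the point from the thread stands that the table can only ever say "well-known", never "not well-known", so a miss still has to go to the lookup.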