Skip to content

Add Support for Windows Security Descriptors in SMB2 Client #27

@elfrucool

Description

@elfrucool

Overview

This enhancement adds support for reading and setting Windows security descriptors through the SMB2 client. This functionality is essential for applications that need to interact with Windows file permissions, enabling proper security management in Windows-based file sharing scenarios.

Implementation Details

The implementation adds support for security descriptor operations as defined in [MS-DTYP] 2.4.6. Security descriptors contain critical security information including:

  • Owner SID
  • Group SID
  • Discretionary Access Control List (DACL)
  • System Access Control List (SACL)

Reading Security Descriptors

The implementation supports querying security information using QUERY_INFO with the following security information flags ([MS-DTYP] 2.4.7):

  • OWNER_SECURITY_INFORMATION
  • GROUP_SECURITY_INFORMATION
  • DACL_SECURITY_INFORMATION
  • SACL_SECURITY_INFORMATION

This allows applications to retrieve comprehensive security information about files and directories.

Setting Security Descriptors

Support for modifying security descriptors through SET_INFO operations enables applications to:

  • Change file/directory ownership
  • Modify access permissions
  • Update audit settings
  • Manage inheritance flags

Technical Implementation Notes

  • Implementation follows [MS-SMB2] 2.2.37 for QUERY_INFO and [MS-SMB2] 2.2.39 for SET_INFO operations
  • Security descriptor structure adheres to [MS-DTYP] 2.4.6 specification
  • Operations require appropriate access rights validation
  • Implementation currently uses separate CREATE and QUERY/SET operations
    • While SMB2 compound operations could potentially optimize this in the future, the current implementation prioritizes functionality and reliability

Benefits

This enhancement enables several important scenarios:

  1. Security auditing of file systems
  2. Programmatic permission management
  3. Access control migration and replication
  4. Security policy enforcement
  5. Compliance monitoring and reporting

References

  1. [MS-DTYP] 2.4.6 "SECURITY_DESCRIPTOR Structure"
  2. [MS-DTYP] 2.4.7 "SECURITY_INFORMATION"
  3. [MS-SMB2] 2.2.37 "SMB2 QUERY_INFO Request"
  4. [MS-SMB2] 2.2.39 "SMB2 SET_INFO Request"

Next Steps

  1. Add comprehensive tests for security descriptor operations
  2. Document the new APIs and their usage
  3. Add examples for common security management scenarios
  4. Consider performance optimizations in future iterations

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions