Refactor security descriptors

Author: Schamper

dissect/database/ese/ntds/c_sd.py

@@ -0,0 +1,121 @@
+from __future__ import annotations
+
+from dissect.cstruct import cstruct
+
+# Largely copied from dissect.ntfs
+sd_def = """
+flag SECURITY_DESCRIPTOR_CONTROL : WORD {
+    SE_OWNER_DEFAULTED                  = 0x0001,
+    SE_GROUP_DEFAULTED                  = 0x0002,
+    SE_DACL_PRESENT                     = 0x0004,
+    SE_DACL_DEFAULTED                   = 0x0008,
+    SE_SACL_PRESENT                     = 0x0010,
+    SE_SACL_DEFAULTED                   = 0x0020,
+    SE_DACL_AUTO_INHERIT_REQ            = 0x0100,
+    SE_SACL_AUTO_INHERIT_REQ            = 0x0200,
+    SE_DACL_AUTO_INHERITED              = 0x0400,
+    SE_SACL_AUTO_INHERITED              = 0x0800,
+    SE_DACL_PROTECTED                   = 0x1000,
+    SE_SACL_PROTECTED                   = 0x2000,
+    SE_RM_CONTROL_VALID                 = 0x4000,
+    SE_SELF_RELATIVE                    = 0x8000,
+};
+
+flag ACCESS_MASK : DWORD {
+    ADS_RIGHT_DS_CREATE_CHILD           = 0x00000001,
+    ADS_RIGHT_DS_DELETE_CHILD           = 0x00000002,
+    ADS_RIGHT_DS_LIST_CONTENTS          = 0x00000004,       // Undocumented?
+    ADS_RIGHT_DS_SELF                   = 0x00000008,
+    ADS_RIGHT_DS_READ_PROP              = 0x00000010,
+    ADS_RIGHT_DS_WRITE_PROP             = 0x00000020,
+    ADS_RIGHT_DS_CONTROL_ACCESS         = 0x00000100,
+
+    DELETE                              = 0x00010000,
+    READ_CONTROL                        = 0x00020000,
+    WRITE_DACL                          = 0x00040000,
+    WRITE_OWNER                         = 0x00080000,
+    SYNCHRONIZE                         = 0x00100000,
+    ACCESS_SYSTEM_SECURITY              = 0x01000000,
+    MAXIMUM_ALLOWED                     = 0x02000000,
+    GENERIC_ALL                         = 0x10000000,
+    GENERIC_EXECUTE                     = 0x20000000,
+    GENERIC_WRITE                       = 0x40000000,
+    GENERIC_READ                        = 0x80000000,
+};
+
+enum ACE_TYPE : BYTE {
+    ACCESS_ALLOWED                      = 0x00,
+    ACCESS_DENIED                       = 0x01,
+    SYSTEM_AUDIT                        = 0x02,
+    SYSTEM_ALARM                        = 0x03,
+    ACCESS_ALLOWED_COMPOUND             = 0x04,
+    ACCESS_ALLOWED_OBJECT               = 0x05,
+    ACCESS_DENIED_OBJECT                = 0x06,
+    SYSTEM_AUDIT_OBJECT                 = 0x07,
+    SYSTEM_ALARM_OBJECT                 = 0x08,
+    ACCESS_ALLOWED_CALLBACK             = 0x09,
+    ACCESS_DENIED_CALLBACK              = 0x0A,
+    ACCESS_ALLOWED_CALLBACK_OBJECT      = 0x0B,
+    ACCESS_DENIED_CALLBACK_OBJECT       = 0x0C,
+    SYSTEM_AUDIT_CALLBACK               = 0x0D,
+    SYSTEM_ALARM_CALLBACK               = 0x0E,
+    SYSTEM_AUDIT_CALLBACK_OBJECT        = 0x0F,
+    SYSTEM_ALARM_CALLBACK_OBJECT        = 0x10,
+    SYSTEM_MANDATORY_LABEL              = 0x11,
+    SYSTEM_RESOURCE_ATTRIBUTE           = 0x12,
+    SYSTEM_SCOPED_POLICY_ID             = 0x13,
+    SYSTEM_PROCESS_TRUST_LABEL          = 0x14,
+    SYSTEM_ACCESS_FILTER                = 0x15,
+};
+
+flag ACE_FLAGS : BYTE {
+    OBJECT_INHERIT_ACE                  = 0x01,
+    CONTAINER_INHERIT_ACE               = 0x02,
+    NO_PROPAGATE_INHERIT_ACE            = 0x04,
+    INHERIT_ONLY_ACE                    = 0x08,
+    INHERITED_ACE                       = 0x10,
+    SUCCESSFUL_ACCESS_ACE_FLAG          = 0x40,
+    FAILED_ACCESS_ACE_FLAG              = 0x80,
+};
+
+flag ACE_OBJECT_FLAGS : DWORD {
+    ACE_OBJECT_TYPE_PRESENT             = 0x01,
+    ACE_INHERITED_OBJECT_TYPE_PRESENT   = 0x02,
+};
+
+enum COMPOUND_ACE_TYPE : USHORT {
+    COMPOUND_ACE_IMPERSONATION          = 0x01,
+};
+
+typedef struct _ACL {
+    BYTE        AclRevision;
+    BYTE        Sbz1;
+    WORD        AclSize;
+    WORD        AceCount;
+    WORD        Sbz2;
+} ACL;
+
+typedef struct _ACE_HEADER {
+    ACE_TYPE    AceType;
+    ACE_FLAGS   AceFlags;
+    WORD        AceSize;
+} ACE_HEADER;
+
+typedef struct _SECURITY_DESCRIPTOR_HEADER {
+    ULONG       HashId;
+    ULONG       SecurityId;
+    ULONG64     Offset;
+    ULONG       Length;
+} SECURITY_DESCRIPTOR_HEADER;
+
+typedef struct _SECURITY_DESCRIPTOR_RELATIVE {
+    BYTE        Revision;
+    BYTE        Sbz1;
+    SECURITY_DESCRIPTOR_CONTROL Control;
+    ULONG       Owner;
+    ULONG       Group;
+    ULONG       Sacl;
+    ULONG       Dacl;
+} SECURITY_DESCRIPTOR_RELATIVE;
+"""
+c_sd = cstruct(sd_def)

dissect/database/ese/ntds/c_sd.pyi

@@ -0,0 +1,158 @@
+# Generated by cstruct-stubgen
+from typing import BinaryIO, TypeAlias, overload
+
+import dissect.cstruct as __cs__
+
+class _c_sd(__cs__.cstruct):
+    class SECURITY_DESCRIPTOR_CONTROL(__cs__.Flag):
+        SE_OWNER_DEFAULTED = ...
+        SE_GROUP_DEFAULTED = ...
+        SE_DACL_PRESENT = ...
+        SE_DACL_DEFAULTED = ...
+        SE_SACL_PRESENT = ...
+        SE_SACL_DEFAULTED = ...
+        SE_DACL_AUTO_INHERIT_REQ = ...
+        SE_SACL_AUTO_INHERIT_REQ = ...
+        SE_DACL_AUTO_INHERITED = ...
+        SE_SACL_AUTO_INHERITED = ...
+        SE_DACL_PROTECTED = ...
+        SE_SACL_PROTECTED = ...
+        SE_RM_CONTROL_VALID = ...
+        SE_SELF_RELATIVE = ...
+
+    class ACCESS_MASK(__cs__.Flag):
+        ADS_RIGHT_DS_CREATE_CHILD = ...
+        ADS_RIGHT_DS_DELETE_CHILD = ...
+        ADS_RIGHT_DS_SELF = ...
+        ADS_RIGHT_DS_READ_PROP = ...
+        ADS_RIGHT_DS_WRITE_PROP = ...
+        ADS_RIGHT_DS_CONTROL_ACCESS = ...
+        DELETE = ...
+        READ_CONTROL = ...
+        WRITE_DACL = ...
+        WRITE_OWNER = ...
+        SYNCHRONIZE = ...
+        ACCESS_SYSTEM_SECURITY = ...
+        MAXIMUM_ALLOWED = ...
+        GENERIC_ALL = ...
+        GENERIC_EXECUTE = ...
+        GENERIC_WRITE = ...
+        GENERIC_READ = ...
+
+    class ACE_TYPE(__cs__.Enum):
+        ACCESS_ALLOWED = ...
+        ACCESS_DENIED = ...
+        SYSTEM_AUDIT = ...
+        SYSTEM_ALARM = ...
+        ACCESS_ALLOWED_COMPOUND = ...
+        ACCESS_ALLOWED_OBJECT = ...
+        ACCESS_DENIED_OBJECT = ...
+        SYSTEM_AUDIT_OBJECT = ...
+        SYSTEM_ALARM_OBJECT = ...
+        ACCESS_ALLOWED_CALLBACK = ...
+        ACCESS_DENIED_CALLBACK = ...
+        ACCESS_ALLOWED_CALLBACK_OBJECT = ...
+        ACCESS_DENIED_CALLBACK_OBJECT = ...
+        SYSTEM_AUDIT_CALLBACK = ...
+        SYSTEM_ALARM_CALLBACK = ...
+        SYSTEM_AUDIT_CALLBACK_OBJECT = ...
+        SYSTEM_ALARM_CALLBACK_OBJECT = ...
+        SYSTEM_MANDATORY_LABEL = ...
+        SYSTEM_RESOURCE_ATTRIBUTE = ...
+        SYSTEM_SCOPED_POLICY_ID = ...
+        SYSTEM_PROCESS_TRUST_LABEL = ...
+        SYSTEM_ACCESS_FILTER = ...
+
+    class ACE_FLAGS(__cs__.Flag):
+        OBJECT_INHERIT_ACE = ...
+        CONTAINER_INHERIT_ACE = ...
+        NO_PROPAGATE_INHERIT_ACE = ...
+        INHERIT_ONLY_ACE = ...
+        INHERITED_ACE = ...
+        SUCCESSFUL_ACCESS_ACE_FLAG = ...
+        FAILED_ACCESS_ACE_FLAG = ...
+
+    class ACE_OBJECT_FLAGS(__cs__.Flag):
+        ACE_OBJECT_TYPE_PRESENT = ...
+        ACE_INHERITED_OBJECT_TYPE_PRESENT = ...
+
+    class COMPOUND_ACE_TYPE(__cs__.Enum):
+        COMPOUND_ACE_IMPERSONATION = ...
+
+    class _ACL(__cs__.Structure):
+        AclRevision: _c_sd.uint8
+        Sbz1: _c_sd.uint8
+        AclSize: _c_sd.uint16
+        AceCount: _c_sd.uint16
+        Sbz2: _c_sd.uint16
+        @overload
+        def __init__(
+            self,
+            AclRevision: _c_sd.uint8 | None = ...,
+            Sbz1: _c_sd.uint8 | None = ...,
+            AclSize: _c_sd.uint16 | None = ...,
+            AceCount: _c_sd.uint16 | None = ...,
+            Sbz2: _c_sd.uint16 | None = ...,
+        ): ...
+        @overload
+        def __init__(self, fh: bytes | memoryview | bytearray | BinaryIO, /): ...
+
+    ACL: TypeAlias = _ACL
+    class _ACE_HEADER(__cs__.Structure):
+        AceType: _c_sd.ACE_TYPE
+        AceFlags: _c_sd.ACE_FLAGS
+        AceSize: _c_sd.uint16
+        @overload
+        def __init__(
+            self,
+            AceType: _c_sd.ACE_TYPE | None = ...,
+            AceFlags: _c_sd.ACE_FLAGS | None = ...,
+            AceSize: _c_sd.uint16 | None = ...,
+        ): ...
+        @overload
+        def __init__(self, fh: bytes | memoryview | bytearray | BinaryIO, /): ...
+
+    ACE_HEADER: TypeAlias = _ACE_HEADER
+    class _SECURITY_DESCRIPTOR_HEADER(__cs__.Structure):
+        HashId: _c_sd.uint32
+        SecurityId: _c_sd.uint32
+        Offset: _c_sd.uint64
+        Length: _c_sd.uint32
+        @overload
+        def __init__(
+            self,
+            HashId: _c_sd.uint32 | None = ...,
+            SecurityId: _c_sd.uint32 | None = ...,
+            Offset: _c_sd.uint64 | None = ...,
+            Length: _c_sd.uint32 | None = ...,
+        ): ...
+        @overload
+        def __init__(self, fh: bytes | memoryview | bytearray | BinaryIO, /): ...
+
+    SECURITY_DESCRIPTOR_HEADER: TypeAlias = _SECURITY_DESCRIPTOR_HEADER
+    class _SECURITY_DESCRIPTOR_RELATIVE(__cs__.Structure):
+        Revision: _c_sd.uint8
+        Sbz1: _c_sd.uint8
+        Control: _c_sd.SECURITY_DESCRIPTOR_CONTROL
+        Owner: _c_sd.uint32
+        Group: _c_sd.uint32
+        Sacl: _c_sd.uint32
+        Dacl: _c_sd.uint32
+        @overload
+        def __init__(
+            self,
+            Revision: _c_sd.uint8 | None = ...,
+            Sbz1: _c_sd.uint8 | None = ...,
+            Control: _c_sd.SECURITY_DESCRIPTOR_CONTROL | None = ...,
+            Owner: _c_sd.uint32 | None = ...,
+            Group: _c_sd.uint32 | None = ...,
+            Sacl: _c_sd.uint32 | None = ...,
+            Dacl: _c_sd.uint32 | None = ...,
+        ): ...
+        @overload
+        def __init__(self, fh: bytes | memoryview | bytearray | BinaryIO, /): ...
+
+    SECURITY_DESCRIPTOR_RELATIVE: TypeAlias = _SECURITY_DESCRIPTOR_RELATIVE
+
+# Technically `c_sd` is an instance of `_c_sd`, but then we can't use it in type hints
+c_sd: TypeAlias = _c_sd

dissect/database/ese/ntds/database.py

@@ -159,7 +159,7 @@ def __init__(self, db: Database):
         self.db = db
         self.table = self.db.ese.table("sd_table")
 
-    def dacl(self, id: int) -> ACL | None:
+    def sd(self, id: int) -> ACL | None:
         """Get the Discretionary Access Control List (DACL), if available.
 
         Args:
@@ -175,5 +175,4 @@ def dacl(self, id: int) -> ACL | None:
         if (value := record.get("sd_value")) is None:
             return None
 
-        sd = SecurityDescriptor(BytesIO(value))
-        return sd.dacl
+        return SecurityDescriptor(BytesIO(value))

dissect/database/ese/ntds/object.py

@@ -1,5 +1,6 @@
 from __future__ import annotations
 
+from functools import cached_property
 from typing import TYPE_CHECKING, Any, ClassVar
 
 from dissect.database.ese.ntds.schema import FIXED_COLUMN_MAP
@@ -9,7 +10,7 @@
     from collections.abc import Iterator
 
     from dissect.database.ese.ntds.database import Database
-    from dissect.database.ese.ntds.sd import ACL
+    from dissect.database.ese.ntds.sd import ACL, SecurityDescriptor
     from dissect.database.ese.record import Record
 
 
@@ -32,7 +33,7 @@ def __init_subclass__(cls):
         cls.__known_classes__[cls.__object_class__] = cls
 
     def __repr__(self) -> str:
-        return f"<Object name={self.name} objectCategory={self.objectCategory} objectClass={self.objectClass}>"
+        return f"<Object name={self.name!r} objectCategory={self.objectCategory} objectClass={self.objectClass}>"
 
     def __getattr__(self, name: str) -> Any:
         return self.get(name)
@@ -77,6 +78,11 @@ def as_dict(self) -> dict[str, Any]:
 
         return result
 
+    @property
+    def sid(self) -> str | None:
+        """Return the object's Security Identifier (SID)."""
+        return self.get("objectSid")
+
     @property
     def distinguishedName(self) -> str | None:
         """Return the fully qualified Distinguished Name (DN) for this object."""
@@ -86,15 +92,25 @@ def distinguishedName(self) -> str | None:
 
     DN = distinguishedName
 
+    @cached_property
+    def sd(self) -> SecurityDescriptor | None:
+        """Return the Security Descriptor for this object."""
+        if (sd_id := self.get("nTSecurityDescriptor")) is not None:
+            return self.db.sd.sd(sd_id)
+        return None
+
     @property
-    def dacl(self) -> ACL | None:
-        """Get the Discretionary Access Control List (DACL) for this object.
+    def sacl(self) -> ACL | None:
+        """Return the System Access Control List (SACL) for this object."""
+        if (sd := self.sd) is not None:
+            return sd.sacl
+        return None
 
-        Returns:
-            The ACL object containing access control entries.
-        """
-        if (sd_id := self.get("nTSecurityDescriptor")) is not None:
-            return self.db.sd.dacl(sd_id)
+    @property
+    def dacl(self) -> ACL | None:
+        """Return the Discretionary Access Control List (DACL) for this object."""
+        if (sd := self.sd) is not None:
+            return sd.dacl
         return None
 
 
@@ -104,7 +120,7 @@ class Group(Object):
     __object_class__ = "group"
 
     def __repr__(self) -> str:
-        return f"<Group name={self.sAMAccountName}>"
+        return f"<Group name={self.sAMAccountName!r}>"
 
     def members(self) -> Iterator[User]:
         """Yield all members of this group."""
@@ -128,7 +144,7 @@ class Server(Object):
     __object_class__ = "server"
 
     def __repr__(self) -> str:
-        return f"<Server name={self.name}>"
+        return f"<Server name={self.name!r}>"
 
 
 class User(Object):
@@ -138,7 +154,7 @@ class User(Object):
 
     def __repr__(self) -> str:
         return (
-            f"<User name={self.name} sAMAccountName={self.sAMAccountName} "
+            f"<User name={self.name!r} sAMAccountName={self.sAMAccountName!r} "
             f"is_machine_account={self.is_machine_account()}>"
         )