Fix ACE SID comparion in RBCD module#21651
Conversation
|
Thanks for your pull request! As part of our landing process, we manually verify that all modules work as expected. We've added the |
smcintyre-r7
left a comment
There was a problem hiding this comment.
Yeah this looks right to me, I've got no changes to request. I was able to reproduce the original issue and then validate that these changes fix it.
New and fixed on the left, old and busted on the right. I ran the old test second, so you'll see that's why the first read output is slightly different because an empty object exists vs being entirely absent.
Release NotesThis fixes a bug in the Role Based Constrained Delegation (RBCD) module that prevented Access Control Entries (ACEs) from being removed due to a type mismatch while comparing Security Identifiers (SIDs). |
Description
This fixes a broken SID comparison.
action_removewas failing to remove the target ACE because of a type mismatch in how it compared SIDs. Before the module was doing:The two sides of that comparison aren't the same datatype.
ace.body.sidis aRex::Proto::MsDtyp::MsDtypSid, and when you compare it with ==, it uses its human-readable string form - something like "S-1-5-21-2324486357-...". Butdelegate_from[:objectSid].firstis the raw binary SID straight from LDAP ie:Net::BER::BerIdentifiedStringThe module was comparing a formatted SID string against raw bytes, which never matches. The
delete_ifblock always returned false, and the ACE was never removed.The fix is to parse the raw binary into a
MsDtypSidfirst, so both sides are comparing on the same type. This mirrors what#_action_write_createalready does before handing the SID off tobuild_ace, so it brings#action_removein line with the existing pattern.This also fixes the same bug in
#_action_write_update- its "already configured" check had the identical type mismatch, meaning it would never detect an existing duplicate entry.Related Issue:
This is was discovered when making these changes: #21647 however I figured it made sense to separate these PRs as they're different issues.
Breaking Changes
None
Reviewer Notes
Verification Steps
READaction of the rbcd module and verify there are no entries present for a specific machine accountWRITEaction and verify an entry gets written to the attributeREADaction to be extra super duper certain the entry was written successfullyREMOVEaction, it should say the entry was removedREADaction once more to verify the entry to was removedTest Evidence
Before
After
Environment
AI Usage Disclosure
kiro-cli
Pre-Submission Checklist