Proposal Details

On Windows, access to an object / file can be controlled through the Discretionary Access Control List (DACL). The DACL contains a list of Access Control Entries (ACEs), which can be retrieved through the GetAce syscall.

Currently, we have support for manipulating the DACLs and setting ACEs, but there's no support for querying / retrieving set ACEs on an object / file, and there is no wrapper for GetAce, which would allow us to retrieve them.

References:

  • https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-ace_header
  • https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-access_allowed_ace
  • https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-getace
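The layouts the references above describe (the ACL header, ACE_HEADER, and ACCESS_ALLOWED_ACE with its inline SID) can be walked in pure Go once the ACL bytes are in hand. The following is an added example, not code from the x/sys change under discussion: it parses a constructed DACL buffer, validating every AceSize against AclSize, which is the same bounds check a caller of a GetAce wrapper has to make before dereferencing the returned pointer. The names ACE, ParseACL and SampleDACL are this example's own.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// ACE is one parsed entry: the ACE_HEADER fields plus, for allowed/denied ACEs, the mask and trustee SID.
type ACE struct {
	Type, Flags uint8
	Mask        uint32
	SID         string // textual form, e.g. "S-1-1-0" (Everyone)
}

// ParseACL reads the ACL header (AclRevision, Sbz1, AclSize, AceCount, Sbz2), then walks
// AceCount entries by ACE_HEADER.AceSize, bounds-checking every size against AclSize.
func ParseACL(buf []byte) (aces []ACE, err error) {
	if len(buf) < 8 || int(binary.LittleEndian.Uint16(buf[2:])) > len(buf) {
		return nil, fmt.Errorf("acl: truncated header or AclSize > %d bytes", len(buf))
	}
	aclSize, count := int(binary.LittleEndian.Uint16(buf[2:])), int(binary.LittleEndian.Uint16(buf[4:]))
	for i, off := 0, 8; i < count; i++ {
		size := 0
		if off+8 <= aclSize { // ACE_HEADER (4) + Mask (4) must fit before AceSize can be trusted
			size = int(binary.LittleEndian.Uint16(buf[off+2:]))
		}
		if size < 8 || off+size > aclSize {
			return nil, fmt.Errorf("acl: ace %d out of bounds (AceSize %d)", i, size)
		}
		ace := ACE{Type: buf[off], Flags: buf[off+1], Mask: binary.LittleEndian.Uint32(buf[off+4:])}
		if ace.Type <= 1 { // ACCESS_ALLOWED_ACE_TYPE (0) / ACCESS_DENIED_ACE_TYPE (1): SID follows Mask
			sid := buf[off+8 : off+size] // Revision, SubAuthorityCount, 48-bit BE authority, LE subauthorities
			if len(sid) < 8 || len(sid) < 8+4*int(sid[1]) {
				return nil, fmt.Errorf("acl: ace %d has a truncated SID", i)
			}
			ace.SID = fmt.Sprintf("S-%d-%d", sid[0], binary.BigEndian.Uint64(append([]byte{0, 0}, sid[2:8]...)))
			for j := 0; j < int(sid[1]); j++ {
				ace.SID += fmt.Sprintf("-%d", binary.LittleEndian.Uint32(sid[8+4*j:]))
			}
		}
		aces = append(aces, ace)
		off += size
	}
	return aces, nil
}

// SampleDACL is constructed, not captured: deny GENERIC_ALL to Guests (S-1-5-32-546), then allow GENERIC_READ (inheritable) to Everyone (S-1-1-0).
var SampleDACL = []byte{2, 0, 52, 0, 2, 0, 0, 0, // ACL header: revision 2, AclSize 52, AceCount 2
	1, 0, 24, 0, 0, 0, 0, 0x10, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 0x22, 2, 0, 0, // deny ACE
	0, 3, 20, 0, 0, 0, 0, 0x80, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0} // allow ACE, flags OI|CI
```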

Comment From: ianlancetaylor

Do you have a proposal for what this would look like? Thanks.

CC @golang/windows

Comment From: claudiubelu

I do. I have sent a PR here: https://github.com/golang/sys/pull/191 / https://go-review.googlesource.com/c/sys/+/578976

Comment From: alexbrainman

@claudiubelu ,

I suggest we add Windows GetAce API https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-getace instead of GetEntriesFromACL added in https://go-review.googlesource.com/c/sys/+/578976 .

Everyone expects to find standard Windows API in golang.org/x/sys/windows package and not some made up functions.

They can write the GetEntriesFromACL themselves. You can keep getEntriesFromACL as part of your test in https://go-review.googlesource.com/c/sys/+/578976 .

Then you will not need to wait for this proposal, because it is OK to just add standard Windows APIs.

What do you think?

Alex.

Comment From: claudiubelu

> @claudiubelu ,
>
> I suggest we add Windows GetAce API https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-getace instead of GetEntriesFromACL added in https://go-review.googlesource.com/c/sys/+/578976 .
>
> Everyone expects to find standard Windows API in golang.org/x/sys/windows package and not some made up functions.
>
> They can write the GetEntriesFromACL themselves. You can keep getEntriesFromACL as part of your test in https://go-review.googlesource.com/c/sys/+/578976 .
>
> Then you will not need to wait for this proposal, because it is OK to just add standard Windows APIs.
>
> What do you think?
>
> Alex.

Done.

Comment From: alexbrainman

@claudiubelu

Let's continue the conversation on

https://go-review.googlesource.com/c/sys/+/578976

@ianlancetaylor

I hope it is OK to rename an existing Windows struct field to make it accessible from outside of the "golang.org/x/sys/windows" package. See https://go-review.googlesource.com/c/sys/+/578976/4/windows/security_windows.go#1185 for details. This code is very old, and all struct fields should be public, but they are not. I am surprised that no one complained about that earlier.

Thank you.

Alex

Comment From: ianlancetaylor

I don't see a problem with renaming an unexported field to be exported.

Comment From: gopherbot

Change https://go.dev/cl/578976 mentions this issue: windows: add GetAce Windows API

Comment From: gopherbot

Change https://go.dev/cl/599295 mentions this issue: windows: correctly generate GetAce syscall