Set-Acl: Do not fail on untranslatable SID (PowerShell#21096)

jborean93 · chrisdent-de · commit 5dac36a3f9bd · 2024-09-12T15:42:24.000+01:00
diff --git a/src/System.Management.Automation/namespaces/FileSystemSecurity.cs b/src/System.Management.Automation/namespaces/FileSystemSecurity.cs
@@ -168,27 +168,29 @@ public void SetSecurityDescriptor(
                 {
                     // Get the security descriptor of the destination path
                     ObjectSecurity existingDescriptor = new FileInfo(path).GetAccessControl();
-                    Type ntAccountType = typeof(System.Security.Principal.NTAccount);
+                    // Use SecurityIdentifier to avoid having the below comparison steps
+                    // fail when dealing with an untranslatable SID in the SD
+                    Type identityType = typeof(System.Security.Principal.SecurityIdentifier);
 
                     AccessControlSections sections = AccessControlSections.All;
 
                     // If they didn't modify any audit information, don't try to set
                     // the audit section.
-                    int auditRuleCount = sd.GetAuditRules(true, true, ntAccountType).Count;
+                    int auditRuleCount = sd.GetAuditRules(true, true, identityType).Count;
                     if ((auditRuleCount == 0) &&
                         (sd.AreAuditRulesProtected == existingDescriptor.AreAccessRulesProtected))
                     {
                         sections &= ~AccessControlSections.Audit;
                     }
 
                     // If they didn't modify the owner, don't try to set that section.
-                    if (sd.GetOwner(ntAccountType) == existingDescriptor.GetOwner(ntAccountType))
+                    if (sd.GetOwner(identityType) == existingDescriptor.GetOwner(identityType))
                     {
                         sections &= ~AccessControlSections.Owner;
                     }
 
                     // If they didn't modify the group, don't try to set that section.
-                    if (sd.GetGroup(ntAccountType) == existingDescriptor.GetGroup(ntAccountType))
+                    if (sd.GetGroup(identityType) == existingDescriptor.GetGroup(identityType))
                     {
                         sections &= ~AccessControlSections.Group;
                     }
diff --git a/test/powershell/Modules/Microsoft.PowerShell.Security/AclCmdlets.Tests.ps1 b/test/powershell/Modules/Microsoft.PowerShell.Security/AclCmdlets.Tests.ps1
@@ -77,6 +77,31 @@ Describe "Acl cmdlets are available and operate properly" -Tag CI {
             $newrule | Should -Not -BeNullOrEmpty
         }
 
+        It "Can edit SD that contains an orphaned SID" {
+            $badSid = [System.Security.Principal.SecurityIdentifier]::new("S-1-5-1234-5678")
+            $currentUserSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
+
+            $testFilePath = "TestDrive:\pwsh-acl-test.txt"
+            $testFile = New-Item -Path $testFilePath -ItemType File -Value 'foo' -Force
+
+            # We should be able to set an SD entry to an untranslatable SID
+            $fileSecurity = $testFilePath | Get-Acl
+            $fileSecurity.SetGroup($badSid)
+            Set-Acl -Path $testFile -AclObject $fileSecurity
+
+            # We should be able to get the SD with an untranslatable SID
+            $setSD = Get-Acl -Path $testFile
+            $setSD.GetGroup([System.Security.Principal.SecurityIdentifier]) | Should -Be $badSid
+
+            # We should be able to set it back to a known SID
+            $setSD.SetGroup($currentUserSid)
+            Set-Acl -Path $testFile -AclObject $setSD
+
+            $actual = Get-Acl -Path $testFile
+            $actualGroup = $actual.GetGroup([System.Security.Principal.SecurityIdentifier])
+            $actualGroup | Should -Be $currentUserSid
+        }
+
         AfterAll {
             $PSDefaultParameterValues.Remove("It:Skip")
         }

Original file line number	Diff line number	Diff line change
`@@ -168,27 +168,29 @@ public void SetSecurityDescriptor(`
`168`	`168`	`{`
`169`	`169`	`// Get the security descriptor of the destination path`
`170`	`170`	`ObjectSecurity existingDescriptor = new FileInfo(path).GetAccessControl();`
`171`		`- Type ntAccountType = typeof(System.Security.Principal.NTAccount);`
	`171`	`+ // Use SecurityIdentifier to avoid having the below comparison steps`
	`172`	`+ // fail when dealing with an untranslatable SID in the SD`
	`173`	`+ Type identityType = typeof(System.Security.Principal.SecurityIdentifier);`
`172`	`174`
`173`	`175`	`AccessControlSections sections = AccessControlSections.All;`
`174`	`176`
`175`	`177`	`// If they didn't modify any audit information, don't try to set`
`176`	`178`	`// the audit section.`
`177`		`- int auditRuleCount = sd.GetAuditRules(true, true, ntAccountType).Count;`
	`179`	`+ int auditRuleCount = sd.GetAuditRules(true, true, identityType).Count;`
`178`	`180`	`if ((auditRuleCount == 0) &&`
`179`	`181`	`(sd.AreAuditRulesProtected == existingDescriptor.AreAccessRulesProtected))`
`180`	`182`	`{`
`181`	`183`	`sections &= ~AccessControlSections.Audit;`
`182`	`184`	`}`
`183`	`185`
`184`	`186`	`// If they didn't modify the owner, don't try to set that section.`
`185`		`- if (sd.GetOwner(ntAccountType) == existingDescriptor.GetOwner(ntAccountType))`
	`187`	`+ if (sd.GetOwner(identityType) == existingDescriptor.GetOwner(identityType))`
`186`	`188`	`{`
`187`	`189`	`sections &= ~AccessControlSections.Owner;`
`188`	`190`	`}`
`189`	`191`
`190`	`192`	`// If they didn't modify the group, don't try to set that section.`
`191`		`- if (sd.GetGroup(ntAccountType) == existingDescriptor.GetGroup(ntAccountType))`
	`193`	`+ if (sd.GetGroup(identityType) == existingDescriptor.GetGroup(identityType))`
`192`	`194`	`{`
`193`	`195`	`sections &= ~AccessControlSections.Group;`
`194`	`196`	`}`