#windows
SK

12/21/2020, 11:28 AM
Hey guys, has anyone used the 'ntfs_acl_permissions' table? Can't seem to figure out how it should be used, 
select * from ntfs_acl_permissions where path LIKE
  with any path or file doesn't seem to give any results.
seph

12/21/2020, 1:42 PM
Does it work with an explicit path? A common osquery pattern is to require path, and if you want wildcards join against the file table for that expansion
SK

12/21/2020, 1:48 PM
Hey @seph I also tried with different paths and there are no results, are there any specific requirements to get NTFS ACL results?
2:39 PM
Commands Get-Acl and icacls both give me NTFS ACL data but the query does not give me anything.
fritz

12/21/2020, 2:53 PM
@SK What does your path look like? Can we see an example query?
SK

12/21/2020, 2:54 PM
The one I use to test.
select * from ntfs_acl_permissions where path = 'C:\Program Files\osquery\osqueryi.exe';
This query does not return anything.
2:56 PM
Results from Get-Acl
> Get-Acl -Path 'C:\Program Files\osquery\osqueryi.exe'


    Directory: C:\Program Files\osquery


Path         Owner               Access
----         -----               ------
osqueryi.exe NT AUTHORITY\SYSTEM NT AUTHORITY\SYSTEM Allow  FullControl...
fritz

12/21/2020, 4:32 PM
@SK my Windows internals knowledge is not terrific, however I just did some of my own testing and it appears that certain files will produce output and others will not.
4:32 PM
For example on your test device try running:
select * from ntfs_acl_permissions where path = '\Program Files'
4:32 PM
You should see results
seph

12/21/2020, 4:45 PM
I’ve seen this as well, and I’ve always assumed it’s that I don’t understand which things are NTFS ACLs, vs some other Windows filesystem ACL.
SK

12/21/2020, 7:11 PM
That is interesting....
> select * from ntfs_acl_permissions where path = 'C:\Program Files\';
+-------------------+-------+-------------------------------------+--------------------------------------------------------------------------------------------------------------+----------------+
| path              | type  | principal                           | access                                                                                                       | inherited_from |
+-------------------+-------+-------------------------------------+--------------------------------------------------------------------------------------------------------------+----------------+
| C:\Program Files\ | Grant | TrustedInstaller                    | Specific Rights All,Delete,Read Control,Write DAC,Write Owner,Std Rights Required,Synchronize,Std Rights All | No Inheritance |
| C:\Program Files\ | Grant | TrustedInstaller                    | Generic All                                                                                                  | Unknown        |
Did not expect that to work at all. @fritz it seems to only work on folders, not files, am I correct?
fritz

12/21/2020, 7:21 PM
That was the behavior which I encountered.
7:21 PM
I know nothing about ntfs acl so I can't comment on what the expected behavior should be.
SK

12/21/2020, 7:27 PM
Thanks for your help @fritz, I thought I understood NTFS ACLs but this table does not work as I would have expected. It might need a rework, but I am not knowledgeable enough to do it.
Mike Myers

12/21/2020, 8:42 PM
Files do have ACLs, this is probably an osquery bug
SK

12/21/2020, 8:47 PM
@Mike Myers I also think so, and I couldn't get deeper into "Program Files". I will file a bug report for this.