ACL inherit problem

Hi, all

I met an awesome problem in ACL inheritance. It was in my file system driver.
In Windows XP SP3, I create a new file and its security descriptor is inherited from its
parent. The following is the code:

NTSTATUS
FsdAssignInitialSecurity(
    IN PIRP pIrp,
    OUT PNODE_SECURITY *ppInitialSecurity,
    IN PNODE_SECURITY pParentSecurity
    )
{
    NTSTATUS             Status;
    PIO_STACK_LOCATION   pIrpSp      = IoGetCurrentIrpStackLocation(pIrp);
    // The create IRP carries the caller's ACCESS_STATE (explicit SD, if any, plus subject context)
    PACCESS_STATE        AccessState = pIrpSp->Parameters.Create.SecurityContext->AccessState;
    BOOLEAN              bCreateDir  = BooleanFlagOn(pIrpSp->Parameters.Create.Options, FILE_DIRECTORY_FILE);
    PSECURITY_DESCRIPTOR pNewSecurity = NULL;

    // Check the parameter …

    // Build the new object's SD from the parent's inheritable ACEs and the caller's
    // explicit descriptor; SeAssignSecurity allocates pNewSecurity from PagedPool.
    Status = SeAssignSecurity(pParentSecurity->pSecurityDescriptor,
        AccessState->SecurityDescriptor,
        &pNewSecurity,
        bCreateDir,
        &AccessState->SubjectSecurityContext,
        IoGetFileObjectGenericMapping(),
        PagedPool);
    // Do some other things … (wrap pNewSecurity into *ppInitialSecurity;
    // release it later with SeDeassignSecurity)
}

The parent’s security descriptor was inherited from the root directory which was a default security
descriptor initialized by the following code:
ULONG               ulDefaultDaclLength;
PACL                pDefaultDacl;
PACCESS_ALLOWED_ACE pAccessAllowedAce;
NTSTATUS            Status;

// ACCESS_ALLOWED_ACE already contains the first ULONG of the SID (SidStart),
// so this slightly over-allocates; the extra 8 bytes are just slack.
ulDefaultDaclLength = sizeof(ACL) +
    sizeof(ACCESS_ALLOWED_ACE) +
    SeLengthSid(SeExports->SeWorldSid) +
    8;
pDefaultDacl = (PACL)ExAllocatePool(PagedPool, ulDefaultDaclLength);
//…
Status = RtlCreateAcl(pDefaultDacl, ulDefaultDaclLength, ACL_REVISION);
//…
// One ACE: Everyone (S-1-1-0) gets FILE_ALL_ACCESS
Status = RtlAddAccessAllowedAce(pDefaultDacl, ACL_REVISION, FILE_ALL_ACCESS,
    SeExports->SeWorldSid);
//…
Status = RtlGetAce(pDefaultDacl, 0, (PVOID *)&pAccessAllowedAce);
//…
// Mark the ACE inheritable by files (OI) and subdirectories (CI); the flags live in the ACE header
pAccessAllowedAce->Header.AceFlags |= (OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE);
//… Convert the absolute security descriptor to a self-relative security descriptor

And now the problem is: in XP SP3, the initial security descriptor created by FsdAssignInitialSecurity
has the INHERITED_ACE flag, but in XP SP2 the initial security descriptor created by FsdAssignInitialSecurity
doesn't have the INHERITED_ACE flag. I thought this flag affects the inheritance relationship of the parent and child
and makes the application not work correctly.

Hope someone can help me! Thanks.



What I have seen is as follows (These observations are definitely on SP2):
When the DACL_AUTO_INHERIT flag is set on a directory, the children have the INHERITED_ACE flag set on the ACEs they inherit.
In the opposite case, the children do inherit the ACEs; however, the INHERITED_ACE flag is not set. You can see the exact flags correctly when you use an API like GetKernelObjectSecurity. Whereas Win32 APIs like GetKernelObjectSecurity do some fudging up.

Generally, DACL_AUTO_INHERIT is set on the System Volume (e.g. C:) and children automatically inherit this flag. Whereas, this flag is not found on other volumes (e.g. D:).

I am not surprised by what you have seen. M$ can make changes to the way SDs are stored and managed. There are tons of flags and some of them have ambiguous meanings!
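To see exactly which bits are set rather than relying on a Win32 API that "fudges", here is an added user-mode example (not code from either poster) that parses a self-relative security descriptor byte-for-byte and reports the SE_DACL_AUTO_INHERITED control bit next to the OBJECT_INHERIT_ACE / CONTAINER_INHERIT_ACE / INHERITED_ACE flags of each DACL ACE. The sample descriptor it builds mirrors the driver's default DACL above (one Everyone:FILE_ALL_ACCESS ACE); `build_self_relative_sd`, `parse_dacl` and `inheritance_report` are helper names assumed for this example, and the struct layouts are the documented winnt.h ones.

```python
import struct

# Constants from winnt.h; WORLD_SID is S-1-1-0 (Everyone), constructed inline.
SE_DACL_PRESENT, SE_DACL_AUTO_INHERITED, SE_SELF_RELATIVE = 0x0004, 0x0400, 0x8000
OBJECT_INHERIT_ACE, CONTAINER_INHERIT_ACE, INHERITED_ACE = 0x01, 0x02, 0x10
ACCESS_ALLOWED_ACE_TYPE, ACL_REVISION, FILE_ALL_ACCESS = 0, 2, 0x001F01FF
ACE_FLAG_NAMES = {OBJECT_INHERIT_ACE: "OBJECT_INHERIT_ACE",
                  CONTAINER_INHERIT_ACE: "CONTAINER_INHERIT_ACE", INHERITED_ACE: "INHERITED_ACE"}
WORLD_SID = bytes([1, 1, 0, 0, 0, 0, 0, 1]) + struct.pack("<I", 0)
# SECURITY_DESCRIPTOR_RELATIVE (20 bytes), ACL (8 bytes), ACCESS_ALLOWED_ACE up to SidStart (8 bytes)
SD_HDR, ACL_HDR, ACE_HDR = "<BBHIIII", "<BBHHH", "<BBHI"

def build_self_relative_sd(ace_flags, control_extra=0):
    """Constructed sample: self-relative SD with a single Everyone:FILE_ALL_ACCESS ACE."""
    ace = struct.pack(ACE_HDR, ACCESS_ALLOWED_ACE_TYPE, ace_flags, 8 + len(WORLD_SID), FILE_ALL_ACCESS) + WORLD_SID
    acl = struct.pack(ACL_HDR, ACL_REVISION, 0, 8 + len(ace), 1, 0) + ace
    control = SE_SELF_RELATIVE | SE_DACL_PRESENT | control_extra
    # Owner/Group/SACL offsets are 0 (absent); the DACL starts right after the 20-byte header.
    return struct.pack(SD_HDR, 1, 0, control, 0, 0, 0, 20) + acl

def sid_to_str(buf, off):
    """Decode a binary SID at buf[off] into S-R-A-S... form (authority is big-endian 48 bits)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)

def parse_dacl(sd):
    """Walk the DACL of a self-relative SD; returns (control, list of ACE dicts).
    SID decoding assumes the non-object ACE layout (mask at +4, SID at +8)."""
    _rev, _sbz, control, _own, _grp, _sacl, dacl_off = struct.unpack_from(SD_HDR, sd, 0)
    if not control & SE_DACL_PRESENT or dacl_off == 0:
        return control, []                      # NULL DACL: no ACEs at all
    _, _, acl_size, ace_count, _ = struct.unpack_from(ACL_HDR, sd, dacl_off)
    aces, pos, end = [], dacl_off + 8, dacl_off + acl_size
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size, mask = struct.unpack_from(ACE_HDR, sd, pos)
        if ace_size < 8 or pos + ace_size > end:
            raise ValueError("ACE overruns ACL")  # malformed input: refuse rather than misparse
        aces.append({"type": ace_type, "flags": ace_flags, "mask": mask, "sid": sid_to_str(sd, pos + 8)})
        pos += ace_size
    return control, aces

def inheritance_report(sd):
    """The question behind the thread: is INHERITED_ACE present, and is the DACL auto-inherited?"""
    control, aces = parse_dacl(sd)
    auto = bool(control & SE_DACL_AUTO_INHERITED)
    return {"dacl_auto_inherited": auto,
            "aces": [(a["sid"], [n for bit, n in sorted(ACE_FLAG_NAMES.items()) if a["flags"] & bit]) for a in aces],
            "inherited_ace_without_auto_inherit": any(a["flags"] & INHERITED_ACE for a in aces) and not auto}
```

Feeding it a descriptor read back from a real file (for example via `GetFileSecurity` / `NtQuerySecurityObject`) shows whether the INHERITED_ACE bits and the auto-inherit control bit agree, which is the SP2 vs SP3 difference described above.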