Advanced Security Permissions.

Hi ALL,

I am trying to add NTFS-like security support to my driver. So far I have succeeded in seeing the ACL lists in the Explorer security panel - I can modify users and groups, change their permissions, set/modify the owner, etc. However, advanced options such as “Inherit from parent …” and/or “Replace permission entries on all child objects …” do not work. It fails silently, that is, I do not see any errors in the driver.

Any help or reference regarding how one can add the support of advanced security permissions will be greatly appreciated.

Also I have another issue that may be related …

When I create a new file, I assign a new relative descriptor to it using the following API:

    SeAssignSecurityEx( ParentRelativeSD, absoluteSD, &assignedRelativeSD, NULL, IsDirectory,
                        SEF_AVOID_PRIVILEGE_CHECK | SEF_DACL_AUTO_INHERIT | SEF_SACL_AUTO_INHERIT,
                        SubjectContext,
                        IoGetFileObjectGenericMapping(),
                        PagedPool),

however, when I open the security properties of the just-created file/directory, I do not see all of the parent DACL, which I expected to be inherited.

Thanks,

Ilya.

I am sure that someone had to implement the driver security before. Any help regarding how to support the security inheritance and/or propagation will be greatly appreciated.

-Ilya.

Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@comcast.net
To unsubscribe send a blank email to xxxxx@lists.osr.com

Since you are not seeing the parent ACLs (presuming that you have set up non-null DACLs on the parent), I would suspect the first parameter to SeAssignSecurityEx is not right.


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@comcast.net
Sent: Monday, April 03, 2006 12:48 PM
To: Windows File Systems Devs Interest List
Cc: xxxxx@comcast.net
Subject: Re: [ntfsd] Advanced Security Permissions.

I am sure that someone had to implement the driver security before. Any
help regarding how to support the security inheritance and/or
propagation will be greatly appreciated.

-Ilya.


I initialize the root security descriptor using the pre-defined default. I can see it in explorer, and also I can modify it, for example add new users and groups. However, when I create the new directory/file under the root, I do not see all those users/groups that I just added to the root.

I will double check that the ParentRelativeSD passed in to the SeAssignSecurityEx is correct, however I am pretty sure it is.

-Ilya.

-------------- Original message --------------
From: “Satya Das”

Since you are not seeing the parent ACLs (presuming that you have setup non-null dacls on parent) I would suspect the first parameter to SeAssignSecurityEx is not right.


I’ve never used SeAssignSecurityEx, nor do any of the file systems of
which I’m aware use it, so I’m afraid I have no insight into how it
behaves. In the past I’ve always used SeAssignSecurity and those
parameters in common are essentially the same as what you indicate you
are using.

Sorry I can’t provide any further insight. Were I in your position, I’d
be walking through the call with the debugger to try and understand how
the ACL is being processed.

Regards,

Tony

Tony Mason

Consulting Partner

OSR Open Systems Resources, Inc.

http://www.osr.com

Looking forward to seeing you at the next OSR File Systems class in
Boston, MA April 18-21, 2006.


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@comcast.net
Sent: Monday, April 03, 2006 3:48 PM
To: ntfsd redirect
Cc: xxxxx@comcast.net
Subject: Re: [ntfsd] Advanced Security Permissions.

I am sure that someone had to implement the driver security before. Any
help regarding how to support the security inheritance and/or
propagation will be greatly appreciated.

-Ilya.


Tony and Satya,

Thanks for the reply.

Apparently I was doing everything right for the security, however the change exposed another culprit that was causing the explorer to fail “silently”. Somehow the possibility that my support of the security was correct, and something else was broken did not occur to me … till now :).

Regards,

Ilya.
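
The inheritance the thread expects depends on the inherit flags carried by each ACE in the parent DACL. The following user-mode C model is an added example, not code from the thread and not the kernel's SeAssignSecurityEx implementation; it applies the documented ACE inheritance flag rules for the auto-inherit case, and the model_ace type, function names and sample DACL are constructed for illustration (generic-right mapping and CREATOR OWNER substitution are left out).

```c
#include <stdint.h>
#include <stdio.h>
/* ACE flag values as defined in the Windows SDK/WDK headers. */
#define OBJECT_INHERIT_ACE       0x01 /* OI: child files inherit            */
#define CONTAINER_INHERIT_ACE    0x02 /* CI: child directories inherit      */
#define NO_PROPAGATE_INHERIT_ACE 0x04 /* NP: stop after the immediate child */
#define INHERIT_ONLY_ACE         0x08 /* IO: not effective on this object   */
#define INHERITED_ACE            0x10 /* marks an auto-inherited ACE        */
/* Hypothetical simplified ACE: a label stands in for the SID and mask. */
typedef struct { const char *trustee; uint8_t flags; } model_ace;

/* Constructed sample parent DACL. */
static const model_ace SAMPLE_PARENT[] = {
    { "Administrators", OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE },
    { "Users",          CONTAINER_INHERIT_ACE },
    { "Alice",          0 },  /* no inherit flags: applies to the parent only */
    { "Backup",         OBJECT_INHERIT_ACE | INHERIT_ONLY_ACE },
};

/* Returns 1 and fills *out if the child inherits from *p, else 0. */
static int inherit_ace(const model_ace *p, int is_dir, model_ace *out) {
    uint8_t f = p->flags, keep = f & (OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE);
    out->trustee = p->trustee;
    if (!is_dir) {                       /* file: OI gives an effective ACE */
        out->flags = INHERITED_ACE;
        return (f & OBJECT_INHERIT_ACE) != 0;
    }
    if (f & CONTAINER_INHERIT_ACE) {     /* directory: effective ACE */
        out->flags = INHERITED_ACE | ((f & NO_PROPAGATE_INHERIT_ACE) ? 0 : keep);
        return 1;
    }
    out->flags = INHERITED_ACE | INHERIT_ONLY_ACE | OBJECT_INHERIT_ACE; /* OI only */
    return (f & OBJECT_INHERIT_ACE) && !(f & NO_PROPAGATE_INHERIT_ACE);
}

/* Writes the inherited ACEs into child[] (capacity n); returns the count. */
size_t inherit_dacl(const model_ace *parent, size_t n, int is_dir, model_ace *child) {
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        count += (size_t)inherit_ace(&parent[i], is_dir, &child[count]);
    return count;
}

int main(void) {
    model_ace c[4];
    for (size_t i = 0, n = inherit_dacl(SAMPLE_PARENT, 4, 1, c); i < n; i++)
        printf("%-14s flags=0x%02x\n", c[i].trustee, c[i].flags);
    return 0;
}
```

In this model an entry added to the parent with no inherit flags (Alice) never appears on a new child, so checking the flags on the parent's ACEs is a quick first step when a child's DACL looks incomplete.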
