When I copy a file in kernel mode, I want to be able to apply the
same security attributes to the destination file as were on the
original file.
I was looking at using ObReferenceObjectByHandle() to convert the handle
from ZwCreateFile to a file object pointer, and then using
ObGetObjectSecurity() to get a security descriptor for the source file.
When I create the destination file, I had hoped to just set this
descriptor in the OBJECT_ATTRIBUTES structure I pass to ZwCreateFile().
Unfortunately one requires the relative form and the other requires the
absolute form. I can’t seem to find a function to convert one to the
other in kernel mode. Is there one?
I also noticed that there are IRP_MJ_SET/GET_SECURITY request functions.
It is not clear what form of security descriptor these take. Is this a
better way to do it?
Thanks
Shaun
Shaun,
These are undocumented, but I believe work:
NTSTATUS RtlAbsoluteToSelfRelativeSD (
    IN PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor,
    IN OUT PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor,
    IN PULONG BufferLength);

NTSTATUS RtlSelfRelativeToAbsoluteSD (
    PSECURITY_DESCRIPTOR SelfRelativeSD,
    PSECURITY_DESCRIPTOR AbsoluteSD,
    PULONG AbsoluteSDSize,
    PACL Dacl,
    PULONG DaclSize,
    PACL Sacl,
    PULONG SaclSize,
    PSID Owner,
    PULONG OwnerSize,
    PSID PrimaryGroup,
    PULONG PrimaryGroupSize);
Don Burn
Windows 2000 Device Driver and Filesystem consulting
----- Original Message -----
From: “Shaun”
To: “File Systems Developers”
Sent: Friday, February 16, 2001 10:43 AM
Subject: [ntfsd] Copying security descriptors
> When I copy a file in kernel mode, I want to be able to apply the
> same security attributes to the destination file as were on the
> original file.
>
> I was looking at using ObReferenceObjectByHandle() to convert the handle
> from ZwCreateFile to a file object pointer, and then using
> ObGetObjectSecurity() to get a security descriptor for the source file.
> When I create the destination file, I had hoped to just set this
> descriptor in the OBJECT_ATTRIBUTES structure I pass to ZwCreateFile().
> Unfortunately one requires the relative form and the other requires the
> absolute form. I can’t seem to find a function to convert one to the
> other in kernel mode. Is there one?
>
> I also noticed that there are IRP_MJ_SET/GET_SECURITY request functions.
> It is not clear what form of security descriptor these take. Is this a
> better way to do it?
>
> Thanks
> Shaun
Also, the format for IRP_MJ_SET_SECURITY/IRP_MJ_GET_SECURITY is
self-relative.
-----Original Message-----
From: Don Burn [mailto:xxxxx@acm.org]
Sent: Friday, February 16, 2001 11:02 AM
To: File Systems Developers
Subject: [ntfsd] Re: Copying security descriptors
Shaun,
These are undocumented, but I believe work:
NTSTATUS RtlAbsoluteToSelfRelativeSD (
    IN PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor,
    IN OUT PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor,
    IN PULONG BufferLength);

NTSTATUS RtlSelfRelativeToAbsoluteSD (
    PSECURITY_DESCRIPTOR SelfRelativeSD,
    PSECURITY_DESCRIPTOR AbsoluteSD,
    PULONG AbsoluteSDSize,
    PACL Dacl,
    PULONG DaclSize,
    PACL Sacl,
    PULONG SaclSize,
    PSID Owner,
    PULONG OwnerSize,
    PSID PrimaryGroup,
    PULONG PrimaryGroupSize);
Don Burn
Windows 2000 Device Driver and Filesystem consulting
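
Added example (not part of the original thread and not code from any poster): a portable C model of the two descriptor forms discussed above, showing what a self-relative to absolute conversion has to do with the stored offsets and why each offset must be bounds-checked. The header layout follows SECURITY_DESCRIPTOR_RELATIVE from the Windows headers; the names SdRelative, SdAbsolute, sd_to_absolute and make_sample are hypothetical, no Rtl routine is called, and the resulting pointers refer into the source buffer, whereas the routine quoted in the thread takes separate output buffers.

```c
#include <stdint.h>
#include <string.h>

#define SE_SELF_RELATIVE 0x8000u  /* Control bit marking the self-relative form */

/* Self-relative header: one contiguous buffer, parts located by byte offset. */
typedef struct {
    uint8_t  Revision, Sbz1;
    uint16_t Control;
    uint32_t Owner, Group, Sacl, Dacl;   /* offsets from buffer start; 0 = absent */
} SdRelative;

/* Absolute header: same fields, but each part is addressed by pointer. */
typedef struct {
    uint8_t  Revision, Sbz1;
    uint16_t Control;
    const void *Owner, *Group, *Sacl, *Dacl;
} SdAbsolute;

/* Turn one offset into a pointer; reject offsets into the header or past the end.
 * Simplification: only the start is checked, not the length of the SID/ACL there. */
static int resolve(const uint8_t *buf, size_t len, uint32_t off, const void **out)
{
    if (off != 0 && (off < sizeof(SdRelative) || off >= len)) return -1;
    *out = off ? buf + off : NULL;
    return 0;
}

/* Hypothetical helper: 0 on success, -1 if buf is not a usable self-relative SD. */
int sd_to_absolute(const uint8_t *buf, size_t len, SdAbsolute *abs)
{
    SdRelative h;
    if (len < sizeof h) return -1;
    memcpy(&h, buf, sizeof h);
    if (h.Revision != 1 || !(h.Control & SE_SELF_RELATIVE)) return -1;
    abs->Revision = h.Revision;
    abs->Sbz1 = h.Sbz1;
    abs->Control = (uint16_t)(h.Control & ~SE_SELF_RELATIVE);  /* now absolute */
    return (resolve(buf, len, h.Owner, &abs->Owner) || resolve(buf, len, h.Group, &abs->Group) ||
            resolve(buf, len, h.Sacl, &abs->Sacl) || resolve(buf, len, h.Dacl, &abs->Dacl)) ? -1 : 0;
}

/* Constructed sample: 20-byte header followed by the 12-byte SID S-1-5-18 as owner. */
void make_sample(uint8_t buf[32], uint32_t owner_off)
{
    static const uint8_t sid[12] = {1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
    SdRelative h = {1, 0, SE_SELF_RELATIVE, owner_off, 0, 0, 0};
    memcpy(buf, &h, sizeof h);
    memcpy(buf + sizeof h, sid, sizeof sid);
}
```

Calling make_sample(buf, 20) and then sd_to_absolute(buf, 32, &abs) leaves abs.Owner pointing at the SID inside buf; an owner offset that lands in the header or beyond the buffer is rejected.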