This device is to be used by a unique program, but this program must be
able to be used by any user, or else it would be a program only for
administrators. I guess I have to set the symbolic link in a way that every
user can open it. Then I would have to take care of protection.
The device is created with the DeviceCharacteristics parameter set to 0
(FILE_DEVICE_SECURE_OPEN is turned off), and device type is
FILE_DEVICE_FILE_SYSTEM. I passed these values because I borrowed the code
from Rajeev Nagar’s book. I hope these parameters are the key to the
problem.
Thank you.
-----Original Message-----
From: Ravisankar Pudipeddi [mailto:xxxxx@windows.microsoft.com]
Sent: Thursday, January 17, 2002 18:57
To: File Systems Developers
Subject: [ntfsd] RE: I can’t open symbolic link if administrator not
logged in(more)
Your problem is likely with the device object that the symbolic link
resolves to:
If the device object is created with the FILE_DEVICE_SECURE_OPEN
characteristic, the I/O manager will authenticate the owner against the ACL
on the device object.
If the device object is of type FILE_DEVICE_DISK_FILE_SYSTEM - as most
filter device objects are, it has a default DACL which only allows Admin
& System access.
So check the DACL on the device object - if you must, you can turn off
the FILE_DEVICE_SECURE_OPEN flag on the device object in
IoCreateDevice().
I wouldn’t recommend this unless you are positively, positively sure
that you take precautions in all the interfaces you expose thence to
unprivileged users by validating their requests, buffers etc. & doing
all the necessary access checks yourself.
Ravi
This posting is provided “AS IS” with no warranties, and confers no
rights. You assume all risk for your use.
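The DACL check described in the reply above can be reasoned about offline. This is an added example, not code from the thread or from any of its posters: a small Python auditor that evaluates a device object's DACL, written as an SDDL string, against the SIDs in a caller's token. The SDDL strings, SID sets and function names are constructed for illustration; only alias SIDs and two-letter rights are handled (no hex masks, no conditional ACEs).

```python
import re

# Constructed SDDL strings (assumptions for illustration, not dumped from a real device).
ADMIN_SYSTEM_ONLY = "D:P(A;;GA;;;SY)(A;;GA;;;BA)"                # Admin & System only
WORLD_READ_WRITE = "D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW;;;WD)"   # plus Everyone R/W
DENY_USERS_WRITE = "D:P(D;;GW;;;BU)(A;;GRGW;;;WD)"               # deny ACE listed first

# Two-letter SDDL rights reduced to the generic access they imply.
RIGHTS = {
    "GA": {"read", "write", "execute"}, "FA": {"read", "write", "execute"},
    "GR": {"read"}, "FR": {"read"},
    "GW": {"write"}, "FW": {"write"},
    "GX": {"execute"}, "FX": {"execute"},
}

# SID aliases assumed to be present in each kind of token.
STANDARD_USER = {"WD", "AU", "IU", "BU"}   # Everyone, Authenticated, Interactive, Users
ADMINISTRATOR = STANDARD_USER | {"BA"}     # plus Builtin Administrators


def parse_dacl(sddl):
    """Return [(ace_type, rights, sid)] for the DACL portion of an SDDL string."""
    m = re.search(r"D:[A-Z_]*((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL ACEs found")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")  # type;flags;rights;object;inherit_object;sid
        codes = re.findall(r"[A-Z]{2}", fields[2])
        rights = set().union(*(RIGHTS.get(c, set()) for c in codes))
        aces.append((fields[0], rights, fields[5]))
    return aces


def effective_access(sddl, token_sids):
    """Walk ACEs in order: an earlier deny blocks a later allow, and vice versa."""
    granted, denied = set(), set()
    for ace_type, rights, sid in parse_dacl(sddl):
        if sid not in token_sids:
            continue
        if ace_type == "A":
            granted |= rights - denied
        elif ace_type == "D":
            denied |= rights - granted
    return granted


def open_allowed(sddl, token_sids, wanted=frozenset({"read", "write"})):
    """Model an open requesting GENERIC_READ | GENERIC_WRITE, as in the thread."""
    return set(wanted) <= effective_access(sddl, token_sids)
```
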
-----Original Message-----
From: Ratmil [mailto:ratmil@ec.minbas.cu]
Sent: Thursday, January 17, 2002 1:38 PM
To: File Systems Developers
Subject: [ntfsd] RE: I can’t open symbolic link if administrator not
logged in(more)
Thanks. I downloaded WinObj. I can’t open the symbolic link with an
account that belongs to a domain, nor with an account that
belongs to group “Users” in the local machine. How do I create a
symbolic link that can be accessed (read and write) by everybody? Thanks
again.
-----Original Message-----
From: Vadim Smirnov [mailto:xxxxx@pcausa.com]
Sent: Thursday, January 17, 2002 13:19
To: File Systems Developers
Subject: [ntfsd] RE: I can’t open symbolic link if administrator not
logged in(more)
Download WinObj from www.sysinternals.com and look at the security
descriptor for your device. The user account you use when getting
ACCESS_DENIED just does not have enough privilege.
BR,
Vadim
www.ntndis.com
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Ratmil
Sent: Thursday, January 17, 2002 6:04 PM
To: File Systems Developers
Subject: [ntfsd] I can’t open symbolic link if administrator not logged
in(more)
Hi, I have a doubt. I wish someone can help me.
I create a symbolic link in my driver in this way:
/* Kernel mode: name the device and expose it to user mode via a symbolic link. */
RtlInitUnicodeString(&DriverDeviceName, L"\\Device\\TheName");
RtlInitUnicodeString(&UserVisibleName, L"\\DosDevices\\TheName");
IoCreateSymbolicLink(&UserVisibleName, &DriverDeviceName);
Later in user mode I open it in this way:
CreateFile("\\\\.\\TheName",
    GENERIC_READ | GENERIC_WRITE,
    0,                      /* no sharing */
    NULL,                   /* default security attributes */
    OPEN_EXISTING,
    FILE_ATTRIBUTE_NORMAL,
    NULL                    /* no template file */
);
But I get Access Denied if I’m not logged in as Administrator. What
should I do? Thanks.
You are currently subscribed to ntfsd as: xxxxx@pcausa.com To
unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com