IRP_MJ_QUERY_VOLUME_INFORMATION and SIDs

Hi all -
I noticed that when a user on the local machine causes an
IRP_MJ_QUERY_VOLUME_INFORMATION with the request type of
FILE_FS_VOLUME_INFORMATION, the IRP contains the user’s SID, but when a
user over the network causes the same thing to happen, the SID is the
SYSTEM SID. Is there a way to obtain the user’s SID in this case?

Thanks - GAP

Grab it at IRP_MJ_CREATE time.

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

Hope to see you at the next OSR file systems class in San Jose, CA September
16, 2002!

-----Original Message-----
From: Greg Pearce [mailto:xxxxx@filetek.com]
Sent: Tuesday, August 20, 2002 4:13 PM
To: File Systems Developers
Subject: [ntfsd] IRP_MJ_QUERY_VOLUME_INFORMATION and SIDs

Tony,

I’ll try that (I guess I’ll never get past the newbie questions… I
should have known that)!?

Thanks!

Greg

I tried what you suggested Tony, but something still doesn’t make sense.
When I connect to the drive (map a drive to it from a remote machine), I
don’t see any create/opens for the volume.

If a user logs on locally and asks for properties of the drive, then the
SID supplied for query_volume_information is the user’s. But if the user
remotely connects to the drive and asks for properties, the SID is for
SYSTEM, and no IRP_MJ_CREATE happens.

Is this how it’s supposed to work?

I don’t know how someone does something without opening it - that isn’t even
possible in this OS, since all I/O is handle based. Are you sure that you
aren’t missing some I/O here?

I have never looked at this particular call sequence before, so I can’t
apply any first-hand experience with it. Sorry!

Regards,

Tony

-----Original Message-----
From: Greg Pearce [mailto:xxxxx@filetek.com]
Sent: Wednesday, August 21, 2002 3:43 PM
To: File Systems Developers
Subject: [ntfsd] Re: IRP_MJ_QUERY_VOLUME_INFORMATION and SIDs

Hi Tony and everyone else…

It seems as though if a remote user maps a drive to a share point which is
my FSD, then I don’t see any volume create/opens. There might be opens
for root, but not the volume. After some more thought, it seems to make
sense that you’d only open the volume once, under the system sid.

Sorry about the poorly worded question in the first place.

Thanks - Greg

> FILE_FS_VOLUME_INFORMATION, the IRP contains the user’s SID, but when a
> user over the network causes the same thing to happen, the SID is the
> SYSTEM SID. Is there a way to obtain the user’s SID in this case?

What does it mean “IRP contains SID”? It does not contain any SIDs, it
contains the security context, and only the CREATE IRP.
Use the impersonation part of it, not the primary one.

Max
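
A user-mode model of the advice in this thread, added here as an example and not code from any poster: record the SID at create time from the impersonation (client) token, falling back to the primary token, key it by file object, and look it up on later requests. The types and the `on_create`, `sid_for` and `on_close` names are simplified stand-ins assumed for illustration, and the SIDs are constructed samples.

```c
#include <stdio.h>
#include <string.h>
/* Simplified user-mode stand-ins (assumptions, not WDK definitions) for the
 * subject security context that accompanies IRP_MJ_CREATE. */
typedef struct { const char *user_sid; } token_t;
typedef struct { const token_t *ClientToken, *PrimaryToken; } subject_ctx_t;
typedef struct { int unused; } file_object_t;
#define MAX_OPENS 8
static struct { const file_object_t *fo; char sid[64]; } opens[MAX_OPENS];

/* Impersonation (client) token when present, otherwise the primary token. */
static const token_t *effective_token(const subject_ctx_t *sc) {
    return sc->ClientToken ? sc->ClientToken : sc->PrimaryToken;
}

/* Create path: record the caller's SID against the new file object. */
int on_create(const file_object_t *fo, const subject_ctx_t *sc) {
    for (int i = 0; i < MAX_OPENS; i++) {
        if (opens[i].fo != NULL) continue;
        opens[i].fo = fo;
        snprintf(opens[i].sid, sizeof opens[i].sid, "%s", effective_token(sc)->user_sid);
        return 0;
    }
    return -1; /* table full: caller must treat the opener as unknown */
}

/* Later requests on the same file object, e.g. a volume information query.
 * Returns NULL when no create was observed for that file object. */
const char *sid_for(const file_object_t *fo) {
    for (int i = 0; i < MAX_OPENS; i++)
        if (fo && opens[i].fo == fo) return opens[i].sid;
    return NULL;
}

/* Close path: forget the file object so a reused pointer cannot inherit a SID. */
void on_close(const file_object_t *fo) {
    for (int i = 0; i < MAX_OPENS; i++)
        if (fo && opens[i].fo == fo) memset(&opens[i], 0, sizeof opens[i]);
}

int main(void) {
    /* Constructed sample: a server thread running as SYSTEM, impersonating a client. */
    token_t sys = { "S-1-5-18" }, user = { "S-1-5-21-1-2-3-1001" };
    subject_ctx_t remote = { &user, &sys };
    file_object_t root, volume;
    on_create(&root, &remote);
    const char *v = sid_for(&volume);
    printf("root: %s\nvolume: %s\n", sid_for(&root), v ? v : "(no create seen)");
}
```

The `NULL` result for `volume` corresponds to the case Greg reports, where the remote user's request arrives on a file object whose create was never seen under that user.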