Hi Alex,
I am facing another issue. The “ls -l” command, which lists all the files
in a directory, is causing files to be brought back from secondary storage.
The reason is that directory listing also opens files with the MAXIMUM_ALLOWED flag, which
causes the file to be brought back. Earlier, I added code to bring back the
file on the MAXIMUM_ALLOWED flag to fix the file read operation. Please see the
calls (CreateFile) below from Procmon:
“System”,“4”,“QueryDirectory”,“NO MORE FILES”,“E:\cloud”,
“System”,“4”,“CreateFile”,“SUCCESS”,“E:\cloud\Test1.txt”,“Desired Access:
Maximum Allowed, Disposition: Open, Options: Write Through, Open By ID,
Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a,
OpenResult: Opened”,“0.0292672”
“System”,“4”,“IRP_MJ_CLOSE”,“SUCCESS”,“E:\cloud\Test1.txt”,“”,“0.0000048”
“System”,“4”,“QueryBasicInformationFile”,“SUCCESS”,“E:\cloud\Test1.txt”,“CreationTime:
5/18/2013 2:55:03 PM, LastAccessTime: 5/18/2013 2:55:03 PM, LastWriteTime:
5/18/2013 2:55:14 PM, ChangeTime: 5/24/2013 8:23:50 PM, FileAttributes:
A”,“0.0000034”
“System”,“4”,“QueryStandardInformationFile”,“SUCCESS”,“E:\cloud\Test1.txt”,“AllocationSize:
184, EndOfFile: 184, NumberOfLinks: 1, DeletePending: False, Directory:
False”,“0.0000024”
“System”,“4”,“QueryFileInternalInformationFile”,“SUCCESS”,“E:\cloud\Test1.txt”,“IndexNumber:
0x900000000003b”,“0.0000020”
“System”,“4”,“QuerySecurityFile”,“SUCCESS”,“E:\cloud\Test1.txt”,“Information:
Owner, Group, DACL, SACL”,“0.0000019”
“System”,“4”,“QueryEAFile”,“SUCCESS”,“E:\cloud\Test1.txt”,
“System”,“4”,“QueryNameInformationFile”,“SUCCESS”,“E:\cloud\Test1.txt”,“Name:
\cloud\Test1.txt”,“0.0000091”
“System”,“4”,“QueryBasicInformationFile”,“SUCCESS”,“E:\cloud\Test1.txt”,“CreationTime:
5/18/2013 2:55:03 PM, LastAccessTime: 5/18/2013 2:55:03 PM, LastWriteTime:
5/18/2013 2:55:14 PM, ChangeTime: 5/24/2013 8:23:50 PM, FileAttributes:
A”,“0.0000024”
“System”,“4”,“QueryStandardInformationFile”,“SUCCESS”,“E:\cloud\Test1.txt”,“AllocationSize:
184, EndOfFile: 184, NumberOfLinks: 1, DeletePending: False, Directory:
False”,“0.0000025”
“System”,“4”,“CloseFile”,“SUCCESS”,“E:\cloud\Test1.txt”,“5/24/2013 8:23:50
PM”,“”,“0.0000293”
“System”,“4”,“IRP_MJ_CLOSE”,“SUCCESS”,“E:\cloud\Test1.txt”,“5/24/2013
8:23:50 PM”,“”,“0.0000039”
“System”,“4”,“IRP_MJ_CLOSE”,“SUCCESS”,“E:\cloud\Test1.txt”,“5/24/2013
8:23:50 PM”,“”,“0.0000043”
Is there a way to make NFS not use the MAXIMUM_ALLOWED flag? It seems that
for all requests it uses the MAXIMUM_ALLOWED flag. So if a user has WRITE
access then the file will always be opened for WRITE access even though it is
not required.
On the other hand, Windows uses “Read Attribute” if the directory is browsed in
Windows Explorer.
Thanks
Ash
On Tue, May 21, 2013 at 9:10 AM, Ashish Goyal wrote:
> Thanks Alex for confirming. Just want to hear if this might cause any
> security issue.
>
>
> On Mon, May 20, 2013 at 8:30 PM, Alex Carp wrote:
>
>> Hi Ashish,
>>
>> Glad to hear you figured out the problem! As to the MAXIMUM_ALLOWED, I
>> think you could simply add it to your list of desired accesses (the list
>> looks pretty generic anyway) and handle it in your filter. Or,
>> alternatively, you could wait until postCreate and remove it from the files
>> you track at that point. I’m not aware of any simple way to figure out what
>> MAXIMUM_ALLOWED will turn out to be.
>>
>> Thanks,
>> Alex.
>>
>> On May 20, 2013, at 6:24 AM, Ashish Goyal
>> wrote:
>>
>> Hi,
>> I found the issue, and it was due to permissions. NFS was using
>> MAXIMUM_ALLOWED, which is defined as:
>> //
>> // MaximumAllowed access type
>> //
>>
>> #define MAXIMUM_ALLOWED (0x02000000L)
>>
>> I was comparing Desired access as FILE_EXECUTE | FILE_READ_DATA |
>> FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_ATTRIBUTES and it was not
>> matching any one of them.
>>
>> The following link mentions usage of MAXIMUM_ALLOWED flag:
>>
>> http://blogs.msdn.com/b/openspecification/archive/2010/04/01/about-the-access-mask-structure.aspx
>>
>> “When used in an Access Request operation, the Maximum Allowed bit grants
>> the requestor the maximum permissions allowed to the object through the
>> Access Check Algorithm”
>>
>> See also this KB article:
>> http://support.microsoft.com/kb/115945
>>
>> So when MAXIMUM_ALLOWED is set, how should it be interpreted by a
>> mini-filter, as only the filesystem can tell what type of access a user has? Or
>> is there any way we can map the MAXIMUM_ALLOWED flag to a filesystem-specific
>> desired access?
>>
>> Thanks
>> Ash
>>
>>
>>
>> On Sat, May 18, 2013 at 10:07 PM, Ashish Goyal wrote:
>>
>>> Hi Alex,
>>> I tried the code and it works fine with the FileTest.exe utility. However,
>>> it is not working with NFS services for Windows. On further debugging I found
>>> that my PreCreate is not even called. Is there any scenario in which
>>> an open by NFS using FileID does not pass through the mini-filter driver? From
>>> the Procmon stack trace, I do see filter manager in the stack.
>>>
>>>
>>> On Fri, May 17, 2013 at 10:50 PM, Alex Carp <
>>> xxxxx@gmail.com> wrote:
>>>
>>>> Hi Ashish,
>>>>
>>>> Yeah, that sounds like a good approach, however I’m still not sure if
>>>> that’s the problem since the buffer shouldn’t be null when opening by id.
>>>> But the approach you suggested is probably what you should do for
>>>> open-by-id anyway, so try that and see how it goes.
>>>>
>>>> Thanks,
>>>> Alex.
>>>>
>>>> On May 17, 2013, at 9:06 AM, Ashish Goyal
>>>> wrote:
>>>>
>>>> Hi Alex,
>>>> I have a filter driver which monitors file system events for
>>>> Hierarchical File Storage. The issue is that the NFS client is not able to access
>>>> OFFLINE files. Our filter driver should look for the Open file operation in
>>>> PreCreate and bring back the file from secondary storage. However, this is
>>>> not happening. It works fine on the local host where the filename is used.
>>>>
>>>> As you mentioned that FileObject->FileName should contain the FileID, then
>>>> how do we get the filename? From your description, I guess, we should:
>>>> 1) Check for Create options and see the flag FILE_OPEN_BY_FILE_ID
>>>> 2) Call FltGetFileNameInformation to get the filename
>>>>
>>>> and then use that filename. Is it correct?
>>>>
>>>>
>>>> On Fri, May 17, 2013 at 8:15 PM, Alex Carp <
>>>> xxxxx@gmail.com> wrote:
>>>>
>>>>> I’m not sure what exactly the problem you’re seeing is. FltMgr never
>>>>> changes the FileObject->FileName field in the preCreate path (and in
>>>>> general I think) because that would change the semantics of the open to the
>>>>> file systems. FltMgr only returns the full path to a filter that calls
>>>>> FltGetFileNameInformation but doesn’t actually change the request.
>>>>>
>>>>> The comment you quoted from Christian refers to querying the file name
>>>>> (by calling FltGetFileNameInformation) for files opened by id when called
>>>>> from preCreate.
>>>>>
>>>>> In a filter, for open-by-ID in preCreate you should see the
>>>>> FileObject->FileName populated with the file ID so FileName.Buffer should
>>>>> not be NULL. In general when FileObject->FileName.Buffer is null you should
>>>>> also look at FileObject->RelatedFileObject. What is that field in your case?
>>>>>
>>>>> Thanks,
>>>>> Alex.
>>>>> On May 17, 2013, at 5:38 AM, Ashish Goyal
>>>>> wrote:
>>>>>
>>>>> Hi,
>>>>> I had a question regarding opening a file by FileID. If there is an open
>>>>> file by FileID, does FilterManager populate the complete path to the file in
>>>>> the PreCreate callback, or is it the user’s responsibility? I searched previous
>>>>> posts and came across the following post:
>>>>>
>>>>> http://www.osronline.com/showThread.CFM?link=230176
>>>>>
>>>>> There is a comment from Christian (Microsoft) :
>>>>> “BTW, for open-by-ID Filter Manager actually opens the file (bypassing
>>>>> lower filters), asks for the name, and closes the file. This doesn’t
>>>>> involve mount points, but I’m including it here for completeness.”
>>>>>
>>>>> However, I am seeing a scenario where a request from the NFS driver (which
>>>>> uses FileID for file operations) is not processed in my PreCreate handler.
>>>>> I have code where I check FltObjects->FileObject->FileName.Buffer for
>>>>> NULL and skip if it is NULL. So I think processing is skipped due to this
>>>>> code.
>>>>>
>>>>> If FilterManager does not populate it, then what is the correct method to
>>>>> retrieve the complete name?
>>>>>
>>>>> Thanks
>>>>> Ash
>>>>> — NTFSD is sponsored by OSR OSR is hiring!! Info at
>>>>> http://www.osr.com/careers For our schedule of debugging and file
>>>>> system seminars visit: http://www.osr.com/seminars To unsubscribe,
>>>>> visit the List Server section of OSR Online at
>>>>> http://www.osronline.com/page.cfm?name=ListServer
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>
>
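The access-mask problem discussed in this thread, as an added example that is not code from any of the posters: it runs the original list check and the list-plus-MAXIMUM_ALLOWED check over constructed sample opens, showing that an NFS read and an NFS "ls -l" arrive with the same mask, so a PreCreate decision based on DesiredAccess alone cannot separate them. The function names and the three-way `classify_open` split are hypothetical; the bit values are those from winnt.h, defined locally so the file builds outside the WDK.

```c
#include <stdint.h>
#include <stdio.h>

/* Access-mask bits, values as in winnt.h; defined locally for portability. */
#define FILE_READ_DATA        0x00000001u
#define FILE_WRITE_DATA       0x00000002u
#define FILE_APPEND_DATA      0x00000004u
#define FILE_EXECUTE          0x00000020u
#define FILE_READ_ATTRIBUTES  0x00000080u
#define FILE_WRITE_ATTRIBUTES 0x00000100u
#define MAXIMUM_ALLOWED       0x02000000u

/* The desired-access list quoted in the thread. */
#define TRACKED_ACCESS (FILE_EXECUTE | FILE_READ_DATA | FILE_WRITE_DATA | \
                        FILE_APPEND_DATA | FILE_WRITE_ATTRIBUTES)

typedef enum { NO_RECALL, RECALL, INTENT_UNKNOWN } decision_t;

/* First check: only the explicit list triggers a recall. */
int recall_by_list(uint32_t desired)
{
    return (desired & TRACKED_ACCESS) != 0;
}

/* Second check: MAXIMUM_ALLOWED added to the list. */
int recall_with_max(uint32_t desired)
{
    return (desired & (TRACKED_ACCESS | MAXIMUM_ALLOWED)) != 0;
}

/* Hypothetical split: explicit data bits are certain, a bare
   MAXIMUM_ALLOWED says nothing about what the caller will do. */
decision_t classify_open(uint32_t desired)
{
    if (desired & TRACKED_ACCESS)  return RECALL;
    if (desired & MAXIMUM_ALLOWED) return INTENT_UNKNOWN;
    return NO_RECALL;
}

int main(void)
{
    /* Constructed sample opens modelled on the cases in the thread. */
    struct { const char *what; uint32_t desired; } opens[] = {
        { "NFS file read",   MAXIMUM_ALLOWED },
        { "NFS ls -l",       MAXIMUM_ALLOWED },
        { "Explorer browse", FILE_READ_ATTRIBUTES },
        { "local read",      FILE_READ_DATA | FILE_READ_ATTRIBUTES },
    };
    for (size_t i = 0; i < sizeof opens / sizeof opens[0]; i++)
        printf("%-16s list=%d list+MAX=%d class=%d\n", opens[i].what,
               recall_by_list(opens[i].desired),
               recall_with_max(opens[i].desired),
               (int)classify_open(opens[i].desired));
    return 0;
}
```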