Owner SID of FILE

Hi,

I was wondering if somebody could help me out please. I have a filter
driver (on NT4) that filters the IRP_MJ_CREATE, and I wish to get the SID
of the owner of the file that is being accessed and NOT the SID of the
calling user. I have managed to handle the recursion of the ZwCreateFile.
With the handle returned from ZwCreateFile I try and use this handle to
ZwQuerySecurityObject, I keep getting back INVALID_PARAMETER. I have tried
using RtlCreateSecurityDescriptor and using the result to also pass in to
ZwQuerySecurityObject.

I was hoping that somebody would be able to point me in the right
direction.

Thanks for any help in advance

Stephan Boome
xxxxx@amsjv.com


You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

Hi,

If the underlying file system is FAT you have no way to do this because FAT
doesn’t maintain this information. For NTFS you can build your own IRP
with major function IRP_MJ_QUERY_SECURITY. You should set Irp->UserBuffer
to the buffer that will get the security descriptor; you don’t need to
initialize the content of this buffer. You have to set
Parameters.QuerySecurity.SecurityInformation in the IRP stack to
OWNER_SECURITY_INFORMATION to get the owner.


Thanks for the reply, however I do not have much experience in creating my
own IRPs, I have taken on the source of a filter driver, from a colleague
who has left. That is why I was hoping to use the ZwQuerySecurityObject.
I keep getting invalid parameter being returned, I am wondering if this is
because I do not have SeSecurityPrivilege for the thread.

Apart from this I am completely stuck. I thought it would be quite easy to
get the Owner SID for a file, it seems that I am wrong. I have looked
through all the archives trying different search entries.

Stephan Boome
xxxxx@amsjv.com



I have managed to get a SID from a FILE, I was wondering can I just pass
the SID information back up to an application I have running in User Mode
and use the SID in the Win32 environment or do I have to convert the SID
first (somehow) and then pass back up in to my User area.

Stephan Boome



Stephan,

Yes, you can pass the SID back to user mode without any sort of
transformation.

-Joel

-----Original Message-----
From: xxxxx@amsjv.com [mailto:xxxxx@amsjv.com]
Sent: Wednesday, February 20, 2002 3:37 AM
To: File Systems Developers
Subject: [ntfsd] Re: Owner SID of FILE

I have managed to get a SID from a FILE, I was wondering can I just pass
the SID information back up to an application I have running in User Mode
and use the SID in the Win32 environment or do I have to convert the SID
first (somehow) and then pass back up in to my User area.

Stephan Boome



Are you talking about a SID or a security descriptor? If you’re talking about a security descriptor, you need to make sure the security descriptor is in self-relative format, so there is only one block of memory to copy to the user’s virtual address space, and you don’t need to dissect the security descriptor. The API that does this is RtlAbsoluteToSelfRelativeSD, prototyped in some version of either NTIFS.H or NTDDK.H. I don’t have that handy at the moment.

-----Original Message-----
From: Smith, Joel [mailto:xxxxx@ntpsoftware.com]
Sent: Wednesday, February 20, 2002 8:51 AM
To: File Systems Developers
Subject: [ntfsd] Re: Owner SID of FILE

Stephan,

Yes, you can pass the SID back to user mode without any sort of transformation.

-Joel

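
To illustrate the self-relative layout discussed in the message above (an added example, not code posted to the list): portable C that bounds-checks a self-relative security descriptor received as one block and formats its owner SID. The function name `owner_sid_string` and the sample bytes are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SE_SELF_RELATIVE 0x8000u  /* Control flag: fields are offsets, not pointers */
#define SD_HEADER_LEN    20u      /* Revision, Sbz1, Control, four 32-bit offsets */

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Format the owner SID of a self-relative security descriptor as "S-1-...".
 * Returns 0 on success, -1 if the buffer is malformed or out is too small. */
int owner_sid_string(const uint8_t *sd, size_t len, char *out, size_t outlen) {
    if (len < SD_HEADER_LEN || sd[0] != 1) return -1;      /* descriptor revision 1 */
    uint16_t control = (uint16_t)(sd[2] | sd[3] << 8);
    if (!(control & SE_SELF_RELATIVE)) return -1;          /* absolute form holds pointers */
    uint32_t off = le32(sd + 4);                           /* Owner offset */
    if (off < SD_HEADER_LEN || off > len || len - off < 8) return -1;
    const uint8_t *sid = sd + off;
    uint8_t count = sid[1];                                /* SubAuthorityCount, max 15 */
    if (sid[0] != 1 || count > 15) return -1;
    if (len - off < 8u + 4u * count) return -1;            /* whole SID must fit in buffer */
    uint64_t auth = 0;                                     /* 48-bit authority, big-endian */
    for (int i = 0; i < 6; i++) auth = auth << 8 | sid[2 + i];
    int n = snprintf(out, outlen, "S-1-%llu", (unsigned long long)auth);
    for (uint8_t i = 0; i < count && n > 0 && (size_t)n < outlen; i++) {
        int m = snprintf(out + n, outlen - n, "-%lu", (unsigned long)le32(sid + 8 + 4 * i));
        n = m < 0 ? -1 : n + m;
    }
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Constructed sample: owner-only descriptor whose owner is S-1-5-32-544. */
static const uint8_t SAMPLE_SD[] = {
    0x01, 0x00, 0x00, 0x80,                /* Revision 1, Sbz1, Control = 0x8000 */
    0x14, 0x00, 0x00, 0x00,                /* Owner at offset 20 */
    0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0,  /* no Group, SACL or DACL */
    0x01, 0x02, 0, 0, 0, 0, 0, 0x05,       /* SID revision 1, 2 subauthorities, authority 5 */
    0x20, 0x00, 0x00, 0x00,                /* subauthority 32 */
    0x20, 0x02, 0x00, 0x00                 /* subauthority 544 */
};

int main(void) {
    char buf[64];
    if (owner_sid_string(SAMPLE_SD, sizeof SAMPLE_SD, buf, sizeof buf) == 0) puts(buf);
    return 0;
}
```

Because every field is an offset inside the one buffer, each offset and the SID length are checked against the buffer length before anything is read.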

Stephan,

If you used the routine I had sent you before to extract the SD, the SD
will be in self-relative format.

-Joel

-----Original Message-----
From: Fuller, Rob [mailto:xxxxx@inin.com]
Sent: Wednesday, February 20, 2002 10:01 AM
To: File Systems Developers
Subject: [ntfsd] Re: Owner SID of FILE

Are you talking about a SID or a security descriptor? If you’re talking
about a security descriptor, you need to make sure the security descriptor
is in self-relative format, so there is only one block of memory to copy to
the user’s virtual address space, and you don’t need to dissect the security
descriptor. The API that does this is RtlAbsoluteToSelfRelativeSD,
prototyped in some version of either NTIFS.H or NTDDK.H. I don’t have that
handy at the moment.


What routine is that?

-----Original Message-----
From: Smith, Joel [mailto:xxxxx@ntpsoftware.com]
Sent: Wednesday, February 20, 2002 10:21 AM
To: File Systems Developers
Subject: [ntfsd] Re: Owner SID of FILE

Stephan,

If you used the routine I had sent you before to extract the SD, the SD will be in self-relative format.

-Joel


I had sent a routine on the list last week which rolled an
IRP_MJ_QUERY_SECURITY IRP in response to a previous request from this
poster.

-Joel

-----Original Message-----
From: Fuller, Rob [mailto:xxxxx@inin.com]
Sent: Wednesday, February 20, 2002 10:33 AM
To: File Systems Developers
Subject: [ntfsd] Re: Owner SID of FILE

What routine is that?
