RE: [ntdev] usb interrupt data transfer
No need at all to check security on read/write.
This is done on CREATE only.
The reason is that read/write can go from the Cache Manager, which will run under LocalSystem account.
Also - the Win32 and C runtime API rely on the fact that permission checks to a file are done in open() or CreateFile.
Max
----- Original Message -----
From: Stanislaw Kowalczyk
To: File Systems Developers
Sent: Wednesday, February 13, 2002 9:20 PM
Subject: [ntfsd] Re: Process and Thread SIDS
Thanks for the reply. Now a few more questions:
Out of curiosity, why should I not do this?
As long as I filter out paging and caching I/O, calling IoGetRequestorProcessId() should return the user-mode process that initiated the call, correct?
It is my impression that this call would work even though a higher level driver may have offloaded the IRP to another thread, which IIRC the Solomon/Russinovich book says no FSFD should ever do.
The dispatch routine is trying to determine what user initiated the IRP. IO_SECURITY_CONTEXT works for create but does not work for the other IRPs, unless I am missing something here, which is entirely possible.
I would like to be able to get this information dynamically without having to store and manage it between IRPs. Also, when a process gets created as another user, any calls the child makes with the inherited handles I would like to credit to the new user, not the old user. That is why I chose this approach. Is there a better way?
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Maxim S. Shatskih
Sent: Wednesday, February 13, 2002 11:25 AM
To: File Systems Developers
Subject: [ntfsd] Re: Process and Thread SIDS
Do not do this.
Use the IO_SECURITY_CONTEXT from CREATE IRP - a much better way.
Max
----- Original Message -----
From: Stanislaw Kowalczyk
To: File Systems Developers
Sent: Tuesday, February 12, 2002 8:20 PM
Subject: [ntfsd] Process and Thread SIDS
In my FSFD dispatch routines I access the process and thread SIDs by
ZwOpenProcess
ZwOpenProcessToken or ZwOpenThreadToken,
ZwQueryInformationToken
ZwClose token
ZwClose process
RtlValidSid.
All the calls are returning successfully; however, RtlValidSid sometimes returns FALSE. Even though the earlier function returned STATUS_SUCCESS, is there anything else I need to check for success?
Also, I assume I don't need to increment the reference on the SID, through the process or thread object, because the call is being made in the context of the thread/process. Is this a valid assumption? Or will I need to copy the SID before closing the token and process handles?
You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
To unsubscribe send a blank email to leave-ntfsd-$subst('Recip.MemberIDChar')@lists.osr.com