QUERY_SECURITY for a volume

Hi,

(I had problems posting it last time, hence am posting this again).

Here is my situation:

  1. Bring up winobj.exe (from sysinternals). My windows (NTFS) drive is “C:”, and I also have my own FSD running with a volume mounted as “Q:”

  2. So winobj.exe shows that “c:” is a symbolic link to \Device\HarddiskVolume1. Double-click on “c:” & properties show the “Details” & “Security” tabs. Choose “Security” and it shows the security-descriptor info for this object. It seems to have 4 ACEs (1 for Administrators, Everyone, RESTRICTED & SYSTEM). Let me call this as SD1

  3. Do the same for “Q:” in winobj, and its SD seems to be the same as SD1

  4. So, now I bring up Explorer & bring-up properties of “C:”. This shows the volume information (tabs like General, Tools, Sharing, Security, Quota etc…). So click on the Security Tab & it shows up the security descriptor info. This SD has 1 ACE (Everyone with full control allowed). I’ll call this SD2

  5. Next time, I also bring-up filemon.exe (sysinternals again), and observe that when I click to see the “Security” tab of volume-info, the following IRPs are sent to “C:” : CREATE, QUERY_SECURITY (fails with BUFFER OVERFLOW to be called again with a large-enough buffer), QUERY_SECURITY, QUERY_INFORMATION (FileNameInformation), CLEANUP, CLOSE.

  6. Redo step 4. for “Q:” drive. The volume-info shows same tabs. So I click on Security… it shows up SD which looks like SD1 (and NOT like SD2)

  7. So I monitor the IRPs to my FSD via Filemon as in step 5. I only see these: CREATE, QUERY_INFORMATION (FileNameInfo), CLEANUP & CLOSE.

So my FSD never gets the QUERY_SECURITY IRP when showing the security info for my volume.

Rest of the security features work fine. My FSD does have the FILE_PERSISTENT_ACLS bit ON when returning QUERY_VOLUME_INFORMATION (FileFsAttributeInformation).

I’m NOT installing my FSD via an INF file. But am always passing FILE_DEVICE_SECURE_OPEN to all IoCreateDevice() calls. Also, my FSD is NOT PnP or WDM - it is a legacy driver.

Any clues?

Thanks,

-Vipul.



The FILE_DEVICE_SECURE_OPEN bit should only be set on device objects that do
NOT provide their own parsing and security logic for names within the
device.

For example “\Ntfs” has the FILE_DEVICE_SECURE_OPEN bit set for it, but the
unnamed device object created by NTFS and associated with
“\Device\HarddiskVolume1” does not.

FILE_DEVICE_SECURE_OPEN requests that the I/O Manager ensure security of the
device open operation (I’m not sure what effect, if any, it has on querying
security.)

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: Vipul [mailto:xxxxx@excite.com]
Sent: Monday, June 24, 2002 7:13 PM
To: File Systems Developers
Subject: [ntfsd] QUERY_SECURITY for a volume
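
The comparison the question makes in steps 5 and 7, as an added example that is not part of either post: it diffs the request sequences two volumes receive for the same Explorer action and counts a BUFFER OVERFLOW call that is immediately retried as one request. The trace is constructed and its tab-separated layout (process, request, path, result) is an assumption, not Filemon's export format.

```python
# Added example: which requests reach the reference volume but not the FSD under test?
# TRACE is constructed sample data in an assumed layout:
# process <TAB> request <TAB> path <TAB> result
TRACE = (
    "explorer.exe\tCREATE\tC:\\\tSUCCESS\n"
    "explorer.exe\tQUERY_SECURITY\tC:\\\tBUFFER OVERFLOW\n"
    "explorer.exe\tQUERY_SECURITY\tC:\\\tSUCCESS\n"
    "explorer.exe\tQUERY_INFORMATION\tC:\\\tSUCCESS\n"
    "explorer.exe\tCLEANUP\tC:\\\tSUCCESS\n"
    "explorer.exe\tCLOSE\tC:\\\tSUCCESS\n"
    "explorer.exe\tCREATE\tQ:\\\tSUCCESS\n"
    "explorer.exe\tQUERY_INFORMATION\tQ:\\\tSUCCESS\n"
    "explorer.exe\tCLEANUP\tQ:\\\tSUCCESS\n"
    "explorer.exe\tCLOSE\tQ:\\\tSUCCESS\n"
)

def parse_trace(text):
    """Return {drive: [(request, result), ...]} in trace order."""
    per_drive = {}
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 4:
            continue  # skip blank or malformed lines
        _process, request, path, result = fields
        per_drive.setdefault(path[:2].upper(), []).append((request, result))
    return per_drive

def collapse_probes(ops):
    """Drop a BUFFER OVERFLOW attempt that is immediately retried, so the
    size probe and the real call count as a single request."""
    out = []
    for i, (request, result) in enumerate(ops):
        retried = i + 1 < len(ops) and ops[i + 1][0] == request
        if result == "BUFFER OVERFLOW" and retried:
            continue
        out.append(request)
    return out

def compare(text, reference_drive, candidate_drive):
    """Return (reference sequence, candidate sequence, requests missing on candidate)."""
    ops = parse_trace(text)
    ref = collapse_probes(ops.get(reference_drive, []))
    cand = collapse_probes(ops.get(candidate_drive, []))
    missing = [r for r in dict.fromkeys(ref) if r not in cand]
    return ref, cand, missing

if __name__ == "__main__":
    ref, cand, missing = compare(TRACE, "C:", "Q:")
    print("C:", ref, "\nQ:", cand, "\nmissing on Q:", missing)
```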
