> Is it possible to get the SID when catching the Write IRP?
I am not sure what you are going to do,
but if you plan to deny write operations based on the user,
DON’T do that.
Lots of writes go down in the context of the “System” user.
If you create a memory-mapped file and write to it, then you
will not catch the write operation at all.
You need to check the user in the CREATE operation,
and eventually deny the operation at that time.
L.
Good advice, Ladislav.
If you monitor and try to deny Paging I/O writes, which happen in the case of memory-mapped / cached files, the originator will always be SYSTEM.
And then? You let it pass?
However, if you have checked for the requestor process during the Cached Write path, then you won’t have to check it during the Paging I/O path anyway.
However, it is recommended that you perform security checks in the Create path itself.
Quote from the WDK:
For a file system, most of the interesting security work occurs during IRP_MJ_CREATE processing. It is this step that must analyze the incoming request, determine whether the caller has appropriate rights to perform the operation, and grant or deny the operation as appropriate.
And just in case you are doing it for logging purposes, you can do it. But remember that Paging I/O writes will come in the context of SYSTEM, because they originated from the VMM.
Regards,
Ayush Gupta
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Ladislav Zezula
Sent: Friday, November 23, 2007 6:57 PM
To: Windows File Systems Devs Interest List
Subject: Re[2]: [ntfsd] Get the name of the user writing to a file
Generally you want to do this sort of thing in the create path, and not try
to acquire the information in the write path.
On Nov 23, 2007 6:28 AM, wrote:
> Is it possible to get the SID when catching the Write IRP?
–
Mark Roddy
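Added example, not code from any poster on this thread: the binary SID a filter gets back from a TokenUser query, rendered to its S-1-... string form and checked against LocalSystem (S-1-5-18), the identity the replies above say paging I/O writes carry. The two sample SIDs are constructed here, and SAMPLE_USER_SID is an invented domain user.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Binary SID (documented Windows layout): revision, sub-authority count, 6-byte
 * big-endian identifier authority, then 32-bit little-endian sub-authorities.
 * Constructed samples: LocalSystem, and an invented domain user. */
const uint8_t SAMPLE_SYSTEM_SID[] = { 1, 1, 0,0,0,0,0,5, 18,0,0,0 };   /* S-1-5-18 */
const uint8_t SAMPLE_USER_SID[] = { 1, 5, 0,0,0,0,0,5, 21,0,0,0,       /* S-1-5-21-... */
    0x00,0xCA,0x9A,0x3B, 0x00,0x94,0x35,0x77, 0x00,0x5E,0xD0,0xB2, 0xE9,0x03,0,0 };

/* Render a binary SID as "S-1-<authority>-<sub>..." (authority in hex when it does
 * not fit 32 bits, as Windows does). Returns 0 on success, -1 for a malformed
 * buffer: treat an unparseable SID as unknown, never as a match for any entry. */
int sid_to_string(const uint8_t *sid, size_t len, char *out, size_t outlen)
{
    if (!sid || len < 8 || sid[0] != 1 || sid[1] > 15 || len < 8 + 4u * sid[1])
        return -1;
    uint64_t auth = 0;
    for (int i = 0; i < 6; i++) auth = (auth << 8) | sid[2 + i];
    int n = (auth >> 32) ? snprintf(out, outlen, "S-1-0x%llX", (unsigned long long)auth)
                         : snprintf(out, outlen, "S-1-%llu", (unsigned long long)auth);
    if (n < 0 || (size_t)n >= outlen) return -1;
    size_t pos = (size_t)n;
    for (size_t i = 0; i < (size_t)sid[1]; i++) {
        const uint8_t *p = sid + 8 + 4 * i;
        uint32_t sub = (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
        n = snprintf(out + pos, outlen - pos, "-%u", (unsigned)sub);
        if (n < 0 || (size_t)n >= outlen - pos) return -1;
        pos += (size_t)n;
    }
    return 0;
}

/* True for S-1-5-18 (LocalSystem), the identity paging I/O writes carry; a per-user
 * decision in the write path sees this, not the opener, hence check at IRP_MJ_CREATE. */
int sid_is_local_system(const uint8_t *sid, size_t len)
{
    return len == sizeof SAMPLE_SYSTEM_SID && memcmp(sid, SAMPLE_SYSTEM_SID, len) == 0;
}

int main(void)
{
    char buf[96];
    sid_to_string(SAMPLE_USER_SID, sizeof SAMPLE_USER_SID, buf, sizeof buf);
    printf("opener %s; paging writer is LocalSystem: %d\n", buf,
           sid_is_local_system(SAMPLE_SYSTEM_SID, sizeof SAMPLE_SYSTEM_SID));
    return 0;
}
```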