weird thing about SID

NTFSD
1

Dear all,

I retrieve the SID and store it in a linklist, the procedures are as the
following:

  1. I got the user SID successfully as below:
    first I get the Token by:
    irpSp->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContex
    t
    then, I use ZwQueryInformationToken to get the security information,from
    there recover the user SID.

  2. I create a new node, and set the value for every variable within it one
    bye one except the next pointer (I copy the SID into the node by
    RtlCopySid). At this point, the copied SID is still correct, the node
    structure is desribed as below:

struct LNODE {
PVOID pFileObject; // log fileobject address
ULONG readOpr; // keep track of “read” operation
ULONG writeOpr; // keep track of “write” operation
SID userSID; // log file user SID
struct LNODE *next;
};

typedef struct LNODE LNode;
LNode* loglist; // log information linklist

  1. Then I insert this node to the linklist, ofcourse I need to set the next
    pointer to a value at this point. then weird thing happen after that:

the correct Subauthority of SID: 21-1409082233-839522115-1060284298-1003
was changed to : 21-4280967400-839522115-1060284298-1003

I was just wonderfing that, maybe the SID is not in self-relative format, so
the “next” pointer of the node will occupy SID subcomponent address, is that
the reason?

if so, how can I get self-relative format SID from Token information?

Thanks.

Bill

2

SID is a variable length structure and its actual size is bigger then
sizeof(SID).
By assiging a value to the next pointer you are overwriting actual content
of the SID.

Alexei.

“Bill Deng” wrote in message news:xxxxx@ntfsd…
>
> Dear all,
>
> I retrieve the SID and store it in a linklist, the procedures are as the
> following:
>
> 1. I got the user SID successfully as below:
> first I get the Token by:
>
irpSp->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContex
> t
> then, I use ZwQueryInformationToken to get the security information,from
> there recover the user SID.
>
> 2. I create a new node, and set the value for every variable within it one
> bye one except the next pointer (I copy the SID into the node by
> RtlCopySid). At this point, the copied SID is still correct, the node
> structure is desribed as below:
>
> struct LNODE {
> PVOID pFileObject; // log fileobject address
> ULONG readOpr; // keep track of “read” operation
> ULONG writeOpr; // keep track of “write” operation
> SID userSID; // log file user SID
> struct LNODE next;
> };
>
> typedef struct LNODE LNode;
> LNode loglist; // log information linklist
>
> 3. Then I insert this node to the linklist, ofcourse I need to set the
next
> pointer to a value at this point. then weird thing happen after that:
>
> the correct Subauthority of SID:
21-1409082233-839522115-1060284298-1003
> was changed to :
21-4280967400-839522115-1060284298-1003
>
>
> I was just wonderfing that, maybe the SID is not in self-relative format,
so
> the “next” pointer of the node will occupy SID subcomponent address, is
that
> the reason?
>
> if so, how can I get self-relative format SID from Token information?
>
> Thanks.
>
> Bill
>
>
>
>

3

Thank you, Alexei, I think what you said is correct, but how can I solve
this problem?

“Alexei Jelvis” дÈëÏûÏ¢ÐÂÎÅ:xxxxx@ntfsd…
>
> SID is a variable length structure and its actual size is bigger then
> sizeof(SID).
> By assiging a value to the next pointer you are overwriting actual content
> of the SID.
>
> Alexei.
>
> “Bill Deng” wrote in message news:xxxxx@ntfsd…
> >
> > Dear all,
> >
> > I retrieve the SID and store it in a linklist, the procedures are as the
> > following:
> >
> > 1. I got the user SID successfully as below:
> > first I get the Token by:
> >
>
irpSp->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContex
> > t
> > then, I use ZwQueryInformationToken to get the security information,from
> > there recover the user SID.
> >
> > 2. I create a new node, and set the value for every variable within it
one
> > bye one except the next pointer (I copy the SID into the node by
> > RtlCopySid). At this point, the copied SID is still correct, the node
> > structure is desribed as below:
> >
> > struct LNODE {
> > PVOID pFileObject; // log fileobject address
> > ULONG readOpr; // keep track of “read” operation
> > ULONG writeOpr; // keep track of “write” operation
> > SID userSID; // log file user SID
> > struct LNODE next;
> > };
> >
> > typedef struct LNODE LNode;
> > LNode loglist; // log information linklist
> >
> > 3. Then I insert this node to the linklist, ofcourse I need to set the
> next
> > pointer to a value at this point. then weird thing happen after that:
> >
> > the correct Subauthority of SID:
> 21-1409082233-839522115-1060284298-1003
> > was changed to :
> 21-4280967400-839522115-1060284298-1003
> >
> >
> > I was just wonderfing that, maybe the SID is not in self-relative
format,
> so
> > the “next” pointer of the node will occupy SID subcomponent address, is
> that
> > the reason?
> >
> > if so, how can I get self-relative format SID from Token information?
> >
> > Thanks.
> >
> > Bill
> >
> >
> >
> >
>
>
>
>

4

Measure the length of the SID (using RtlLengthSid), allocate memory for
it, and copy it.

– arlie

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Bill Deng
Sent: Monday, October 06, 2003 11:22 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Re: weird thing about SID

Thank you, Alexei, I think what you said is correct, but how can I solve
this problem?