tags:

views:

40

answers:

1
+1  Q: 

MSDN Remark regards Security Descriptors

I'm trying to extract and restore a Security Descriptor of a NTFS file, via Windows API - XP SP3, I'm trying to understand which functions are actually able to do it properly, but I simply fail.

I found this Remark over MSDN: http://msdn.microsoft.com/en-us/library/aa379573%28VS.85%29.aspx

"Some SECURITY_INFORMATION members work only with the SetNamedSecurityInfo function. These members are not returned in the structure returned by other security functions such as GetNamedSecurityInfo..."

"Some members..." Which members? Why?

"Other Security functions such as..." Which functions? Why?

Anybody have any experience with extracting and restoring a security descriptor of a NTFS file?

Thanks in advance, Doori Bar

A: 

In general MSDN API documentation supposes a basic level of familiarity with programming and Win32.

You're supposed to understand that some security information can be inherited, for instance. That means that when setting it, you can tell Windows to copy it from the parent. But when you get it, you cannot determine why it has the value it has. Hence, the "inherit" flag is a typical example of a flag that only makes sense in a Set context, and not retrieval context. MSDN doesn't spell out exactly which functions belong in which context, as they assume you can figure that out.

MSalters  2010-05-28 09:07:56
You suggested that "Inherit" flag only makes sense while setting it, you're simply wrong. "Inherit" flag indicator is a non-existing protected control flag. Thanks for your time anyhow.
Doori Bar  2010-05-28 09:34:18
I've got no idea what you mean by "non-existing protected control flag". I was referring to flags like UNPROTECTED_DACL_SECURITY_INFORMATION.
MSalters  2010-05-28 12:38:21
PROTECTED_* and UNPROTECTED_* are actually toggles indicators for the descriptor's control flags. PROTECTED actually means: SE_*_PROTECTED , while UNPROTECTED means: SE_*_AUTO_INHERITED. Unfortunately the documentation is vague and simply lacking the fact that its behavior is limited by design. For example, the idea of using a special toggle flag, instead of the actual Control bit, means that one can not set a default state for an existing descriptor (there is no such flag).
Doori Bar  2010-05-28 15:18:11

related questions

Verifying files for testing
How do you create your own moniker (URL Protocol) on Windows systems?
Windows Equivalent of 'nice'
Is this a good way to determine OS Architecture?
Dual vs. Quadcore on a Webserver
Is there a WMI Redistributable Package?
PHP Error - Uploading a file
Ruby On Rails with Windows Vista - Best Setup?
OpenVPN Config file to prevent timeout
How can I create Debian install packages in Windows for a Visual Studio project?
How do I configure and communicate with a serial port?
What's the best setup for Mono development on Windows?
Appropriate pagefile size for SQL Server
XML Editing/Viewing Software
Linux shell equivalent on IIS
What is a better file copy alternative than the Windows default?
Windows Help files - what are the options?
Heap corruption under Win32; how to locate?
Best way to access Exchange using PHP?
Get a preview jpeg of a pdf on windows?
WinForms ComboBox data binding gotcha
How do you schedule tasks in Windows?
Register Windows program with the mailto protocol programmatically
Embedding Windows Media Player for all Browsers
Best Subversion clients for Windows Vista (64bit)