Testing with File Service for MacIntosh

#5620
Posted: 03/26/2008 02:14:58
by Volodymyr Zinin (EldoS Corp.)

Thank you for the crash dump.
I have fixed something. Try the driver that is attached to this message (but uninstall the existing one before installing it). Will the system crash or not? If yes then please send me a new crash dump.
Thanks.



#5621
Posted: 03/26/2008 03:01:57
by Søren Kristensen (Basic support level)
Joined: 03/04/2008
Posts: 62

Hi

The system still crashes, I attach the crash dump.

Are you able to reproduce the problem?

Here is what I do:

On my C drive I create a directory named EldoS holding 3 subdirectories Dir1, Dir2 and Dir3. Dir1 holds some pictures.

Now I use your Mapper sample. I mount C:\Eldos and add Mounting point K:

Then I create a new share on K:\Dir1 with Share name Dir1 for both Windows users and Macintosh users. Users are given read and write access.

Then I go to K:\Dir1 and delete one of the pictures. Now I am asked to confirm the deletion and when I accept, the blue screen appears.

Regards Soren


#5646
Posted: 03/27/2008 12:12:58
by Volodymyr Zinin (EldoS Corp.)

The bug has been fixed. I have attached the fixed driver to this message. The nearest build will also contain this fix.


#5649
Posted: 03/28/2008 00:12:44
by Søren Kristensen (Basic support level)
Joined: 03/04/2008
Posts: 62

Thanks :)

The problem has disappeared and I will continue testing and evaluating.

Regards Soren
#5705
Posted: 04/01/2008 06:45:39
by Søren Kristensen (Basic support level)
Joined: 03/04/2008
Posts: 62

Hi

I am getting further with my evaluation. My next hurdle is to get the user who wants to access a file.

I thought I could use getOriginatorToken. This works fine as long as I access it from the server that runs CallbackFS, but when I share the volume and access it from another workstation, I am told that the user is SYSTEM. (I use getTokenInformation to get the TokenUser from the token I get from getOriginatorToken.)

I see the same problem with getOriginatorProcessName: it is OK when accessed from the CallbackFS server, but the processName is empty when accessed through the share.

Do you have any ideas how to get the username and process name when accessing through the share?

Regards Soren
#5706
Posted: 04/01/2008 07:02:39
by Volodymyr Zinin (EldoS Corp.)

Hello,

I will check it today later and answer you.
#5711
Posted: 04/02/2008 03:51:04
by Volodymyr Zinin (EldoS Corp.)

I have tested this and for SMB shares it works.
I have used the following code in his OnOpenCallback:

Code
// Declarations added so the fragment compiles: Name, NameLen and LastError
// were used below but not declared in the original post.
DWORD LastError;
WCHAR Name[100];
DWORD NameLen;

HANDLE hToken = GetOriginatorToken(...);
if (hToken != INVALID_HANDLE_VALUE) {

  // TOKEN_USER is a SID_AND_ATTRIBUTES followed by the SID bytes; 255 bytes
  // is enough for any valid SID (max 68 bytes) plus the header.
  UCHAR TokenUserBuf[255];
  DWORD ReturnedLength;
  BOOL b;

  b = GetTokenInformation( hToken,
                           TokenUser,
                           TokenUserBuf,
                           sizeof(TokenUserBuf),
                           &ReturnedLength );
  LastError = GetLastError();

  if (b) {

    PTOKEN_USER TokenUser;
    SID_NAME_USE SidNameUse;
    WCHAR ReferencedDomainName[100];
    DWORD ReferencedDomainNameLength = sizeof(ReferencedDomainName)/sizeof(WCHAR);

    TokenUser = (PTOKEN_USER)TokenUserBuf;

    // Resolve the SID to an account name; NameLen is in characters, not bytes.
    NameLen = sizeof(Name)/sizeof(WCHAR);
    b = LookupAccountSidW( NULL,
                           TokenUser->User.Sid,
                           Name,
                           &NameLen,
                           ReferencedDomainName,
                           &ReferencedDomainNameLength,
                           &SidNameUse );

    LastError = GetLastError();
  }

  CloseHandle(hToken);
}


But for Mac shares it doesn't work well. The name is always returned as "SYSTEM" :(

There are three places from which GetOriginatorToken obtains a token (in relevance order):
1. From the security context that is associated with the create/open request passed to the driver.
Here is a code chunk from the driver that performs it:
Token = SeQuerySubjectContextToken(&IrpSp->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext);
2 and 3. If a token is necessary in other callbacks (not in OnCreate/OnOpen) then it's obtained from the originator thread (i.e. the impersonation token). And if the impersonation token doesn't exist then a token is obtained from the originator process.

For Mac shares I have checked all these places and found that the first token (i.e. from the security context of the driver's create/open request) is the same as the token associated with the originator process. And the impersonation token doesn't exist.

Unfortunately we don't know other ways to obtain the information about the originator of the request for Mac shares. Please inform us if you find anything and we will try to add this to CallbackFS.

BTW: The most preferable place where the security must be checked is the OnCreate/OnOpen callbacks. If they return some error then the process that is opening a file doesn't obtain a handle for the file. So it can't do any other operations on the file.
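The post above explains that every token source available to GetOriginatorToken collapses to the system process for requests that arrive through the Mac file service, so the TokenUser SID comes back as LocalSystem and the open cannot be attributed to a user. The following is an added example, not code from the thread or from the CallbackFS Mapper sample: it parses the binary SID that TokenUser->User.Sid points to (the layout is revision, sub-authority count, a 48-bit big-endian identifier authority, then little-endian 32-bit sub-authorities), recognises the well-known LocalSystem SID S-1-5-18 without a LookupAccountSid round trip, and applies the policy the post recommends, refusing in OnOpen when a request over a share cannot be attributed. It is portable C++17 so it runs without the Win32 API; the sample SID byte strings are constructed for the example.

```cpp
// Added example (not from the thread or the CallbackFS samples): parse the
// binary SID found in TOKEN_USER and decide whether an originator is
// attributable. On Windows the same bytes come from
// GetTokenInformation(hToken, TokenUser, ...); here they are constructed.
#include <cstdint>
#include <cstddef>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// Decoded form of a binary SID.
struct ParsedSid {
    uint8_t revision = 0;
    uint64_t authority = 0;              // 48-bit identifier authority
    std::vector<uint32_t> subAuthorities;
};

// Parse a binary SID. Throws on truncated or malformed input instead of
// reading past the buffer (the fixed 255-byte TokenUserBuf in the thread is
// only safe because GetTokenInformation fails when the buffer is too small).
ParsedSid ParseSid(const uint8_t* data, size_t len) {
    if (len < 8) throw std::invalid_argument("SID header truncated");
    ParsedSid sid;
    sid.revision = data[0];
    uint8_t count = data[1];
    if (sid.revision != 1 || count > 15)
        throw std::invalid_argument("not a revision-1 SID");
    if (len < 8 + size_t(count) * 4)
        throw std::invalid_argument("SID sub-authorities truncated");
    for (int i = 0; i < 6; ++i)                 // big-endian 48-bit authority
        sid.authority = (sid.authority << 8) | data[2 + i];
    for (uint8_t i = 0; i < count; ++i) {       // little-endian 32-bit sub-authorities
        const uint8_t* p = data + 8 + size_t(i) * 4;
        sid.subAuthorities.push_back(uint32_t(p[0]) | (uint32_t(p[1]) << 8) |
                                     (uint32_t(p[2]) << 16) | (uint32_t(p[3]) << 24));
    }
    return sid;
}

ParsedSid ParseSid(const std::vector<uint8_t>& bytes) {
    return ParseSid(bytes.data(), bytes.size());
}

// Render in the S-R-A-S1-S2... form that ConvertSidToStringSid would produce.
std::string SidToString(const ParsedSid& sid) {
    std::string s = "S-" + std::to_string(sid.revision) + "-" + std::to_string(sid.authority);
    for (uint32_t sa : sid.subAuthorities) s += "-" + std::to_string(sa);
    return s;
}

// LocalSystem is the well-known SID S-1-5-18.
bool IsLocalSystem(const ParsedSid& sid) {
    return sid.authority == 5 && sid.subAuthorities.size() == 1 && sid.subAuthorities[0] == 18;
}

enum class OpenDecision { AllowAsUser, RefuseUnattributed };

// Policy for an OnOpen callback: a LocalSystem originator on a request that
// came in over a share cannot be tied to a user (this is exactly the Mac
// share case in the thread), so refuse before any handle is handed out.
// A local LocalSystem caller (a service on the CallbackFS host) is still allowed.
OpenDecision DecideOpen(const std::vector<uint8_t>& sidBytes, bool viaShare) {
    ParsedSid sid = ParseSid(sidBytes);
    if (viaShare && IsLocalSystem(sid)) return OpenDecision::RefuseUnattributed;
    return OpenDecision::AllowAsUser;
}

// Constructed sample SIDs (binary form, as returned in TOKEN_USER).
std::vector<uint8_t> SampleLocalSystemSid() {           // S-1-5-18
    return {1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
}
std::vector<uint8_t> SampleUserSid() {                  // S-1-5-21-1000-2000-3000-1001
    return {1, 5, 0, 0, 0, 0, 0, 5,
            21, 0, 0, 0, 0xE8, 0x03, 0, 0, 0xD0, 0x07, 0, 0, 0xB8, 0x0B, 0, 0, 0xE9, 0x03, 0, 0};
}

int main() {
    for (auto sample : {SampleLocalSystemSid(), SampleUserSid()}) {
        ParsedSid sid = ParseSid(sample);
        std::cout << SidToString(sid) << " over share: "
                  << (DecideOpen(sample, true) == OpenDecision::AllowAsUser ? "allow" : "refuse")
                  << "\n";
    }
    return 0;
}
```

In a real OnOpen handler the SID bytes are `TokenUser->User.Sid` from the buffer filled by GetTokenInformation, and `viaShare` would be derived from however the volume is exposed; the check is deliberately placed in OnOpen because, as the post says, an error there means no handle is ever created.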
#5712
Posted: 04/02/2008 03:52:57
by Volodymyr Zinin (EldoS Corp.)

Quote
Søren Kristensen wrote:
I see the same problem with getOriginatorProcessName, it is OK when acessed ffrom the CallbackFS server, the processName is empty when accessed through the share.

Yes. The process name is empty because it's the system process, which doesn't have a name.
#5713
Posted: 04/02/2008 06:53:55
by Søren Kristensen (Basic support level)
Joined: 03/04/2008
Posts: 62

Hi again

It does not work for me. I use the following code in the Mapper project CPP:

Code
void CbFsOpenFile(CallbackFileSystem* Sender, LPCTSTR FileName,   DWORD FileAttributes, PVOID* FileHandleContext)
{
    PFILE_CONTEXT Ctx = NULL;
    LPTSTR FName = NULL;
    DWORD Error = NO_ERROR;
    int LastError;
    HANDLE hToken;
    hToken = g_CbFs.GetOriginatorToken();
    if (hToken != INVALID_HANDLE_VALUE) {

        UCHAR TokenUserBuf[255];
        DWORD ReturnedLength;
        BOOL b;

        b = GetTokenInformation( hToken,
                                 TokenUser,
                                 TokenUserBuf,
                                 sizeof(TokenUserBuf),
                                 &ReturnedLength );
        LastError = GetLastError();

        if (b) {

            PTOKEN_USER TokenUser;
            SID_NAME_USE SidNameUse;
            WCHAR Name[100];
            DWORD NameLen = sizeof(Name)/sizeof(WCHAR);
            WCHAR ReferencedDomainName[100];
            DWORD ReferencedDomainNameLength = sizeof(ReferencedDomainName)/sizeof(WCHAR);

            TokenUser = (PTOKEN_USER)TokenUserBuf;

            b = LookupAccountSidW( NULL,
                                   TokenUser->User.Sid,
                                   Name,
                                   &NameLen,
                                   ReferencedDomainName,
                                   &ReferencedDomainNameLength,
                                   &SidNameUse );

            LastError = GetLastError();
        }

        CloseHandle(hToken);
    }

    if(*FileHandleContext != NULL)
    {
        Ctx = (PFILE_CONTEXT)(*FileHandleContext);
        Ctx->OpenCount++;
        return;
    }
    else
    {
        Ctx = (PFILE_CONTEXT)malloc(sizeof(FILE_CONTEXT));
        if(Ctx == NULL) {

            throw ECBFSError(GetLastError());
        }
        FillMemory(Ctx, sizeof(FILE_CONTEXT), 0);
    }
    FName = static_cast<LPTSTR>(malloc((_tcslen(FileName) + _tcslen(g_RootPath)) * sizeof(TCHAR) + sizeof(TCHAR)));

    ASSERT(FName);
    
    _tcscpy(FName, g_RootPath);
    
    _tcscat(FName, FileName);

    if(FileAttributes & FILE_ATTRIBUTE_DIRECTORY)
    {
        if (_tcscmp(FileName, _T("\\")) &&
        (0xFFFFFFFF == GetFileAttributes(FName)))
        {
            SetLastError(ERROR_FILE_NOT_FOUND);
            free(Ctx);
            free(FName);
            FName = NULL;
            throw ECBFSError(ERROR_FILE_NOT_FOUND);
        }
        else
        {
            Ctx->hFile = (PVOID)CreateFile(
                FName,
                GENERIC_READ | FILE_WRITE_ATTRIBUTES,
                FILE_SHARE_READ | FILE_SHARE_WRITE,
                NULL,
                OPEN_EXISTING,
                FILE_FLAG_BACKUP_SEMANTICS,
                0);
                
            if(INVALID_HANDLE_VALUE == Ctx->hFile)
            {
                free(Ctx);
                free(FName);
                FName = NULL;
                throw ECBFSError(GetLastError());
            }
        }
    }
    else
    {
        Ctx->hFile = (PVOID)CreateFile(
            FName,
            GENERIC_READ | GENERIC_WRITE,
            FILE_SHARE_READ | FILE_SHARE_WRITE,
            NULL,
            OPEN_EXISTING,
            FileAttributes,
            0);
            
        if(INVALID_HANDLE_VALUE == Ctx->hFile)
        {
            Error = GetLastError();
        
            if(ERROR_ACCESS_DENIED == Error)
            {
                Ctx->hFile = (PVOID)CreateFile(
                    FName,
                    GENERIC_READ | FILE_WRITE_ATTRIBUTES,
                    FILE_SHARE_READ | FILE_SHARE_WRITE,
                    NULL,
                    OPEN_EXISTING,
                    FileAttributes,
                    0);
                if(INVALID_HANDLE_VALUE == Ctx->hFile)
                {
                    free(Ctx);
                    free(FName);
                    FName = NULL;
                    throw ECBFSError(GetLastError());
                }
            }        
            else
            {
                free(Ctx);
                free(FName);
                FName = NULL;
                SetLastError(Error);
                throw ECBFSError(Error);
            }
        }
    }
    Ctx->OpenCount++;
    *FileHandleContext = Ctx;
    
    if(FName)
    {
        free(FName);
    }
}


I map my physical drive c:\eldos to M:

Then I share M:\ as DocMan (Windows share).

When I attach the M drive from my own computer I get the name skr, which is my login.

When I ask a colleague to map to DocMan on my computer from his workstation, then I don't catch any name?

Have I missed something???

btw what do you mean with:
Quote
I have used the following code in his OnOpenCallback:

Regards Søren
#5717
Posted: 04/02/2008 13:05:20
by Volodymyr Zinin (EldoS Corp.)

I have checked your code with C++ Mapper and it works. I performed remote accessing from WinXP and Win2003 using different accounts and obtained either the names of the remote users or "guest" (it depends on settings on a remote computer).

Perhaps you are checking the user name information not for a remote request. Please try to check it for some certain file. For example like this:
Code
#define CHECKED_FILE L"checked_file.txt"
#define CHECKED_FILE_LEN (sizeof(CHECKED_FILE)/sizeof(WCHAR)-1)

void CbFsOpenFile(CallbackFileSystem* Sender, LPCTSTR FileName,   DWORD FileAttributes, PVOID* FileHandleContext)
{
    PFILE_CONTEXT Ctx = NULL;
    LPTSTR FName = NULL;
    DWORD Error = NO_ERROR;

    // Only inspect opens of the one test file (case-insensitive suffix match).
    // Assumes a UNICODE build so that LPCTSTR is LPCWSTR; _wcsicmp is the
    // non-deprecated name of wcsicmp in the Microsoft CRT.
    if ( wcslen(FileName) > CHECKED_FILE_LEN &&
         _wcsicmp(FileName+wcslen(FileName)-CHECKED_FILE_LEN, CHECKED_FILE)==0 ) {

        int LastError;
        HANDLE hToken;
        hToken = g_CbFs.GetOriginatorToken();
        if (hToken != INVALID_HANDLE_VALUE) {

          UCHAR TokenUserBuf[255];
          DWORD ReturnedLength;
          BOOL b;

          b = GetTokenInformation( hToken,
                                   TokenUser,
                                   TokenUserBuf,
                                   sizeof(TokenUserBuf),
                                   &ReturnedLength );
          LastError = GetLastError();
            
          if (b) {

            PTOKEN_USER TokenUser;
            SID_NAME_USE SidNameUse;
            WCHAR Name[100];
            DWORD NameLen = sizeof(Name)/sizeof(WCHAR);
            WCHAR ReferencedDomainName[100];
            DWORD ReferencedDomainNameLength = sizeof(ReferencedDomainName)/sizeof(WCHAR);

            TokenUser = (PTOKEN_USER)TokenUserBuf;

            b = LookupAccountSidW( NULL,
                                   TokenUser->User.Sid,
                                   Name,
                                   &NameLen,
                                   ReferencedDomainName,
                                   &ReferencedDomainNameLength,
                                   &SidNameUse );

            LastError = GetLastError();
          }

          CloseHandle(hToken);
        }
    }
    
    <skipped>
}


Also add a call to SetCallAllOpenCloseCallbacks(TRUE) in the initialization part of the program.


