EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Example for OnGetFileSecurity/OnSetFileSecurity

Posted: 08/25/2009 05:35:09
by web dev (Basic support level)
Joined: 07/14/2009
Posts: 3

Has anybody an example for using this callback function on virtual files? As described in the forum using the functions SetSecurityInfo and GetSecurityInfo.
Posted: 08/25/2009 12:30:52
by Eugene Mayevski (Team)

At the moment there are no examples available. The idea (in brief) is that you store security attributes in your backend storage when SetSecurityInfo() callback handler is invoked, and retrieve security attributes from your backend storage in GetSecurityInfo() callback handler. The "problem" with these events is that it's you who must check security when opening the files. Of course, we'd like it if the OS retrieved security attributes when calling OnOpenFile() callback, but this doesn't happen. You need to read them, check them as described in the help file (I don't remember the exact OS function name) and open or not open the file.

In Callback File System 3.0 the samples will include implementation of *SecurityInfo() callback handlers and the above mentioned check. Until then, unfortunately, we can't do this because of the huge amount of work that we have at the moment.

Sincerely yours
Eugene Mayevski
Posted: 08/25/2009 12:41:42
by Volodymyr Zinin (Team)

Just to add: there is a topic "Security checks" in the CallbackFS documentation.
Posted: 08/26/2009 10:14:43
by Sangmin Lee (Standard support level)
Joined: 06/03/2009
Posts: 57

I've been debugging OnGet/SetFileSecurity() events.
But, it does not do well on MS Word.

Creating a word in size of 0 is OK.
First saving is OK.
As soon as file closes, immediately open and secondly saving fails with file permission error.
At this time, the title of original word window changes to 'a(read-only)'. (a means a document name, that is a.docx).
As the result, saving fails.

I confirmed to write data to ~WRD0000.tmp and set file security information getting from OnGetFileSecurity() for a.docx to ~WRD0000.tmp.
But, On second saving, renaming a.docx to ~WRL0001.tmp and ~WRD000.tmp to a.docx is not requested.

What's the difference between first and second saving?

I think it may be up to metadata cache, and I disabled it.
But the result is same.
Posted: 08/27/2009 01:02:45
by Volodymyr Zinin (Team)

Thank you for the information. We will check it and write the answer here.
Posted: 08/27/2009 02:22:34
by Sangmin Lee (Standard support level)
Joined: 06/03/2009
Posts: 57

I caught and fixed the following case.

The problem is reading a word file opening only READ_CONTROL(0x20000) is permitted.
So on file open, DesiredAccess saves to FileHandleContext.
Then, on file read, first check if FILE_READ_DATA of DesiredAccess in FileHandleContext sets.

if (!(Ctx->DesiredAccess & FILE_READ_DATA))
    TRACE("\t*ERROR* ReadFile: throw ERROR_ACCESS_DENIED, DesiredAccess(%x)\n", Ctx->DesiredAccess);

But, it's not all of problems. There's another case.
To help your understanding, attach the log file.

[ Download ]
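
Added example, not part of the thread and not CallbackFS code: a portable C model of the open-time check described in Eugene Mayevski's reply (evaluate the stored security attributes before opening), combined with the per-handle FILE_READ_DATA check from the post above. The `Ace`/`StoredSd`/`HandleCtx` structures, the integer SIDs and the `open_file`/`read_file` handler names are simplified assumptions; on Windows the evaluation itself is what the Win32 AccessCheck() function performs against a real security descriptor.

```c
#include <stdint.h>
#include <stddef.h>

/* Assumption: simplified model; only the access-mask values are the Windows ones. */
#define FILE_READ_DATA      0x0001u
#define FILE_WRITE_DATA     0x0002u
#define READ_CONTROL        0x00020000u
#define ERROR_ACCESS_DENIED 5

typedef struct { int deny; int sid; uint32_t mask; } Ace;          /* simplified ACE */
typedef struct { int owner; const Ace *aces; size_t n; } StoredSd; /* kept in the backend */
typedef struct { uint32_t granted; } HandleCtx;                    /* hypothetical handle context */

/* Walk the DACL in order: a deny ACE that hits a still-needed bit fails the
   request, allow ACEs clear bits until none remain. No matching ACE means denied. */
static int check_access(const StoredSd *sd, int caller, uint32_t desired) {
    uint32_t need = desired;
    if (caller == sd->owner) need &= ~READ_CONTROL;   /* owner can always read the descriptor */
    for (size_t i = 0; i < sd->n && need; i++) {
        if (sd->aces[i].sid != caller) continue;
        if (sd->aces[i].deny) { if (sd->aces[i].mask & need) return 0; }
        else need &= ~sd->aces[i].mask;
    }
    return need == 0;
}

/* Open handler: the handler, not the OS, enforces the stored descriptor. */
int open_file(const StoredSd *sd, int caller, uint32_t desired, HandleCtx *ctx) {
    if (!check_access(sd, caller, desired)) return ERROR_ACCESS_DENIED;
    ctx->granted = desired;            /* remember what this handle may do */
    return 0;
}

/* Read handler: a handle opened with READ_CONTROL only must not return data. */
int read_file(const HandleCtx *ctx) {
    return (ctx->granted & FILE_READ_DATA) ? 0 : ERROR_ACCESS_DENIED;
}

/* Constructed sample: SID 1 owns the file, SID 2 may read but is denied write. */
static const Ace sample_aces[] = {
    { 1, 2, FILE_WRITE_DATA },                  /* deny ACE listed first */
    { 0, 2, FILE_READ_DATA | READ_CONTROL },
    { 0, 1, FILE_READ_DATA | FILE_WRITE_DATA },
};
static const StoredSd sample_sd = { 1, sample_aces, 3 };

int main(void) {
    HandleCtx h;
    return open_file(&sample_sd, 2, FILE_READ_DATA, &h);   /* 0: SID 2 may read */
}
```

Both checks are needed: the open handler rejects callers the descriptor does not allow, and the read handler rejects handles that were legitimately opened but without data access.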
Posted: 08/27/2009 02:45:01
by Sangmin Lee (Standard support level)
Joined: 06/03/2009
Posts: 57

I found a strange thing.

During editing a word file, if windows explorer opens, word file read is requested.
But, if windows explorer closed, file read is not requested.
File permission errors do not happen.

Posted: 08/27/2009 03:48:32
by Sangmin Lee (Standard support level)
Joined: 06/03/2009
Posts: 57

When mounted volume(eg. Z:\) is empty, if I save office file(word or ppt), the following error happens and volume opening fails.

The folder isn't accessible. The folder may be located in an unavailable location, protected with a password, or the filename contains a / or \.

It happened on the sample Mapper, too.

But, if the volume has one more files/dirs, the error does not happen.

I think it may be related with OnEnumerateDirectory() handling.
Posted: 08/27/2009 04:08:22
by Volodymyr Zinin (Team)

Does the error occur when OnGetFileSecurity/OnSetFileSecurity are absent?
Posted: 08/27/2009 04:10:54
by Volodymyr Zinin (Team)

Also please report errors to the helpdesk.




As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.
