EldoS | Feel safer!


How to apply NTFS security while copying a file

Posted: 02/11/2010 06:24:55
by Abhay Gumaste (Basic support level)
Joined: 01/27/2010
Posts: 14

While copying a file, NTFS security is not applied to the destination file.
Would you please suggest any reference code (or point me in the correct direction, i.e. links, articles, etc.) to apply NTFS security to the destination folder?

Posted: 02/11/2010 06:44:10
by Volodymyr Zinin (Team)


It's necessary to implement the optional OnGetSecurity and OnSetSecurity callbacks to achieve this. There are no samples yet where this is done, but we are going to add one in the future.
The idea is the following: the SECURITY_DESCRIPTOR data should be associated with the files (for example in SDDL format). For details about this structure see MSDN.

Posted: 02/11/2010 10:21:00
by Abhay Gumaste (Basic support level)
Joined: 01/27/2010
Posts: 14


As per your suggestion, I reviewed the SECURITY_DESCRIPTOR data in SDDL format. For example, I have the string security descriptor of the file C:\1\temp.txt. Now I have copied that file to Z:\, but in the GetFileSecurity method I need to pass the file path of temp.txt; since I have the security descriptor as an SDDL string and do not want to use GetFileSecurity, can you please suggest any other method for viewing the security information of Z:\temp.txt using the string security descriptor rather than the path of C:\1\temp.txt?

Posted: 02/11/2010 11:02:53
by Eugene Mayevski (Team)

You should not "view" the security descriptor. What you need to do is:
1) In OnSetFileSecurity, take the security descriptor block and store it somewhere, for example where your file is stored.
2) In OnGetFileSecurity, return this security descriptor block to the OS.
3) In the OnOpen or OnCreate request, check the security descriptor, i.e. whether the calling process is allowed to access the file in the requested mode. Unfortunately the OS doesn't perform such checks itself. Please search this forum for OnGetFileSecurity; Vladimir described the checking procedure here before.
4) Be sure to set CallAllOpenCloseCallbacks to true if you perform security checks.

Sincerely yours
Eugene Mayevski
Posted: 02/11/2010 11:22:13
by Abhay Gumaste (Basic support level)
Joined: 01/27/2010
Posts: 14

Thanks for a quick reply.

Actually I want to see the Security tab, which I am not able to see when I use the string security descriptor. When I tried to view the Security tab it gave me an error like "Security is unavailable or not have permissions". I have attached the exact error message here.
I will check the OnGetFileSecurity procedure in the forums.

Can you please clarify step 2?

Posted: 02/11/2010 11:58:35
by Eugene Mayevski (Team)

You return whatever was set in OnSetFileSecurity. I guess that if this information is not available, you need to create and return the security descriptor of the parent object OR a default security descriptor that you would create yourself and that will provide all access rights.

Sincerely yours
Eugene Mayevski
Posted: 02/12/2010 00:31:36
by Abhay Gumaste (Basic support level)
Joined: 01/27/2010
Posts: 14


Thanks for the update.

I have already returned the string security descriptor (a string security descriptor in SDDL format, using the ConvertStringSecurityDescriptorToSecurityDescriptor API), but I am still having the same issue when I click on the Security tab of a file. The error is shown in the post above.

Is there any alternative way to see the information on the Security tab?

Posted: 02/12/2010 01:46:48
by Volodymyr Zinin (Team)

The OnGetFileSecurity callback asks you to return the security descriptor as a SECURITY_DESCRIPTOR structure in the self-relative format (i.e. all of the security descriptor's information must be stored in a contiguous block of memory).
Do you convert the SDDL string into the SECURITY_DESCRIPTOR structure before you return data from the OnGetFileSecurity callback?
BTW, try returning from this callback something that is definitely correct (just for a test). For example, get the security information from an NTFS file by means of the system GetFileSecurity API.

Posted: 02/12/2010 07:14:14
by Abhay Gumaste (Basic support level)
Joined: 01/27/2010
Posts: 14

Let me explain my problem. I have the string security descriptor in SDDL format of a file, say C:\1\temp.txt (i.e. O:BAG:S-1-5-21-2050085053-1656512420-3026380890-513D:AI(A;ID;FA;;;AU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;BU); I got this by using the ConvertSDToStringSD method).

Now I want to see the security information of the file Z:\temp.txt, so I clicked on the Security tab of the file. Here I do not want to use the GetFileSecurity API because it uses mRootPath + FileInfo.FileName (as it is not working with Z:\temp.txt). As I have the string security descriptor in SDDL format, I can get the security descriptor by using the ConvertStringSecurityDescriptorToSecurityDescriptor API to get an IntPtr SecurityDescriptor.

I observed that Length and LengthNeeded are getting valid lengths, like with the GetFileSecurity API, but the IntPtr SecurityDescriptor is not the same as the SecurityDescriptor parameter, so I think that is why the Security tab doesn't show the security information.

Please suggest how to convert the SDDL string into the SECURITY_DESCRIPTOR structure so that I can return it from OnGetFileSecurity.

When I use the GetFileSecurity method, passing the parameter mRootPath + FileInfo.FileName, the Security tab shows valid information, but instead of that I want to use the SDDL string.

Posted: 02/12/2010 11:19:01
by Volodymyr Zinin (Team)

ConvertStringSecurityDescriptorToSecurityDescriptor itself allocates a memory chunk for the SECURITY_DESCRIPTOR structure and returns a pointer to it via its SecurityDescriptor parameter. It's then necessary to copy this data to the location specified by the callback's SecurityDescriptor parameter (but don't forget to check whether there is enough memory there).
Do something like this:
#include <windows.h>
#include <sddl.h>

void OnGetFileSecurity(void* Sender, CbFsFileInfo* FileInfo, void* FileHandleContext,
                       SECURITY_INFORMATION SecurityInformation,
                       PSECURITY_DESCRIPTOR SecurityDescriptor, DWORD Length, DWORD* LengthNeeded)
{
    LPCWSTR sddl = L"D:P(A;;GA;;;SY)(A;;GRGWGX;;;BA)(A;;GR;;;WD)";
    PSECURITY_DESCRIPTOR sd = NULL;   // self-relative block allocated by the API, released with LocalFree
    ULONG sdSize = 0;

    BOOL b = ConvertStringSecurityDescriptorToSecurityDescriptorW(sddl, SDDL_REVISION_1, &sd, &sdSize);
    if (!b) throw ECBFSError(GetLastError());

    // Always report the size needed; copy only if the caller's buffer is large enough.
    *LengthNeeded = sdSize;
    if (Length >= sdSize) {
        memcpy(SecurityDescriptor, sd, sdSize);
    }
    LocalFree(sd);
}
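As an added example (not code from this thread or from the CBFS product), the following portable C shows the two checks a practitioner would want around the snippet above: that the stored block really is a self-relative SECURITY_DESCRIPTOR in one contiguous region, as the callback requires, and that the Length/LengthNeeded rule is honoured before anything is copied. The layout constants follow the documented SECURITY_DESCRIPTOR_RELATIVE, SID and ACL structures; the function names are hypothetical, and the 60-byte descriptor is constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed sample (60 bytes): self-relative SD, owner S-1-5-18, Control 0x8004 =
   SE_SELF_RELATIVE | SE_DACL_PRESENT, one ACCESS_ALLOWED ACE: GENERIC_ALL for S-1-5-18. */
const uint8_t SAMPLE_SD[] = {
    0x01, 0x00, 0x04, 0x80, 0x14, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x20, 0, 0, 0, /* header    */
    0x01, 0x01, 0, 0, 0, 0, 0, 0x05, 0x12, 0, 0, 0,                               /* owner SID */
    0x02, 0x00, 0x1C, 0x00, 0x01, 0x00, 0x00, 0x00,                               /* ACL hdr   */
    0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00, 0x10,                               /* ACE+mask  */
    0x01, 0x01, 0, 0, 0, 0, 0, 0x05, 0x12, 0, 0, 0 };                             /* ACE SID   */
const size_t SAMPLE_SD_LEN = sizeof SAMPLE_SD;
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }
/* A SID at offset off (0 = absent): revision 1, 8-byte header + 4 bytes per sub-authority, all inside. */
static int sid_fits(const uint8_t *sd, size_t len, uint32_t off) {
    if (off == 0) return 1;
    if ((size_t)off + 8 > len || sd[off] != 1) return 0;
    return (size_t)off + 8 + 4u * sd[off + 1] <= len;
}
/* An ACL at offset off: AclSize inside the block, and every ACE inside AclSize. */
static int acl_fits(const uint8_t *sd, size_t len, uint32_t off) {
    if (off == 0) return 1;
    if ((size_t)off + 8 > len) return 0;
    size_t end = (size_t)off + rd16(sd + off + 2), pos = (size_t)off + 8;
    if (end < pos || end > len) return 0;
    for (uint16_t n = rd16(sd + off + 4); n > 0; n--) {
        if (pos + 4 > end) return 0;
        uint16_t ace = rd16(sd + pos + 2);
        if (ace < 4 || pos + ace > end) return 0;
        pos += ace;
    }
    return 1;
}
/* Revision 1, SE_SELF_RELATIVE (0x8000) set, Owner/Group/Sacl/Dacl offsets all in bounds. */
int sd_is_valid_self_relative(const uint8_t *sd, size_t len) {
    if (!sd || len < 20 || sd[0] != 1 || !(rd16(sd + 2) & 0x8000)) return 0;
    return sid_fits(sd, len, rd32(sd + 4)) && sid_fits(sd, len, rd32(sd + 8)) &&
           acl_fits(sd, len, rd32(sd + 12)) && acl_fits(sd, len, rd32(sd + 16));
}
/* Hypothetical helper mirroring the OnGetFileSecurity contract: always report the size
   needed, copy only when the buffer is big enough. 1 = copied, 0 = too small, -1 = bad SD. */
int return_file_security(const uint8_t *stored, size_t stored_len,
                         uint8_t *out, size_t out_len, size_t *needed) {
    *needed = 0;
    if (!sd_is_valid_self_relative(stored, stored_len)) return -1;
    *needed = stored_len;
    if (out_len < stored_len) return 0;
    memcpy(out, stored, stored_len);
    return 1;
}
```

A block that fails sd_is_valid_self_relative (for example an absolute-format descriptor with pointers, or one truncated by the storage layer) is exactly what produces the "security unavailable" behaviour described earlier in the thread, so rejecting it here is cheaper than debugging it in the Security tab.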


