EldoS | Feel safer!

Software components for data protection, secure storage and transfer

How to apply ntfs security while copying file

Posted: 02/15/2010 01:11:34
by Abhay Gumaste (Basic support level)
Joined: 01/27/2010
Posts: 14


I can view the Security tab.
Now I want to set file security using OnSetFileSecurity in the same way as in the above post.
Using the string security descriptor I want to set file security for a specific file in Z:
Posted: 11/06/2012 14:57:30
by Sid Schipper (Standard support level)
Joined: 03/14/2008
Posts: 285

I can't seem to get this to work. I used a security descriptor string of "O:COG:DAD:(A;;GA;;;SY)(A::GR;;;WD)" and I got a good return code from ConvertStringSecurityDescriptorToSecurityDescriptor, but I still get the message that says "Cannot display Security information". Any of you two have any ideas for me? I know this post is two years old, but I just started on the security stuff recently.
Posted: 11/07/2012 01:20:37
by Volodymyr Zinin (EldoS Corp.)

Perhaps the security descriptor you specified doesn't contain requested information (see the parameter SecurityInformation of the OnGetFileSecurity callback).
Posted: 11/07/2012 10:36:30
by Sid Schipper (Standard support level)
Joined: 03/14/2008
Posts: 285

That parameter value is "4" when I enter the callback. According to the MSDN documentation, "4" means DACL_SECURITY_INFORMATION, which means they are requesting a DACL, which I thought I was providing.

I changed my code to do exactly what your example does above, even though I didn't really understand it completely, and it still doesn't work. What I don't understand about your code is why you throw the ECBFSError(ERROR_MORE_DATA) at the end of your routine?
Posted: 11/08/2012 04:20:40
by Volodymyr Zinin (EldoS Corp.)

What example are you talking about? And please specify the versions of CallbackFS and Windows.
Posted: 11/08/2012 10:17:20
by Sid Schipper (Standard support level)
Joined: 03/14/2008
Posts: 285

Windows 7 and CBFS Version

The example I'm referring to is on the previous page, I cut and pasted it below.

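// Requires <windows.h> and <sddl.h>
void OnGetFileSecurity(void* Sender, CbFsFileInfo* FileInfo, void* FileHandleContext, SECURITY_INFORMATION SecurityInformation, PSECURITY_DESCRIPTOR SecurityDescriptor, DWORD Length, DWORD* LengthNeeded)
{
    // Protected DACL: SYSTEM full access, Administrators read/write/execute, Everyone read
    LPCWSTR sddl = L"D:P(A;;GA;;;SY)(A;;GRGWGX;;;BA)(A;;GR;;;WD)";
    PSECURITY_DESCRIPTOR sd = NULL;
    ULONG sdSize = 0;

    BOOL b = ConvertStringSecurityDescriptorToSecurityDescriptorW(sddl, SDDL_REVISION_1, &sd, &sdSize);
    if (!b) throw ECBFSError(GetLastError());

    // Always report the size the caller needs
    *LengthNeeded = sdSize;
    BOOL fits = (Length >= sdSize);
    if (fits) memcpy(SecurityDescriptor, sd, sdSize);
    LocalFree(sd);  // the conversion call allocates sd with LocalAlloc
    // Caller's buffer is too small: signal that it must retry with LengthNeeded bytes
    if (!fits) throw ECBFSError(ERROR_MORE_DATA);
}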
Posted: 11/09/2012 02:09:39
by Volodymyr Zinin (EldoS Corp.)

CallbackFS does nothing extra in handling the system file security requests (to be strict these are IRP_MJ_SET_SECURITY and IRP_MJ_QUERY_SECURITY). It just calls the OnGetFileSecurity and OnSetFileSecurity callbacks with data requested by the system.
During development try to create the same folder hierarchy on your system disk (for example "C:") and in your security callbacks just call the system API GetFileSecurity and SetFileSecurity with the same arguments as requested by the callbacks, but for the mirrored "C:" physical folders (so that the security information for your root folder is requested from "C:\", and so on). Then you can investigate the difference between what this code returned and your string security descriptor conversion.
The same can be performed with the Mapper sample. I have tried it with the 32-bit C++ Mapper sample on Win7 x64 and it works. Uncomment the setting of the security callbacks there, run it as administrator (because some calls of the system GetFileSecurity and SetFileSecurity API inside these callbacks require administrator rights when they are called for the folder "C:"), and "map" not the "C:\1" folder (which is set by default), but "C:".
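
A structural pre-check for the mismatch raised earlier in this thread (does the string descriptor carry the parts named in SecurityInformation?), given here as an added example that is not part of the original posts or of CallbackFS. The names SddlReport, inspectSddl and missingInfo are hypothetical, and the check is portable C++ that only inspects the SDDL text, so it does not replace the GetFileSecurity comparison described above.

```cpp
#include <iostream>
#include <map>
#include <string>
#include <vector>

// SECURITY_INFORMATION bits, values as in the Windows SDK headers.
const unsigned OWNER_INFO = 0x1, GROUP_INFO = 0x2, DACL_INFO = 0x4, SACL_INFO = 0x8;

struct SddlReport {                       // hypothetical helper type
    unsigned present = 0;                 // O:/G:/D:/S: parts found in the string
    std::vector<std::string> badAces;     // ACEs without 6 (or 7) ';'-separated fields
};

// Structural check only: SIDs and rights tokens are not validated.
SddlReport inspectSddl(const std::string& sddl) {
    static const std::map<char, unsigned> tags = {
        {'O', OWNER_INFO}, {'G', GROUP_INFO}, {'D', DACL_INFO}, {'S', SACL_INFO}};
    SddlReport r;
    int depth = 0;
    std::size_t aceStart = 0;
    for (std::size_t i = 0; i < sddl.size(); ++i) {
        const char c = sddl[i];
        if (c == '(') {
            if (depth++ == 0) aceStart = i + 1;
        } else if (c == ')' && depth > 0) {
            if (--depth != 0) continue;   // still inside a nested expression
            const std::string ace = sddl.substr(aceStart, i - aceStart);
            std::size_t fields = 1;
            for (char a : ace) if (a == ';') ++fields;
            // 6 fields in a basic ACE; a 7th holds a conditional expression or attribute
            if (fields != 6 && fields != 7) r.badAces.push_back(ace);
        } else if (c == ':' && depth == 0 && i > 0) {
            const auto it = tags.find(sddl[i - 1]);   // tag letter precedes the colon
            if (it != tags.end()) r.present |= it->second;
        }
    }
    return r;
}

// Requested SecurityInformation bits that the string cannot supply.
unsigned missingInfo(const std::string& sddl, unsigned requested) {
    return requested & ~inspectSddl(sddl).present;
}

int main() {
    const std::string s = "D:P(A;;GA;;;SY)(A;;GRGWGX;;;BA)(A;;GR;;;WD)";  // string from the thread
    std::cout << "missing for DACL request: " << missingInfo(s, DACL_INFO) << "\n";
    std::cout << "missing for OWNER|DACL request: " << missingInfo(s, OWNER_INFO | DACL_INFO) << "\n";
}
```

A non-zero result from missingInfo means the callback was asked for a part (owner, group, DACL or SACL) that the string does not define.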
Posted: 11/12/2012 11:25:22
by Sid Schipper (Standard support level)
Joined: 03/14/2008
Posts: 285

OK, I will try your suggestions and let you know what happens. Thank you very much.
Posted: 11/12/2012 13:41:50
by Sid Schipper (Standard support level)
Joined: 03/14/2008
Posts: 285


I compared the output from GetFileSecurity with the output from ConvertStringSecurityDescriptorToSecurityDescriptor and determined why my strings were not converting correctly. Apparently the second parameter of the string cannot be left out, so when I changed my string to include that parameter everything worked the way I would have expected. My new string looks as follows;


Thank you for all your help.
Posted: 11/12/2012 18:44:39
by Sid Schipper (Standard support level)
Joined: 03/14/2008
Posts: 285

Ok, now I've moved on to the next step.

Once the system presents the Security Tab to the user, the user might change some things on that tab, for example he could check the check box for adding write access to the virtual file. When he does that, I would like to intercept it and do the necessary things in my database system to set the security for the object.

I thought that changing something on that Security Tab and then clicking the Apply button would trigger the CbFsSetFileSecurity callback, but running in debug told me that wasn't the case. In fact, it seems to trigger CbFsGetFileSecurity again, which didn't really make sense to me.

Any ideas about this?
As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.
