EldoS | Feel safer!

Software components for data protection, secure storage and transfer

DesiredAccess of OpenFile

Also by EldoS: CallbackDisk
Create virtual disks backed by memory or custom location, expose disk images as disks and more.
#15136
Posted: 11/26/2010 09:42:15
by Robert Baer (Basic support level)
Joined: 11/08/2010
Posts: 46

Hello,

I am using CBFS version 3.1.82 with C++. The OpenFile callback gets the desired access passed as type ACCESS_MASK. When a file is opened in read-write-mode, I get the following access mask: 0012019F. The "F" is the generic right containing "READ", "WRITE" and "EXECUTE".

I expected the generic rights on the highest bit, like they are defined in msdn:
Public Const GENERIC_ALL As Int32 = &H10000000
Public Const GENERIC_READ As Int32 = &H80000000
Public Const GENERIC_WRITE As Int32 = &H40000000
Public Const GENERIC_EXECUTE As Int32 = &H20000000
(see http://msdn.microsoft.com/en-us/library/aa446632.aspx)

How should I handle this?

Regards,
Robert
#15140
Posted: 11/26/2010 15:01:49
by Volodymyr Zinin (EldoS Corp.)

Hello Robert,

Below are definitions for access rights. I've taken them from "Microsoft Visual Studio 8\VC\PlatformSDK\include\winnt.h".

#define FILE_READ_DATA ( 0x0001 ) // file & pipe
#define FILE_LIST_DIRECTORY ( 0x0001 ) // directory

#define FILE_WRITE_DATA ( 0x0002 ) // file & pipe
#define FILE_ADD_FILE ( 0x0002 ) // directory

#define FILE_APPEND_DATA ( 0x0004 ) // file
#define FILE_ADD_SUBDIRECTORY ( 0x0004 ) // directory
#define FILE_CREATE_PIPE_INSTANCE ( 0x0004 ) // named pipe


#define FILE_READ_EA ( 0x0008 ) // file & directory

#define FILE_WRITE_EA ( 0x0010 ) // file & directory

#define FILE_EXECUTE ( 0x0020 ) // file
#define FILE_TRAVERSE ( 0x0020 ) // directory

#define FILE_DELETE_CHILD ( 0x0040 ) // directory

#define FILE_READ_ATTRIBUTES ( 0x0080 ) // all

#define FILE_WRITE_ATTRIBUTES ( 0x0100 ) // all

#define FILE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1FF)

#define FILE_GENERIC_READ (STANDARD_RIGHTS_READ |\
FILE_READ_DATA |\
FILE_READ_ATTRIBUTES |\
FILE_READ_EA |\
SYNCHRONIZE)


#define FILE_GENERIC_WRITE (STANDARD_RIGHTS_WRITE |\
FILE_WRITE_DATA |\
FILE_WRITE_ATTRIBUTES |\
FILE_WRITE_EA |\
FILE_APPEND_DATA |\
SYNCHRONIZE)


#define FILE_GENERIC_EXECUTE (STANDARD_RIGHTS_EXECUTE |\
FILE_READ_ATTRIBUTES |\
FILE_EXECUTE |\
SYNCHRONIZE)

#define DELETE (0x00010000L)
#define READ_CONTROL (0x00020000L)
#define WRITE_DAC (0x00040000L)
#define WRITE_OWNER (0x00080000L)
#define SYNCHRONIZE (0x00100000L)

#define STANDARD_RIGHTS_REQUIRED (0x000F0000L)

#define STANDARD_RIGHTS_READ (READ_CONTROL)
#define STANDARD_RIGHTS_WRITE (READ_CONTROL)
#define STANDARD_RIGHTS_EXECUTE (READ_CONTROL)

#define STANDARD_RIGHTS_ALL (0x001F0000L)

#define SPECIFIC_RIGHTS_ALL (0x0000FFFFL)
#15149
Posted: 11/29/2010 02:24:09
by Robert Baer (Basic support level)
Joined: 11/08/2010
Posts: 46

Hello Vladimir,

thanks for posting the defines. Unfortunately, I can't use FILE_GENERIC_WRITE to evaluate if the file is opened in write-mode or not. FILE_GENERIC_WRITE is also set, when a file is opened in read-mode.

I think, that this is possible via generic rights (definition also from winnt.h):

#define GENERIC_READ (0x80000000L)
#define GENERIC_WRITE (0x40000000L)
#define GENERIC_EXECUTE (0x20000000L)
#define GENERIC_ALL (0x10000000L)

But strangely, the desired access mask looks like this: 0012019F.
It would work if access mask was e.g. F0120190.

Regards,
Robert
#15155
Posted: 11/30/2010 01:03:25
by Volodymyr Zinin (EldoS Corp.)

Don't use the "generic" read/write during access check. They are used just for file creation or opening. Instead of them use sets of the "strict" flags. For example so:

Code
BOOL ReadAccess = (DesiredAccess & ( READ_CONTROL |
                                     FILE_READ_DATA |
                                     FILE_READ_EA |
                                     FILE_READ_ATTRIBUTES |
                                     FILE_LIST_DIRECTORY )) != 0;
    
BOOL WriteAccess = (DesiredAccess & ( DELETE |
                                      WRITE_OWNER |
                                      WRITE_DAC |
                                      FILE_WRITE_EA |
                                      FILE_WRITE_ATTRIBUTES )) != 0;
#15160
Posted: 11/30/2010 03:42:27
by Robert Baer (Basic support level)
Joined: 11/08/2010
Posts: 46

Hello,

thanks for the example code. It successfully evaluates if the file is opened with write-access. Unfortunately it doesn't work for read-access, when the file is only opened in write-mode (without read-access). ReadAccess is true in this case.

Why shouldn't I use generic read/write? I just need to check access in OpenFile and CreateFile method. Generic rights work fine and evaluate the desired access correctly - but at the moment I can't use the GENERIC_... defines of winnt.h.

Regards,
Robert
#15174
Posted: 11/30/2010 15:09:00
by Volodymyr Zinin (EldoS Corp.)

Quote
Robert Baer wrote:
Unfortunately it doesn't work for read-access, when the file is only opened in write-mode (without read-access).

Could you describe it in more details?

Quote
Robert Baer wrote:
Why shouldn't I use generic read/write?

Because before Windows passes an OnCreate/OnOpen request to the CallbackFS driver it converts the generic access rights (if they are specified by an user) to the set of "strict" flags (FILE_READ_DATA, FILE_READ_ATTRIBUTES, etc). And then the CallbackFS driver passes them unchanged to the OnCreate/OnOpen callback.
Try to select such flags that match your requirements.
#15290
Posted: 12/13/2010 07:09:40
by Robert Baer (Basic support level)
Joined: 11/08/2010
Posts: 46

Quote
Vladimir Zinin wrote:
Could you describe it in more details?

When a file is opened with the following generic rights, this is how ReadAccess and WriteAccess evaluate:

1) GENERIC_READ -> ReadAccess == true, WriteAccess == false
2) GENERIC_READ | GENERIC_WRITE -> ReadAccess == true, WriteAccess == true
3) GENERIC_WRITE -> ReadAccess == true, WriteAccess == true

ReadAccess should be false in case 3 to conform my requirements.

I am using the following defines to evaluate the desired access. They work fine in every case!
Code
#define CBFS_GENERIC_READ                     (0x00000008L)
#define CBFS_GENERIC_WRITE                    (0x00000004L)
#define CBFS_GENERIC_EXECUTE                  (0x00000002L)
#define CBFS_GENERIC_ALL                      (0x00000001L)


Regards,
Robert
#15294
Posted: 12/13/2010 08:04:54
by Volodymyr Zinin (EldoS Corp.)

Quote
Robert Baer wrote:
I am using the following defines to evaluate the desired access. They work fine in every case!
#define CBFS_GENERIC_READ (0x00000008L)
#define CBFS_GENERIC_WRITE(0x00000004L)
#define CBFS_GENERIC_EXECUTE(0x00000002L)
#define CBFS_GENERIC_ALL(0x00000001L)

Where did you get these definitions from?
0x00000008L means FILE_READ_EA (see the definitions I posted above)
0x00000004L means FILE_APPEND_DATA
0x00000002L means FILE_WRITE_DATA
#15302
Posted: 12/14/2010 00:39:14
by Robert Baer (Basic support level)
Joined: 11/08/2010
Posts: 46

Hello Vladimir,

thanks a lot - now I understand. I've been on the wrong track...

As you suggested, I selected the fitting strict flags and it works:

ReadAccess = FILE_READ_DATA | FILE_READ_EA
WriteAccess = FILE_WRITE_DATA | FILE_WRITE_EA | FILE_APPEND_DATA | FILE_WRITE_ATTRIBUTES

Thanks for your help and your patience ;)
Robert
Also by EldoS: BizCrypto
Components for BizTalk® and SQL Server® Integration Services that let you securely store and transfer information in your business automation solutions.

Reply

Statistics

Topic viewed 4730 times

Number of guests: 1, registered members: 0, in total hidden: 0




|

Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!