EldoS | Feel safer!

Software components for data protection, secure storage and transfer

DesiredAccess of OpenFile

Also by EldoS: MsgConnect
Cross-platform protocol-independent communication framework for building peer-to-peer and client-server applications and middleware components.
#15136
Posted: 11/26/2010 09:42:15
by Robert Baer (Basic support level)
Joined: 11/08/2010
Posts: 46

Hello,

I am using CBFS version 3.1.82 with C++. The OpenFile callback gets the desired access passed as type ACCESS_MASK. When a file is opened in read-write-mode, I get the following access mask: 0012019F. The "F" is the generic right containing "READ", "WRITE" and "EXECUTE".

I expected the generic rights on the highest bit, like they are defined in msdn:
Public Const GENERIC_ALL As Int32 = &H10000000
Public Const GENERIC_READ As Int32 = &H80000000
Public Const GENERIC_WRITE As Int32 = &H40000000
Public Const GENERIC_EXECUTE As Int32 = &H20000000
(see http://msdn.microsoft.com/en-us/library/aa446632.aspx)

How should I handle this?

Regards,
Robert
#15140
Posted: 11/26/2010 15:01:49
by Volodymyr Zinin (EldoS Corp.)

Hello Robert,

Below are definitions for access rights. I've taken them from "Microsoft Visual Studio 8\VC\PlatformSDK\include\winnt.h".

#define FILE_READ_DATA ( 0x0001 ) // file & pipe
#define FILE_LIST_DIRECTORY ( 0x0001 ) // directory

#define FILE_WRITE_DATA ( 0x0002 ) // file & pipe
#define FILE_ADD_FILE ( 0x0002 ) // directory

#define FILE_APPEND_DATA ( 0x0004 ) // file
#define FILE_ADD_SUBDIRECTORY ( 0x0004 ) // directory
#define FILE_CREATE_PIPE_INSTANCE ( 0x0004 ) // named pipe


#define FILE_READ_EA ( 0x0008 ) // file & directory

#define FILE_WRITE_EA ( 0x0010 ) // file & directory

#define FILE_EXECUTE ( 0x0020 ) // file
#define FILE_TRAVERSE ( 0x0020 ) // directory

#define FILE_DELETE_CHILD ( 0x0040 ) // directory

#define FILE_READ_ATTRIBUTES ( 0x0080 ) // all

#define FILE_WRITE_ATTRIBUTES ( 0x0100 ) // all

#define FILE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1FF)

#define FILE_GENERIC_READ (STANDARD_RIGHTS_READ |\
FILE_READ_DATA |\
FILE_READ_ATTRIBUTES |\
FILE_READ_EA |\
SYNCHRONIZE)


#define FILE_GENERIC_WRITE (STANDARD_RIGHTS_WRITE |\
FILE_WRITE_DATA |\
FILE_WRITE_ATTRIBUTES |\
FILE_WRITE_EA |\
FILE_APPEND_DATA |\
SYNCHRONIZE)


#define FILE_GENERIC_EXECUTE (STANDARD_RIGHTS_EXECUTE |\
FILE_READ_ATTRIBUTES |\
FILE_EXECUTE |\
SYNCHRONIZE)

#define DELETE (0x00010000L)
#define READ_CONTROL (0x00020000L)
#define WRITE_DAC (0x00040000L)
#define WRITE_OWNER (0x00080000L)
#define SYNCHRONIZE (0x00100000L)

#define STANDARD_RIGHTS_REQUIRED (0x000F0000L)

#define STANDARD_RIGHTS_READ (READ_CONTROL)
#define STANDARD_RIGHTS_WRITE (READ_CONTROL)
#define STANDARD_RIGHTS_EXECUTE (READ_CONTROL)

#define STANDARD_RIGHTS_ALL (0x001F0000L)

#define SPECIFIC_RIGHTS_ALL (0x0000FFFFL)
#15149
Posted: 11/29/2010 02:24:09
by Robert Baer (Basic support level)
Joined: 11/08/2010
Posts: 46

Hello Vladimir,

thanks for posting the defines. Unfortunately, I can't use FILE_GENERIC_WRITE to evaluate if the file is opened in write-mode or not. FILE_GENERIC_WRITE is also set, when a file is opened in read-mode.

I think, that this is possible via generic rights (definition also from winnt.h):

#define GENERIC_READ (0x80000000L)
#define GENERIC_WRITE (0x40000000L)
#define GENERIC_EXECUTE (0x20000000L)
#define GENERIC_ALL (0x10000000L)

But strangely, the desired access mask looks like this: 0012019F.
It would work if access mask was e.g. F0120190.

Regards,
Robert
#15155
Posted: 11/30/2010 01:03:25
by Volodymyr Zinin (EldoS Corp.)

Don't use the "generic" read/write during access check. They are used just for file creation or opening. Instead of them use sets of the "strict" flags. For example so:

Code
BOOL ReadAccess = (DesiredAccess & ( READ_CONTROL |
                                     FILE_READ_DATA |
                                     FILE_READ_EA |
                                     FILE_READ_ATTRIBUTES |
                                     FILE_LIST_DIRECTORY )) != 0;
    
BOOL WriteAccess = (DesiredAccess & ( DELETE |
                                      WRITE_OWNER |
                                      WRITE_DAC |
                                      FILE_WRITE_EA |
                                      FILE_WRITE_ATTRIBUTES )) != 0;
#15160
Posted: 11/30/2010 03:42:27
by Robert Baer (Basic support level)
Joined: 11/08/2010
Posts: 46

Hello,

thanks for the example code. It successfully evaluates if the file is opened with write-access. Unfortunately it doesn't work for read-access, when the file is only opened in write-mode (without read-access). ReadAccess is true in this case.

Why shouldn't I use generic read/write? I just need to check access in OpenFile and CreateFile method. Generic rights work fine and evaluate the desired access correctly - but at the moment I can't use the GENERIC_... defines of winnt.h.

Regards,
Robert
#15174
Posted: 11/30/2010 15:09:00
by Volodymyr Zinin (EldoS Corp.)

Quote
Robert Baer wrote:
Unfortunately it doesn't work for read-access, when the file is only opened in write-mode (without read-access).

Could you describe it in more details?

Quote
Robert Baer wrote:
Why shouldn't I use generic read/write?

Because before Windows passes an OnCreate/OnOpen request to the CallbackFS driver it converts the generic access rights (if they are specified by an user) to the set of "strict" flags (FILE_READ_DATA, FILE_READ_ATTRIBUTES, etc). And then the CallbackFS driver passes them unchanged to the OnCreate/OnOpen callback.
Try to select such flags that match your requirements.
#15290
Posted: 12/13/2010 07:09:40
by Robert Baer (Basic support level)
Joined: 11/08/2010
Posts: 46

Quote
Vladimir Zinin wrote:
Could you describe it in more details?

When a file is opened with the following generic rights, this is how ReadAccess and WriteAccess evaluate:

1) GENERIC_READ -> ReadAccess == true, WriteAccess == false
2) GENERIC_READ | GENERIC_WRITE -> ReadAccess == true, WriteAccess == true
3) GENERIC_WRITE -> ReadAccess == true, WriteAccess == true

ReadAccess should be false in case 3 to conform my requirements.

I am using the following defines to evaluate the desired access. They work fine in every case!
Code
#define CBFS_GENERIC_READ                     (0x00000008L)
#define CBFS_GENERIC_WRITE                    (0x00000004L)
#define CBFS_GENERIC_EXECUTE                  (0x00000002L)
#define CBFS_GENERIC_ALL                      (0x00000001L)


Regards,
Robert
#15294
Posted: 12/13/2010 08:04:54
by Volodymyr Zinin (EldoS Corp.)

Quote
Robert Baer wrote:
I am using the following defines to evaluate the desired access. They work fine in every case!
#define CBFS_GENERIC_READ (0x00000008L)
#define CBFS_GENERIC_WRITE(0x00000004L)
#define CBFS_GENERIC_EXECUTE(0x00000002L)
#define CBFS_GENERIC_ALL(0x00000001L)

Where did you get these definitions from?
0x00000008L means FILE_READ_EA (see the definitions I posted above)
0x00000004L means FILE_APPEND_DATA
0x00000002L means FILE_WRITE_DATA
#15302
Posted: 12/14/2010 00:39:14
by Robert Baer (Basic support level)
Joined: 11/08/2010
Posts: 46

Hello Vladimir,

thanks a lot - now I understand. I've been on the wrong track...

As you suggested, I selected the fitting strict flags and it works:

ReadAccess = FILE_READ_DATA | FILE_READ_EA
WriteAccess = FILE_WRITE_DATA | FILE_WRITE_EA | FILE_APPEND_DATA | FILE_WRITE_ATTRIBUTES

Thanks for your help and your patience ;)
Robert
Also by EldoS: CallbackFilter
A component to monitor and control disk activity, track file and directory operations (create, read, write, rename etc.), alter file data, encrypt files, create virtual files.

Reply

Statistics

Topic viewed 4728 times

Number of guests: 1, registered members: 0, in total hidden: 0




|

Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!