EldoS | Feel safer!

Software components for data protection, secure storage and transfer

CbFsGetFileSecurity Callback

Posted: 10/10/2012 11:52:44
by Sid Schipper (Standard support level)
Joined: 03/14/2008
Posts: 285

I'm trying to understand the Security aspects of CbFs by using your Mapper Sample.

I run the Sample and install a Z: drive where I then copy a file. I then put breakpoints into the CbFsGetFileSecurity and CbFsSetFileSecurity callbacks and no matter what I do (read the file, copy the file, right-click Properties on the file, etc.) the callback breakpoints never get hit. What external action must I perform on a file to cause Windows to trigger the callbacks?

Posted: 10/10/2012 12:02:11
by Vladimir Cherniga (Team)

These callbacks are optional. Check the source code where the event handlers are assigned. It is commented out by default; just uncomment it.

Posted: 10/10/2012 13:02:03
by Sid Schipper (Standard support level)
Joined: 03/14/2008
Posts: 285

Sorry for the stupid question, I got it now.

Posted: 10/10/2012 17:41:28
by Sid Schipper (Standard support level)
Joined: 03/14/2008
Posts: 285

OK, here's a new question about this stuff, hopefully not as dumb as the last one.

In your mapper sample you actually create Windows files, so there is naturally a Windows SecurityDescriptor created for you by Windows.

What if your application is a virtual disk, where the files it is creating are not really Windows files but some other entity not known to Windows (like a database table)? How would you implement security on those objects using the Windows Authorization mechanisms?

I looked into the CreatePrivateObjectSecurity API but it didn't seem to fit with what I was trying to do. It required a token as input and I wasn't quite sure where to get that token from. My idea was to create the new private security object in my CreateFile callback and pass the SecurityDescriptor pointer that it returns by placing it into the FileHandle Context. I thought I could then pick it up in the CbFsGetFileSecurity callback and return it in the PSECURITY_DESCRIPTOR field that is passed in. There are some obvious problems with this idea, namely that the SecurityDescriptor field passed to the CbFsGetFileSecurity callback is not a pointer to a pointer, so modifying it is problematical. The SecurityDescriptor created by CreatePrivateObjectSecurity is guaranteed by the documentation to be contiguous in memory, but the pointer that is passed in to the callback may not be a pointer to a contiguous block of memory. I think it most likely is, so memcpy would probably work, but I'm not certain of that.

Anyway, have any of you out there tried anything like this? My idea basically stems from the fact that we want to be able to control the authorization of users on our database tables using our database internal security mechanisms, but to have those security mechanisms mapped to the Windows authorization structures so that we can have Windows help us manipulate them (e.g. use of the "Security" tab on the right-click Properties Window) and also involve Windows in the authorization process which may make us able to leverage in things like Active Directory.

Posted: 10/11/2012 03:45:14
by Vladimir Cherniga (Team)

"but the pointer that is passed in to the callback may not be a pointer to a contiguous block of memory."

This is a pointer to a memory block of the size specified in the Length parameter of the callback. You may copy your descriptor to the address specified in the SecurityDescriptor parameter, or return the error ERROR_INSUFFICIENT_BUFFER if your descriptor doesn't fit into the provided buffer.

Posted: 10/11/2012 04:50:07
by Volodymyr Zinin (Team)

There are two formats of SECURITY_DESCRIPTOR - absolute and self-relative. The Get/SetSecurity callbacks expect the self-relative format (i.e. when a security descriptor stores all its security information in a contiguous block of memory). In order to compose security descriptors, use the system security API - MakeSelfRelativeSD, InitializeSecurityDescriptor, etc.
Also maybe this article helps - http://msdn.microsoft.com/en-us/libra...85%29.aspx

BTW: Usually it isn't necessary to have separate security descriptors for all files, because many files have the same descriptor. So in this case they all can share only one instance of a security descriptor.

Posted: 10/11/2012 04:55:58
by Volodymyr Zinin (Team)

Moreover Windows doesn't check the security itself for your files (for your virtual disk). It's necessary to use some checks in the OnCreate/OnOpen callbacks and return ERROR_ACCESS_DENIED if it fails. There is a good system API for it - AccessCheck.
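
The buffer handling described in the replies above (copy a self-relative descriptor into the buffer of size Length, or return ERROR_INSUFFICIENT_BUFFER), as an added example that is not part of the thread and is not EldoS code. The function names, the `needed` out-parameter and the sample descriptor are assumptions made for illustration; the Win32 constants and the self-relative layout are redefined by hand so the sketch builds without `<windows.h>`.

```c
#include <stdint.h>
#include <string.h>

/* Win32 values, redefined so the sketch builds without <windows.h> */
#define ERROR_SUCCESS                0u
#define ERROR_INSUFFICIENT_BUFFER    122u
#define ERROR_INVALID_SECURITY_DESCR 1338u
#define SE_SELF_RELATIVE             0x8000u
#define SD_HEADER                    20u  /* Revision, Sbz1, Control, 4 offsets */

static uint32_t rd16(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8; }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | rd16(p + 2) << 16; }

/* Constructed sample: owner S-1-5-18, empty DACL, no group or SACL */
const uint8_t SAMPLE_SD[40] = {
    1, 0, 0x04, 0x80,                         /* Control: SELF_RELATIVE|DACL_PRESENT */
    20,0,0,0,  0,0,0,0,  0,0,0,0,  32,0,0,0,  /* offsets: owner, group, SACL, DACL */
    1, 1, 0,0,0,0,0,5, 18,0,0,0,              /* SID header + one sub-authority */
    2, 0, 8,0, 0,0, 0,0 };                    /* ACL header: AclSize 8, no ACEs */

/* Total size of the self-relative descriptor in sd[0..avail), 0 if malformed */
uint32_t sd_length(const uint8_t *sd, uint32_t avail)
{
    if (avail < SD_HEADER || sd[0] != 1 || !(rd16(sd + 2) & SE_SELF_RELATIVE))
        return 0;                 /* absolute format holds pointers: reject */
    uint32_t end = SD_HEADER;
    for (int i = 0; i < 4; i++) { /* owner, group, SACL, DACL */
        uint32_t off = rd32(sd + 4 + 4 * i), len;
        if (off == 0) continue;   /* component absent */
        if (off < SD_HEADER || off > avail - 8) return 0;
        len = i < 2 ? 8u + 4u * sd[off + 1]  /* SID: header + sub-authorities */
                    : rd16(sd + off + 2);    /* ACL: AclSize field */
        if (len < 8 || len > avail - off) return 0;
        if (off + len > end) end = off + len;
    }
    return end;
}

/* Hypothetical handler body: 'buffer'/'length' stand for the callback's
   SecurityDescriptor and Length parameters; 'needed' reports the size. */
uint32_t get_file_security(const uint8_t *stored, uint32_t stored_size,
                           uint8_t *buffer, uint32_t length, uint32_t *needed)
{
    uint32_t n = sd_length(stored, stored_size);
    if (n == 0) return ERROR_INVALID_SECURITY_DESCR;
    *needed = n;
    if (n > length) return ERROR_INSUFFICIENT_BUFFER;
    memcpy(buffer, stored, n);    /* one contiguous block, no pointer fix-ups */
    return ERROR_SUCCESS;
}
```

On Windows the same checks map onto the real SECURITY_DESCRIPTOR structures and the system security API named in the thread; the bounds check matters when the stored descriptor comes from your own database rather than from the OS.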




As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.
