EldoS | Feel safer!

Software components for data protection, secure storage and transfer

cbflt over nfs

Posted: 09/18/2012 03:15:16
by Daniel Wehrle (Basic support level)
Joined: 08/08/2008
Posts: 32

We have a Windows NFS server and share a location.

Locally we attach the CallbackFilter above this share location using the "FileMon"-Example.

Now we change the ACL of a file from a Red Hat distribution.

In our example the filter didn't recognize the change, although the ACLs were visibly changed.

Is there an example where it works?
Posted: 09/18/2012 04:28:04
by Vladimir Cherniga (EldoS Corp.)

Do you observe any other activity in callbacks, such as OpenFile/CloseFile? What type of share do you use?
Posted: 09/19/2012 03:51:26
by Daniel Wehrle (Basic support level)
Joined: 08/08/2008
Posts: 32

There is a small list of observed activities as an attachment.

I use Windows 2012 NFS Server but without User Mapping yet.
Posted: 09/19/2012 04:11:49
by Vladimir Cherniga (EldoS Corp.)

Cannot find the attachment.
Posted: 09/19/2012 04:51:39
by Daniel Wehrle (Basic support level)
Joined: 08/08/2008
Posts: 32


Here it is.

Posted: 09/19/2012 05:24:09
by Vladimir Cherniga (EldoS Corp.)

Can I ask you to check the filtered paths using CallbackFilter::GetFilterRule()? It is possible that with a network provider other than LanmanWorkstation the filter will not work properly, or maybe not all FS requests are filtered properly.
Posted: 09/19/2012 06:51:33
by Daniel Wehrle (Basic support level)
Joined: 08/08/2008
Posts: 32

Attaching the filter with

    CbFltCallbackFlags.ReadNotify |
    CbFltCallbackFlags.WriteNotify |
    CbFltCallbackFlags.CreateNotify |
    CbFltCallbackFlags.RenameNotify |
    CbFltCallbackFlags.SetSizesNotify |
    CbFltCallbackFlags.DeleteNotify |
    CbFltCallbackFlags.SetBasicInfoNotify |
    CbFltCallbackFlags.EnumerateDirectoryNotify |
    CbFltCallbackFlags.OpenNotify |
    CbFltCallbackFlags.CloseNotify |

The output of

    mFilter.GetFilterRule(0, out mask, out accessFlag, out callBackFlag);


  • mask = "\\Device\\HarddiskVolume1\\nfstest\\*.*"
  • accessFlag = 0
  • callBackFlag = 2047
Posted: 09/19/2012 10:37:47
by Vladimir Cherniga (EldoS Corp.)

Thank you.
When you change the ACL locally, does it call the appropriate callback?
Posted: 09/20/2012 02:48:48
by Daniel Wehrle (Basic support level)
Joined: 08/08/2008
Posts: 32


I added logging of Control events.

Output of changing the ACL locally on NFS and SMB:

  • SetFileSecurityC C:\nfstest\YAYA.txt
  • SetFileSecurityN C:\nfstest\YAYA.txt

  • SetFileSecurityC C:\smbtest\YAYA.txt
  • SetFileSecurityN C:\smbtest\YAYA.txt

chmod command from remote Red Hat mounting the SMB share:

  • SetFileAttributesC C:\smbtest\LLLL.txt
  • SetFileAttributesC C:\smbtest\LLLL.txt
  • SetFileAttributesN C:\smbtest\LLLL.txt

chmod command from remote Red Hat mounting the NFS share:

Posted: 09/20/2012 03:46:12
by Vladimir Cherniga (EldoS Corp.)

Could you compare logs produced with the ProcMon utility from Sysinternals when you access the file locally and remotely? It may help a lot.
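
The ProcMon comparison requested in the last reply can be scripted. The sketch below is an added example, not part of the thread and not EldoS code. It assumes two ProcMon traces saved as CSV with the default column headers; the sample rows, paths and process names are constructed for illustration.

```python
import csv
import io

# Constructed rows in ProcMon's CSV export layout; not data from this thread.
HEADER = '"Time of Day","Process Name","PID","Operation","Path","Result","Detail"\n'
LOCAL_CSV = HEADER + r'''"10:01:02.10","icacls.exe","4120","CreateFile","C:\share\demo.txt","SUCCESS",""
"10:01:02.11","icacls.exe","4120","QuerySecurityFile","C:\share\demo.txt","SUCCESS",""
"10:01:02.12","icacls.exe","4120","SetSecurityFile","C:\share\demo.txt","SUCCESS",""
"10:01:02.13","icacls.exe","4120","CloseFile","C:\share\demo.txt","SUCCESS",""
"10:01:02.20","icacls.exe","4120","CreateFile","C:\other\x.txt","SUCCESS",""
'''
REMOTE_CSV = HEADER + r'''"10:05:40.50","System","4","CreateFile","C:\share\demo.txt","SUCCESS",""
"10:05:40.51","System","4","SetBasicInformationFile","C:\share\demo.txt","SUCCESS",""
"10:05:40.52","System","4","CloseFile","C:\share\demo.txt","SUCCESS",""
'''


def operations(csv_text, prefix):
    """Return {operation: set of process names} for events under `prefix`."""
    seen = {}
    # Tolerate a byte-order mark at the start of an exported file.
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    for row in reader:
        # Windows paths are case-insensitive, so compare in lower case.
        if row["Path"].lower().startswith(prefix.lower()):
            seen.setdefault(row["Operation"], set()).add(row["Process Name"])
    return seen


def compare(local_csv, remote_csv, prefix):
    """Report which operation types appear in only one of the two traces."""
    local = operations(local_csv, prefix)
    remote = operations(remote_csv, prefix)
    return {
        "local_only": sorted(set(local) - set(remote)),
        "remote_only": sorted(set(remote) - set(local)),
        "remote_processes": sorted({p for procs in remote.values() for p in procs}),
    }


if __name__ == "__main__":
    for key, value in compare(LOCAL_CSV, REMOTE_CSV, "C:\\share\\").items():
        print(key, value)
```

Operations listed under `remote_only` are the request types the remote change produced that the local one did not, which is the place to look when a callback fires locally but not for the remote client.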