Export (0) Print
Expand All
This topic has not yet been rated - Rate this topic

2.1.5.16 Server Requests Setting of Security Information

If the object store does not implement security, the operation MUST be failed with STATUS_INVALID_DEVICE_REQUEST.

The server provides:

  • Open - The Open on which security information is being applied.

  • SecurityInformation - A SECURITY_INFORMATION data type as defined in [MS-DTYP] section 2.4.7.

  • InputBuffer - A buffer that contains the security descriptor to be applied to the object. The security descriptor is a SECURITY_DESCRIPTOR structure in self-relative format, as described in [MS-DTYP] section 2.4.6.

  • InputBufferSize - The size of the buffer provided.

On completion, the object store MUST return:

  • Status - An NTSTATUS code indicating the result of the operation.

This routine uses the following local variables:

  • Boolean values (initialized to FALSE): DisableOwnerAces, ServerObject, DaclUntrusted

The operation MUST be failed with STATUS_ACCESS_DENIED under any of the following conditions:

  • SecurityInformation contains any of OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION, or LABEL_SECURITY_INFORMATION, and Open.GrantedAccess does not contain WRITE_OWNER.

  • SecurityInformation contains DACL_SECURITY_INFORMATION and Open.GrantedAccess does not contain WRITE_DAC.

  • SecurityInformation contains SACL_SECURITY_INFORMATION and Open.GrantedAccess does not contain ACCESS_SYSTEM_SECURITY.

Pseudocode for the operation is as follows:

  • If Open.Stream.StreamType is DataStream and Open.Stream.Name is not zero-length, the operation MUST be failed with STATUS_INVALID_PARAMETER; security information may only be set on a file or directory handle, not on a stream handle.

  • The object store MUST post a USN change as per section 2.1.4.11 with File equal to File, Reason equal to USN_REASON_SECURITY_CHANGE, and FileName equal to Open.Link.Name.

  • If the Server Security (SS) bit is set in InputBuffer.Control, set ServerObject to TRUE, otherwise set it to FALSE.

  • If the DACL Trusted (DT) bit is set in InputBuffer.Control, set DaclUntrusted to FALSE, otherwise set it to TRUE.

  • If SecurityInformation contains OWNER_SECURITY_INFORMATION:

    • If SecurityInformation contains DACL_SECURITY_INFORMATION, set DisableOwnerAces to FALSE, otherwise set it to TRUE.

    • If InputBuffer.OwnerSid is not present, the operation MUST be failed with STATUS_INVALID_OWNER.

    • If InputBuffer.OwnerSid is not a valid owner SID for a file in the object store, as determined in an implementation-specific manner, the object store MUST return STATUS_INVALID_OWNER.

  • Else

    • If Open.File.SecurityDescriptor.Owner is NULL, the operation MUST be failed with STATUS_INVALID_OWNER.

  • EndIf

  • The object store MUST set Open.File.SecurityDescriptor to InputBuffer.

  • If Open.File.FileType is not DirectoryFile:

    • The object store MUST set Open.File.FileAttributes.FILE_ATTRIBUTE_ARCHIVE.

    • The object store MUST update Open.File.LastChangeTime.<133>

  • EndIf

  • The operation returns STATUS_SUCCESS.

 
Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft. All rights reserved.