
File Mapping Security and Access Rights

The Windows security model enables you to control access to file mapping objects. For more information, see Access-Control Model.

You can specify a security descriptor for a file mapping object when you call the CreateFileMapping function. If you specify NULL, the object gets a default security descriptor. The ACLs in the default security descriptor for a file mapping object come from the primary or impersonation token of the creator.

To retrieve the security descriptor of a file mapping object, call the GetNamedSecurityInfo or GetSecurityInfo function. To set the security descriptor of a file mapping object, call the SetNamedSecurityInfo or SetSecurityInfo function.

The valid access rights for file mapping objects include the DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER standard access rights. File mapping objects do not support the SYNCHRONIZE standard access right. The following table lists the specific access rights for file mapping objects.

| Access right | Meaning |
| --- | --- |
| FILE_MAP_ALL_ACCESS | Includes all access rights to a file mapping object except FILE_MAP_EXECUTE. The MapViewOfFile and MapViewOfFileEx functions treat this the same as specifying FILE_MAP_WRITE. |
| FILE_MAP_EXECUTE | Allows mapping of executable views of the file mapping object. The object must have been created with page protection that allows execute access, such as PAGE_EXECUTE_READ, PAGE_EXECUTE_WRITECOPY, or PAGE_EXECUTE_READWRITE protection. |
| FILE_MAP_READ | Allows mapping of read-only or copy-on-write views of the file mapping object. |
| FILE_MAP_WRITE | Allows mapping of read-only, copy-on-write, or read/write views of a file mapping object. The object must have been created with page protection that allows write access, such as PAGE_READWRITE or PAGE_EXECUTE_READWRITE protection. |

Mapping a copy-on-write view of a file mapping object requires the same access as mapping a read-only view. FILE_MAP_COPY is not an actual access right and should not be specified as part of a DACL in a security descriptor. This value can be used only with functions that map a view of a file mapping object, such as the MapViewOfFile and MapViewOfFileEx functions, or with the OpenFileMapping function, which treats FILE_MAP_COPY the same as FILE_MAP_READ.

You can request the ACCESS_SYSTEM_SECURITY access right to a file mapping object if you want to read or write the object's SACL. For more information, see Access-Control Lists (ACLs) and SACL Access Right.
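An added example, not part of the original documentation: it builds an explicit DACL from the access rights listed above and passes it to CreateFileMapping in place of NULL. The SIDs (BA, AU), the helper names and the mapping name Local\ExampleMapping are assumptions for illustration; on Windows, link with advapi32.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <sddl.h>
#else   /* winnt.h values, repeated so the SDDL builder compiles off Windows */
#define FILE_MAP_READ       0x0004UL
#define READ_CONTROL        0x00020000UL
#define FILE_MAP_ALL_ACCESS 0x000F001FUL
#endif

/* owner gets FILE_MAP_ALL_ACCESS (no FILE_MAP_EXECUTE); reader gets FILE_MAP_READ,
   enough for read-only and copy-on-write views. No FILE_MAP_COPY, no SYNCHRONIZE. */
int build_mapping_sddl(char *out, size_t n, const char *owner, const char *reader)
{
    int len = snprintf(out, n, "D:(A;;0x%lx;;;%s)(A;;0x%lx;;;%s)",
                       (unsigned long)FILE_MAP_ALL_ACCESS, owner,
                       (unsigned long)(FILE_MAP_READ | READ_CONTROL), reader);
    return (len > 0 && (size_t)len < n) ? 0 : -1;   /* -1: output truncated */
}

#ifdef _WIN32
/* Pagefile-backed named mapping created with the explicit DACL instead of NULL. */
HANDLE create_secured_mapping(const char *name, DWORD size, const char *sddl)
{
    SECURITY_ATTRIBUTES sa = { sizeof sa, NULL, FALSE };
    HANDLE h; DWORD err;
    if (!ConvertStringSecurityDescriptorToSecurityDescriptorA(
            sddl, SDDL_REVISION_1, &sa.lpSecurityDescriptor, NULL))
        return NULL;
    h = CreateFileMappingA(INVALID_HANDLE_VALUE, &sa, PAGE_READWRITE, 0, size, name);
    err = GetLastError();
    LocalFree(sa.lpSecurityDescriptor);
    /* An already existing object keeps its own descriptor; ours was not applied. */
    if (h && err == ERROR_ALREADY_EXISTS) { CloseHandle(h); h = NULL; }
    return h;
}
#endif

int main(void)
{
    char sddl[128];   /* BA = Builtin Administrators, AU = Authenticated Users */
    if (build_mapping_sddl(sddl, sizeof sddl, "BA", "AU") != 0) return 1;
    puts(sddl);
#ifdef _WIN32
    HANDLE h = create_secured_mapping("Local\\ExampleMapping", 4096, sddl); /* hypothetical name */
    if (h) CloseHandle(h);
#endif
    return 0;
}
```

Calling GetSecurityInfo on the returned handle with SE_KERNEL_OBJECT and DACL_SECURITY_INFORMATION reads the DACL back for verification.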

 

 

© 2014 Microsoft