
2.5.3.4.1 CreateSecurityDescriptor

This is the top-level routine that assembles the contributions from the parent security descriptor and the creator descriptor and possibly the default DACL from the token. This is fairly high-level, and relies primarily upon the subroutine ComputeACL, specified in section 2.5.3.4.2.

Parameters

  • ParentDescriptor: Security descriptor for the parent (container) object of the new object. If the object has no parent, this parameter is null.

  • CreatorDescriptor: Security descriptor for the new object provided by the creator of the object. Caller can pass null.

  • IsContainerObject: BOOLEAN: TRUE when the object is a container; otherwise, FALSE.

  • ObjectTypes: An array of pointers to GUID structures that identify the object types or classes of the object associated with NewDescriptor (the return value). For Active Directory objects, this array contains pointers to the class GUIDs of the object's structural class and all attached auxiliary classes. If the object for which this descriptor is being created does not have a GUID, this field MUST be set to null.

  • AutoInheritFlags: A set of bit flags that control how access control entries (ACEs) are inherited from ParentDescriptor. This parameter can be a combination of the following values:

    • DACL_AUTO_INHERIT: If set, inheritable ACEs from the parent security descriptor DACL are merged with the explicit ACEs in the CreatorDescriptor.

    • SACL_AUTO_INHERIT: If set, inheritable ACEs from the parent security descriptor SACL are merged with the explicit ACEs in the CreatorDescriptor.

    • DEFAULT_DESCRIPTOR_FOR_OBJECT: Selects the CreatorDescriptor as the default security descriptor provided that no object type specific ACEs are inherited from the parent. If such ACEs do get inherited, CreatorDescriptor is ignored.

    • DEFAULT_OWNER_FROM_PARENT: Relevant only when the owner field is not specified in CreatorDescriptor. If this flag is set, the owner field in NewDescriptor is set to the owner of ParentDescriptor. If not set, the owner from the token is selected.

    • DEFAULT_GROUP_FROM_PARENT: Relevant only when the primary group field is not specified in CreatorDescriptor. If this flag is set, the primary group of NewDescriptor is set to the primary group of ParentDescriptor. If not set, the default group from the token is selected.

  • Token: Authorization context supplied that contains the ownership information as well as the default DACL if the default DACL is necessary.

  • GenericMapping: Mapping of generic permissions to resource manager-specific permissions supplied by the caller.

Returns

  • NewDescriptor: Output security descriptor for the object computed by the algorithm.

// Step 1: Compute the Owner field. If there is no specified owner,
// then determine an appropriate owner.
IF CreatorDescriptor.Owner is NULL THEN

    IF AutoInheritFlags contains DEFAULT_OWNER_FROM_PARENT THEN
        Set NewDescriptor.Owner to ParentDescriptor.Owner
    ELSE
        Set NewDescriptor.Owner to Token.SIDs[Token.OwnerIndex]
    ENDIF

ELSE
    Set NewDescriptor.Owner to CreatorDescriptor.Owner
ENDIF

// Step 2: Compute the Group field. If there is no specified group,
// then determine the appropriate group.

IF CreatorDescriptor.Group is NULL THEN

    IF AutoInheritFlags contains DEFAULT_GROUP_FROM_PARENT THEN
        Set NewDescriptor.Group to ParentDescriptor.Group
    ELSE
        Set NewDescriptor.Group to Token.SIDs[Token.PrimaryGroup]
    ENDIF

ELSE
    Set NewDescriptor.Group to CreatorDescriptor.Group
ENDIF

// Step 3: Compute the DACL

CALL ComputeACL WITH
      ComputeType set to COMPUTE_DACL, 
      ParentACL set to ParentDescriptor.DACL, 
      AutoInheritFlags set to AutoInheritFlags,
      ParentControl set to ParentDescriptor.Control,
      CreatorACL set to CreatorDescriptor.DACL,
      CreatorControl set to CreatorDescriptor.Control,
      IsContainerObject set to IsContainerObject,
      ObjectTypes set to ObjectTypes, 
      GenericMapping set to GenericMapping,
      Owner set to NewDescriptor.Owner, 
      Group set to NewDescriptor.Group, 
      Token set to Token
RETURNING NewDACL, NewControl

Set NewDescriptor.DACL to NewDACL
Set NewDescriptor.Control to NewControl

// Step 4: Compute the SACL

CALL ComputeACL WITH

      ComputeType set to COMPUTE_SACL,
      ParentACL set to ParentDescriptor.SACL,
      AutoInheritFlags set to AutoInheritFlags,
      ParentControl set to ParentDescriptor.Control,
      CreatorACL set to CreatorDescriptor.SACL,
      CreatorControl set to CreatorDescriptor.Control,
      IsContainerObject set to IsContainerObject,
      ObjectTypes set to ObjectTypes,
      GenericMapping set to GenericMapping,
      Owner set to NewDescriptor.Owner,
      Group set to NewDescriptor.Group,
      Token set to Token
RETURNING NewSACL, NewControl

Set NewDescriptor.SACL to NewSACL
Set NewDescriptor.Control to (NewDescriptor.Control OR NewControl)

RETURN NewDescriptor
// END CreateSecurityDescriptor
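The four steps above, worked through as an added Python example (not the specification's own code). ComputeACL is not on this page, so `compute_acl` is a deliberately simplified stand-in: creator ACEs, then the parent's inheritable ACEs when the matching AUTO_INHERIT flag is set, and the token's default DACL when the creator supplies none; the flag and Control bit values, the SID strings and the ACE tuple layout are all chosen here, and a null ParentDescriptor or CreatorDescriptor is treated as "every field unspecified".

```python
from dataclasses import dataclass

# Bit values are chosen for this example; the page names the flags but gives no values.
DACL_AUTO_INHERIT, SACL_AUTO_INHERIT = 0x1, 0x2
DEFAULT_OWNER_FROM_PARENT, DEFAULT_GROUP_FROM_PARENT = 0x4, 0x8
DACL_PRESENT, SACL_PRESENT = 0x10, 0x20  # example Control bits set by compute_acl

@dataclass
class SecurityDescriptor:  # ACEs are (SID, access mask, inherit flags: "", "CI", "OI" or "CIOI")
    owner: str = None
    group: str = None
    dacl: list = None
    sacl: list = None
    control: int = 0

@dataclass
class Token:
    sids: list
    owner_index: int
    primary_group: int
    default_dacl: list

def compute_acl(kind, parent_acl, flags, creator_acl, is_container, token):
    # Simplified stand-in for ComputeACL (section 2.5.3.4.2, not on this page): creator ACEs,
    # then inheritable parent ACEs if the matching AUTO_INHERIT flag is set; a DACL with no
    # creator ACL falls back to the token's default DACL.
    auto, present = (DACL_AUTO_INHERIT, DACL_PRESENT) if kind == "DACL" else (SACL_AUTO_INHERIT, SACL_PRESENT)
    if creator_acl is not None:
        acl = list(creator_acl)
    else:
        acl = list(token.default_dacl) if kind == "DACL" else []
    if flags & auto and parent_acl:
        want = "CI" if is_container else "OI"
        acl += [ace for ace in parent_acl if want in ace[2]]
    return acl, (present if acl else 0)

def create_security_descriptor(parent, creator, is_container, flags, token):
    creator = creator or SecurityDescriptor()  # null creator: every field unspecified
    parent = parent or SecurityDescriptor()    # no parent: nothing to inherit (assumed handling)

    def pick(specified, from_parent, flag, from_token):
        # Steps 1 and 2: creator's value if given, else the parent's if the flag is set, else the token's.
        return specified if specified is not None else (from_parent if flags & flag else from_token)

    owner = pick(creator.owner, parent.owner, DEFAULT_OWNER_FROM_PARENT, token.sids[token.owner_index])
    group = pick(creator.group, parent.group, DEFAULT_GROUP_FROM_PARENT, token.sids[token.primary_group])
    # Steps 3 and 4: DACL then SACL; the Control bits from both calls are OR'd together.
    dacl, ctl = compute_acl("DACL", parent.dacl, flags, creator.dacl, is_container, token)
    sacl, sacl_ctl = compute_acl("SACL", parent.sacl, flags, creator.sacl, is_container, token)
    return SecurityDescriptor(owner, group, dacl, sacl, ctl | sacl_ctl)
```

The owner selected in step 1 is what the DACL is later evaluated relative to, so whether DEFAULT_OWNER_FROM_PARENT is set decides whether the parent's owner or the creating token's owner ends up with implicit control over the new object.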
© 2014 Microsoft