File Mapping Security and Access Rights

The Windows security model enables you to control access to file mapping objects. For more information, see Access-Control Model.

You can specify a security descriptor for a file mapping object when you call the CreateFileMapping function. If you specify NULL, the object gets a default security descriptor. The ACLs in the default security descriptor for a file mapping object come from the primary or impersonation token of the creator.

To retrieve the security descriptor of a file mapping object, call the GetNamedSecurityInfo or GetSecurityInfo function. To set the security descriptor of a file mapping object, call the SetNamedSecurityInfo or SetSecurityInfo function.

The valid access rights for file mapping objects include the DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER standard access rights. File mapping objects do not support the SYNCHRONIZE standard access right. The following table lists the specific access rights for file mapping objects.

| Access right | Meaning |
|---|---|
| FILE_MAP_ALL_ACCESS | Includes all access rights to a file mapping object except FILE_MAP_EXECUTE. The MapViewOfFile and MapViewOfFileEx functions treat this the same as specifying FILE_MAP_WRITE. |
| FILE_MAP_EXECUTE | Allows mapping of executable views of the file mapping object. The object must have been created with page protection that allows execute access, such as PAGE_EXECUTE_READ, PAGE_EXECUTE_WRITECOPY, or PAGE_EXECUTE_READWRITE protection. |
| FILE_MAP_READ | Allows mapping of read-only or copy-on-write views of the file mapping object. |
| FILE_MAP_WRITE | Allows mapping of read-only, copy-on-write, or read/write views of a file mapping object. The object must have been created with page protection that allows write access, such as PAGE_READWRITE or PAGE_EXECUTE_READWRITE protection. |

Mapping a copy-on-write view of a file mapping object requires the same access as mapping a read-only view. FILE_MAP_COPY is not an actual access right and should not be specified as part of a DACL in a security descriptor. This value can be used only with functions that map a view of a file mapping object, such as the MapViewOfFile and MapViewOfFileEx functions, or with the OpenFileMapping function, which treats FILE_MAP_COPY the same as FILE_MAP_READ.

You can request the ACCESS_SYSTEM_SECURITY access right to a file mapping object if you want to read or write the object's SACL. For more information, see Access-Control Lists (ACLs) and SACL Access Right.
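
The following example is added here and is not part of the original documentation. It shows one way to pass an explicit security descriptor to CreateFileMapping instead of NULL: it builds a protected DACL in SDDL from the access rights listed above and, on Windows, converts it with ConvertStringSecurityDescriptorToSecurityDescriptor. The grant type, the function names, the object policy (SYSTEM full access, Authenticated Users read-only) and the choice to reject SYNCHRONIZE in a mask are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <sddl.h>            /* link with advapi32 */
#else                        /* winnt.h values, so the builder compiles anywhere */
#define FILE_MAP_READ       0x00000004ul
#define FILE_MAP_ALL_ACCESS 0x000F001Ful
#define SYNCHRONIZE         0x00100000ul
#endif

struct grant { const char *sid; unsigned long mask; };  /* hypothetical helper type */

/* Build a protected DACL in SDDL with one allow ACE per grant.
   Returns 0 on success, -1 on an empty mask, a mask containing SYNCHRONIZE
   (not supported by file mapping objects), or a buffer that is too small. */
int build_mapping_sddl(const struct grant *g, size_t n, char *out, size_t cap)
{
    int w = snprintf(out, cap, "D:P");
    if (w < 0 || (size_t)w >= cap) return -1;
    size_t used = (size_t)w;
    for (size_t i = 0; i < n; i++) {
        if (g[i].mask == 0 || (g[i].mask & SYNCHRONIZE)) return -1;
        w = snprintf(out + used, cap - used, "(A;;0x%lx;;;%s)", g[i].mask, g[i].sid);
        if (w < 0 || (size_t)w >= cap - used) return -1;
        used += (size_t)w;
    }
    return 0;
}

#ifdef _WIN32
/* Create a named, pagefile-backed mapping with that DACL instead of NULL. */
HANDLE create_mapping(const char *name, const char *sddl, DWORD size)
{
    SECURITY_ATTRIBUTES sa = { sizeof sa, NULL, FALSE };
    if (!ConvertStringSecurityDescriptorToSecurityDescriptorA(
            sddl, SDDL_REVISION_1, &sa.lpSecurityDescriptor, NULL))
        return NULL;
    HANDLE h = CreateFileMappingA(INVALID_HANDLE_VALUE, &sa, PAGE_READWRITE, 0, size, name);
    LocalFree(sa.lpSecurityDescriptor);
    return h;
}
#endif

int main(void)
{
    /* Constructed policy: SYSTEM gets all access, Authenticated Users read-only views. */
    struct grant acl[] = { { "SY", FILE_MAP_ALL_ACCESS }, { "AU", FILE_MAP_READ } };
    char sddl[128];
    if (build_mapping_sddl(acl, 2, sddl, sizeof sddl) != 0) return 1;
    puts(sddl);
    return 0;
}
```

A consumer that opens this object with OpenFileMapping and FILE_MAP_READ succeeds as an authenticated user, while a request for FILE_MAP_WRITE from the same account is denied by the DACL.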

 

 

© 2014 Microsoft