File-mapping security and access rights

The Windows security model lets you control access to file-mapping objects. For more information, see Access-Control Model.

You can specify a security descriptor for a file-mapping object when you call the CreateFileMapping function. If you specify NULL, the object gets a default security descriptor. The ACLs in the default security descriptor for a file-mapping object come from the primary or impersonation token of the creator.

To retrieve the security descriptor of a file-mapping object, call the GetNamedSecurityInfo or GetSecurityInfo function. To set the security descriptor of a file-mapping object, call the SetNamedSecurityInfo or SetSecurityInfo function.

The valid access rights for file-mapping objects include the DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER standard access rights. File mapping objects do not support the SYNCHRONIZE standard access right. The following table lists the access rights that are specific to file-mapping objects.

Access right Meaning
FILE_MAP_ALL_ACCESS Includes all access rights to a file-mapping object except FILE_MAP_EXECUTE. The MapViewOfFile and MapViewOfFileEx functions treat this the same as specifying FILE_MAP_WRITE.
FILE_MAP_EXECUTE Allows mapping of executable views of the file-mapping object. The object must have been created with page protection that allows execute access, such as PAGE_EXECUTE_READ, PAGE_EXECUTE_WRITECOPY, or PAGE_EXECUTE_READWRITE protection.
FILE_MAP_READ Allows mapping of read-only or copy-on-write views of the file-mapping object.
FILE_MAP_WRITE Allows mapping of read-only, copy-on-write, or read/write views of a file-mapping object. The object must have been created with page protection that allows write access, such as PAGE_READWRITE or PAGE_EXECUTE_READWRITE protection.

Mapping a copy-on-write view of a file-mapping object requires the same access as mapping a read-only view. The FILE_MAP_COPY flag is not an access right, and it should not be specified as part of a DACL in a security descriptor. This value can be used only with functions that map a view of a file-mapping object, such as the MapViewOfFile and MapViewOfFileEx functions, or with the OpenFileMapping function, which treats FILE_MAP_COPY the same way it treats FILE_MAP_READ.

You can request the ACCESS_SYSTEM_SECURITY access right to a file-mapping object if you want to read or write the object's SACL. For more information, see Access-Control Lists (ACLs) and SACL Access Right.