SeSetSecurityDescriptorInfoEx function (ntifs.h)
The SeSetSecurityDescriptorInfoEx routine modifies an object's security descriptor and specifies whether the object supports automatic inheritance of access control entries (ACE).
Syntax
NTSTATUS SeSetSecurityDescriptorInfoEx(
[in, optional] PVOID Object,
[in] PSECURITY_INFORMATION SecurityInformation,
PSECURITY_DESCRIPTOR ModificationDescriptor,
[in, out] PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
[in] ULONG AutoInheritFlags,
[in] POOL_TYPE PoolType,
[in] PGENERIC_MAPPING GenericMapping
);
Parameters
[in, optional] Object
Pointer to the object whose security descriptor is to be modified. This is used to update security quota information.
[in] SecurityInformation
Pointer to a value specifying which security information is to be set. Can be a combination of one or more of the following.
| Value | Meaning |
|---|---|
| DACL_SECURITY_INFORMATION | Indicates the discretionary access control list (DACL) of the object is being set. Requires WRITE_DAC access. |
| GROUP_SECURITY_INFORMATION | Indicates the primary group identifier of the object is being set. Requires WRITE_OWNER access. |
| OWNER_SECURITY_INFORMATION | Indicates the owner identifier of the object is being set. Requires WRITE_OWNER access. |
| SACL_SECURITY_INFORMATION | Indicates the system ACL (SACL) of the object is being set. Requires ACCESS_SYSTEM_SECURITY access. |
ModificationDescriptor
The input security descriptor to be applied to the object. The caller of this routine is expected to probe and capture the passed security descriptor before calling, and to release it after calling.
[in, out] ObjectsSecurityDescriptor
Pointer to a pointer to the object's security descriptor. The security descriptor must be in self-relative format. This structure must be deallocated by the caller.
[in] AutoInheritFlags
Bitmask that controls automatic inheritance of ACEs. Set to the logical OR of one or more of the following bit flags:
| Security Information Flags | Meaning |
|---|---|
| SEF_DACL_AUTO_INHERIT | If this flag is set, the DACL is treated as an auto-inherit DACL and is processed as described in the following Remarks section. This bit is ignored if DACL_SECURITY_INFORMATION is not set in the SecurityInformation parameter. |
| SEF_SACL_AUTO_INHERIT | If this flag is set, the SACL is treated as an auto-inherit SACL and is processed as described in the following Remarks section. This bit is ignored if SACL_SECURITY_INFORMATION is not set in the SecurityInformation parameter. |
[in] PoolType
Specifies the pool type to use when allocating a new security descriptor, which can be one of the following:
- NonPagedPool
- PagedPool
- NonPagedPoolCacheAligned
- PagedPoolCacheAligned
Usually, a caller specifies PagedPool, or else NonPagedPool if the buffer will be accessed at IRQL >= DISPATCH_LEVEL or in an arbitrary thread context.
The NonPagedPoolMustSucceed and NonPagedPoolCacheAlignedMustS pool types are obsolete and should no longer be used.
[in] GenericMapping
Pointer to a GENERIC_MAPPING structure that specifies the mapping of generic to specific and standard access types for the object being accessed. This mapping structure is expected to be safe to access (that is, captured if necessary) prior to be passed to this routine.
Return value
| Return code | Description |
|---|---|
| STATUS_SUCCESS | The object's security descriptor was successfully modified. |
| STATUS_BAD_DESCRIPTOR_FORMAT | The provided object's security descriptor was not in self-relative format. |
| STATUS_NO_SECURITY_ON_OBJECT | The object does not have a security descriptor. |
Remarks
If the AutoInheritFlags parameter is zero, the effect of calling SeSetSecurityDescriptorInfoEx is the same as that of calling SeSetSecurityDescriptorInfo.
If AutoInheritFlags specifies the SEF_DACL_AUTO_INHERIT bit, SeSetSecurityDescriptorInfoEx applies the following rules to the DACL to create the new security descriptor from the current descriptor:
If the SE_DACL_PROTECTED flag is not set in the control bits of the either the current security descriptor or the input SecurityDescriptor, SeSetSecurityDescriptorInfoEx constructs the output security descriptor from the inherited ACEs of the current security descriptor and noninherited ACEs of SecurityDescriptor. That is, it is impossible to change an inherited ACE by changing the ACL on an object. This behavior preserves the inherited ACEs as they were inherited from the parent container.
If SE_DACL_PROTECTED is set in the input SecurityDescriptor, the current security descriptor is ignored. The output security descriptor is built as a copy of the input SecurityDescriptor with any INHERITED_ACE bits turned off.
Ideally an ACL editor should turn off the INHERITED_ACE bits indicating to its caller that the ACEs inherited from the object's parent are now being explicitly set on the object.
- If SE_DACL_PROTECTED is set in the current security descriptor and not in the SecurityDescriptor, the current security descriptor is ignored. The output security descriptor is built as a copy of the SecurityDescriptor. It is the caller's responsibility to ensure that the correct ACEs have the INHERITED_ACE bit turned on.
If AutoInheritFlags specifies the SEF_SACL_AUTO_INHERIT bit, SeSetSecurityDescriptorInfoEx applies similar rules to the new SACL.
For more information about access control and ACE inheritance, see the Security section of the Microsoft Windows SDK documentation.
Requirements
| Requirement | Value |
|---|---|
| Minimum supported client | Windows 2000 |
| Target Platform | Universal |
| Header | ntifs.h (include Ntifs.h) |
| Library | NtosKrnl.lib |
| DLL | NtosKrnl.exe |
| IRQL | PASSIVE_LEVEL |
See also
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for