2.1.5.14 Server Requests a Query of Security Information

  • Article

If the object store does not implement security, the operation MUST be failed with STATUS_INVALID_DEVICE_REQUEST.<166>

The server provides:

  • Open: The Open on which security information is being queried.

  • OutputBufferSize: The maximum number of bytes to return in OutputBuffer.

  • SecurityInformation: A SECURITY_INFORMATION data type, as defined in [MS-DTYP] section 2.4.7.

On completion, the object store MUST return:

  • Status: An NTSTATUS code that specifies the result.

  • OutputBuffer: An array of OutputBufferSize bytes formatted as a SECURITY_DESCRIPTOR structure in self-relative format, as described in [MS-DTYP] section 2.4.6.

  • ByteCount: If the operation returns STATUS_SUCCESS, this will be set to the count of bytes filled into OutputBuffer. If the operation returns STATUS_BUFFER_OVERFLOW, this will be set to the required size, in bytes, of OutputBuffer so that the security descriptor will fit.

This routine uses the following local variables:

  • A 32-bit unsigned integer used as a byte index into OutputBuffer: NextFree

  • 32-bit unsigned integers: SaclLength, MaclLength

Pseudocode for the operation is as follows:

  • Let sizeof(SECURITY_DESCRIPTOR_RELATIVE) equal the number of bytes occupied by the Revision, Sbz1, Control, OffsetOwner, OffsetGroup, OffsetSacl, and OffsetDacl fields of OutputBuffer (that is, the total size of those fields in a SECURITY_DESCRIPTOR in self-relative format, as described in [MS-DTYP] section 2.4.6).

  • The operation MUST be failed with STATUS_ACCESS_DENIED under either of the following conditions:

    • SecurityInformation contains any of OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION, LABEL_SECURITY_INFORMATION, or DACL_SECURITY_INFORMATION, and Open.GrantedAccess does not contain READ_CONTROL.

    • SecurityInformation contains SACL_SECURITY_INFORMATION and Open.GrantedAccess does not contain ACCESS_SYSTEM_SECURITY.

  • If Open.Stream.StreamType is DataStream and Open.Stream.Name is not empty, the operation MUST be failed with STATUS_INVALID_PARAMETER; security information can be may only be queried on a file or directory handle, not on a stream handle.

  • If Open.File.SecurityDescriptor is empty:

    • If OutputBufferSize is smaller than sizeof(SECURITY_DESCRIPTOR_RELATIVE), the object store MUST set ByteCount equal to sizeof(SECURITY_DESCRIPTOR_RELATIVE), and the operation MUST be failed with STATUS_BUFFER_OVERFLOW.

    • The object store MUST set OutputBuffer.Revision equal to 1; all other fields of OutputBuffer MUST be filled with NULL characters.

    • The object store MUST set the Self Relative (SR) bit in OutputBuffer.Control.

    • The operation returns STATUS_SUCCESS at this point.

  • EndIf

  • Set ByteCount equal to sizeof(SECURITY_DESCRIPTOR_RELATIVE).

  • If SecurityInformation contains OWNER_SECURITY_INFORMATION and Open.File.SecurityDescriptor.Owner is not NULL:

    • ByteCount += BlockAlign(SidLength(Open.File.SecurityDescriptor.Owner), 4)

  • EndIf

  • If SecurityInformation contains GROUP_SECURITY_INFORMATION and Open.File.SecurityDescriptor.Group is not NULL:

    • ByteCount += BlockAlign(SidLength (Open.File.SecurityDescriptor.Group), 4)

  • EndIf

  • If SecurityInformation contains DACL_SECURITY_INFORMATION and the DACL Present (DP) bit is set in Open.File.SecurityDescriptor.Control and Open.File.SecurityDescriptor.Dacl is not NULL:

    • ByteCount += BlockAlign(SidLength(Open.File.SecurityDescriptor.Dacl.AclSize), 4)

  • EndIf

  • If SecurityInformation contains SACL_SECURITY_INFORMATION|LABEL_SECURITY_INFORMATION and the SACL Present (SP) bit is set in Open.File.SecurityDescriptor.Control and

    • Open.File.SecurityDescriptor.Sacl is not NULL:

    • SaclLength = BlockAlign(SidLength(Open.File.SecurityDescriptor.Sacl.AclSize), 4)

    • ByteCount += SaclLength

  • Else

    • If SecurityInformation contains SACL_SECURITY_INFORMATION and the SACL Present (SP) bit is set in Open.File.SecurityDescriptor.Control and Open.File.SecurityDescriptor.Sacl is not NULL:

      • SaclLength = BlockAlign(SidLength(Open.File.SecurityDescriptor.Sacl.AclSize), 4)

      • For each access control entry (ACE) (as defined in [MS-DTYP] section 2.4.4) in Open.File.SecurityDescriptor.Sacl whose AceType field is SYSTEM_MANDATORY_LABEL_ACE_TYPE:

        • SaclLength -= this ACE's AceSize field

      • EndFor

      • ByteCount += SaclLength

    • EndIf

    • If SecurityInformation contains LABEL_SECURITY_INFORMATION and the SACL Present (SP) bit is set in Open.File.SecurityDescriptor.Control and Open.File.SecurityDescriptor.Sacl is not NULL:

      • MaclLength = BlockAlign( (size of ACL as defined in [MS-DTYP] section 2.4.5), 4)

      • For each ACE (as defined in [MS-DTYP] section 2.4.4) in Open.File.SecurityDescriptor.Sacl whose AceType field is SYSTEM_MANDATORY_LABEL_ACE_TYPE:

        • MaclLength += this ACE's AceSize field

      • EndFor

      • ByteCount += MaclLength

    • EndIf

  • EndIf

  • If ByteCount is greater than OutputBufferSize, the operation MUST be failed with STATUS_BUFFER_OVERFLOW.

  • The object store MUST set OutputBuffer.Revision equal to 1; all other fields of OutputBuffer MUST be filled with NULL characters.

  • The object store MUST set the Self Relative (SR) bit in OutputBuffer.Control.

  • Set NextFree to sizeof(SECURITY_DESCRIPTOR_RELATIVE) (that is, to the offset of OutputBuffer.OwnerSid).

  • If SecurityInformation contains OWNER_SECURITY_INFORMATION and Open.File.SecurityDescriptor.Owner is not NULL:

    • The object store MUST copy SidLength(Open.File.SecurityDescriptor.Owner) bytes from Open.File.SecurityDescriptor.Owner to OutputBuffer at the position of NextFree.

    • The object store MUST set OutputBuffer.OffsetOwner equal to NextFree.

    • The object store MUST set the state of the Owner Defaulted (OD) bit of OutputBuffer.Control equal to the state of the same bit in Open.File.SecurityDescriptor.Control.

    • NextFree += BlockAlign(SidLength(Open.File.SecurityDescriptor.Owner), 4).

  • EndIf

  • If SecurityInformation contains GROUP_SECURITY_INFORMATION and Open.File.SecurityDescriptor.Group is not NULL:

    • The object store MUST copy SidLength(Open.File.SecurityDescriptor.Group) bytes from Open.File.SecurityDescriptor.Group to OutputBuffer at the position of NextFree.

    • The object store MUST set OutputBuffer.OffsetGroup equal to NextFree.

    • The object store MUST set the state of the Group Defaulted (GD) bit of OutputBuffer.Control equal to the state of the same bit in Open.File.SecurityDescriptor.Control.

    • NextFree += BlockAlign(SidLength(Open.File.SecurityDescriptor.Group), 4).

  • EndIf

  • If SecurityInformation contains DACL_SECURITY_INFORMATION:

    • The object store MUST set the state of the DACL Present (DP), DACL Defaulted (DD), DACL Protected (PD), and DACL Auto-Inherited (DI) bits of OutputBuffer.Control equal to the state of the same bits in Open.File.SecurityDescriptor.Control.

    • If the DACL Present (DP) bit is set in Open.File.SecurityDescriptor.Control and Open.File.SecurityDescriptor.Dacl is not NULL:

      • The object store MUST copy Open.File.SecurityDescriptor.Dacl.AclSize bytes from Open.File.SecurityDescriptor.Dacl to OutputBuffer at the position of NextFree.

      • The object store MUST set OutputBuffer.OffsetDacl equal to NextFree.

      • NextFree += BlockAlign(Open.File.SecurityDescriptor.Dacl.AclSize, 4).

    • EndIf

  • EndIf

  • If SecurityInformation contains SACL_SECURITY_INFORMATION|LABEL_SECURITY_INFORMATION:

    • The object store MUST set the state of the SACL Present (SP), SACL Defaulted (SD), SACL Protected (PS), and SACL Auto-Inherited (SI) bits of OutputBuffer.Control equal to the state of the same bits in Open.File.SecurityDescriptor.Control.

    • If the SACL Present (SP) bit is set in Open.File.SecurityDescriptor.Control and Open.File.SecurityDescriptor.Sacl is not NULL:

      • The object store MUST copy Open.File.SecurityDescriptor.Sacl.AclSize bytes from Open.File.SecurityDescriptor.Sacl to OutputBuffer at the position of NextFree.

      • The object store MUST set OutputBuffer.OffsetSacl equal to NextFree.

      • NextFree += SaclLength.

    • EndIf

  • Else

    • If SecurityInformation contains SACL_SECURITY_INFORMATION:

      • The object store MUST set the state of the SACL Present (SP), SACL Defaulted (SD), SACL Protected (PS), and SACL Auto-Inherited (SI) bits of OutputBuffer.Control equal to the state of the same bits in Open.File.SecurityDescriptor.Control.

      • If the SACL Present (SP) bit is set in Open.File.SecurityDescriptor.Control and Open.File.SecurityDescriptor.Sacl is not NULL:

        • Perform an ACE copy according to the algorithm in section 2.1.5.14.1, setting the ACE copy algorithm's parameters as follows:

          • DestSacl equal to the position in OutputBuffer of NextFree.

          • SrcSacl equal to Open.File.SecurityDescriptor.Sacl.

          • CopyAudit set to TRUE.

        • The object store MUST set OutputBuffer.OffsetSacl equal to NextFree.

        • NextFree += SaclLength.

      • EndIf

    • Else If SecurityInformation contains LABEL_SECURITY_INFORMATION:

      • The object store MUST set the state of the SACL Present (SP), SACL Defaulted (SD), SACL Protected (PS), and SACL Auto-Inherited (SI) bits of OutputBuffer.Control equal to the state of the same bits in Open.File.SecurityDescriptor.Control.

      • If the SACL Present (SP) bit is set in Open.File.SecurityDescriptor.Control and Open.File.SecurityDescriptor.Sacl is not NULL:

        • Perform an ACE copy according to the algorithm in section 2.1.5.14.1, setting the ACE copy algorithm's parameters as follows:

          • DestSacl equal to the position in OutputBuffer of NextFree.

          • SrcSacl equal to Open.File.SecurityDescriptor.Sacl.

          • CopyAudit set to FALSE.

        • The object store MUST set OutputBuffer.OffsetSacl equal to NextFree.

        • NextFree += MaclLength.

      • EndIf

    • EndIf

  • EndIf

  • The operation returns STATUS_SUCCESS.