3.2.5.11 File Security

Each File Security setting MUST be applied by using the propagation mode (PermPropagationMode) and the security descriptor (AclString) of that setting, as described below.

If a FileOrDirectoryPath, PermPropagationMode, or AclString value is not valid as specified in section 2.2.9, the client SHOULD stop processing File Security settings and log an error.

The security descriptor on a file or subdirectory SHOULD be applied by performing external behavior consistent with locally invoking the "Application Requests Applying File Security" task ([MS-SMB2] section 3.2.4.13) with the following parameters:

  • The Open MUST be set to an open returned by performing external behavior consistent with locally invoking the "Application Requests Opening a File" task ([MS-SMB2] section 3.2.4.3) using the FileOrDirectoryPath of the setting.

  • The security information MUST be set to the security descriptor provided in the "AclString" setting. This security descriptor uses the self-relative form specified in [MS-DTYP] section 2.4.6.

  • The security attributes MUST be set to DACL_SECURITY_INFORMATION ([MS-SMB2] section 2.2.39).

The security descriptor on a file or subdirectory SHOULD be queried by performing external behavior consistent with locally invoking the "Application Requests Querying File Security" task ([MS-SMB2] section 3.2.4.12) with the following parameters:

  • The Open MUST be set to an open returned by performing external behavior consistent with locally invoking the "Application Requests Opening a File" task ([MS-SMB2] section 3.2.4.3) using the FileOrDirectoryPath of the setting.

  • The security attributes MUST be set to DACL_SECURITY_INFORMATION ([MS-SMB2] section 2.2.39).

If PermPropagationMode is "0", the security descriptor of every child file object SHOULD be recursively updated to allow propagation of inheritable permissions by calling CreateSecurityDescriptor ([MS-DTYP] section 2.5.3.4.1) and applying the resultant security descriptor on each corresponding child file object. The following arguments are used when calling CreateSecurityDescriptor:

  • ParentDescriptor is set to the security descriptor of the file object's parent.

  • CreatorDescriptor is set to the current security descriptor of the file object.

  • IsContainerObject is set to TRUE.

  • ObjectTypes is set to NULL.

  • AutoInheritFlags is set to DACL_AUTO_INHERIT | DEFAULT_OWNER_FROM_PARENT | DEFAULT_GROUP_FROM_PARENT.

  • Token is a token containing S-1-5-18 (the Local System well-known SID).

  • GenericMapping is the generic mapping for file objects.

If PermPropagationMode is "1", the security descriptor of every child file object SHOULD be recursively updated to allow propagation of inheritable permissions by calling CreateSecurityDescriptor ([MS-DTYP] section 2.5.3.4.1) and applying the resultant security descriptor on each corresponding child file object. The following arguments are used when calling CreateSecurityDescriptor:

  • ParentDescriptor is set to the security descriptor of the file object's parent.

  • CreatorDescriptor is set to NULL.

  • IsContainerObject is set to TRUE.

  • ObjectTypes is set to NULL.

  • AutoInheritFlags is set to DACL_AUTO_INHERIT | DEFAULT_OWNER_FROM_PARENT | DEFAULT_GROUP_FROM_PARENT.

  • Token is a token containing S-1-5-18 (the Local System well-known SID).

  • GenericMapping is the generic mapping for file objects.

If PermPropagationMode is "2", the PD bit of the security descriptor Control field on the file object for the setting is set to zero.
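The three propagation modes above, as an added Python model that is not part of the specification and not the client's own code. It keeps only what this section acts on: the DACL (the DACL_SECURITY_INFORMATION view of the descriptor), the Control field PD bit, and the inheritance flags CI/OI/NP/IO/ID. create_security_descriptor is a simplified stand-in for the [MS-DTYP] CreateSecurityDescriptor algorithm under the AutoInheritFlags listed above (Token, GenericMapping, ObjectTypes and the SACL are ignored), and the example assumes the AclString is written as SDDL text, as it appears in a security template; the directory tree, paths and ACEs are constructed for the example. Mode 0 passes the object's current descriptor as CreatorDescriptor (its explicit ACEs survive), mode 1 passes NULL (only inherited ACEs remain), and mode 2 clears the PD bit on the target alone, following the text of this section.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Ace:
    ace_type: str        # "A" (access allowed) or "D" (access denied)
    flags: frozenset     # subset of {"CI", "OI", "NP", "IO", "ID"}
    rights: str          # SDDL rights string, treated as opaque here (e.g. "FA")
    sid: str             # SDDL alias ("BA") or "S-1-5-..." string


@dataclass
class SecurityDescriptor:
    owner: str
    group: str
    dacl: List[Ace] = field(default_factory=list)
    protected: bool = False   # Control field PD bit: DACL takes no inherited ACEs


@dataclass
class FileObject:
    path: str
    is_container: bool
    sd: SecurityDescriptor
    children: List["FileObject"] = field(default_factory=list)


ACE_RE = re.compile(r"\((\w+);(\w*);(\w*);;;([\w-]+)\)")


def parse_acl_string(acl: str) -> SecurityDescriptor:
    """Parse the D: component of an SDDL AclString such as 'D:PAR(A;OICI;FA;;;BA)'.
    Only the DACL is applied here, so O:/G:/S: components are ignored (assumption)."""
    if "D:" not in acl:
        raise ValueError("AclString has no DACL component")   # invalid per section 2.2.9
    dacl_part = acl.split("D:", 1)[1].split("S:", 1)[0]
    protected = "P" in dacl_part.split("(", 1)[0]             # "D:P..." sets the PD bit
    aces = [Ace(t, frozenset(f[i:i + 2] for i in range(0, len(f), 2)), r, s)
            for t, f, r, s in ACE_RE.findall(dacl_part)]
    return SecurityDescriptor("", "", aces, protected)


def inherited_aces(parent: SecurityDescriptor, child_is_container: bool) -> List[Ace]:
    """Which parent ACEs flow to a child, and with which flags (simplified model)."""
    out = []
    for ace in parent.dacl:
        f = set(ace.flags)
        if child_is_container and "CI" in f:
            new = (f - {"IO"}) | {"ID"}                 # effective on this container
            if "NP" in f:
                new -= {"CI", "OI", "NP"}               # propagates no further down
        elif child_is_container and "OI" in f and "NP" not in f:
            new = {"OI", "IO", "ID"}                    # carried only to reach files below
        elif not child_is_container and "OI" in f:
            new = {"ID"}                                # effective on the file
        else:
            continue
        out.append(Ace(ace.ace_type, frozenset(new), ace.rights, ace.sid))
    return out


def create_security_descriptor(parent: SecurityDescriptor,
                               creator: Optional[SecurityDescriptor],
                               is_container: bool) -> SecurityDescriptor:
    """Simplified CreateSecurityDescriptor with DACL_AUTO_INHERIT |
    DEFAULT_OWNER_FROM_PARENT | DEFAULT_GROUP_FROM_PARENT (assumption, see lead-in)."""
    if creator is not None and creator.protected:
        return creator                                  # PD set: keep the DACL as is
    explicit = [a for a in (creator.dacl if creator else []) if "ID" not in a.flags]
    owner = creator.owner if creator and creator.owner else parent.owner
    group = creator.group if creator and creator.group else parent.group
    return SecurityDescriptor(owner, group, explicit + inherited_aces(parent, is_container))


def propagate(node: FileObject, mode: int) -> None:
    """Recursive update of every child: mode 0 keeps explicit ACEs, mode 1 replaces."""
    for child in node.children:
        creator = child.sd if mode == 0 else None
        child.sd = create_security_descriptor(node.sd, creator, child.is_container)
        propagate(child, mode)


def apply_file_security(target: FileObject, mode: int, acl_string: str) -> None:
    """Apply one File Security setting: set the DACL and PD bit from AclString,
    then act according to PermPropagationMode."""
    if mode not in (0, 1, 2):
        raise ValueError(f"invalid PermPropagationMode {mode!r}: stop and log an error")
    parsed = parse_acl_string(acl_string)
    target.sd.dacl = parsed.dacl
    target.sd.protected = parsed.protected
    if mode == 2:
        target.sd.protected = False                     # Control field PD bit set to zero
    else:
        propagate(target, mode)


def build_sample_tree() -> FileObject:
    """Constructed sample tree (not from the spec): a folder, a sub-folder that
    carries an explicit deny ACE, and a file with an empty DACL."""
    root = FileObject("C:\\Data", True, SecurityDescriptor("BA", "SY"))
    sub = FileObject("C:\\Data\\Sub", True,
                     SecurityDescriptor("BU", "SY", [Ace("D", frozenset(), "FW", "BG")]))
    leaf = FileObject("C:\\Data\\Sub\\a.txt", False, SecurityDescriptor("", ""))
    root.children.append(sub)
    sub.children.append(leaf)
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    apply_file_security(tree, 0, "D:AR(A;OICI;FA;;;BA)(A;OI;FR;;;BU)")
    for node in (tree, tree.children[0], tree.children[0].children[0]):
        print(node.path, [(a.ace_type, sorted(a.flags), a.sid) for a in node.sd.dacl])
```

With mode 0 the sub-folder keeps its explicit deny ahead of the two ACEs inherited from the parent, and the OI-only ACE reaches it as inherit-only (OI|IO|ID) so that it still arrives, effective, on the file beneath; with mode 1 the deny disappears and the owner is taken from the parent. A child whose own descriptor has the PD bit set is left untouched in mode 0, which is the case a defender checks when a propagated setting appears not to have "taken" on part of a tree.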