Security Overview: The Security Descriptor
Analyzing the security descriptor gives a good overview of essential Windows security elements. This section mentions the various elements and the names of the functions that manage them, starting with the security descriptor structure. A security descriptor is initialized with the function InitializeSecurityDescriptor, and it contains the following:
- The owner security identifier (SID) (described in the next section, which deals with the object's owner)
- The group SID
- A discretionary access control list (DACL): a list of entries explicitly granting and denying access rights. The term "ACL" without the "D" prefix will refer to DACLs in our discussion.
- A system ACL (SACL), sometimes called an audit access ACL
SetSecurityDescriptorOwner and SetSecurityDescriptorGroup associate SIDs with security descriptors, as described in the upcoming Security Identifiers section. ACLs are initialized using the InitializeAcl function and are then associated with a security descriptor using SetSecurityDescriptorDacl or SetSecurityDescriptorSacl. Security descriptors are classified as either absolute or self-relative. This distinction is ignored for now but is explained later in the chapter. Figure 15-1 shows the security descriptor and its components.
Figure 15-1. Constructing a Security Descriptor

Access Control Lists
Each ACL is a set (list) of access control entries (ACEs). There are two types of ACEs: one for access allowed and one for access denied. You first initialize an ACL with InitializeAcl and then add ACEs. Each ACE contains a SID and an access mask, which specifies rights to be granted or denied to the user or group specified by the SID. FILE_GENERIC_READ and DELETE are typical access rights for files. The two functions used to add ACEs to discretionary ACLs are AddAccessAllowedAce and AddAccessDeniedAce. AddAuditAccessAce is for adding to an SACL, causing access by the specified SID to be audited. Finally, you remove ACEs with DeleteAce and retrieve them with GetAce.
Using Windows Object Security
There are numerous details to be filled in; in Program 15-1, however, it is essential to mix allowed and denied ACEs to obtain the desired semantics. A denied ACE for all rights can be the last ACE to ensure that no one is allowed access unless specifically mentioned in an earlier ACE.
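As an added illustration (not code from the book or from Windows), here is a portable C model of the ordered ACL walk the text relies on, showing why a deny-all ACE must come last. The SID values, access bits, and the names Ace, Token, check_access, DENY_LAST and DENY_FIRST are all constructed for this example; in real code the list would be built with InitializeAcl, AddAccessAllowedAce and AddAccessDeniedAce.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for access bits (FILE_GENERIC_READ etc.) and SIDs;
   the types below model the Win32 ACL structures rather than wrapping them. */
enum { R_READ = 0x1, R_WRITE = 0x2, R_DELETE = 0x4, R_ALL = 0x7 };
enum { SID_OWNER = 1, SID_GROUP = 2, SID_EVERYONE = 3 };
typedef enum { ACE_ALLOW, ACE_DENY } AceType;
typedef struct { AceType type; int sid; uint32_t mask; } Ace; /* what AddAccess*Ace appends */
typedef struct { const int *sids; int count; } Token;         /* caller's user and group SIDs */

static bool token_has_sid(const Token *t, int sid) {
    for (int i = 0; i < t->count; i++) if (t->sids[i] == sid) return true;
    return false;
}

/* The ACL walk: ACEs are examined in order. An allowed ACE grants the desired
   bits in its mask; a denied ACE covering any still-ungranted desired bit fails
   the check; the walk ends as soon as every desired bit has been granted. */
bool check_access(const Ace *acl, int n, const Token *tok, uint32_t desired) {
    uint32_t remaining = desired;
    for (int i = 0; i < n && remaining != 0; i++) {
        if (!token_has_sid(tok, acl[i].sid)) continue;
        if (acl[i].type == ACE_ALLOW) remaining &= ~acl[i].mask;
        else if (acl[i].mask & remaining) return false;
    }
    return remaining == 0;
}

/* Owner gets everything, group gets read, and a deny-all for Everyone closes
   the list (the pattern in the text); DENY_FIRST moves that deny to the front. */
const Ace DENY_LAST[3] = { { ACE_ALLOW, SID_OWNER, R_ALL }, { ACE_ALLOW, SID_GROUP, R_READ },
                           { ACE_DENY, SID_EVERYONE, R_ALL } };
const Ace DENY_FIRST[3] = { { ACE_DENY, SID_EVERYONE, R_ALL }, { ACE_ALLOW, SID_OWNER, R_ALL },
                            { ACE_ALLOW, SID_GROUP, R_READ } };

int main(void) {
    const int owner_sids[] = { SID_OWNER, SID_EVERYONE }, group_sids[] = { SID_GROUP, SID_EVERYONE };
    Token owner = { owner_sids, 2 }, member = { group_sids, 2 };
    printf("owner write, deny last : %d\n", check_access(DENY_LAST, 3, &owner, R_WRITE));  /* 1 */
    printf("member read, deny last : %d\n", check_access(DENY_LAST, 3, &member, R_READ));  /* 1 */
    printf("member write, deny last: %d\n", check_access(DENY_LAST, 3, &member, R_WRITE)); /* 0 */
    printf("owner read, deny first : %d\n", check_access(DENY_FIRST, 3, &owner, R_READ));  /* 0 */
    return 0;
}
```

Because the walk stops once every requested bit is granted, the trailing deny-all only reaches callers that no earlier ACE has satisfied, whereas at the front it shadows every allow. The real check additionally maps generic rights and grants the owner READ_CONTROL and WRITE_DAC implicitly, which this model omits.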
Object Rights and Object Access
An object, such as a file, gets its rights when it is created, although the rights can be changed at a later time. A process requests access to the object when it asks for a handle using, for example, a call to CreateFile. The handle request contains the desired access, such as FILE_GENERIC_READ, in one of the parameters. If the process has the required rights to get the requested access, the request succeeds. Different handles to the same object may have different access. The values used for access flags are the same ones used to allow or deny rights when ACLs are created. Standard UNIX (without C2 or other extensions) provides a simpler security model. It is limited to files and based on file permissions. The example programs in this chapter emulate the UNIX permissions.
Security Descriptor Initialization
The first step is to initialize the security descriptor using the InitializeSecurityDescriptor function. The pSecurityDescriptor parameter should be set to the address of a valid SECURITY_DESCRIPTOR structure. These structures are opaque and are managed with specific functions. dwRevision is set to the constant SECURITY_DESCRIPTOR_REVISION.
BOOL InitializeSecurityDescriptor (
PSECURITY_DESCRIPTOR pSecurityDescriptor,
DWORD dwRevision)
