<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<!-- http://linux-ntfs.sourceforge.net/ntfs/attributes/security_descriptor.html -->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="description" content="NTFS Documentation">
<link rel="stylesheet" type="text/css" href="../style/ntfsdoc.css">
<link rel="start" type="text/html" href="../index.html" title="NTFS Documentation">
<title>$SECURITY_DESCRIPTOR (0x50) - Attribute - NTFS Documentation</title>
</head>
<body>
<table border="0" class="toolbar" summary="" cellspacing="0">
<tr>
<td class="toolbar"><a accesskey="1" class="toolbar" href="../index.html">Home</a></td>
<td class="toolbar"> </td>
<td class="toolbar"><a accesskey="2" class="toolbar" href="../files/index.html">Files</a></td>
<td class="toolbar"> </td>
<td class="toolbar"><a accesskey="3" class="toolbar" href="../attributes/index.html">Attributes</a></td>
<td class="toolbar"> </td>
<td class="toolbar"><a accesskey="4" class="toolbar" href="../concepts/index.html">Concepts</a></td>
<td class="toolbar"> </td>
<td class="toolbar"><a accesskey="5" class="toolbar" href="../help/glossary.html">Glossary</a></td>
<td class="toolbar"> </td>
<td class="toolbar"><a accesskey="6" class="toolbar" href="../help/index.html">Help</a></td>
</tr>
</table>
<h1>Attribute - $SECURITY_DESCRIPTOR (0x50)</h1>
<a class="prevnext" accesskey="," href="object_id.html">Previous</a>
<a class="prevnext" accesskey="." href="volume_name.html">Next</a>
<h2>Overview</h2>
<pre>Standard Attribute Header?</pre>
<p>The security descriptor can be summarised as:</p>
<ul>
<li>A header (may be flags), followed by one or two ACLs and two SIDs.</li>
<li>The first ACL contains auditing information and may be absent.</li>
<li>The second ACL contains permissions (who can do what).</li>
<li>Each ACL contains one or many ACEs.</li>
<li>Each ACE contains a SID.</li>
<li>The last two SIDs show the owner of the object (User and Group).</li>
</ul>
<table border="1" summary="" cellspacing="0">
<tr> <th colspan="3">Component</th> <th>Description</th> </tr>
<tr> <td colspan="3">Header</td> <td>Offsets to various structures</td> </tr>
<tr> <td>Audit ACL</td> <td>ACE</td> <td>SID</td> <td>ACEs for the Audit ACL</td> </tr>
<tr> <td valign="top" rowspan="3">Permissions ACL</td> <td>ACE</td> <td>SID</td> <td valign="top" rowspan="3">ACEs for the Permissions ACL</td> </tr>
<tr> <td>ACE</td> <td>SID</td> </tr>
<tr> <td>ACE</td> <td>SID</td> </tr>
<tr> <td colspan="3">SID (User)</td> <td valign="top" rowspan="2">The owner of this object</td> </tr>
<tr> <td colspan="3">SID (Group)</td> </tr>
</table>
<!-- ======================================================================== -->
<p>
The security descriptor is necessary to prevent unauthorised access to files.
It stores information about:
</p>
<ul>
<li>The owner of the file</li>
<li>Permissions the owner has granted to other users</li>
<li>What actions should be logged (auditing)</li>
</ul>
<h2>Layout of the Attribute</h2>
<h2>Notes</h2>
<h3>Size</h3>
<p>
As defined in <a href="../files/attrdef.html">$AttrDef</a>, this attribute has no minimum or maximum size.
</p>
<h3>Other Information</h3>
<h2>Layout of the stream</h2>
<h2>Questions</h2>
<ul>
<li>How are the ACEs of directories inherited?</li>
<li>How can we fit the ACEs into a normal looking Unix file system?</li>
<li>How can we tie the file permissions into PAM or SMB?</li>
<li>Can we use NT authentication, somehow?</li>
</ul>
<h2>To Do</h2>
<ul>
<li>Decide which Standard, and Specific, Rights relate to which filesystem activities, e.g. FILE_APPEND_DATA will allow a user to extend a file, but <b>not</b> create one.</li>
<li>Experiment to see if the zeros we see <b>are</b> padding and that the flag-like fields are flags.</li>
<li>Experiment with the Generic Read / Write / Execute / All flags.</li>
</ul>
<h3>Header</h3>
<table border="1" summary="" cellspacing="0">
<tr> <th class="numeric">Offset</th> <th class="numeric">Size</th> <th>Description</th> </tr>
<tr> <td class="numeric">0x00</td> <td class="numeric">1</td> <td>Header 1</td> </tr>
<tr> <td class="numeric">0x01</td> <td class="numeric">1</td> <td>Header 2</td> </tr>
<tr> <td class="numeric">0x02</td> <td class="numeric">1</td> <td>Header 3</td> </tr>
<tr> <td class="numeric">0x03</td> <td class="numeric">1</td> <td>Header 4</td> </tr>
<tr> <td class="numeric">0x04</td> <td class="numeric">4</td> <td>Offset to User SID</td> </tr>
<tr> <td class="numeric">0x08</td> <td class="numeric">4</td> <td>Offset to Group SID</td> </tr>
<tr> <td class="numeric">0x0C</td> <td class="numeric">4</td> <td>ACL Audit</td> </tr>
<tr> <td class="numeric">0x10</td> <td class="numeric">4</td> <td>ACL Permissions</td> </tr>
</table>
<p>The header field is probably some flags, but I can't find any reference to them.<br>
Header 1 always seems to be 0x01<br>
Header 2 always seems to be 0x00<br>
Header 3 is either 0x04 or 0x14. If it's 0x04 then there will be no auditing information; if it is 0x14, there will.<br>
Header 4 always seems to be 0x80<br>
There are four offset fields. If there are four bits set in the header field, then all four offsets are in use.<br>
If there are three bits set, then three offsets are in use. Coincidence?</p>
<h2>ACL</h2>
<table border="1" summary="" cellspacing="0">
<tr> <th class="numeric">Offset</th> <th class="numeric">Size</th> <th>Description</th> </tr>
<tr> <td class="numeric">0x00</td> <td class="numeric">1</td> <td>ACL Revision</td> </tr>
<tr> <td class="numeric">0x01</td> <td class="numeric">1</td> <td>Padding (0x00)</td> </tr>
<tr> <td class="numeric">0x02</td> <td class="numeric">2</td> <td>ACL size</td> </tr>
<tr> <td class="numeric">0x04</td> <td class="numeric">2</td> <td>ACE count</td> </tr>
<tr> <td class="numeric">0x06</td> <td class="numeric">2</td> <td>Padding (0x0000)</td> </tr>
</table>
<p>The Access Control List (ACL) contains one or many ACEs.<br>
The ACL revision is currently 0x02, on my machine.<br>
The Win32 APIs suggest that 0x01 and 0x06 contain padding 0x00's for alignment purposes.</p>
<h3>ACE</h3>
<table border="1" summary="" cellspacing="0">
<tr> <th class="numeric">Offset</th> <th class="numeric">Size</th> <th>Description</th> </tr>
<tr> <td class="numeric">0x00</td> <td class="numeric">1</td> <td>Type</td> </tr>
<tr> <td class="numeric">0x01</td> <td class="numeric">1</td> <td>Flags</td> </tr>
<tr> <td class="numeric">0x02</td> <td class="numeric">2</td> <td>Size</td> </tr>
<tr> <td class="numeric">0x04</td> <td class="numeric">4</td> <td>Access mask</td> </tr>
<tr> <td class="numeric">0x08</td> <td class="numeric">V</td> <td>SID</td> </tr>
</table>
<h3>Type and Flags</h3>
<p>The currently implemented (in NT) Types are:</p>
<table border="1" summary="" cellspacing="0">
<tr> <th class="numeric">Value</th> <th>Description</th> </tr>
<tr> <td class="numeric">0x00</td> <td>Access Allowed</td> </tr>
<tr> <td class="numeric">0x01</td> <td>Access Denied</td> </tr>
<tr> <td class="numeric">0x02</td> <td>System Audit</td> </tr>
</table>
<p>
Flags is a bit field. The possible values of Flags depend on the value of Type.
When applied to a directory, Access Allowed or Access Denied can have flags of
</p>
<table border="1" summary="" cellspacing="0">
<tr> <th class="numeric">Value</th> <th>Description</th> </tr>
<tr> <td class="numeric">0x01</td> <td>Object inherits ACE</td> </tr>
<tr> <td class="numeric">0x02</td> <td>Container inherits ACE</td> </tr>
<tr> <td class="numeric">0x04</td> <td>Don't propagate 'Inherit ACE'</td> </tr>
<tr> <td class="numeric">0x08</td> <td>Inherit only ACE</td> </tr>
</table>
<p>If the Type is System Audit, then the flags can be</p>
<table border="1" summary="" cellspacing="0">
<tr> <th class="numeric">Value</th> <th>Description</th> </tr>
<tr> <td class="numeric">0x40</td> <td>Audit on Success</td> </tr>
<tr> <td class="numeric">0x80</td> <td>Audit on Failure</td> </tr>
</table>
<h2>Access Mask / Access Rights</h2>
<p>
The Access Mask / Rights is a bit field enumerating all the (dis)allowed actions.
</p>
<table border="1" summary="" cellspacing="0">
<tr> <th>Bit (Range)</th> <th>Meaning</th> <th>Description / Examples</th> </tr>
<tr> <td>0 - 15</td> <td>Object Specific Access Rights</td> <td>Read data, Execute, Append data</td> </tr>
<tr> <td>16 - 22</td> <td>Standard Access Rights</td> <td>Delete, Write ACL, Write Owner</td> </tr>
<tr> <td>23</td> <td>Can access security ACL</td> <td> </td> </tr>
<tr> <td>24 - 27</td> <td>Reserved</td> <td> </td> </tr>
<tr> <td>28</td> <td>Generic ALL (Read, Write, Execute)</td> <td>Everything below</td> </tr>
<tr> <td>29</td> <td>Generic Execute</td> <td>All things necessary to execute a program</td> </tr>
<tr> <td>30</td> <td>Generic Write</td> <td>All things necessary to write to a file</td> </tr>
<tr> <td>31</td> <td>Generic Read</td> <td>All things necessary to read a file</td> </tr>
</table>
<h2>SID (Security Identifier)</h2>
<p>
A typical SID looks like: S-1-5-21-646518322-1873620750-619646970-1110
</p>
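<p>As an added example (not part of the Linux-NTFS documentation), the Python below walks a self-relative descriptor using the Header, ACL, ACE, Flags and Access Mask tables above and renders each SID in the S-1-5-... form; the sample descriptor is constructed inline, and an ACE whose size runs past its ACL is rejected, the bounds check any parser of on-disk data should make. The binary SID layout it decodes (revision, sub-authority count, 6-byte big-endian identifier authority, little-endian sub-authorities) is the standard Windows one and is not given on this page.</p>

```python
import struct
ACE_TYPES = {0x00: "ACCESS_ALLOWED", 0x01: "ACCESS_DENIED", 0x02: "SYSTEM_AUDIT"}
ACE_FLAGS = {0x01: "OBJECT_INHERIT", 0x02: "CONTAINER_INHERIT", 0x04: "NO_PROPAGATE_INHERIT",
             0x08: "INHERIT_ONLY", 0x40: "AUDIT_SUCCESS", 0x80: "AUDIT_FAILURE"}
GENERIC = {28: "GENERIC_ALL", 29: "GENERIC_EXECUTE", 30: "GENERIC_WRITE", 31: "GENERIC_READ"}

def parse_sid(buf, off):  # standard Windows SID layout (not shown on this page):
    rev, count = buf[off], buf[off + 1]  # revision, sub-authority count, 6-byte BE authority, LE subs
    if rev != 1 or count > 15:
        raise ValueError("malformed SID at 0x%X" % off)
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, int.from_bytes(buf[off + 2:off + 8], "big")) + "".join("-%d" % s for s in subs)

def describe_mask(mask):  # bit ranges from the Access Mask table: 0-15, 16-22, 23, 28-31
    return {"specific": mask & 0xFFFF, "standard": (mask >> 16) & 0x7F, "sacl": bool(mask & 1 << 23),
            "generic": [n for b, n in GENERIC.items() if mask & 1 << b]}

def parse_acl(buf, off):  # 8-byte ACL header, then `count` ACEs; reject an ACE that overruns the ACL
    rev, _pad, size, count, _pad2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos, end = [], off + 8, off + size
    for _ in range(count):
        atype, flags, asize, mask = struct.unpack_from("<BBHI", buf, pos)
        if asize < 8 or pos + asize > end:
            raise ValueError("ACE at 0x%X overruns its ACL" % pos)
        aces.append({"type": ACE_TYPES.get(atype, atype), "mask": describe_mask(mask),
                     "flags": [n for b, n in ACE_FLAGS.items() if flags & b], "sid": parse_sid(buf, pos + 8)})
        pos += asize
    return {"revision": rev, "aces": aces}

def parse_security_descriptor(buf):
    # Header table: four single bytes, then offsets to user SID, group SID, audit ACL and permissions ACL.
    rev, _pad, hdr3, _hdr4, own, grp, audit, perms = struct.unpack_from("<BBBBIIII", buf, 0)
    return {"revision": rev, "owner": parse_sid(buf, own), "group": parse_sid(buf, grp),
            "audit_acl": parse_acl(buf, audit) if hdr3 & 0x10 else None,  # Header 3 == 0x14: audit ACL too
            "permissions_acl": parse_acl(buf, perms) if hdr3 & 0x04 else None}

def sid_bytes(text):  # encoders used only to build the constructed sample below
    rev, auth, *subs = [int(p) for p in text.split("-")[1:]]
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)
def ace_bytes(atype, flags, mask, sid):
    return struct.pack("<BBHI", atype, flags, 8 + len(sid_bytes(sid)), mask) + sid_bytes(sid)

# Constructed sample descriptor (not taken from a real volume); both SIDs below are 28 bytes long.
USER = "S-1-5-21-646518322-1873620750-619646970-1110"
_aces = (ace_bytes(0x01, 0x00, 0x00010000, "S-1-1-0")          # deny Everyone DELETE (standard right, bit 16)
         + ace_bytes(0x00, 0x03, 0x001F01FF, "S-1-5-32-544")   # allow Administrators full control, inherited
         + ace_bytes(0x00, 0x00, 0x80000000, USER))            # allow the user Generic Read (bit 31)
_owner, _group = sid_bytes(USER), sid_bytes("S-1-5-21-646518322-1873620750-619646970-513")
_dacl = struct.pack("<BBHHH", 2, 0, 8 + len(_aces), 3, 0) + _aces
SAMPLE_SD = struct.pack("<BBBBIIII", 1, 0, 0x04, 0x80, 0x14, 0x30, 0, 0x4C) + _owner + _group + _dacl
```

Call <code>parse_security_descriptor(SAMPLE_SD)</code> to get the owner, group and decoded permissions ACL; the audit ACL comes back as None because Header 3 is 0x04.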