
📄 security_descriptor.html

📁 This is the NTFS version 0.5 technical documentation
    <p>It's composed of 'S-p-q-r-s-t-u-v'</p>
    <table border="1" summary="" cellspacing="0">
      <tr><td>S</td><td>Security</td></tr>
      <tr><td>p</td><td>Revision number (currently 1)</td></tr>
      <tr><td>q</td><td>NT Authority. This number is divided into 6 bytes (48 bit big-endian number).</td></tr>
      <tr><td>r&nbsp;-&nbsp;v</td><td>NT Sub-authorities (there can be many of these)</td></tr>
    </table>
    <p>On disk the SID is stored as follows:<br>
     &nbsp;&nbsp;&nbsp;S-1-5-21-646518322-1873620750-619646970-1110<br>
     in hex:<br>
     &nbsp;&nbsp;&nbsp;S-1-5-15-26891632-6fad2f0e-24ef0ffa-456 (5 Sub-authorities)</p>
    <table border="1" summary="" cellspacing="0">
      <tr><td>0x00</td><td>01</td><td>05</td><td>00</td><td>00</td><td>00</td><td>00</td><td>00</td><td>05</td></tr>
      <tr><td>0x08</td><td>15</td><td>00</td><td>00</td><td>00</td><td>32</td><td>16</td><td>89</td><td>26</td></tr>
      <tr><td>0x10</td><td>0e</td><td>2f</td><td>ad</td><td>6f</td><td>fa</td><td>0f</td><td>ef</td><td>24</td></tr>
      <tr><td>0x18</td><td>56</td><td>04</td><td>00</td><td>00</td><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td></tr>
    </table>
    <p>NB This is a variable length structure.
    There could have been more, or fewer, sub-authorities making the structure
    larger, or smaller.</p>
    <h3>Security Descriptor Control Flags</h3>
    <table border="1" summary="" cellspacing="0">
      <tr><th class="numeric">Flag</th><th>Description</th></tr>
      <tr><td class="numeric">0x0001</td><td>Owner Defaulted</td></tr>
      <tr><td class="numeric">0x0002</td><td>Group Defaulted</td></tr>
      <tr><td class="numeric">0x0004</td><td>DACL Present</td></tr>
      <tr><td class="numeric">0x0008</td><td>DACL Defaulted</td></tr>
      <tr><td class="numeric">0x0010</td><td>SACL Present</td></tr>
      <tr><td class="numeric">0x0020</td><td>SACL Defaulted</td></tr>
      <tr><td class="numeric">0x0100</td><td>DACL Auto Inherit Req</td></tr>
      <tr><td class="numeric">0x0200</td><td>SACL Auto Inherit Req</td></tr>
      <tr><td class="numeric">0x0400</td><td>DACL Auto Inherited</td></tr>
      <tr><td class="numeric">0x0800</td><td>SACL Auto Inherited</td></tr>
      <tr><td class="numeric">0x1000</td><td>DACL Protected</td></tr>
      <tr><td class="numeric">0x2000</td><td>SACL Protected</td></tr>
      <tr><td class="numeric">0x4000</td><td>RM Control Valid</td></tr>
      <tr><td class="numeric">0x8000</td><td>Self Relative</td></tr>
    </table>
    <h3>OWNER DEFAULTED</h3>
    <p>
    This boolean flag, when set, indicates that the
    SID pointed to by the Owner field was provided by a
    defaulting mechanism rather than explicitly provided by the
    original provider of the security descriptor.  This may
    affect the treatment of the SID with respect to inheritance
    of an owner.
    </p>
    <h3>GROUP DEFAULTED</h3>
    <p>
    This boolean flag, when set, indicates that the
    SID in the Group field was provided by a defaulting mechanism
    rather than explicitly provided by the original provider of
    the security descriptor.  This may affect the treatment of
    the SID with respect to inheritance of a primary group.
    </p>
    <h3>DACL PRESENT</h3>
    <p>
    This boolean flag, when set, indicates that the
    security descriptor contains a discretionary ACL.  If this
    flag is set and the Dacl field of the SECURITY DESCRIPTOR is
    null, then a null ACL is explicitly being specified.
    </p>
    <h3>DACL DEFAULTED</h3>
    <p>
    This boolean flag, when set, indicates that the
    ACL pointed to by the Dacl field was provided by a defaulting
    mechanism rather than explicitly provided by the original
    provider of the security descriptor.  This may affect the
    treatment of the ACL with respect to inheritance of an ACL.
    This flag is ignored if the DaclPresent flag is not set.
    </p>
    <h3>SACL PRESENT</h3>
    <p>
    This boolean flag, when set, indicates that the
    security descriptor contains a system ACL pointed to by the
    Sacl field.  If this flag is set and the Sacl field of the
    SECURITY DESCRIPTOR is null, then an empty (but present)
    ACL is being specified.
    </p>
    <h3>SACL DEFAULTED</h3>
    <p>
    This boolean flag, when set, indicates that the
    ACL pointed to by the Sacl field was provided by a defaulting
    mechanism rather than explicitly provided by the original
    provider of the security descriptor.  This may affect the
    treatment of the ACL with respect to inheritance of an ACL.
    This flag is ignored if the SaclPresent flag is not set.
    </p>
    <h3>SELF RELATIVE</h3>
    <p>
    This boolean flag, when set, indicates that the
    security descriptor is in self-relative form.
    In this form,
    all fields of the security descriptor are contiguous in memory
    and all pointer fields are expressed as offsets from the
    beginning of the security descriptor.
    </p>
    <pre>
    The SID structure is a variable-length structure used to uniquely identify
    users or groups. SID stands for security identifier.

    The standard textual representation of the SID is of the form:
        S-R-I-S-S...
    Where:
      - The first "S" is the literal character 'S' identifying the following
        digits as a SID.
      - R is the revision level of the SID expressed as a sequence of digits
        either in decimal or hexadecimal (if the latter, prefixed by "0x").
      - I is the 48-bit identifier_authority, expressed as digits as R above.
      - S... is one or more sub_authority values, expressed as digits as above.

    Example SID; the domain-relative SID of the local Administrators group on
    Windows NT/2k:
        S-1-5-32-544
    This translates to a SID with:
        revision = 1,
        sub_authority_count = 2,
        identifier_authority = {0,0,0,0,0,5},   SECURITY_NT_AUTHORITY
        sub_authority[0] = 32,                  SECURITY_BUILTIN_DOMAIN_RID
        sub_authority[1] = 544                  DOMAIN_ALIAS_RID_ADMINS

    ACE Types

    ACCESS_MIN_MS_ACE_TYPE           = 0
    ACCESS_ALLOWED_ACE_TYPE          = 0
    ACCESS_DENIED_ACE_TYPE           = 1
    SYSTEM_AUDIT_ACE_TYPE            = 2
    SYSTEM_ALARM_ACE_TYPE            = 3 Not implemented as of Win2k.
    ACCESS_MAX_MS_V2_ACE_TYPE        = 3

    ACCESS_ALLOWED_COMPOUND_ACE_TYPE = 4
    ACCESS_MAX_MS_V3_ACE_TYPE        = 4

    The following are Win2k only.
    ACCESS_MIN_MS_OBJECT_ACE_TYPE    = 5
    ACCESS_ALLOWED_OBJECT_ACE_TYPE   = 5
    ACCESS_DENIED_OBJECT_ACE_TYPE    = 6
    SYSTEM_AUDIT_OBJECT_ACE_TYPE     = 7
    SYSTEM_ALARM_OBJECT_ACE_TYPE     = 8
    ACCESS_MAX_MS_OBJECT_ACE_TYPE    = 8

    ACCESS_MAX_MS_V4_ACE_TYPE        = 8

    This one is for WinNT&amp;2k.
    ACCESS_MAX_MS_ACE_TYPE           = 8

    The ACE flags (8-bit) for audit and inheritance

    SUCCESSFUL_ACCESS_ACE_FLAG is only used with system audit and alarm ACE
    types to indicate that a message is generated (in Windows!) for successful
    accesses.

    FAILED_ACCESS_ACE_FLAG is only used with system audit and alarm ACE types
    to indicate that a message is generated (in Windows!) for failed accesses.

    The inheritance flags.
    OBJECT_INHERIT_ACE           = 0x01
    CONTAINER_INHERIT_ACE        = 0x02
    NO_PROPAGATE_INHERIT_ACE     = 0x04
    INHERIT_ONLY_ACE             = 0x08
    INHERITED_ACE                = 0x10  Win2k only
    VALID_INHERIT_FLAGS          = 0x1f

    The audit flags.
    SUCCESSFUL_ACCESS_ACE_FLAG   = 0x40
    FAILED_ACCESS_ACE_FLAG       = 0x80

    The access mask defines the access rights.

    The standard rights.
    DELETE                   = 0x00010000
    READ_CONTROL             = 0x00020000
    WRITE_DAC                = 0x00040000
    WRITE_OWNER              = 0x00080000
    SYNCHRONIZE              = 0x00100000

    STANDARD_RIGHTS_REQUIRED = 0x000f0000
    STANDARD_RIGHTS_READ     = 0x00020000
    STANDARD_RIGHTS_WRITE    = 0x00020000
    STANDARD_RIGHTS_EXECUTE  = 0x00020000
    STANDARD_RIGHTS_ALL      = 0x001f0000

    The access system ACL and maximum allowed access types.
    ACCESS_SYSTEM_SECURITY   = 0x01000000
    MAXIMUM_ALLOWED          = 0x02000000

    The generic rights.
    GENERIC_ALL              = 0x10000000
    GENERIC_EXECUTE          = 0x20000000
    GENERIC_WRITE            = 0x40000000
    GENERIC_READ             = 0x80000000

    The object ACE flags (32-bit).
    ACE_OBJECT_TYPE_PRESENT            = 1
    ACE_INHERITED_OBJECT_TYPE_PRESENT  = 2

    ACL_CONSTANTS

    Current revision.
    ACL_REVISION         = 2
    ACL_REVISION_DS      = 4

    History of revisions.
    ACL_REVISION1        = 1
    MIN_ACL_REVISION     = 2
    ACL_REVISION2        = 2
    ACL_REVISION3        = 3
    ACL_REVISION4        = 4
    MAX_ACL_REVISION     = 4

    Absolute security descriptor. Does not contain the owner and group SIDs, nor
    the sacl and dacl ACLs inside the security descriptor. Instead, it contains
    pointers to these structures in memory. Obviously, absolute security
    descriptors are only useful for in memory representations of security
    descriptors. On disk, a self-relative security descriptor is used.

    Attribute: Security descriptor (0x50). A standard self-relative security
    descriptor.

    NOTE: Always resident.
    NOTE: Not used in NTFS 3.0+, as security descriptors are stored centrally
    in FILE_$Secure and the correct descriptor is found using the security_id
    from the standard information attribute.

    On NTFS 3.0+, all security descriptors are stored in FILE_$Secure. Only one
    referenced instance of each unique security descriptor is stored.

    FILE_$Secure contains no unnamed data attribute, i.e. it has zero length. It
    does, however, contain two indexes ($SDH and $SII) as well as a named data
    stream ($SDS).

    Every unique security descriptor is assigned a unique security identifier
    (security_id, not to be confused with a SID). The security_id is unique for
    the NTFS volume and is used as an index into the $SII index, which maps
    security_ids to the security descriptor's storage location within the $SDS
    data attribute. The $SII index is sorted by ascending security_id.

    A simple hash is computed from each security descriptor. This hash is used
    as an index into the $SDH index, which maps security descriptor hashes to
    the security descriptor's storage location within the $SDS data attribute.
    The $SDH index is sorted by security descriptor hash and is stored in a B+
    tree.
    When searching $SDH (with the intent of determining whether or not a
    new security descriptor is already present in the $SDS data stream), if a
    matching hash is found, but the security descriptors do not match, the
    search in the $SDH index is continued, searching for a next matching hash.

    When a precise match is found, the security_id corresponding to the security
    descriptor in the $SDS attribute is read from the found $SDH index entry and
    is stored in the $STANDARD_INFORMATION attribute of the file/directory to
    which the security descriptor is being applied. The $STANDARD_INFORMATION
    attribute is present in all base mft records (i.e. in all files and
    directories).

    If a match is not found, the security descriptor is assigned a new unique
    security_id and is added to the $SDS data attribute. Then, entries
    referencing this security descriptor in the $SDS data attribute are
    added to the $SDH and $SII indexes.

    Note: Entries are never deleted from FILE_$Secure, even if nothing
    references an entry any more.

    The $SDS data stream contains the security descriptors, aligned on 16-byte
    boundaries, sorted by security_id in a B+ tree. Security descriptors cannot
    cross 256kib boundaries (this restriction is imposed by the Windows cache
    manager). Each security descriptor is contained in a SDS_ENTRY structure.
    Also, each security descriptor is stored twice in the $SDS stream with a
    fixed offset of 0x40000 bytes (256kib, the Windows cache manager's max size)
    between them; i.e. if a SDS_ENTRY specifies an offset of 0x51d0, then the
    first copy of the security descriptor will be at offset 0x51d0 in the
    $SDS data stream and the second copy will be at offset 0x451d0.

    $SII index. The collation type is COLLATION_NTOFS_ULONG.

    $SDH index. The collation rule is COLLATION_NTOFS_SECURITY_HASH.
    </pre>
    <br>
    <a class="contact" href="http://linux-ntfs.sourceforge.net/ntfs/attributes/security_descriptor.html">Online</a>
    <!-- The two validators will only work if this page is visible on the web -->
    <a class="contact" href="http://validator.w3.org/check/referer">Validate HTML</a>
    <a class="contact" href="http://jigsaw.w3.org/css-validator/check/referer">Validate CSS</a>
    <a class="contact" href="mailto:webmaster@flatcap.org">$Id: security_descriptor.html,v 1.9 2001/07/11 11:04:05 flatcap Exp $</a>
  </body>
</html>
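
Added example (not part of the original page or of the linux-ntfs code): a bounds-checked C decoder for the on-disk SID layout shown in the hex dump above, run on the page's own 28 bytes. The name `sid_to_string`, the decimal rendering of the authority, and the 15 sub-authority cap (the Windows `SID_MAX_SUB_AUTHORITIES` value, not stated on this page) are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SID_MAX_SUB_AUTHORITIES 15 /* Windows limit; not stated on this page */

/* The 28 bytes from the hex dump on this page. */
static const uint8_t SAMPLE_SID[] = {
    0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
    0x15, 0x00, 0x00, 0x00, 0x32, 0x16, 0x89, 0x26,
    0x0e, 0x2f, 0xad, 0x6f, 0xfa, 0x0f, 0xef, 0x24,
    0x56, 0x04, 0x00, 0x00 };

/* Decode an on-disk SID at buf into text. Returns the number of bytes the
 * SID occupies, or -1 if it is malformed, truncated, or out is too small. */
int sid_to_string(const uint8_t *buf, size_t len, char *out, size_t outlen)
{
    if (len < 8 || buf[0] != 1)          /* 8-byte fixed header, revision 1 */
        return -1;
    size_t count = buf[1];               /* number of sub-authorities */
    if (count > SID_MAX_SUB_AUTHORITIES || len < 8 + 4 * count)
        return -1;                       /* never read past the buffer */

    uint64_t auth = 0;                   /* 48-bit authority, big-endian */
    for (size_t i = 2; i < 8; i++)
        auth = (auth << 8) | buf[i];
    int n = snprintf(out, outlen, "S-%u-%llu", (unsigned)buf[0],
                     (unsigned long long)auth);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    size_t used = (size_t)n;

    for (size_t i = 0; i < count; i++) { /* 32-bit values, little-endian */
        const uint8_t *p = buf + 8 + 4 * i;
        uint32_t sub = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
                       (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
        n = snprintf(out + used, outlen - used, "-%lu", (unsigned long)sub);
        if (n < 0 || (size_t)n >= outlen - used)
            return -1;
        used += (size_t)n;
    }
    return (int)(8 + 4 * count);
}

int main(void)
{
    char text[64];
    if (sid_to_string(SAMPLE_SID, sizeof SAMPLE_SID, text, sizeof text) > 0)
        puts(text);
    return 0;
}
```

The return value is the structure's size, so a caller walking an ACL or security descriptor can step past a variable-length SID without trusting a separate length field.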
