Security Descriptor String Format

Published: 2016-12-9 12:32:28  Editor: www.fx114.net (分享查询网)

The Security Descriptor String Format is a text format for storing or transporting information in a security descriptor. The ConvertSecurityDescriptorToStringSecurityDescriptor and ConvertStringSecurityDescriptorToSecurityDescriptor functions use this format. The format is a null-terminated string with tokens to indicate each of the four main components of a security descriptor: owner (O:), primary group (G:), DACL (D:), and SACL (S:).

Note: Access control entries (ACEs) and conditional ACEs have differing formats. For ACEs, see ACE Strings. For conditional ACEs, see Security Descriptor Definition Language for Conditional ACEs.

Syntax:

    O:owner_sid
    G:group_sid
    D:dacl_flags(string_ace1)(string_ace2)... (string_acen)
    S:sacl_flags(string_ace1)(string_ace2)... (string_acen)

owner_sid
    A SID string that identifies the object's owner.

group_sid
    A SID string that identifies the object's primary group.

dacl_flags
    Security descriptor control flags that apply to the DACL. For a description of these control flags, see the SetSecurityDescriptorControl function. The dacl_flags string can be a concatenation of zero or more of the following strings.

    Control              Constant in Sddl.h       Meaning
    "P"                  SDDL_PROTECTED           The SE_DACL_PROTECTED flag is set.
    "AR"                 SDDL_AUTO_INHERIT_REQ    The SE_DACL_AUTO_INHERIT_REQ flag is set.
    "AI"                 SDDL_AUTO_INHERITED      The SE_DACL_AUTO_INHERITED flag is set.
    "NO_ACCESS_CONTROL"  SDDL_NULL_ACL            The ACL is null.

sacl_flags
    Security descriptor control flags that apply to the SACL. The sacl_flags string uses the same control bit strings as the dacl_flags string.

string_ace
    A string that describes an ACE in the security descriptor's DACL or SACL. For a description of the ACE string format, see ACE Strings. Each ACE string is enclosed in parentheses (()).

Unneeded components can be omitted from the security descriptor string. For example, if the SE_DACL_PRESENT flag is not set in the input security descriptor, ConvertSecurityDescriptorToStringSecurityDescriptor does not include a D: component in the output string. You can also use the SECURITY_INFORMATION bit flags to indicate the components to include in a security descriptor string.

The security descriptor string format does not support NULL ACLs. To denote an empty ACL, the security descriptor string includes the D: or S: token with no additional string information.

The security descriptor string stores the SECURITY_DESCRIPTOR_CONTROL bits in different ways:

- The SE_DACL_PRESENT or SE_SACL_PRESENT bits are indicated by the presence of the D: or S: token in the string.
- Other bits that apply to the DACL or SACL are stored in dacl_flags and sacl_flags.
- The SE_OWNER_DEFAULTED, SE_GROUP_DEFAULTED, SE_DACL_DEFAULTED, and SE_SACL_DEFAULTED bits are not stored in a security descriptor string.
- The SE_SELF_RELATIVE bit is not stored in the string, but ConvertStringSecurityDescriptorToSecurityDescriptor always sets this bit in the output security descriptor.

The following examples show security descriptor strings and the information in the associated security descriptors.
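The component layout and the control-bit rules above are easy to get wrong when reviewing ACLs offline (for example SDDL exported from Active Directory or from the Sddl property of Get-Acl output). The following is an added example, not code from the Microsoft documentation: it splits a security descriptor string into its O:, G:, D: and S: components, decodes the dacl_flags/sacl_flags tokens the page lists, and rebuilds the SECURITY_DESCRIPTOR_CONTROL word the way the page says ConvertStringSecurityDescriptorToSecurityDescriptor reports it (D:/S: present sets SE_DACL_PRESENT/SE_SACL_PRESENT, SE_SELF_RELATIVE is always set, the DEFAULTED bits never appear). The SE_* numeric values are the winnt.h constants; the function and class names are this example's own.

```python
"""Parse the top-level layout of a security descriptor string (SDDL).

Added example, not Microsoft code. SE_* values are the winnt.h constants.
"""
from dataclasses import dataclass, field
from typing import Optional

SE_DACL_PRESENT = 0x0004
SE_SACL_PRESENT = 0x0010
SE_DACL_AUTO_INHERIT_REQ = 0x0100
SE_SACL_AUTO_INHERIT_REQ = 0x0200
SE_DACL_AUTO_INHERITED = 0x0400
SE_SACL_AUTO_INHERITED = 0x0800
SE_DACL_PROTECTED = 0x1000
SE_SACL_PROTECTED = 0x2000
SE_SELF_RELATIVE = 0x8000
CONTROL_NAMES = {v: k for k, v in dict(globals()).items() if k.startswith("SE_")}

# dacl_flags / sacl_flags token -> (bit when used after D:, bit when used after S:).
# Longest token first, so "AR"/"AI" are never read as something shorter.
FLAG_TOKENS = [
    ("NO_ACCESS_CONTROL", (0, 0)),   # SDDL_NULL_ACL: sets no control bit
    ("AR", (SE_DACL_AUTO_INHERIT_REQ, SE_SACL_AUTO_INHERIT_REQ)),
    ("AI", (SE_DACL_AUTO_INHERITED, SE_SACL_AUTO_INHERITED)),
    ("P", (SE_DACL_PROTECTED, SE_SACL_PROTECTED)),
]


@dataclass
class AclPart:
    flags: list = field(default_factory=list)   # flag tokens as written
    aces: list = field(default_factory=list)    # ACE strings, parentheses removed
    null_acl: bool = False                      # NO_ACCESS_CONTROL was present


@dataclass
class SecurityDescriptor:
    owner: Optional[str] = None
    group: Optional[str] = None
    dacl: Optional[AclPart] = None
    sacl: Optional[AclPart] = None
    control: int = SE_SELF_RELATIVE   # always set in the output, per the page


def split_components(sddl: str) -> dict:
    """Return {"O": body, "G": body, "D": body, "S": body} for the tokens present.

    A component starts only at an O:, G:, D: or S: seen outside parentheses, so
    the "S" of a SID such as S-1-5-18 or any text inside an ACE never starts one.
    Whitespace between components or ACEs (as in the page's String 2) is dropped.
    """
    parts, current, depth, i = {}, None, 0, 0
    while i < len(sddl):
        ch = sddl[i]
        if depth == 0 and ch.isspace():
            i += 1
            continue
        if depth == 0 and ch in "OGDS" and sddl[i + 1:i + 2] == ":":
            if ch in parts:
                raise ValueError(f"duplicate {ch}: component")
            current, parts[ch], i = ch, "", i + 2
            continue
        if current is None:
            raise ValueError(f"text before first component: {sddl[i:]!r}")
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ')'")
        parts[current] += ch
        i += 1
    if depth != 0:
        raise ValueError("unbalanced '('")
    return parts


def parse_acl_part(body: str, sacl: bool):
    """Decode 'flags(ace)(ace)...' into an AclPart plus the control bits it implies."""
    which = 1 if sacl else 0
    part, control, pos = AclPart(), 0, 0
    flags_text, _, rest = body.partition("(")
    while pos < len(flags_text):
        for token, bits in FLAG_TOKENS:
            if flags_text.startswith(token, pos):
                part.flags.append(token)
                control |= bits[which]
                pos += len(token)
                break
        else:
            raise ValueError(f"unknown ACL flag near {flags_text[pos:]!r}")
    part.null_acl = "NO_ACCESS_CONTROL" in part.flags
    ace_text = "(" + rest if rest else ""      # re-attach the "(" partition consumed
    depth, start = 0, 0                        # split on balanced groups, so a
    for i, ch in enumerate(ace_text):          # conditional ACE's nested parentheses
        if ch == "(":                          # stay inside one ACE string
            if depth == 0:
                start = i + 1
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                part.aces.append(ace_text[start:i])
    return part, control


def parse_sddl(sddl: str) -> SecurityDescriptor:
    parts = split_components(sddl)
    sd = SecurityDescriptor(owner=parts.get("O"), group=parts.get("G"))
    if "D" in parts:                       # D: present => SE_DACL_PRESENT
        sd.dacl, bits = parse_acl_part(parts["D"], sacl=False)
        sd.control |= SE_DACL_PRESENT | bits
    if "S" in parts:                       # S: present => SE_SACL_PRESENT
        sd.sacl, bits = parse_acl_part(parts["S"], sacl=True)
        sd.control |= SE_SACL_PRESENT | bits
    return sd


def control_names(control: int) -> list:
    """Names of the set control bits, lowest bit first (as in the page's dumps)."""
    return [name for bit, name in sorted(CONTROL_NAMES.items()) if control & bit]
```

Running parse_sddl on the page's String 1 gives owner "AO", group "DA", one DACL ACE and control 0x8004 (SE_DACL_PRESENT plus the always-set SE_SELF_RELATIVE); masking off SE_SELF_RELATIVE reproduces the "Control: 0x0004" line of Security Descriptor 1. An empty "D:" yields a DACL with no ACEs and no null_acl flag, which is the page's "empty ACL" case, while "D:NO_ACCESS_CONTROL" is reported as a null ACL.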
String 1:

    "O:AOG:DAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)"

Security Descriptor 1:

    Revision:     0x00000001
    Control:      0x0004
        SE_DACL_PRESENT
    Owner:        (S-1-5-32-548)
    PrimaryGroup: (S-1-5-21-397955417-626881126-188441444-512)

    DACL
    Revision: 0x02
    Size:     0x001c
    AceCount: 0x0001

    Ace[00]
        AceType:      0x00 (ACCESS_ALLOWED_ACE_TYPE)
        AceSize:      0x0014
        InheritFlags: 0x00
        Access Mask:  0x100e003f  READ_CONTROL WRITE_DAC WRITE_OWNER GENERIC_ALL Others(0x0000003f)
        Ace Sid:      (S-1-0-0)

    SACL
    Not present

String 2:

    "O:DAG:DAD:(A;;RPWPCCDCLCRCWOWDSDSW;;;SY)
    (A;;RPWPCCDCLCRCWOWDSDSW;;;DA)
    (OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)
    (OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)
    (OA;;CCDC;6da8a4ff-0e52-11d0-a286-00aa003049e2;;AO)
    (OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)
    (A;;RPLCRC;;;AU)S:(AU;SAFA;WDWOSDWPCCDCSW;;;WD)"

Security Descriptor 2:

    Revision:     0x00000001
    Control:      0x0014
        SE_DACL_PRESENT
        SE_SACL_PRESENT
    Owner:        (S-1-5-21-397955417-626881126-188441444-512)
    PrimaryGroup: (S-1-5-21-397955417-626881126-188441444-512)

    DACL
    Revision: 0x04
    Size:     0x0104
    AceCount: 0x0007

    Ace[00]
        AceType:      0x00 (ACCESS_ALLOWED_ACE_TYPE)
        AceSize:      0x0014
        InheritFlags: 0x00
        Access Mask:  0x000f003f  DELETE READ_CONTROL WRITE_DAC WRITE_OWNER Others(0x0000003f)
        Ace Sid:      (S-1-5-18)
    Ace[01]
        AceType:      0x00 (ACCESS_ALLOWED_ACE_TYPE)
        AceSize:      0x0024
        InheritFlags: 0x00
        Access Mask:  0x000f003f  DELETE READ_CONTROL WRITE_DAC WRITE_OWNER Others(0x0000003f)
        Ace Sid:      (S-1-5-21-397955417-626881126-188441444-512)
    Ace[02]
        AceType:       0x05 (ACCESS_ALLOWED_OBJECT_ACE_TYPE)
        AceSize:       0x002c
        InheritFlags:  0x00
        Access Mask:   0x00000003  Others(0x00000003)
        Flags:         0x00000001, ACE_OBJECT_TYPE_PRESENT
        ObjectType:    GUID_C_USER
        InhObjectType: GUID ptr is NULL
        Ace Sid:       (S-1-5-32-548)
    Ace[03]
        AceType:       0x05 (ACCESS_ALLOWED_OBJECT_ACE_TYPE)
        AceSize:       0x002c
        InheritFlags:  0x00
        Access Mask:   0x00000003  Others(0x00000003)
        Flags:         0x00000001, ACE_OBJECT_TYPE_PRESENT
        ObjectType:    GUID_C_GROUP
        InhObjectType: GUID ptr is NULL
        Ace Sid:       (S-1-5-32-548)
    Ace[04]
        AceType:       0x05 (ACCESS_ALLOWED_OBJECT_ACE_TYPE)
        AceSize:       0x002c
        InheritFlags:  0x00
        Access Mask:   0x00000003  Others(0x00000003)
        Flags:         0x00000001, ACE_OBJECT_TYPE_PRESENT
        ObjectType:    GUID_C_LOCALGROUP
        InhObjectType: GUID ptr is NULL
        Ace Sid:       (S-1-5-32-548)
    Ace[05]
        AceType:       0x05 (ACCESS_ALLOWED_OBJECT_ACE_TYPE)
        AceSize:       0x002c
        InheritFlags:  0x00
        Access Mask:   0x00000003  Others(0x00000003)
        Flags:         0x00000001, ACE_OBJECT_TYPE_PRESENT
        ObjectType:    GUID_C_PRINT_QUEUE
        InhObjectType: GUID ptr is NULL
        Ace Sid:       (S-1-5-32-550)
    Ace[06]
        AceType:      0x00 (ACCESS_ALLOWED_ACE_TYPE)
        AceSize:      0x0014
        InheritFlags: 0x00
        Access Mask:  0x00020014  READ_CONTROL Others(0x00000014)
        Ace Sid:      (S-1-5-11)

    SACL
    Revision: 0x02
    Size:     0x001c
    AceCount: 0x0001

    Ace[00]
        AceType:      0x02 (SYSTEM_AUDIT_ACE_TYPE)
        AceSize:      0x0014
        InheritFlags: 0xc0  SUCCESSFUL_ACCESS_ACE_FLAG FAILED_ACCESS_ACE_FLAG
        Access Mask:  0x000d002b  DELETE WRITE_DAC WRITE_OWNER Others(0x0000002b)
        Ace Sid:      (S-1-1-0)

Related topics

ACE Strings
Security Descriptor Definition Language for Conditional ACEs

SDDL semantics will vary by context

Note: When an SDDL string is applied to a securable object, the semantics will vary depending on the context. For example, the high-level security APIs (SetNamedSecurityInfo, SetSecurityInfo) will apply the SDDL using cascade propagation while ignoring the AI and AR flags. However, if you round-trip using the low-level security APIs (e.g., GetFileSecurity/SetFileSecurity or RegGetKeySecurity/RegSetKeySecurity), the AI flag will be honored if and only if you also include AR ("D:ARAI(A;OICI;FA;;;BU)").
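The two dumps above show what each ACE string decodes to, but the page defers the ACE string grammar to the ACE Strings reference. The following added example (not Microsoft code) decodes a single ACE string of the six-field form assumed from that reference, ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid, and reproduces the "Access Mask" lines of the dumps: the two-letter rights tokens (RP, WP, CC, DC, LC, SW, RC, WD, WO, SD, GA, FA, ...) are OR-ed into an ACCESS_MASK using the Sddl.h/winnt.h values, a literal 0x... mask is accepted as well, ACE flags such as SAFA become 0xc0, and well-known SID abbreviations are resolved. The well-known SID table is a subset; domain-relative tokens such as DA need the domain SID, which the caller supplies (the example uses the domain SID from the page's Security Descriptor 2). Conditional ACEs (seven fields) are rejected rather than misparsed. Function and class names are this example's own.

```python
"""Decode one SDDL ACE string such as "A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0".

Added example, not Microsoft code. Token values are those of Sddl.h / winnt.h.
"""
from dataclasses import dataclass
from typing import Optional

ACE_TYPES = {"A": 0x00, "D": 0x01, "AU": 0x02, "AL": 0x03,
             "OA": 0x05, "OD": 0x06, "OU": 0x07, "OL": 0x08}
ACE_FLAGS = {"OI": 0x01, "CI": 0x02, "NP": 0x04, "IO": 0x08, "ID": 0x10,
             "SA": 0x40, "FA": 0x80}   # SA/FA: SUCCESSFUL_/FAILED_ACCESS_ACE_FLAG
RIGHTS = {                              # two-letter rights token -> ACCESS_MASK bits
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x001, "DC": 0x002, "LC": 0x004, "SW": 0x008, "RP": 0x010,
    "WP": 0x020, "DT": 0x040, "LO": 0x080, "CR": 0x100,      # directory service
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "KA": 0x000F003F, "KR": 0x00020019, "KW": 0x00020006, "KX": 0x00020019,
}
MASK_NAMES = [   # the bits the page's dumps print by name; everything else is "Others"
    (0x00010000, "DELETE"), (0x00020000, "READ_CONTROL"), (0x00040000, "WRITE_DAC"),
    (0x00080000, "WRITE_OWNER"), (0x00100000, "SYNCHRONIZE"), (0x10000000, "GENERIC_ALL"),
    (0x20000000, "GENERIC_EXECUTE"), (0x40000000, "GENERIC_WRITE"), (0x80000000, "GENERIC_READ"),
]
WELL_KNOWN_SIDS = {"WD": "S-1-1-0", "SY": "S-1-5-18", "AU": "S-1-5-11",
                   "BA": "S-1-5-32-544", "BU": "S-1-5-32-545",
                   "AO": "S-1-5-32-548", "PO": "S-1-5-32-550"}   # subset
DOMAIN_RELATIVE = {"DA": 512, "DU": 513, "DG": 514, "DC": 515}   # RID under the domain SID


@dataclass
class Ace:
    ace_type: int
    ace_flags: int
    mask: int
    object_type: Optional[str]
    inherited_object_type: Optional[str]
    sid: str


def _pairs(text: str, table: dict, what: str) -> int:
    """OR together a run of two-letter tokens, e.g. "OICI" or "RPWPCC"."""
    if len(text) % 2:
        raise ValueError(f"odd-length {what} field: {text!r}")
    value = 0
    for i in range(0, len(text), 2):
        tok = text[i:i + 2]
        if tok not in table:
            raise ValueError(f"unknown {what} token {tok!r}")
        value |= table[tok]
    return value


def decode_rights(text: str) -> int:
    if text.lower().startswith("0x"):      # a literal hex mask is also valid SDDL
        return int(text, 16)
    return _pairs(text, RIGHTS, "rights")


def resolve_sid(token: str, domain_sid: Optional[str] = None) -> str:
    if token.startswith("S-1-"):
        return token
    if token in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[token]
    if token in DOMAIN_RELATIVE:
        if domain_sid is None:
            raise ValueError(f"{token} is domain-relative; pass domain_sid")
        return f"{domain_sid}-{DOMAIN_RELATIVE[token]}"
    raise ValueError(f"unknown SID token {token!r}")


def parse_ace(text: str, domain_sid: Optional[str] = None) -> Ace:
    fields = text.strip().strip("()").split(";")
    if len(fields) != 6:                   # conditional ACEs carry a 7th field
        raise ValueError(f"expected 6 fields, got {len(fields)}: {text!r}")
    ace_type, flags, rights, obj, inh_obj, sid = fields
    if ace_type not in ACE_TYPES:
        raise ValueError(f"unsupported ace_type {ace_type!r}")
    return Ace(ACE_TYPES[ace_type], _pairs(flags, ACE_FLAGS, "ace_flags"),
               decode_rights(rights), obj or None, inh_obj or None,
               resolve_sid(sid, domain_sid))


def describe_mask(mask: int) -> str:
    """Render a mask the way the page's dumps do: named bits, then Others(...)."""
    names = [name for bit, name in MASK_NAMES if mask & bit]
    named = sum(bit for bit, _ in MASK_NAMES)
    rest = mask & ~named & 0xFFFFFFFF
    if rest:
        names.append(f"Others(0x{rest:08x})")
    return f"0x{mask:08x} " + " ".join(names)
```

For the first ACE of String 1, parse_ace returns ace_type 0x00, mask 0x100e003f and describe_mask prints "0x100e003f READ_CONTROL WRITE_DAC WRITE_OWNER GENERIC_ALL Others(0x0000003f)", matching the dump; the SACL ACE of String 2 decodes SAFA to InheritFlags 0xc0 and WDWOSDWPCCDCSW to 0x000d002b. Because the whole mask is kept, a reviewer can test for dangerous combinations (WRITE_DAC, WRITE_OWNER, GENERIC_ALL granted to broad principals such as WD or AU) directly on the integer rather than by eyeballing letter pairs.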
