2.4.6 SECURITY_DESCRIPTOR


The SECURITY_DESCRIPTOR structure defines the security attributes of an object. These attributes specify who owns the object; who can access the object and what they can do with it; what level of audit logging can be applied to the object; and what kind of restrictions apply to the use of the security descriptor.

Security descriptors appear in one of two forms, absolute or self-relative.

A security descriptor is said to be in absolute format if it stores all of its security information via pointer fields, as specified in the RPC representation in section 2.4.6.1.

A security descriptor is said to be in self-relative format if it stores all of its security information in a contiguous block of memory and expresses all of its pointer fields as offsets from its beginning. The pointer target fields may appear in any order; the location of the OwnerSid, GroupSid, Sacl, and/or Dacl is determined only by the OffsetOwner, OffsetGroup, OffsetSacl, and/or OffsetDacl values found in the fixed portion of the relative security descriptor.<72>

The self-relative form of the security descriptor is required if one wants to transmit the SECURITY_DESCRIPTOR structure as an opaque data structure for transmission in communication protocols over a wire, or for storage on secondary media; the absolute form cannot be transmitted because it contains pointers to objects that are generally not accessible to the recipient.

When a self-relative security descriptor is transmitted over a wire, it is sent in little-endian format and requires no padding.


 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+
|   Revision    |     Sbz1      |            Control            |
+---------------+---------------+-------------------------------+
|                          OffsetOwner                          |
+---------------------------------------------------------------+
|                          OffsetGroup                          |
+---------------------------------------------------------------+
|                          OffsetSacl                           |
+---------------------------------------------------------------+
|                          OffsetDacl                           |
+---------------------------------------------------------------+
|                      OwnerSid (variable)                      |
|                              ...                              |
+---------------------------------------------------------------+
|                      GroupSid (variable)                      |
|                              ...                              |
+---------------------------------------------------------------+
|                        Sacl (variable)                        |
|                              ...                              |
+---------------------------------------------------------------+
|                        Dacl (variable)                        |
|                              ...                              |
+---------------------------------------------------------------+

Revision (1 byte): An unsigned 8-bit value that specifies the revision of the SECURITY_DESCRIPTOR structure. This field MUST be set to one.

Sbz1 (1 byte): An unsigned 8-bit value with no meaning unless the Control RM bit is set to 0x1. If the RM bit is set to 0x1, Sbz1 is interpreted as the resource manager control bits that contain specific information<73> for the specific resource manager that is accessing the structure. The permissible values and meanings of these bits are determined by the implementation of the resource manager.

Control (2 bytes): An unsigned 16-bit field that specifies control access bit flags. The Self Relative (SR) bit MUST be set when the security descriptor is in self-relative format.


 0                   1
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|S|R|P|P|S|D|S|D|S|D|S|S|D|D|G|O|
|R|M|S|D|I|I|C|C|S|T|D|P|D|P|D|D|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Where the bits are defined as:

Bit 0 in the diagram above is the most significant bit of the 16-bit Control value, so SR corresponds to the mask 0x8000 and OD to 0x0001.

Value   Mask    Description

SR      0x8000  Self-Relative. Set when the security descriptor is in self-relative format. Cleared when the security descriptor is in absolute format.

RM      0x4000  RM Control Valid. Set to 0x1 when the Sbz1 field is to be interpreted as resource manager control bits.

PS      0x2000  SACL Protected. Set when the SACL will be protected from inherit operations.

PD      0x1000  DACL Protected. Set when the DACL will be protected from inherit operations.

SI      0x0800  SACL Auto-Inherited. Set when the SACL was created through inheritance.

DI      0x0400  DACL Auto-Inherited. Set when the DACL was created through inheritance.

SC      0x0200  SACL Computed Inheritance Required. Set when the SACL is to be computed through inheritance. When both SC and SI are set, the resulting security descriptor sets SI; the SC setting is not preserved.

DC      0x0100  DACL Computed Inheritance Required. Set when the DACL is to be computed through inheritance. When both DC and DI are set, the resulting security descriptor sets DI; the DC setting is not preserved.

SS      0x0080  Server Security. Set when the caller wants the system to create a Server ACL based on the input ACL, regardless of its source (explicit or defaulting).

DT      0x0040  DACL Trusted. Set when the ACL that is pointed to by the DACL field was provided by a trusted source and does not require any editing of compound ACEs.

SD      0x0020  SACL Defaulted. Set when the SACL was established by default means.

SP      0x0010  SACL Present. Set when the SACL is present on the object.

DD      0x0008  DACL Defaulted. Set when the DACL was established by default means.

DP      0x0004  DACL Present. Set when the DACL is present on the object.

GD      0x0002  Group Defaulted. Set when the group was established by default means.

OD      0x0001  Owner Defaulted. Set when the owner was established by default means.

OffsetOwner (4 bytes): An unsigned 32-bit integer that specifies the offset, from the start of the security descriptor, to the SID that identifies the owner of the object to which the security descriptor is associated. This must be a valid offset if the OD flag is not set. If this field is set to zero, the OwnerSid field MUST not be present.

OffsetGroup (4 bytes): An unsigned 32-bit integer that specifies the offset, from the start of the security descriptor, to the SID that identifies the primary group of the object to which the security descriptor is associated. This must be a valid offset if the GD flag is not set. If this field is set to zero, the GroupSid field MUST not be present.

OffsetSacl (4 bytes): An unsigned 32-bit integer that specifies the offset, from the start of the security descriptor, to the ACL that contains system ACEs. Typically, the system ACL contains auditing ACEs (such as SYSTEM_AUDIT_ACE, SYSTEM_AUDIT_CALLBACK_ACE, or SYSTEM_AUDIT_CALLBACK_OBJECT_ACE), and at most one Label ACE (as specified in section 2.4.4.13). This must be a valid offset if the SP flag is set; if the SP flag is not set, this field MUST be set to zero. If this field is set to zero, the Sacl field MUST not be present.

OffsetDacl (4 bytes): An unsigned 32-bit integer that specifies the offset, from the start of the security descriptor, to the ACL that contains ACEs that control access. Typically, the DACL contains ACEs that grant or deny access to principals or groups. This must be a valid offset if the DP flag is set; if the DP flag is not set, this field MUST be set to zero. If this field is set to zero, the Dacl field MUST not be present.

OwnerSid (variable): The SID of the owner of the object. The length of the SID MUST be a multiple of 4. This field MUST be present if the OffsetOwner field is not zero.

GroupSid (variable): The SID of the group of the object. The length of the SID MUST be a multiple of 4. This field MUST be present if the OffsetGroup field is not zero.<74>

Sacl (variable): The SACL of the object. The length of the ACL MUST be a multiple of 4. This field MUST be present if the SP flag is set.

Dacl (variable): The DACL of the object. The length of the ACL MUST be a multiple of 4. This field MUST be present if the DP flag is set.
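The following parser is an added example, not part of the specification text or of any Microsoft implementation. It decodes a self-relative SECURITY_DESCRIPTOR exactly as laid out above (little-endian 20-byte fixed portion, offsets relative to the start of the buffer, Control bit masks derived from the bit diagram), enforces the MUSTs that tie the SP/DP flags to OffsetSacl/OffsetDacl, and bounds-checks every offset and size before trusting it. The SID, ACL and ACE layouts it relies on come from sections 2.4.2.2, 2.4.5 and 2.4.4.2 of the same specification rather than from this page; the rejection of offsets that point into the fixed header is an extra sanity check of my own, and the sample descriptor is constructed, not captured from a live system.

```python
"""Parse and validate a self-relative SECURITY_DESCRIPTOR (MS-DTYP 2.4.6).

Added example, not specification or Microsoft code. SID/ACL/ACE layouts follow
MS-DTYP 2.4.2.2, 2.4.5 and 2.4.4.2; the sample descriptor below is constructed.
"""
import struct

SD_HEADER = struct.Struct("<BBHIIII")  # Revision, Sbz1, Control, four offsets
SD_HEADER_LEN = SD_HEADER.size         # 20 bytes, little-endian on the wire

# Control bits in diagram order; bit 0 (SR) is the most significant bit of
# the 16-bit field, so SR = 0x8000 and OD (bit 15) = 0x0001.
CONTROL_NAMES = ("SR", "RM", "PS", "PD", "SI", "DI", "SC", "DC",
                 "SS", "DT", "SD", "SP", "DD", "DP", "GD", "OD")
CONTROL = {n: 1 << (15 - i) for i, n in enumerate(CONTROL_NAMES)}


class MalformedSD(ValueError):
    """The buffer violates a MUST of the layout or runs out of bounds."""


def control_flags(control):
    return [n for n in CONTROL_NAMES if control & CONTROL[n]]


def parse_sid(buf, off):
    """SID: Revision(1) SubAuthorityCount(1) IdentifierAuthority(6, big-endian)
    then SubAuthorityCount little-endian DWORDs. Returns (text, byte length)."""
    if off + 8 > len(buf):
        raise MalformedSD("SID header out of bounds at offset %d" % off)
    rev, count = buf[off], buf[off + 1]
    if rev != 1 or count > 15:
        raise MalformedSD("bad SID revision/sub-authority count at %d" % off)
    length = 8 + 4 * count                      # always a multiple of 4
    if off + length > len(buf):
        raise MalformedSD("SID sub-authorities out of bounds at %d" % off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-1-%d" % authority + "".join("-%d" % s for s in subs), length


def parse_acl(buf, off):
    """ACL: AclRevision(1) Sbz1(1) AclSize(2) AceCount(2) Sbz2(2), then ACEs,
    each starting AceType(1) AceFlags(1) AceSize(2). ACCESS_ALLOWED (0x00) and
    ACCESS_DENIED (0x01) ACEs carry Mask(4) + SID; other types stay opaque."""
    if off + 8 > len(buf):
        raise MalformedSD("ACL header out of bounds at offset %d" % off)
    _rev, _sbz1, size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    if size < 8 or off + size > len(buf):
        raise MalformedSD("AclSize %d does not fit the buffer" % size)
    end, pos, aces = off + size, off + 8, []
    for _ in range(count):                      # never trust AceCount alone
        if pos + 4 > end:
            raise MalformedSD("ACE header runs past AclSize")
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", buf, pos)
        if ace_size < 4 or pos + ace_size > end:
            raise MalformedSD("AceSize %d runs past AclSize" % ace_size)
        mask = sid = None
        if ace_type in (0x00, 0x01):
            if ace_size < 16:                   # header + Mask + minimal SID
                raise MalformedSD("allow/deny ACE too short for Mask + SID")
            mask = struct.unpack_from("<I", buf, pos + 4)[0]
            sid, sid_len = parse_sid(buf, pos + 8)
            if 8 + sid_len > ace_size:
                raise MalformedSD("SID runs past AceSize")
        aces.append((ace_type, ace_flags, mask, sid))
        pos += ace_size
    return aces


def parse_sd(buf):
    """Decode the fixed portion, enforce the flag/offset rules, follow offsets."""
    if len(buf) < SD_HEADER_LEN:
        raise MalformedSD("shorter than the 20-byte fixed portion")
    rev, sbz1, control, o_own, o_grp, o_sacl, o_dacl = SD_HEADER.unpack_from(buf)
    if rev != 1:
        raise MalformedSD("Revision MUST be 1, got %d" % rev)
    flags = control_flags(control)
    if "SR" not in flags:
        raise MalformedSD("SR not set: not a self-relative descriptor")
    if ("SP" in flags) != (o_sacl != 0) or ("DP" in flags) != (o_dacl != 0):
        raise MalformedSD("SP/DP flags disagree with OffsetSacl/OffsetDacl")
    for o in (o_own, o_grp, o_sacl, o_dacl):    # extra check of my own, not
        if o and o < SD_HEADER_LEN:             # a rule stated in the text
            raise MalformedSD("offset %d points into the fixed header" % o)
    return {"revision": rev, "control": flags,
            "rm_control": sbz1 if "RM" in flags else None,  # Sbz1 needs RM
            "owner": parse_sid(buf, o_own)[0] if o_own else None,
            "group": parse_sid(buf, o_grp)[0] if o_grp else None,
            "sacl": parse_acl(buf, o_sacl) if o_sacl else None,
            "dacl": parse_acl(buf, o_dacl) if o_dacl else None}


def is_malformed(buf):
    try:
        parse_sd(buf)
        return False
    except MalformedSD:
        return True


# --- constructed sample input (not captured from a real system) ---
def sid_bytes(authority, *subs):
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def ace_bytes(ace_type, ace_flags, mask, sid):
    body = struct.pack("<I", mask) + sid
    return struct.pack("<BBH", ace_type, ace_flags, 4 + len(body)) + body

def acl_bytes(*aces):
    body = b"".join(aces)
    return struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body

def build_sample_sd():
    """Owner S-1-5-32-544, group S-1-5-18, no SACL, DACL = allow Administrators
    0x001F01FF then deny Everyone 0x00120089. The DACL is deliberately placed
    before the SIDs to show that target order is free."""
    admins, system, everyone = sid_bytes(5, 32, 544), sid_bytes(5, 18), sid_bytes(1, 0)
    dacl = acl_bytes(ace_bytes(0x00, 0x00, 0x001F01FF, admins),
                     ace_bytes(0x01, 0x00, 0x00120089, everyone))
    o_dacl = SD_HEADER_LEN
    o_own = o_dacl + len(dacl)
    o_grp = o_own + len(admins)
    hdr = SD_HEADER.pack(1, 0, CONTROL["SR"] | CONTROL["DP"], o_own, o_grp, 0, o_dacl)
    return hdr + dacl + admins + system


if __name__ == "__main__":
    print(parse_sd(build_sample_sd()))
```

Every offset and size in the buffer is attacker-controlled when the descriptor arrives over a protocol, so the parser checks each one against the buffer and against the enclosing AclSize before reading through it, and treats a flag that disagrees with its offset (for example DP set with OffsetDacl zero) as a hard error rather than guessing. Run it as a script to print the decoded sample; truncating the sample by a few bytes makes it raise MalformedSD instead of reading past the end.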