4
* NTFS 1.2 - System files security descriptors
5
* ===========================================
7
* Create the security descriptor for system file number @sys_file_no and
8
* return a pointer to the descriptor.
10
* $MFT, $MFTMirr, $LogFile, $AttrDef, $Bitmap, $Boot, $BadClus, and $UpCase
13
* $Volume, $Quota, and system files 0xb-0xf are the same. They are almost the
14
* same as the above, the only difference being that the two SIDs present in
15
* the DACL grant GENERIC_WRITE and GENERIC_READ equivalent privileges while
16
* the above only grant GENERIC_READ equivalent privileges. (For some reason
17
* the flags for GENERIC_READ/GENERIC_WRITE are not set by NT4, even though
18
* the permissions are equivalent, so we comply.)
20
* Root directory system file (".") is different altogether.
22
* The sd is returned in *@sd_val and has length *@sd_val_len.
24
* Do NOT free *@sd_val as it is static memory. This also means that you can
25
* only use *@sd_val until the next call to this function.
28
void init_system_file_sd(int sys_file_no, char **sd_val, int *sd_val_len)
30
static char sd_array[0x68];
31
SECURITY_DESCRIPTOR_RELATIVE *sd;
34
ACCESS_ALLOWED_ACE *aa_ace;
37
if (sys_file_no < 0 || sys_file_no > 0xf) {
42
*sd_val = (char*)&sd_array;
43
sd = (SECURITY_DESCRIPTOR_RELATIVE*)&sd_array;
46
sd->control = SE_SELF_RELATIVE | SE_DACL_PRESENT;
47
if (sys_file_no == FILE_$root) {
49
sd->owner = cpu_to_le32(0x30);
50
sd->group = cpu_to_le32(0x40);
53
sd->owner = cpu_to_le32(0x48);
54
sd->group = cpu_to_le32(0x58);
56
sd->sacl = cpu_to_le32(0);
57
sd->dacl = cpu_to_le32(0x14);
59
* Now at offset 0x14, as specified in the security descriptor, we have
62
acl = (ACL*)((char*)sd + le32_to_cpu(sd->dacl));
65
if (sys_file_no == FILE_$root) {
66
acl->size = cpu_to_le16(0x1c);
67
acl->ace_count = cpu_to_le16(1);
69
acl->size = cpu_to_le16(0x34);
70
acl->ace_count = cpu_to_le16(2);
72
acl->alignment2 = cpu_to_le16(0);
74
* Now at offset 0x1c, just after the DACL's ACL, we have the first
75
* ACE of the DACL. The type of the ACE is access allowed.
77
aa_ace = (ACCESS_ALLOWED_ACE*)((char*)acl + sizeof(ACL));
78
aa_ace->type = ACCESS_ALLOWED_ACE_TYPE;
79
if (sys_file_no == FILE_$root)
80
aa_ace->flags = CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE;
83
aa_ace->size = cpu_to_le16(0x14);
84
switch (sys_file_no) {
85
case FILE_$MFT: case FILE_$MFTMirr: case FILE_$LogFile:
86
case FILE_$AttrDef: case FILE_$Bitmap: case FILE_$Boot:
87
case FILE_$BadClus: case FILE_$UpCase:
88
aa_ace->mask = SYNCHRONIZE | STANDARD_RIGHTS_READ |
89
FILE_READ_ATTRIBUTES | FILE_READ_EA | FILE_READ_DATA;
91
case FILE_$Volume: case FILE_$Secure: case 0xb ... 0xf:
92
aa_ace->mask = SYNCHRONIZE | STANDARD_RIGHTS_WRITE |
93
FILE_WRITE_ATTRIBUTES | FILE_READ_ATTRIBUTES |
94
FILE_WRITE_EA | FILE_READ_EA | FILE_APPEND_DATA |
95
FILE_WRITE_DATA | FILE_READ_DATA;
98
aa_ace->mask = STANDARD_RIGHTS_ALL | FILE_WRITE_ATTRIBUTES |
99
FILE_READ_ATTRIBUTES | FILE_DELETE_CHILD |
100
FILE_TRAVERSE | FILE_WRITE_EA | FILE_READ_EA |
101
FILE_ADD_SUBDIRECTORY | FILE_ADD_FILE |
105
aa_ace->sid.revision = 1;
106
aa_ace->sid.sub_authority_count = 1;
107
aa_ace->sid.identifier_authority.value[0] = 0;
108
aa_ace->sid.identifier_authority.value[1] = 0;
109
aa_ace->sid.identifier_authority.value[2] = 0;
110
aa_ace->sid.identifier_authority.value[3] = 0;
111
aa_ace->sid.identifier_authority.value[4] = 0;
112
if (sys_file_no == FILE_$root) {
113
/* SECURITY_WORLD_SID_AUTHORITY (S-1-1) */
114
aa_ace->sid.identifier_authority.value[5] = 1;
115
aa_ace->sid.sub_authority[0] =
116
cpu_to_le32(SECURITY_WORLD_RID);
117
/* This is S-1-1-0, the WORLD_SID. */
119
/* SECURITY_NT_SID_AUTHORITY (S-1-5) */
120
aa_ace->sid.identifier_authority.value[5] = 5;
121
aa_ace->sid.sub_authority[0] =
122
cpu_to_le32(SECURITY_LOCAL_SYSTEM_RID);
125
* Now at offset 0x30 within security descriptor, just after the first
126
* ACE of the DACL. All system files, except the root directory, have
129
if (sys_file_no != FILE_$root) {
130
/* The second ACE of the DACL. Type is access allowed. */
131
aa_ace = (ACCESS_ALLOWED_ACE*)((char*)aa_ace +
132
le16_to_cpu(aa_ace->size));
133
aa_ace->type = ACCESS_ALLOWED_ACE_TYPE;
135
aa_ace->size = cpu_to_le16(0x18);
136
switch (sys_file_no) {
137
case FILE_$MFT: case FILE_$MFTMirr:
138
case FILE_$LogFile: case FILE_$AttrDef:
139
case FILE_$Bitmap: case FILE_$Boot:
140
case FILE_$BadClus: case FILE_$UpCase:
141
aa_ace->mask = SYNCHRONIZE | STANDARD_RIGHTS_READ |
142
FILE_READ_ATTRIBUTES | FILE_READ_EA |
145
case FILE_$Volume: case FILE_$Secure:
147
aa_ace->mask = SYNCHRONIZE | STANDARD_RIGHTS_READ |
148
FILE_WRITE_ATTRIBUTES |
149
FILE_READ_ATTRIBUTES | FILE_WRITE_EA |
150
FILE_READ_EA | FILE_APPEND_DATA |
151
FILE_WRITE_DATA | FILE_READ_DATA;
154
aa_ace->sid.revision = 1;
155
aa_ace->sid.sub_authority_count = 2;
156
/* SECURITY_NT_SID_AUTHORITY (S-1-5) */
157
aa_ace->sid.identifier_authority.value[0] = 0;
158
aa_ace->sid.identifier_authority.value[1] = 0;
159
aa_ace->sid.identifier_authority.value[2] = 0;
160
aa_ace->sid.identifier_authority.value[3] = 0;
161
aa_ace->sid.identifier_authority.value[4] = 0;
162
aa_ace->sid.identifier_authority.value[5] = 5;
163
aa_ace->sid.sub_authority[0] =
164
cpu_to_le32(SECURITY_BUILTIN_DOMAIN_RID);
165
aa_ace->sid.sub_authority[1] =
166
cpu_to_le32(DOMAIN_ALIAS_RID_ADMINS);
167
/* Now at offset 0x48 into the security descriptor. */
169
/* As specified in the security descriptor, we now have the owner SID.*/
170
sid = (SID*)((char*)sd + le32_to_cpu(sd->owner));
172
sid->sub_authority_count = 2;
173
/* SECURITY_NT_SID_AUTHORITY (S-1-5) */
174
sid->identifier_authority.value[0] = 0;
175
sid->identifier_authority.value[1] = 0;
176
sid->identifier_authority.value[2] = 0;
177
sid->identifier_authority.value[3] = 0;
178
sid->identifier_authority.value[4] = 0;
179
sid->identifier_authority.value[5] = 5;
180
sid->sub_authority[0] = cpu_to_le32(SECURITY_BUILTIN_DOMAIN_RID);
181
sid->sub_authority[1] = cpu_to_le32(DOMAIN_ALIAS_RID_ADMINS);
183
* Now at offset 0x40 or 0x58 (root directory and the other system
184
* files, respectively) into the security descriptor, as specified in
185
* the security descriptor, we have the group SID.
187
sid = (SID*)((char*)sd + le32_to_cpu(sd->group));
189
sid->sub_authority_count = 2;
190
/* SECURITY_NT_SID_AUTHORITY (S-1-5) */
191
sid->identifier_authority.value[0] = 0;
192
sid->identifier_authority.value[1] = 0;
193
sid->identifier_authority.value[2] = 0;
194
sid->identifier_authority.value[3] = 0;
195
sid->identifier_authority.value[4] = 0;
196
sid->identifier_authority.value[5] = 5;
197
sid->sub_authority[0] = cpu_to_le32(SECURITY_BUILTIN_DOMAIN_RID);
198
sid->sub_authority[1] = cpu_to_le32(DOMAIN_ALIAS_RID_ADMINS);