Adding a new ACE to an existing ACL

Hello,
I’m working on this minifilter driver and I need to add an ACE to the DACL of files.
I get the ACL from the file’s Security Descriptor during the pre function of the IRP_SET_MJ_SECURITY and then use RtlAddAccessAllowedAce() to add a new ACE.
But I get the STATUS_ALLOTTED_SPACE_EXCEEDED error message.

Doesn’t RtlAddAccessAllowedAce() allocate an ACE object and add it to the ACL?
Any suggestion on how to solve this issue without creating a new ACL list?

Thanks
Payman

Firstly, you have to allocate & create an ACL, see RtlCreateAcl function.

// for ONE sid
aclLength = sizeof( ACL ) + sizeof(ACCESS_ALLOWED_ACE) + RtlLengthSid(…) + 8;

dacl = (PACL) ExAllocatePoolWithTag( PagedPool, aclLength, TAG);
status = RtlCreateAcl( dacl, aclLength, ACL_REVISION );
status = RtlAddAccessAllowedAceEx( … );

Petr

On the contrary, STATUS_ALLOTTED_SPACE_EXCEEDED says the ACL buffer is not
large enough for your ACL.

Petr
If I create an ACL the way you wrote, doesn’t it remove the old ACL from that file and replace it with the new ACL with only one ACE?
I’d like to keep the old ACL and just add a new one to it.
Am I missing something here?

Thanks
Payman

You need to read the existing DACL, find out how large it is, then allocate
memory for a new DACL such that the memory allocation is the size of the old
DACL plus the size of the new ACE you want to add. You then need to copy
the ACEs from the old DACL to the new DACL, making sure to insert your new
ACE at the appropriate point to preserve proper sorted order of the ACEs.
Finally, you set the new DACL on the folder/file itself.

If the ACE you are adding is inheritable, then you have to be concerned with
whether or not propagation of the ACE is performed properly, too. I’m not
as familiar with the kernel mode Rtl*() routines that manage security, so I
don’t know if they automatically propagate the inheritable ACEs or if you
need to call a specific routine to make that happen. In user mode code,
there’s 2 different sets of security API functions; the low-level functions
don’t do the propagation, but the high-level functions [Win2k & later] do
the propagation automatically.

Guys thanks for your input,
So to delete the old ACL, I need to go through the ACL list and call RtlDeleteAce?
Does it free up the memory used by that ACE?
Is there any other way to do that?

Thanks again
Payman

Your original message at the start of this thread doesn’t mention deleting
ACEs from the DACL [Discretionary ACL]. You simply stated that you were
attempting to insert an additional ACE into the DACL and were receiving an
error message indicating that there wasn’t enough room in the DACL to
contain the ACE you were attempting to add.

You need to examine the MSDN docs that discuss NT Security, Security
Descriptors, ACLs and ACEs so that you can understand how to properly
manipulate them. Depending on whether or not the SD [Security Descriptor]
that you’re receiving is in Absolute or Self-relative format, the steps you
will take will vary somewhat to replace one ACL in the SD with a modified
ACL that contains more ACEs.

In answer to your direct question, yes, when you delete an ACE from an ACL,
the space in the ACL’s allocated memory that was used by the ACE is no
longer occupied by the deleted ACE. However, deleting ACEs from an ACL does
not guarantee that enough space will be freed up to allow your new ACE to
fit into the ACL. The proper thing to do is to obtain the ACL’s current
size, calculate how many more bytes the new ACE will occupy, then allocate
memory for a new ACL and then add all of the ACEs from the old ACL plus your
new ACE into the new ACL. The final step is to modify the SD so that it
makes use of the new ACL instead of the old one. As I said earlier,
Absolute vs. Self-relative formats for the SD & its contents will alter how
you go about doing the ACL replacement.
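
The procedure described above, as an added example that is not part of the thread: a portable C model of the ACL byte layout showing why a tightly sized DACL has no room for another ACE, and how a rebuilt DACL keeps the existing ACEs with the new explicit allow ACE placed ahead of the inherited ones. The names `Acl`, `Ace`, `fits`, `rebuild_with_ace` and `sample_acl`, the fixed 16-byte sample SID and the access masks are assumptions for illustration; the code does not call the WDK Rtl* routines.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Portable model of the ACL/ACE binary layout; not the WDK headers or Rtl* routines. */
typedef struct { uint8_t rev, sbz1; uint16_t size, count, sbz2; } Acl;      /* 8-byte header */
typedef struct { uint8_t type, flags; uint16_t size; uint32_t mask; } Ace;  /* SID follows */
enum { ALLOWED = 0, INHERITED = 0x10, SIDLEN = 16, ACELEN = sizeof(Ace) + SIDLEN };
static const uint8_t SID_USERS[SIDLEN] = {1,2,0,0,0,0,0,5, 32,0,0,0, 0x21,2,0,0}; /* S-1-5-32-545 */

static const Ace *ace_at(const Acl *a, unsigned i) {   /* i == count gives the end of the used bytes */
    const uint8_t *p = (const uint8_t *)(a + 1);
    while (i--) p += ((const Ace *)p)->size;
    return (const Ace *)p;
}
static size_t acl_used(const Acl *a) { return (size_t)((const uint8_t *)ace_at(a, a->count) - (const uint8_t *)a); }
static void put_allowed(uint8_t *dst, uint8_t flags, uint32_t mask, const uint8_t *sid) {
    Ace h = { ALLOWED, flags, ACELEN, mask };
    memcpy(dst, &h, sizeof h);
    memcpy(dst + sizeof h, sid, SIDLEN);
}
/* Free-space test an in-place add must pass; failing it is the STATUS_ALLOTTED_SPACE_EXCEEDED case. */
int fits(const Acl *a) { return acl_used(a) + ACELEN <= a->size; }

/* Rebuild into old used bytes + one ACE; the explicit allow ACE lands before the first inherited ACE. */
Acl *rebuild_with_ace(const Acl *old, uint32_t mask, const uint8_t *sid) {
    size_t used = acl_used(old), total = used + ACELEN;
    Acl *out = total > UINT16_MAX ? NULL : calloc(1, total);
    if (!out) return NULL;
    *out = *old; out->size = (uint16_t)total; out->count++;
    unsigned i = 0;
    while (i < old->count && !(ace_at(old, i)->flags & INHERITED)) i++;
    size_t split = (size_t)((const uint8_t *)ace_at(old, i) - (const uint8_t *)old);
    memcpy(out + 1, old + 1, split - sizeof *old);                 /* existing explicit ACEs */
    put_allowed((uint8_t *)out + split, 0, mask, sid);             /* the new ACE */
    memcpy((uint8_t *)out + split + ACELEN, (const uint8_t *)old + split, used - split); /* inherited ACEs */
    return out;
}
/* Constructed sample: a DACL sized exactly for one explicit and one inherited allow ACE. */
Acl *sample_acl(void) {
    uint16_t size = sizeof(Acl) + 2 * ACELEN;
    Acl *a = calloc(1, size);
    if (!a) return NULL;
    *a = (Acl){ 2, 0, size, 2, 0 };                                /* revision 2 = ACL_REVISION */
    put_allowed((uint8_t *)(a + 1), 0, 0x1200A9, SID_USERS);       /* sample access masks */
    put_allowed((uint8_t *)(a + 1) + ACELEN, INHERITED, 0x1F01FF, SID_USERS);
    return a;
}
int main(void) {   /* exit status 0 when the old DACL is full and the rebuilt one holds three ACEs */
    Acl *old = sample_acl(), *n = old ? rebuild_with_ace(old, 0x120089, SID_USERS) : NULL;
    return !(n && !fits(old) && n->count == 3);
}
```

The rebuilt buffer is again sized exactly, so a later addition needs the same rebuild; in a self-relative SD the whole descriptor has to be rebuilt around the new DACL, as noted further down the thread.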

Charles, thanks for your response.
I think I did not explain my ACL delete scenario very well. What I meant was how to free up the old DACL memory block.
I think based on what you wrote these should be the steps:

  1. Reading the existing DACL, finding out how large it is, then allocating memory for a new DACL such that the memory allocation is the size of the old DACL plus the size of the new ACE I want to add.
  2. Copying the ACEs from the old DACL to the new DACL.
  3. Adding my new ACE.
  4. Modifying the SD so that it makes use of the new ACL instead of the old one.

Now my question is, what will happen to the memory block of the old DACL? Do I need to free that memory block? And if this is the case, can I use the standard ExFreexxx functions?

Thanks again for spending time on my question.
Payman

I can’t say for sure what, if anything, needs to be done in terms of
deallocating the memory consumed by the old DACL [and possibly SD]. You
didn’t allocate it, and I suspect that whatever thread initiated the I/O
operation that’s modifying the SD will be responsible, at some higher level,
for freeing up the memory that the SD occupies after the I/O operation has
completed, regardless of success or failure of the operation. What I think
is probably more important is making sure that you deallocate the memory
that your modified SD occupies after your filter has passed the IRP on to
the underlying driver stack and the IRP has been completed.

Please note, if the SD is in self-relative format, then you’re not just
allocating memory for the new DACL, you’re going to have to allocate memory
to contain the entire SD, including the header & body of the SD, the DACL
and possibly the SACL.

Thank you very much Charles
Payman