Re: Customizable security in NTFS? Needs to be extensible & dynamic



Have a service open files for the user app. A service can combine user's
token with whatever rules you want, open or not open the file, and duplicate
a handle back to the app.

"Chuck Chopp" <ChuckChopp@xxxxxxxxxxx> wrote in message
news:u$hxfwTyHHA.1168@xxxxxxxxxxxxxxxxxxxxxxx
Alexander Grigoriev wrote:

Your approach seems convoluted. What is your ultimate problem? Not the
problem of how to change file permissions on the fly, but the problem behind
it?

OK, the problem definition was buried in the description...

In a nutshell, access-tokens are static... once one is created, any
changes to a user's group membership in AD don't take effect until the
user logs out & logs on again. Thus, making a user a member of a group
and adding ACEs for that group to the DACL of a folder does not result in
immediate access to the folder for the user.

I'm porting an application from a Novell eDir / NetWare environment over
to an AD / Windows environment. With eDir & NetWare, a different
implementation is used when computing effective access rights. Making a
user a member of a group results in the user becoming "security
equivalent" to the group. eDir implements security equivalence in a very
broad way, very generic, such that *every* object in the eDir tree can be
a security principal, and "trustee assignments" [the equivalent of adding
ACEs to a DACL on NTFS] can be assigned dynamically in the file system on
an NSS or TFS volume. When effective access rights are calculated, full
traversal from the root of the volume, as well as summation of all
security equivalences, are both performed. This allows for changes in
security equivalence to have an immediate impact on effective access
rights w/o requiring the user to logout & logon again.

I know, this is the exact opposite of how the NT platform does things with
AD and NTFS... I'm intimately familiar with how the Win32
Security API functions work, and I've been doing software development
using them since the mid 1990's. I'm well aware of how ACL inheritance
*really* works as of Win2K, and any change to an inheritable ACE requires
a cascading operation where the ACE is applied to the DACL of every
descendent that doesn't have a protected DACL. So, in the case of NTFS,
effective rights are determined by reading only the DACL of the
folder/file being accessed, and comparing that against all the
security-enabled SIDs in the user's access-token. This may or may not
result in a performance improvement compared to how NetWare performs the
same task, since the traversal & summation task need not be performed at
the time that effective access rights need to be calculated, but it can
incur a *huge* performance penalty if inheritable rights are being
modified on a NTFS folder hierarchy that is, well, let's say "massive"
in terms of its depth, breadth and # of files.

The non-dynamic nature of access tokens makes it very difficult for me to
port this application. The implicitly dynamic nature of effective rights
determination on NetWare & NSS / TFS volumes is critical to the proper
functioning of this application.

This need has led me to investigate methods by which I can augment the
existing NTFS security features with something more dynamic. Let's just
accept that there are a potentially complex set of rules that exist, based
on some sort of security policy, that exist somewhere as an object in AD.
I need to have those rules effectively implemented such that any given
user's access to a particular folder or file is enabled or disabled based
on the intersection of those rules with the existing ACEs in the DACL on
the folder or file in question. I'm not going to go into any more detail
about what those rules are, or how they are determined or derived, but
suffice it to say that they exist and I need to find a way to enforce
them.

The mechanisms that come to mind are file system filter drivers and API
function hooks in the file system. Most certainly, Anti-Virus products
make use of API function hooking and can certainly deny access to a folder
or file, but I'm not certain that they can effectively provide additional
"access allowed" functionality that combines with and/or overrides the
DACL on a folder or file.

Is that a clear enough description of the problem that I'm trying to
solve?

Any hints or insights into the proper mechanisms to use would be
appreciated.


TIA,

Chuck
--
Chuck Chopp

ChuckChopp (at) rtfmcsi (dot) com http://www.rtfmcsi.com

RTFM Consulting Services Inc. 864 801 2795 voice & voicemail
103 Autumn Hill Road 864 801 2774 fax
Greer, SC 29651

Do not send me unsolicited commercial email.
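Alexander's broker-service suggestion, modelled as an added example that is not code from either poster: a static logon token is compared with a principal set rebuilt from the directory at request time, both run through NT-style ordered DACL evaluation. The directory dict, principal names and the two access-mask bits are constructed stand-ins; a real service would impersonate the client token, query AD, and call AccessCheck/DuplicateHandle.

```python
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2   # constructed access-mask bits; real NT masks combine the same way

@dataclass(frozen=True)
class Ace:
    sid: str      # constructed principal name standing in for a SID
    mask: int
    allow: bool   # True = ACCESS_ALLOWED_ACE, False = ACCESS_DENIED_ACE

def effective_sids(directory, user):
    """Transitive group closure *as of now* (directory: principal -> direct groups,
    a stand-in for AD): the eDir-style summation of security equivalences."""
    sids, todo = {user}, [user]
    while todo:
        for g in directory.get(todo.pop(), ()):
            if g not in sids:
                sids.add(g)
                todo.append(g)
    return sids

def access_check(dacl, sids, desired):
    """NT DACL semantics: ACEs are taken in order; a matching deny on any bit not
    yet granted fails the check, matching allows accumulate until every desired
    bit is granted.  dacl=None (no DACL) grants everything; [] grants nothing."""
    if dacl is None:
        return True
    remaining = desired
    for ace in dacl:
        if ace.sid not in sids:
            continue
        if not ace.allow and ace.mask & remaining:
            return False
        if ace.allow:
            remaining &= ~ace.mask
    return remaining == 0

def broker_check(directory, dacl, user, desired):
    """What the suggested broker service does before opening the file for the
    client: rebuild the principal set at request time, not from the logon token."""
    return access_check(dacl, effective_sids(directory, user), desired)

def demo():
    ad = {"alice": {"Staff"}, "Staff": {"Everyone"}}
    dacl = [Ace("Contractors", WRITE, False),    # explicit deny ordered first
            Ace("Staff", READ, True), Ace("Auditors", READ | WRITE, True)]
    logon_token = effective_sids(ad, "alice")    # snapshot taken at logon
    ad["alice"].add("Auditors")                  # membership change after logon
    return (access_check(dacl, logon_token, READ | WRITE),
            broker_check(ad, dacl, "alice", READ | WRITE))
```

demo() shows the stale token still denying read+write after alice joins Auditors while the broker's fresh lookup grants it; an ordered deny ACE still wins for a principal it matches, and an empty DACL denies everything while a missing one allows everything.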




