Platform SDK: Files and I/O
Windows NT/Windows 2000 security enables you to control access to file and directory objects stored on a secure file system, such as NTFS. For more information about security, see Access-Control Model.
You can specify a security descriptor for a file or directory when you call the CreateFile, CreateDirectory, or CreateDirectoryEx function. To retrieve the security descriptor of a file or directory object, call the GetNamedSecurityInfo or GetSecurityInfo function. To change the security descriptor of a file or directory object, call the SetNamedSecurityInfo or SetSecurityInfo function.
When a thread calls the CreateFile function to open a handle to a file or directory object, the thread requests a set of generic access rights (GENERIC_READ, GENERIC_WRITE, and so on) to the object. The requested access rights determine the operations that the thread can perform with the returned handle. Before returning a handle to the object, CreateFile maps the requested generic rights to the standard and specific rights they stand for and checks them, together with the thread's access token (or the process token, if the thread is not impersonating), against the DACL in the object's security descriptor. The check fails if any requested right is denied, not only if all of them are.
For file and directory objects, GENERIC_READ access maps to the following standard and specific access rights.
| Access right | Description |
|---|---|
| FILE_READ_ATTRIBUTES | Right to read file attributes. |
| FILE_READ_DATA | Right to read data from the file. For a directory, the right to list the contents of the directory (FILE_LIST_DIRECTORY). |
| FILE_READ_EA | Right to read extended attributes. |
| STANDARD_RIGHTS_READ | Includes READ_CONTROL, which is the right to read the information in the object's security descriptor, not including the information in the SACL. |
| SYNCHRONIZE | Right to specify a file handle in one of the wait functions. However, for asynchronous file I/O operations, you should wait on the event handle in an OVERLAPPED structure rather than using the file handle for synchronization. |
For file and directory objects, GENERIC_WRITE access maps to the following standard and specific access rights.
| Access right | Description |
|---|---|
| FILE_APPEND_DATA | Right to append data to the file. For a directory, the right to create a subdirectory (FILE_ADD_SUBDIRECTORY). |
| FILE_WRITE_ATTRIBUTES | Right to write file attributes. |
| FILE_WRITE_DATA | Right to write data to the file. For a directory, the right to create a file in the directory (FILE_ADD_FILE). |
| FILE_WRITE_EA | Right to write extended attributes. |
| STANDARD_RIGHTS_WRITE | Includes READ_CONTROL, which is the right to read the information in the object's security descriptor, not including the information in the SACL. STANDARD_RIGHTS_WRITE is the same bit as STANDARD_RIGHTS_READ; neither includes WRITE_DAC or WRITE_OWNER. |
| SYNCHRONIZE | Right to specify a file handle in one of the wait functions. However, for asynchronous file I/O operations, you should wait on the event handle in an OVERLAPPED structure rather than using the file handle for synchronization. |
You cannot use an access-denied ACE to deny only GENERIC_READ or only GENERIC_WRITE access to a file. For file objects, the generic mappings of both GENERIC_READ and GENERIC_WRITE include the SYNCHRONIZE access right (and, as the tables above show, READ_CONTROL as well). Because the access check fails a request as soon as any requested right is covered by a matching access-denied ACE, an ACE that denies GENERIC_WRITE to a trustee also blocks that trustee's request for GENERIC_READ: the request implicitly includes SYNCHRONIZE, which the ACE implicitly denies. The same happens in the other direction, with an ACE that denies GENERIC_READ blocking a GENERIC_WRITE request. Instead of using access-denied ACEs, use access-allowed ACEs that explicitly grant only the permitted access rights, so that anything not granted is refused without a deny ACE spilling over onto shared bits.
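The two tables above and the SYNCHRONIZE caveat, worked through as an added example that is not part of this SDK page. The access-mask constants are copied from winnt.h so the program compiles without the Windows SDK; map_file_generic() reproduces what MapGenericMask does with the file-object generic mapping, and dacl_grants() is a deliberately reduced model of the DACL walk in the Windows access check (trustee names stand in for SIDs, and NULL DACLs, owner-implied rights, MAXIMUM_ALLOWED, inherit-only ACEs and privileges are left out). The token and the two sample DACLs are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Constants copied from winnt.h so this model builds without the Windows SDK. */
#define READ_CONTROL             0x00020000UL
#define SYNCHRONIZE              0x00100000UL
#define STANDARD_RIGHTS_REQUIRED 0x000F0000UL
#define STANDARD_RIGHTS_READ     READ_CONTROL
#define STANDARD_RIGHTS_WRITE    READ_CONTROL   /* same bit as STANDARD_RIGHTS_READ */
#define STANDARD_RIGHTS_EXECUTE  READ_CONTROL
#define GENERIC_READ             0x80000000UL
#define GENERIC_WRITE            0x40000000UL
#define GENERIC_EXECUTE          0x20000000UL
#define GENERIC_ALL              0x10000000UL
#define FILE_READ_DATA           0x0001UL   /* FILE_LIST_DIRECTORY on a directory */
#define FILE_WRITE_DATA          0x0002UL   /* FILE_ADD_FILE on a directory */
#define FILE_APPEND_DATA         0x0004UL   /* FILE_ADD_SUBDIRECTORY on a directory */
#define FILE_READ_EA             0x0008UL
#define FILE_WRITE_EA            0x0010UL
#define FILE_EXECUTE             0x0020UL   /* FILE_TRAVERSE on a directory */
#define FILE_READ_ATTRIBUTES     0x0080UL
#define FILE_WRITE_ATTRIBUTES    0x0100UL
#define FILE_ALL_ACCESS          (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1FFUL)
#define FILE_GENERIC_READ        (STANDARD_RIGHTS_READ | FILE_READ_DATA | FILE_READ_ATTRIBUTES | FILE_READ_EA | SYNCHRONIZE)
#define FILE_GENERIC_WRITE       (STANDARD_RIGHTS_WRITE | FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA | FILE_APPEND_DATA | SYNCHRONIZE)
#define FILE_GENERIC_EXECUTE     (STANDARD_RIGHTS_EXECUTE | FILE_READ_ATTRIBUTES | FILE_EXECUTE | SYNCHRONIZE)

typedef unsigned long ACCESS_MASK;

/* What MapGenericMask() does with the file-object GENERIC_MAPPING: every
   GENERIC_* bit is replaced by the standard and specific rights it stands for. */
ACCESS_MASK map_file_generic(ACCESS_MASK mask)
{
    if (mask & GENERIC_READ)    mask |= FILE_GENERIC_READ;
    if (mask & GENERIC_WRITE)   mask |= FILE_GENERIC_WRITE;
    if (mask & GENERIC_EXECUTE) mask |= FILE_GENERIC_EXECUTE;
    if (mask & GENERIC_ALL)     mask |= FILE_ALL_ACCESS;
    return mask & ~(GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL);
}

typedef enum { ACE_ALLOW, ACE_DENY } ace_type;
typedef struct { ace_type type; const char *trustee; ACCESS_MASK mask; } ace;

static int token_has(const char *const *token, size_t n, const char *trustee)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(token[i], trustee) == 0) return 1;
    return 0;
}

/* Reduced model of the DACL walk: ACEs whose trustee is in the token are taken
   in order; a deny ACE that overlaps any still-unsatisfied requested bit fails
   the request, an allow ACE clears the bits it grants, and the request succeeds
   once nothing is left. Not modelled: NULL DACL, owner-implied rights,
   MAXIMUM_ALLOWED, inherit-only ACEs, privileges. */
int dacl_grants(const ace *dacl, size_t n,
                const char *const *token, size_t ntok, ACCESS_MASK desired)
{
    ACCESS_MASK remaining = map_file_generic(desired);
    for (size_t i = 0; i < n && remaining != 0; i++) {
        if (!token_has(token, ntok, dacl[i].trustee)) continue;
        ACCESS_MASK m = map_file_generic(dacl[i].mask);
        if (dacl[i].type == ACE_DENY) {
            if (m & remaining) return 0;   /* any overlap with a deny ACE fails */
        } else {
            remaining &= ~m;
        }
    }
    return remaining == 0;
}

/* Constructed sample token: user "alice", who is also a member of "everyone".
   The names stand in for SIDs; they are not real SIDs. */
static const char *const alice_token[] = { "alice", "everyone" };
#define NTOK (sizeof alice_token / sizeof alice_token[0])

/* Constructed DACL 1: the pattern the text warns against. The deny ACE sits
   first, as canonical ACE order requires, so it is seen before the allow. */
static const ace deny_write_dacl[] = {
    { ACE_DENY,  "alice",    GENERIC_WRITE },
    { ACE_ALLOW, "everyone", GENERIC_READ | GENERIC_WRITE },
};
/* Constructed DACL 2: the recommended form, allow ACEs only. */
static const ace allow_only_dacl[] = {
    { ACE_ALLOW, "alice", FILE_GENERIC_READ },
};

int deny_write_dacl_grants(ACCESS_MASK desired)
{ return dacl_grants(deny_write_dacl, 2, alice_token, NTOK, desired); }

int allow_only_dacl_grants(ACCESS_MASK desired)
{ return dacl_grants(allow_only_dacl, 1, alice_token, NTOK, desired); }

int main(void)
{
    printf("FILE_GENERIC_READ  = 0x%08lX\n", map_file_generic(GENERIC_READ));
    printf("FILE_GENERIC_WRITE = 0x%08lX\n", map_file_generic(GENERIC_WRITE));
    printf("shared by both     = 0x%08lX (READ_CONTROL | SYNCHRONIZE)\n",
           map_file_generic(GENERIC_READ) & map_file_generic(GENERIC_WRITE));
    printf("deny-GENERIC_WRITE DACL, alice asks GENERIC_READ:  %s\n",
           deny_write_dacl_grants(GENERIC_READ) ? "granted" : "denied");
    printf("allow-only DACL,         alice asks GENERIC_READ:  %s\n",
           allow_only_dacl_grants(GENERIC_READ) ? "granted" : "denied");
    printf("allow-only DACL,         alice asks GENERIC_WRITE: %s\n",
           allow_only_dacl_grants(GENERIC_WRITE) ? "granted" : "denied");
    return 0;
}
```

The first DACL denies alice GENERIC_READ even though the deny ACE names only GENERIC_WRITE, because the mapped masks share READ_CONTROL and SYNCHRONIZE and the walk fails on the first overlapping deny. The second DACL never mentions a deny and still refuses GENERIC_WRITE, since the write-specific bits are simply never cleared; that is the allow-only approach the text recommends.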
You can request the ACCESS_SYSTEM_SECURITY access right to a file or directory object if you want to read or write the object's SACL. This right is not controlled by the DACL; the request succeeds only if the SE_SECURITY_NAME privilege is enabled in the caller's access token. For more information, see Access-Control Lists (ACLs) and SACL Access Right.