6.4. ACL
Table 2.10. Layout of an ACL
| Offset | Size | Description |
| --- | --- | --- |
| 0x00 | 1 | ACL Revision |
| 0x01 | 1 | Padding (0x00) |
| 0x02 | 2 | ACL size |
| 0x04 | 2 | ACE count |
| 0x06 | 2 | Padding (0x0000) |
The Access Control List (ACL) contains one or many ACEs.
The ACL revision is currently 0x02, on my machine.
The Win32 APIs suggest that offsets 0x01 and 0x06 contain 0x00 padding for alignment purposes.
6.5. ACE
Table 2.11. Layout of an ACE
| Offset | Size | Description |
| --- | --- | --- |
| 0x00 | 1 | Type |
| 0x01 | 1 | Flags |
| 0x02 | 2 | Size |
| 0x04 | 4 | Access mask |
| 0x08 | V | SID |
6.5.1. Types
The currently implemented (in NT) Types are:
Table 2.12. ACE types
| Value | Description |
| --- | --- |
| 0x00 | Access Allowed |
| 0x01 | Access Denied |
| 0x02 | System Audit |
6.5.2. Flags
Flags are a bit domain. The possible values of Flags depend on the value of Type.
When applied to a directory, Access Allowed or Access Denied can have flags of
Table 2.13. ACE flags
| Value | Description |
| --- | --- |
| 0x01 | Object inherits ACE |
| 0x02 | Container inherits ACE |
| 0x04 | Don't propagate 'Inherit ACE' |
| 0x08 | Inherit only ACE |
If the Type is System Audit, then the flags can be
Table 2.14. ACE audit flags
| Value | Description |
| --- | --- |
| 0x40 | Audit on Success |
| 0x80 | Audit on Failure |
6.5.3. Access Mask / Access Rights
The Access Mask / Rights are a bit domain enumerating all the allowed or disallowed actions.
Table 2.15. ACE access mask
| Bit (Range) | Meaning | Description / Examples |
| --- | --- | --- |
| 0 - 15 | Object Specific Access Rights | Read data, Execute, Append data |
| 16 - 22 | Standard Access Rights | Delete, Write ACL, Write Owner |
| 23 | Can access security ACL | |
| 24 - 27 | Reserved | |
| 28 | Generic ALL (Read, Write, Execute) | Everything below |
| 29 | Generic Execute | All things necessary to execute a program |
| 30 | Generic Write | All things necessary to write to a file |
| 31 | Generic Read | All things necessary to read a file |
6.6. SID (Security Identifier)
A typical SID looks like: S-1-5-21-646518322-1873620750-619646970-1110
It's composed of 'S-p-q-r-s-t-u-v'
Table 2.16. SID contents
| Part | Meaning |
| --- | --- |
| S | Security |
| p | Revision number (currently 1) |
| q | NT Authority. This number is divided into 6 bytes (a 48-bit big-endian number). |
| r-v | NT Sub-authorities (there can be many of these) |
On disk the SID is stored as follows:
In dec: S-1-5-21-646518322-1873620750-619646970-1110
In hex: S-1-5-15-26891632-6fad2f0e-24ef0ffa-456 (5 sub-authorities)
S means SID, 1 is the version number, 5 is the authorization identifier, 21 is the sub-authorization, 646518322 is an SA (Security Association), 1873620750 is the domain ID, 619646970 is also an SA, and 1110 is the User ID.
Table 2.17. SID example
| Offset | +0 | +1 | +2 | +3 | +4 | +5 | +6 | +7 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 0x00 | 01 | 05 | 00 | 00 | 00 | 00 | 00 | 05 |
| 0x08 | 15 | 00 | 00 | 00 | 32 | 16 | 89 | 26 |
| 0x10 | 0e | 2f | ad | 6f | fa | 0f | ef | 24 |
| 0x18 | 56 | 04 | 00 | 00 | | | | |
This is a variable-length structure. There could have been more, or fewer, sub-authorities, making the structure larger, or smaller.
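The following parser ties sections 6.4 to 6.6 together: it walks an ACL header (Table 2.10), each ACE (Tables 2.11 to 2.15) and the SID inside it (Tables 2.16 and 2.17), checking every size field against its container so that an ACL whose ACE count or size fields disagree is rejected instead of read past its end. It is an added example, not code from the linux-ntfs project; the SID bytes are those of Table 2.17, while the two-ACE ACL wrapped around them, the builder helpers and the dictionary field names are constructed here for illustration.

```python
"""Parse an NTFS ACL, its ACEs and their SIDs (layouts from Tables 2.10 to 2.17).
Added example, not linux-ntfs code; the sample ACL below is constructed."""
import struct

ACE_TYPES = {0x00: "Access Allowed", 0x01: "Access Denied", 0x02: "System Audit"}

# Tables 2.13 and 2.14: which flag bits are meaningful depends on the ACE type.
INHERIT_FLAGS = {0x01: "Object inherits ACE", 0x02: "Container inherits ACE",
                 0x04: "Don't propagate 'Inherit ACE'", 0x08: "Inherit only ACE"}
AUDIT_FLAGS = {0x40: "Audit on Success", 0x80: "Audit on Failure"}

# Table 2.15, bits 28 to 31 of the access mask.
GENERIC_BITS = {28: "Generic ALL", 29: "Generic Execute",
                30: "Generic Write", 31: "Generic Read"}


def parse_sid(buf, off, end):
    """Return (textual SID, byte length). Layout: revision, sub-authority count,
    48-bit big-endian authority, then little-endian 32-bit sub-authorities."""
    if off + 8 > end:
        raise ValueError("SID header overruns its container")
    revision, count = buf[off], buf[off + 1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    size = 8 + 4 * count                      # variable length: 8 + 4 per sub-authority
    if off + size > end:
        raise ValueError("SID sub-authorities overrun their container")
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs)), size


def decode_mask(mask):
    """Split a 32-bit access mask into the fields of Table 2.15."""
    return {
        "specific": mask & 0xFFFF,               # bits 0-15, object specific rights
        "standard": (mask >> 16) & 0x7F,         # bits 16-22, standard rights
        "access_sacl": bool(mask & (1 << 23)),   # bit 23
        "reserved": (mask >> 24) & 0x0F,         # bits 24-27, expected to be zero
        "generic": [name for bit, name in GENERIC_BITS.items() if mask & (1 << bit)],
    }


def parse_ace(buf, off, end):
    """Parse one ACE (Table 2.11); returns (dict, size). `end` bounds the enclosing ACL."""
    if off + 8 > end:
        raise ValueError("ACE header overruns ACL")
    ace_type, flags, size, mask = struct.unpack_from("<BBHI", buf, off)
    if size < 8 or off + size > end:
        raise ValueError("ACE size 0x%x inconsistent with ACL size" % size)
    sid, _ = parse_sid(buf, off + 8, off + size)   # the SID must fit inside the ACE
    table = AUDIT_FLAGS if ace_type == 0x02 else INHERIT_FLAGS
    return {
        "type": ACE_TYPES.get(ace_type, "Unknown (0x%02x)" % ace_type),
        "flags": [name for bit, name in table.items() if flags & bit],
        "unknown_flags": flags & ~sum(table),    # flag bits outside the table for this type
        "mask": decode_mask(mask),
        "sid": sid,
    }, size


def parse_acl(buf, off=0):
    """Parse an ACL header (Table 2.10) and walk its ACEs, validating every size field."""
    if off + 8 > len(buf):
        raise ValueError("buffer too short for ACL header")
    revision, pad1, acl_size, ace_count, pad2 = struct.unpack_from("<BBHHH", buf, off)
    if revision != 2:
        raise ValueError("unexpected ACL revision %d" % revision)
    if acl_size < 8 or off + acl_size > len(buf):
        raise ValueError("ACL size 0x%x exceeds buffer" % acl_size)
    end, pos, aces = off + acl_size, off + 8, []
    for _ in range(ace_count):
        ace, size = parse_ace(buf, pos, end)
        aces.append(ace)
        pos += size
    return {"revision": revision, "size": acl_size,
            "padding_zero": pad1 == 0 and pad2 == 0, "aces": aces}


def is_valid_acl(buf):
    """True when the ACL and every ACE/SID inside it parse with consistent sizes."""
    try:
        parse_acl(buf)
        return True
    except ValueError:
        return False


# The 28 SID bytes of Table 2.17 (S-1-5-21-646518322-1873620750-619646970-1110).
SID_BYTES = bytes.fromhex("0105000000000005" "1500000032168926"
                          "0e2fad6ffa0fef24" "56040000")


def build_ace(ace_type, flags, mask, sid):
    return struct.pack("<BBHI", ace_type, flags, 8 + len(sid), mask) + sid


def build_acl(aces):
    body = b"".join(aces)
    return struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body


# Constructed sample: an inheritable Access Allowed ACE granting Generic Read and
# Generic Execute, then a System Audit ACE on the Delete right (standard bit 16).
SAMPLE_ACL = build_acl([
    build_ace(0x00, 0x01 | 0x02, (1 << 31) | (1 << 29), SID_BYTES),
    build_ace(0x02, 0x40 | 0x80, 1 << 16, SID_BYTES),
])

if __name__ == "__main__":
    for ace in parse_acl(SAMPLE_ACL)["aces"]:
        print(ace["type"], ace["flags"], ace["mask"]["generic"], ace["sid"])
```

The bounds passed down at each level (buffer, then ACL size, then ACE size) are what make the parser safe on a crafted or corrupted security descriptor: a truncated buffer, an ACE count larger than the ACL can hold, or a SID whose sub-authority count exceeds its ACE all raise `ValueError` rather than reading outside the structure.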
