NTFSDOC translation, Chapter 2: NTFS Attributes (6)

Source: Internet   Published by: 奥斯卡罗伯特森数据   Editor: 程序博客网   Time: 2024/05/18 02:15
6.4. ACL
Table 2.10. Layout of an ACL
Offset Size Description
0x00 1 ACL Revision
0x01 1 Padding (0x00)
0x02 2 ACL size
0x04 2 ACE count
0x06 2 Padding (0x0000)
The Access Control List (ACL) contains one or many ACEs.
The ACL revision is currently 0x02, on my machine.
The Win32 APIs suggest that 0x01 and 0x06 contain padding 0x00's for alignment purposes.

6.4 ACL
Table 2.10 ACL layout
Offset  Size  Description
0x00    1     ACL revision
0x01    1     Padding (0x00)
0x02    2     ACL size
0x04    2     ACE count
0x06    2     Padding (0x0000)
An Access Control List (ACL) contains one or more ACEs.
The ACL revision is currently 0x02 on my machine.
The Win32 APIs suggest that 0x01 and 0x06 contain 0x00 padding to keep the structure aligned.

6.5. ACE
Table 2.11. Layout of an ACE
Offset Size Description
0x00 1 Type
0x01 1 Flags
0x02 2 Size
0x04 4 Access mask
0x08 V SID

6.5 ACE

Table 2.11 Layout of an ACE
Offset  Size  Description
0x00    1     Type
0x01    1     Flags
0x02    2     Size
0x04    4     Access mask
0x08    V     SID

6.5.1. Types
The currently implemented (in NT) Types are:
Table 2.12. ACE types
Value Description
0x00 Access Allowed
0x01 Access Denied
0x02 System Audit

6.5.1 Types
The types currently implemented (in NT) are:
Table 2.12 ACE types
Value  Description
0x00   Access Allowed
0x01   Access Denied
0x02   System Audit

6.5.2. Flags
Flags is a bit field. The possible values of Flags depend on the value of Type. When applied to a directory, Access Allowed or Access Denied can have flags of
Table 2.13. ACE flags
Value Description
0x01 Object inherits ACE
0x02 Container inherits ACE
0x04 Don't propagate 'Inherit ACE'
0x08 Inherit only ACE
If the Type is System Audit, then the flags can be
Table 2.14. ACE audit flags
Value Description
0x40 Audit on Success
0x80 Audit on Failure

6.5.2 Flags
Flags is a bit field. The possible flag values depend on the value of Type. When applied to a directory, Access Allowed or Access Denied can have the flags in Table 2.13.
Table 2.13 ACE flags
Value  Description
0x01   Object inherits ACE
0x02   Container inherits ACE
0x04   Don't propagate 'Inherit ACE'
0x08   Inherit only ACE
If the Type is System Audit, the flags can be
Table 2.14 ACE audit flags
Value  Description
0x40   Audit on Success
0x80   Audit on Failure

6.5.3. Access Mask / Access Rights
The Access Mask / Rights is a bit field enumerating all the (dis)allowed actions.
Table 2.15. ACE access mask
Bit(Range) Meaning Description / Examples
0 - 15 Object Specific Access Rights Read data, Execute, Append data
16 - 22 Standard Access Rights Delete, Write ACL, Write Owner
23 Can access security ACL
24 - 27 Reserved
28 Generic ALL (Read, Write, Execute) Everything below
29 Generic Execute All things necessary to execute a program
30 Generic Write All things necessary to write to a file
31 Generic Read All things necessary to read a file

6.5.3 Access Mask / Access Rights
The access mask / access rights is a bit field enumerating all the allowed or disallowed operations.
Table 2.15 ACE access mask
Bit (range)  Meaning                              Description / Examples
0-15         Object-specific access rights        Read data, Execute, Append data
16-22        Standard access rights               Delete, Write ACL, Write Owner
23           Can access security ACL
24-27        Reserved
28           Generic ALL (Read, Write, Execute)   Everything below
29           Generic Execute                      Everything needed to execute a program
30           Generic Write                        Everything needed to write a file
31           Generic Read                         Everything needed to read a file

6.6. SID (Security Identifier)
A typical SID looks like: S-1-5-21-646518322-1873620750-619646970-1110
It's composed of 'S-p-q-r-s-t-u-v'
Table 2.16. SID contents
S Security
p Revision number (currently 1)
q NT Authority. This number is divided into 6 bytes (48 bit big-endian number).
r-v NT Sub-authorities (there can be many of these)
On disk the SID is stored as follows:
in dec: S-1-5-21-646518322-1873620750-619646970-1110
in hex: S-1-5-15-26891632-6fad2f0e-24ef0ffa-456 (5 Sub-authorities)
Table 2.17. SID example
0x00 01 05 00 00 00 00 00 05
0x08 15 00 00 00 32 16 89 26
0x10 0e 2f ad 6f fa 0f ef 24
0x18 56 04 00 00
NB This is a variable-length structure. There could have been more, or fewer, sub-authorities, making the structure larger or smaller.

6.6 SID (Security Identifier)
A typical SID looks like this: S-1-5-21-646518322-1873620750-619646970-1110
It is composed of 'S-p-q-r-s-t-u-v'
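The ACL, ACE and SID layouts of Tables 2.10, 2.11 and 2.17 are easiest to check by parsing a real byte string. The Python below is an added example written for this page, not code from NTFSDOC or from any NTFS driver. The SID bytes are those of Table 2.17 and of the S-1-5-32-544 Administrators SID quoted later in this chapter; the ACL header, the two ACEs, their flags and their access masks are constructed here purely as sample input. Every length and count field is bounds-checked before it is trusted, which is the behaviour a forensic parser needs when the data comes straight off a disk image.

```python
import struct

# Table 2.12: ACE types; Tables 2.13 / 2.14: ACE flags; Table 2.15: generic bits of the access mask.
ACE_TYPES = {0x00: "Access Allowed", 0x01: "Access Denied", 0x02: "System Audit"}
ACE_FLAGS = {0x01: "Object inherits ACE", 0x02: "Container inherits ACE",
             0x04: "Don't propagate 'Inherit ACE'", 0x08: "Inherit only ACE"}
AUDIT_FLAGS = {0x40: "Audit on Success", 0x80: "Audit on Failure"}
GENERIC_BITS = {28: "Generic ALL", 29: "Generic Execute", 30: "Generic Write", 31: "Generic Read"}


def parse_sid(buf, off=0):
    """Decode the on-disk SID at buf[off] into its S-1-... text (Table 2.17 layout):
    revision (1), sub-authority count (1), 48-bit big-endian authority (6),
    then count x 32-bit little-endian sub-authorities. Returns (text, end_offset)."""
    if off + 8 > len(buf):
        raise ValueError("truncated SID header")
    rev, count = buf[off], buf[off + 1]
    if rev != 1:
        raise ValueError(f"unsupported SID revision {rev}")
    end = off + 8 + 4 * count
    if end > len(buf):
        raise ValueError("SID sub-authorities run past the end of the buffer")
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from(f"<{count}I", buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs), end


def parse_ace(buf, off):
    """Decode one ACE (Table 2.11): type, flags, size, access mask, then the trustee SID."""
    typ, flags, size, mask = struct.unpack_from("<BBHI", buf, off)
    if size < 8 or off + size > len(buf):
        raise ValueError("ACE size field out of range")
    sid, _ = parse_sid(buf, off + 8)
    flag_table = AUDIT_FLAGS if typ == 0x02 else ACE_FLAGS   # audit ACEs use Table 2.14
    return {
        "type": ACE_TYPES.get(typ, "unknown (0x%02x)" % typ),
        "flags": [name for bit, name in flag_table.items() if flags & bit],
        "mask": mask,
        "generic": [name for bit, name in GENERIC_BITS.items() if (mask >> bit) & 1],
        "sid": sid,
    }, off + size   # the size field, not the SID length, locates the next ACE


def parse_acl(buf, off=0):
    """Decode an ACL header (Table 2.10) and walk its ACEs, bounds-checking every step."""
    rev, _pad, acl_size, ace_count, _pad2 = struct.unpack_from("<BBHHH", buf, off)
    if rev != 0x02:
        raise ValueError(f"unexpected ACL revision {rev}")
    if acl_size < 8 or off + acl_size > len(buf):
        raise ValueError("ACL size field out of range")
    aces, pos = [], off + 8
    for _ in range(ace_count):
        if pos + 8 > off + acl_size:
            raise ValueError("ACE count runs past the ACL size")
        ace, pos = parse_ace(buf[:off + acl_size], pos)   # an ACE may not leave its ACL
        aces.append(ace)
    return {"revision": rev, "size": acl_size, "ace_count": ace_count, "aces": aces}


# Constructed sample data: the SID bytes from Table 2.17 and the Administrators SID S-1-5-32-544.
SID_TABLE_2_17 = bytes.fromhex("0105000000000005" "15000000" "32168926" "0e2fad6f" "fa0fef24" "56040000")
SID_ADMINS = bytes.fromhex("0102000000000005" "20000000" "20020000")

# Two constructed ACEs: an Access Allowed ACE granting Generic Read + Generic Write that inherits to
# objects and containers, and an Access Denied ACE carrying one standard-rights bit (bit 16).
_ACE_ALLOW = struct.pack("<BBHI", 0x00, 0x03, 8 + len(SID_TABLE_2_17), 0xC0000000) + SID_TABLE_2_17
_ACE_DENY = struct.pack("<BBHI", 0x01, 0x00, 8 + len(SID_ADMINS), 0x00010000) + SID_ADMINS
SAMPLE_ACL = struct.pack("<BBHHH", 0x02, 0, 8 + len(_ACE_ALLOW) + len(_ACE_DENY), 2, 0) + _ACE_ALLOW + _ACE_DENY

if __name__ == "__main__":
    for ace in parse_acl(SAMPLE_ACL)["aces"]:
        print(ace)
```

Note that the walk advances by each ACE's own size field rather than by the length of the SID it happens to contain; that is what the format specifies, and it is also why the size must be checked against the ACL size, since a corrupt or hostile value would otherwise let the parser read past the structure.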

6.6.1. Security Descriptor Control Flags
Table 2.18. Security Descriptor Control Flags
Flag Description
0x0001 Owner Defaulted
0x0002 Group Defaulted
0x0004 DACL Present
0x0008 DACL Defaulted
0x0010 SACL Present
0x0020 SACL Defaulted
0x0100 DACL Auto Inherit Req
0x0200 SACL Auto Inherit Req
0x0400 DACL Auto Inherited
0x0800 SACL Auto Inherited
0x1000 DACL Protected
0x2000 SACL Protected
0x4000 RM Control Valid
0x8000 Self Relative

6.6.1 Security Descriptor Control Flags
Table 2.18 Security Descriptor Control Flags
Flag    Description
0x0001  Owner Defaulted
0x0002  Group Defaulted
0x0004  DACL Present
0x0008  DACL Defaulted
0x0010  SACL Present
0x0020  SACL Defaulted
0x0100  DACL Auto Inherit Req
0x0200  SACL Auto Inherit Req
0x0400  DACL Auto Inherited
0x0800  SACL Auto Inherited
0x1000  DACL Protected
0x2000  SACL Protected
0x4000  RM Control Valid
0x8000  Self Relative


6.6.1.1. OWNER DEFAULTED
This boolean flag, when set, indicates that the SID pointed to by the Owner field was provided by a defaulting mechanism rather than explicitly provided by the original provider of the security descriptor.
This may affect the treatment of the SID with respect to inheritance of an owner.

6.6.1.1 Owner Defaulted
This is a boolean flag; when set, it means that the SID pointed to by the Owner field was provided by a defaulting mechanism rather than explicitly by the original provider of the security descriptor. This will affect how the SID is treated with respect to inheritance of an owner.

6.6.1.2. GROUP DEFAULTED
This boolean flag, when set, indicates that the SID in the Group field was provided by a defaulting
mechanism rather than explicitly provided by the original provider of the security descriptor. This may
affect the treatment of the SID with respect to inheritance of a primary group.

6.6.1.2 Group Defaulted
This is a boolean flag; when set, it means that the SID in the Group field was provided by a defaulting mechanism rather than explicitly by the original provider of the security descriptor. This will affect how the SID is treated with respect to inheritance of a primary group.

6.6.1.3. DACL PRESENT
This boolean flag, when set, indicates that the security descriptor contains a discretionary ACL. If this
flag is set and the Dacl field of the SECURITY DESCRIPTOR is null, then a null ACL is explicitly being specified.

6.6.1.3 DACL Present
This is a boolean flag; when set, it means that the security descriptor contains a discretionary ACL. If this flag is set and the DACL field of the security descriptor is NULL, then a NULL ACL is explicitly specified.

6.6.1.4. DACL DEFAULTED
This boolean flag, when set, indicates that the ACL pointed to by the Dacl field was provided by a defaulting mechanism rather than explicitly provided by the original provider of the security descriptor.
This may affect the treatment of the ACL with respect to inheritance of an ACL. This flag is ignored if
the DaclPresent flag is not set.

6.6.1.4 DACL Defaulted
This is a boolean flag; when set, it means that the ACL pointed to by the DACL field was provided by a defaulting mechanism rather than explicitly by the original provider of the security descriptor. This will affect how the ACL is treated with respect to inheritance of an ACL. When the DACL PRESENT flag is not set, this flag is ignored.

6.6.1.5. SACL PRESENT
This boolean flag, when set, indicates that the security descriptor contains a system ACL pointed to by
the Sacl field. If this flag is set and the Sacl field of the SECURITY DESCRIPTOR is null, then an
empty (but present) ACL is being specified.

6.6.1.5 SACL Present
This is a boolean flag; when set, it means that the security descriptor contains a system ACL pointed to by the SACL field.
If this flag is set and the SACL field of the security descriptor is empty, then an empty ACL is specified.

6.6.1.6. SACL DEFAULTED
This boolean flag, when set, indicates that the ACL pointed to by the Sacl field was provided by a defaulting mechanism rather than explicitly provided by the original provider of the security descriptor.
This may affect the treatment of the ACL with respect to inheritance of an ACL. This flag is ignored if
the SaclPresent flag is not set.

6.6.1.6 SACL Defaulted
This is a boolean flag; when set, it means that the ACL pointed to by the SACL field was provided by a defaulting mechanism rather than explicitly by the original provider of the security descriptor. This may affect how the ACL is treated with respect to inheritance of an ACL. If the SACL PRESENT flag is not set, this flag is ignored.

6.6.1.7. SELF RELATIVE
This boolean flag, when set, indicates that the security descriptor is in self-relative form. In this form, all
fields of the security descriptor are contiguous in memory and all pointer fields are expressed as offsets
from the beginning of the security descriptor.

6.6.1.7 Self Relative
This is a boolean flag; when set, it means that the security descriptor is in self-relative form. In this form, all fields of the security descriptor are contiguous in memory, and all pointer fields are expressed as offsets from the start of the security descriptor.
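Sections 6.6.1.3 to 6.6.1.7 describe rules about the control word rather than a byte layout, so the following Python is an added example written for this page (not NTFSDOC's or Microsoft's code) that applies those rules to a self-relative descriptor. It assumes the header layout of the Win32 SECURITY_DESCRIPTOR_RELATIVE structure, which this section does not give: a revision byte, a reserved byte, the 16-bit control word of Table 2.18, and four 32-bit offsets to Owner, Group, Sacl and Dacl. The three sample descriptors are constructed here to exercise the three cases the text distinguishes for the DACL: absent, explicitly NULL, and present at an offset.

```python
import struct

# Table 2.18 control flags.
CONTROL_FLAGS = {
    0x0001: "Owner Defaulted", 0x0002: "Group Defaulted",
    0x0004: "DACL Present", 0x0008: "DACL Defaulted",
    0x0010: "SACL Present", 0x0020: "SACL Defaulted",
    0x0100: "DACL Auto Inherit Req", 0x0200: "SACL Auto Inherit Req",
    0x0400: "DACL Auto Inherited", 0x0800: "SACL Auto Inherited",
    0x1000: "DACL Protected", 0x2000: "SACL Protected",
    0x4000: "RM Control Valid", 0x8000: "Self Relative",
}
SE_SELF_RELATIVE = 0x8000

# Assumed header layout (Win32 SECURITY_DESCRIPTOR_RELATIVE, not described in this section):
# Revision (1), Sbz1 (1), Control (2), then 32-bit offsets to Owner, Group, Sacl and Dacl,
# all measured from the start of the descriptor (6.6.1.7).
SD_HEADER = struct.Struct("<BBHIIII")


def decode_control(control):
    """Name every set bit of the 16-bit control word; bits outside Table 2.18 are reported numerically."""
    names = [name for bit, name in CONTROL_FLAGS.items() if control & bit]
    unknown = control & ~sum(CONTROL_FLAGS)
    if unknown:
        names.append("unknown bits 0x%04x" % unknown)
    return names


def classify_acl(control, present_bit, defaulted_bit, offset, kind):
    """Apply 6.6.1.3 to 6.6.1.6 to one ACL field.
    present bit clear          -> no ACL at all, and the Defaulted bit is ignored
    present bit set, offset 0  -> a NULL DACL (explicitly no protection: every access is granted)
                                  or an empty-but-present SACL
    present bit set, offset>0  -> the ACL lives at that offset"""
    if not control & present_bit:
        return {"state": "absent", "defaulted": None}
    state = "present" if offset else ("null" if kind == "DACL" else "empty")
    return {"state": state, "offset": offset, "defaulted": bool(control & defaulted_bit)}


def inspect_descriptor(buf):
    """Parse the header of a self-relative descriptor and explain what its control word means."""
    if len(buf) < SD_HEADER.size:
        raise ValueError("buffer shorter than a security descriptor header")
    rev, _sbz1, control, owner, group, sacl, dacl = SD_HEADER.unpack_from(buf, 0)
    if rev != 1:
        raise ValueError(f"unsupported security descriptor revision {rev}")
    if not control & SE_SELF_RELATIVE:
        raise ValueError("not self-relative: the four fields would be absolute pointers, not offsets")
    for off in (owner, group, sacl, dacl):          # every non-zero offset must land inside the blob
        if off and not (SD_HEADER.size <= off < len(buf)):
            raise ValueError("offset 0x%x points outside the descriptor" % off)
    return {
        "control": decode_control(control),
        "owner_offset": owner, "group_offset": group,
        "dacl": classify_acl(control, 0x0004, 0x0008, dacl, "DACL"),
        "sacl": classify_acl(control, 0x0010, 0x0020, sacl, "SACL"),
    }


# Constructed samples: only the parts needed to exercise the control word are present.
_ADMINS_SID = bytes.fromhex("0102000000000005" "20000000" "20020000")   # S-1-5-32-544
_EMPTY_ACL = struct.pack("<BBHHH", 0x02, 0, 8, 0, 0)                     # revision 2, zero ACEs

SD_NULL_DACL = SD_HEADER.pack(1, 0, 0x8004, 0, 0, 0, 0)     # DACL Present, Dacl offset 0 -> NULL DACL
SD_NO_DACL = SD_HEADER.pack(1, 0, 0x8008, 0, 0, 0, 0)       # DACL Defaulted set but DACL Present clear
SD_WITH_DACL = (SD_HEADER.pack(1, 0, 0x8005, SD_HEADER.size, 0, 0, SD_HEADER.size + len(_ADMINS_SID))
                + _ADMINS_SID + _EMPTY_ACL)                  # owner SID at 20, empty DACL at 36

if __name__ == "__main__":
    for name, sd in (("null DACL", SD_NULL_DACL), ("no DACL", SD_NO_DACL), ("with DACL", SD_WITH_DACL)):
        print(name, inspect_descriptor(sd))
```

The distinction between "absent" and "null" is the one that matters when auditing descriptors: a NULL DACL with DACL Present set is an explicit statement that nothing is protected, whereas a clear DACL Present bit says only that no DACL was supplied, and in that case the DACL Defaulted bit carries no information at all.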


The SID structure is a variable-length structure used to uniquely identify
users or groups. SID stands for security identifier.
The standard textual representation of the SID is of the form:
S-R-I-S-S...

The SID structure is a variable-length structure used to uniquely identify users or groups. SID stands for Security Identifier.
The standard textual representation of a SID is as follows:
S-R-I-S-S...

Where:
- The first "S" is the literal character 'S' identifying the following
digits as a SID.
- R is the revision level of the SID expressed as a sequence of digits
either in decimal or hexadecimal (if the latter, prefixed by "0x").
- I is the 48-bit identifier_authority, expressed as digits as R above.
- S... is one or more sub_authority values, expressed as digits as above.

Where:
- The first "S" is the literal character 'S', identifying the digits that follow as a SID.
- R is the revision level of the SID, expressed as a sequence of decimal or hexadecimal digits (if the latter, prefixed with 0x).
- I is the 48-bit identifier authority, expressed as digits in the same way as R above.
- S... is one or more sub-authority values, expressed as digits in the same way as above.

Example SID; the domain-relative SID of the local Administrators group on
Windows NT/2k:
S-1-5-32-544
This translates to a SID with:
revision = 1,
sub_authority_count = 2,
identifier_authority = {0,0,0,0,0,5}, SECURITY_NT_AUTHORITY
sub_authority[0] = 32, SECURITY_BUILTIN_DOMAIN_RID
sub_authority[1] = 544 DOMAIN_ALIAS_RID_ADMINS

Example SID: the domain-relative SID of the local Administrators group on Windows NT/2k:
S-1-5-32-544
This SID translates to:
revision = 1
sub_authority_count = 2
identifier_authority = {0,0,0,0,0,5}, SECURITY_NT_AUTHORITY
sub_authority[0] = 32, SECURITY_BUILTIN_DOMAIN_RID
sub_authority[1] = 544 DOMAIN_ALIAS_RID_ADMINS
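The S-R-I-S-S... grammar above, with its decimal-or-0x-hexadecimal numbers, and the field breakdown of S-1-5-32-544 can be turned into a small validating parser. The Python below is an added example written for this page, not code from NTFSDOC or Windows; it assumes only what the text states, plus the Win32 limit of 15 sub-authorities per SID, which this page does not mention. It parses the textual form into the revision, sub_authority_count, identifier_authority and sub_authority fields listed above, serialises them in the on-disk order of Table 2.17, and rejects strings that violate the grammar or the field widths.

```python
import re
import struct

# Grammar from the text: "S", then R, I and one or more S values, each either decimal
# digits or hexadecimal digits prefixed with "0x".
_NUM = r"(?:0[xX][0-9a-fA-F]+|[0-9]+)"
_SID_TEXT = re.compile(r"^S-(?P<rev>%s)-(?P<auth>%s)(?P<subs>(?:-%s)+)$" % (_NUM, _NUM, _NUM))

SID_MAX_SUB_AUTHORITIES = 15     # Win32 limit; assumed here, not stated on this page


def _number(token):
    """Decode one grammar token: "0x" prefix means hexadecimal, otherwise decimal."""
    return int(token, 16) if token[:2].lower() == "0x" else int(token, 10)


def parse_sid_text(text):
    """Break an S-R-I-S-S... string into the fields listed for S-1-5-32-544, validating each."""
    m = _SID_TEXT.match(text.strip())
    if not m:
        raise ValueError(f"not a textual SID: {text!r}")
    revision = _number(m.group("rev"))
    authority = _number(m.group("auth"))
    subs = [_number(t) for t in m.group("subs").split("-")[1:]]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if authority >= 1 << 48:
        raise ValueError("identifier_authority does not fit in 48 bits")
    if len(subs) > SID_MAX_SUB_AUTHORITIES:
        raise ValueError("too many sub-authorities")
    if any(s >= 1 << 32 for s in subs):
        raise ValueError("sub_authority does not fit in 32 bits")
    return {
        "revision": revision,
        "sub_authority_count": len(subs),
        "identifier_authority": list(authority.to_bytes(6, "big")),   # e.g. {0,0,0,0,0,5}
        "sub_authority": subs,
    }


def sid_to_bytes(sid):
    """Serialise the parsed fields in the on-disk order of Table 2.17:
    revision, count, 6-byte big-endian authority, little-endian sub-authorities."""
    subs = sid["sub_authority"]
    return (bytes([sid["revision"], sid["sub_authority_count"]])
            + bytes(sid["identifier_authority"])
            + struct.pack("<%dI" % len(subs), *subs))


def sid_to_text(sid):
    """Inverse of parse_sid_text, always emitted in decimal."""
    authority = int.from_bytes(bytes(sid["identifier_authority"]), "big")
    return "S-%d-%d%s" % (sid["revision"], authority,
                          "".join("-%d" % s for s in sid["sub_authority"]))


if __name__ == "__main__":
    admins = parse_sid_text("S-1-5-32-544")
    print(admins)
    print(sid_to_bytes(admins).hex())
```

Because the grammar accepts hexadecimal tokens, "S-0x1-0x5-0x20-0x220" parses to exactly the same fields as "S-1-5-32-544"; anything that compares SIDs as raw strings rather than as parsed fields will treat those two as different principals, which is the kind of mismatch that makes allow-list checks unreliable.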



ACE Types
ACCESS_MIN_MS_ACE_TYPE = 0
ACCESS_ALLOWED_ACE_TYPE = 0
ACCESS_DENIED_ACE_TYPE = 1
SYSTEM_AUDIT_ACE_TYPE = 2
SYSTEM_ALARM_ACE_TYPE = 3 Not implemented as of Win2k.
ACCESS_MAX_MS_V2_ACE_TYPE = 3
ACCESS_ALLOWED_COMPOUND_ACE_TYPE = 4
ACCESS_MAX_MS_V3_ACE_TYPE = 4
The following are Win2k only.
ACCESS_MIN_MS_OBJECT_ACE_TYPE = 5
ACCESS_ALLOWED_OBJECT_ACE_TYPE = 5
ACCESS_DENIED_OBJECT_ACE_TYPE = 6
SYSTEM_AUDIT_OBJECT_ACE_TYPE = 7
SYSTEM_ALARM_OBJECT_ACE_TYPE = 8
ACCESS_MAX_MS_OBJECT_ACE_TYPE = 8
ACCESS_MAX_MS_V4_ACE_TYPE = 8
This one is for WinNT&2k.
ACCESS_MAX_MS_ACE_TYPE = 8

ACE Types
ACCESS_MIN_MS_ACE_TYPE = 0
ACCESS_ALLOWED_ACE_TYPE = 0
ACCESS_DENIED_ACE_TYPE = 1
SYSTEM_AUDIT_ACE_TYPE = 2
SYSTEM_ALARM_ACE_TYPE = 3 Not implemented in Win2k.
ACCESS_MAX_MS_V2_ACE_TYPE = 3
ACCESS_ALLOWED_COMPOUND_ACE_TYPE = 4
ACCESS_MAX_MS_V3_ACE_TYPE = 4
The following exist only in Win2k.
ACCESS_MIN_MS_OBJECT_ACE_TYPE = 5
ACCESS_ALLOWED_OBJECT_ACE_TYPE = 5
ACCESS_DENIED_OBJECT_ACE_TYPE = 6
SYSTEM_AUDIT_OBJECT_ACE_TYPE = 7
SYSTEM_ALARM_OBJECT_ACE_TYPE = 8
ACCESS_MAX_MS_OBJECT_ACE_TYPE = 8
ACCESS_MAX_MS_V4_ACE_TYPE = 8
This one is for WinNT and 2k.
ACCESS_MAX_MS_ACE_TYPE = 8