FAQ SearchLogin
Tuxera Home
View unanswered posts | View active topics It is currently Mon Jun 21, 2021 03:45



Post new topic Reply to topic  [ 18 posts ] 
Security descriptor missing error 
Author Message

Joined: Tue Nov 15, 2011 09:28
Posts: 9
Post Security descriptor missing error
Hello there,

i used ntfs3g on windows. (i trying porting for windows)

i have a question.

runed chkdsk. i met security missing error.

"security descriptor for file 512323 is missing or invalid.

so, i checked security descriptor by secaudit (for win).

that security descriptor contants some diffrent other files.

this is security descriptor maked ntfs3g.
"01000480 48000000 58000000 00000000 "
14000000 02003400 02000000 00001400
ff011f00 01010000 00000005 12000000
00001800 ff011f00 01020000 00000005
20000000 20020000 01020000 00000005
20000000 20020000 01010000 00000005
12000000

other file's security descriptor more long this.

could you advise for me?

thank you.
regards


Tue Nov 15, 2011 09:46
Profile
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Post Re: Security descriptor missing error
Hi,

Quote:
i used ntfs3g on windows. (i trying porting for windows)
i have a question.
runed chkdsk. i met security missing error.

The security part of ntfs-3g is designed for mapping Unix-type protections onto ntfs. Most of it is not relevant when executing on Windows.

Quote:
"security descriptor for file 512323 is missing or invalid.

so, i checked security descriptor by secaudit (for win).
that security descriptor contants some diffrent other files.

this is security descriptor maked ntfs3g.
"01000480 48000000 58000000 00000000 "
14000000 02003400 02000000 00001400
ff011f00 01010000 00000005 12000000
00001800 ff011f00 01020000 00000005
20000000 20020000 01020000 00000005
20000000 20020000 01010000 00000005
12000000

The security descriptor above is (syntactically) correct, and I could not get chkdsk to output any error (I have tried two different chkdsk versions).

Quote:
other file's security descriptor more long this.

This is because the security descriptor is owned by built-in owner and group (administrator and system), whose SIDs are shorter than user-defined owner and group. Moreover no user is defined to be allowed to read, write or change permissions to the file. Only the administrator is allowed to access the file, and this makes the descriptor even shorter. Note : you can use the "-vv" option of secaudit to display the descriptor details.

This is probably not what you had wanted, and to fix it, you need to get the SIDs of the file owner and group, and define appropriate permissions. The usual way to define permissions in Windows is to inherit them from the parent directory. If this is what you want, you have to collect the descriptor for the parent directory and adapt the ntfs-3g code for processing the option "inherit".

Regards

Jean-Pierre


Tue Nov 15, 2011 15:54
Profile

Joined: Tue Nov 15, 2011 09:28
Posts: 9
Post Re: Security descriptor missing error
thank you~ Jean

you advised to me,

"The usual way to define permissions in Windows is to inherit them from the parent directory"

I tried, change security descriptor contents, but i can't change that.

i tried change constant value (ex-ACL_REVISION and funtion ntfs_sd_add_everyone)

i used, call ntfs_fuse_unlink(FileName,NtfsFuseContext)->ntfs_fuse_create(FileName, S_IFREG , 0, NULL, (struct fuse_file_info*)NULL,NtfsFuseContext) -> ntfs_fuse_write(FileName, buf, size, offset, NULL, NtfsFuseContext) for make files.

* NtfsFuseContext is ctx (ntfs_fuse_context_t)

Did ntfs_fuse_write change security descriptor?

Regards


Tue Nov 22, 2011 16:35
Profile
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Post Re: Security descriptor missing error
Hi Jessica,

I do not understand what you are trying to do on what base. Before considering security descriptors, do you have a working environment to create files and access them ? Maybe you explain why ntfs-3g does not suit your needs ?
Quote:
Did ntfs_fuse_write change security descriptor?

ntfs_fuse_write() does not change the security descriptor, it only accesses it to check whether the calling process is allowed to write to the file. For changing a security descriptor see ntfs_fuse_chmod() or ntfs_fuse_chown(). These functions expect Unix-type owner, group and permissions, what is your input like ?

Regards

Jean-Pierre


Tue Nov 22, 2011 23:21
Profile

Joined: Wed Nov 23, 2011 09:11
Posts: 35
Post Re: Security descriptor missing error
Hi Jessica,

I am planning to porting ntfs-3g for windows too. But I am not sure how to deal with the /dev/fuse file which is used on linux platform.
It seems that all communications between the user space ntfs-3g project and the FUSE kernel module are changed to operations of this file.
Is this file still needed on windows platform? Should I also porting the kernel FUSE fs and VFS functions to windows platform too?
Or, the file is not necessary any more because the low level functions are implemented in win32_io.c
I am curious about this. Really appreciated if any feedback from you or anyone else.
Thanks.

Ryan


Wed Nov 23, 2011 10:56
Profile

Joined: Tue Nov 15, 2011 09:28
Posts: 9
Post Re: Security descriptor missing error
thanks jean.

I tied make some windows file use ntfs3g on boot time.

so i used some function (unlink / create / write / doesn't use setxattr).

and i succed make files. but that files have some problem (security descriptor missing error).

i want fix security descriptor missing error.

i think. that problem is my file's security descriptor is worng.
so tried change ntfs_sd_add_everyone function and security descriptor revision contents, but dosen't apply.

Regards.


Wed Nov 23, 2011 13:33
Profile
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Post Re: Security descriptor missing error
Hi

@ryan :
Quote:
I am planning to porting ntfs-3g for windows too. But I am not sure how to deal with the /dev/fuse file which is used on linux platform.
It seems that all communications between the user space ntfs-3g project and the FUSE kernel module are changed to operations of this file.

/dev/fuse is a kind of mailbox to which the kernel posts the user requests to access a file (open, read, write, chmod, etc.). fuse then formats the requests and calls the appropriate function in a file system driver such as ntfs-3g.
Quote:
Is this file still needed on windows platform? Should I also porting the kernel FUSE fs and VFS functions to windows platform too?

Most likely you need not fuse or the Linux vfs, but you need something to hijack the user requests and forward them to ntfs-3g.
Quote:
Or, the file is not necessary any more because the low level functions are implemented in win32_io.c
I am curious about this.

The low level functions (actual read and write to device) have no relation to /dev/fuse. win32_io.c may be used for that (at least as a starting point).

Regards

Jean-Pierre


Wed Nov 23, 2011 16:13
Profile
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Post Re: Security descriptor missing error
Hi Jessica,

Quote:
I tied make some windows file use ntfs3g on boot time.

Which operating system are you using ?
Quote:
and i succed make files. but that files have some problem (security descriptor missing error).

When you create a file, you must define who are its owner and group, and what are the permissions. This is what is needed to build the security descriptor. In your situation, where do you get this information from, and what are the formats used ?
Quote:
i think. that problem is my file's security descriptor is worng.

What makes you think that ? Do you get an error message ? in what circumstances ?

Maybe the operating system you are using requires you have some permission to set permissions on a file, or the current process must be the owner of the file being created.
Quote:
so tried change ntfs_sd_add_everyone function and security descriptor revision contents, but dosen't apply.

The function is probably correct, most likely you are calling it in a wrong way, such as calling with inappropriate arguments.

Regards

Jean-Pierre


Wed Nov 23, 2011 16:34
Profile

Joined: Wed Nov 23, 2011 09:11
Posts: 35
Post Re: Security descriptor missing error
Thanks Jean. Now I have a much clear understanding about the arch.


Thu Nov 24, 2011 03:29
Profile

Joined: Tue Nov 15, 2011 09:28
Posts: 9
Post Re: Security descriptor missing error
Thanks Jean,

i want without an OS. and, make windows files. and use on windows.

so, i think, i can't get information. i want to use the default value or randomly set the value.

why am i think my files have problem, because run chkdsk have "security descriptor missing error"

in ntfs_sd_add_everyone function, i changed SID_REVISION / ACL_REVISION/ SECURITY_DESCRIPTOR_REVISION on layout.h but doesn't apply.

and i checked secaudit.exe on linux(ubuntu10.04) & windows7.
the value is diffrent two OS.

Regards
Jessica


Thu Nov 24, 2011 03:46
Profile

Joined: Tue Nov 15, 2011 09:28
Posts: 9
Post Re: Security descriptor missing error
Jessica wrote:
Thanks Jean,

i want without an OS. and, make windows files. and use on windows.

so, i think, i can't get information. i want to use the default value or randomly set the value.

why am i think my files have problem, because run chkdsk have "security descriptor missing error"

in ntfs_sd_add_everyone function, i changed SID_REVISION / ACL_REVISION/ SECURITY_DESCRIPTOR_REVISION on layout.h but doesn't apply.

and i checked secaudit.exe on linux(ubuntu10.04) & windows7.
the value is diffrent two OS.


could you teach me reason security descriptor missing error?..

Regards
Jessica


Thu Nov 24, 2011 09:44
Profile
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Post Re: Security descriptor missing error
Hi Jessica,
Quote:
could you teach me reason security descriptor missing error?..

I will probably not be able to do so, unless I have the details of how you are creating a file. ntfs-3g does insert a security descriptor when creating a file, but is designed for Linux and fuse, so you have to adapt to your environment.

Regards

Jean-Pierre


Thu Nov 24, 2011 11:10
Profile

Joined: Tue Nov 15, 2011 09:28
Posts: 9
Post Re: Security descriptor missing error
thanks Jean-Pierre,

i create file before OS start(during the boot).

If security descriptor is created by default from ntfs_sd_add_everyone, is it possible to have security descriptor missing error occurred with chkdsk?

When I create file to Windows partition, I don't fully use/ put up the Linux kernel but using part of ntfs-3g driver.
And I think this is why(not enough information from Linux kernel) security descriptor error is occurred. So, I'm wondering, is there any reference information from Linux kernel when ntfs-3g driver create file to ntfs partition?

Can you please advise?
Regards,
Jessica


Thu Nov 24, 2011 11:44
Profile
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Post Re: Security descriptor missing error
Hi Jessica,
Quote:
And I think this is why(not enough information from Linux kernel) security descriptor error is occurred. So, I'm wondering, is there any reference information from Linux kernel when ntfs-3g driver create file to ntfs partition?

The only information needed for creating a security descriptor are the owner, group and permissions.
Quote:
Can you please advise?

In ntfs-3g the security descriptor is built while creating a file. You must have skipped something when adapting to your configuration, and you have to debug your code to identify why the descriptor is not built or not written.

Regards

Jean-Pierre


Thu Nov 24, 2011 23:20
Profile

Joined: Tue Nov 15, 2011 09:28
Posts: 9
Post Re: Security descriptor missing error
Hi Jean-Pierre

i'll check my function.

and if i have some more question. i'll write reply.

thanks your advise.

Regards.

Jessica


Mon Nov 28, 2011 03:10
Profile

Joined: Tue Nov 15, 2011 09:28
Posts: 9
Post Re: Security descriptor missing error
Hi Jean-Pierre,

Now i do check function ntfs_fuse_create(),

my code run no kernel. so, i set gid/ uid = 0, (acls.c ntfs_do_grouptmapping()'s getgrnam() --> 0; / security.c link_single_group()'s getgrgid() --> 0 / ntfs_initialize_file_security()'s getuid() & getgid() -->0)

so, my code doesn't inherit(because in ntfs_fuse_create's NtfsFuseContext->security.mapping[MAPUSERS]is 0) . i think, only use ntfs_sd_add_everyone().

but i do test on windows secaudit.exe -v value's defferent ntfs_sd_add_everyone().

in ntfs_fuse_create(), have other security descriptor change function?

and i did set gid/ uid =0 is it ok?

Best Regards.
Jessica


Mon Nov 28, 2011 07:23
Profile

Joined: Tue Nov 15, 2011 09:28
Posts: 9
Post if doesn't create security descriptor, it have problem?
Hi there,

i doing porting on doesn't use Kernel.

in this situation. maked files occured security descriptor missing error.

and, this situation create security descriptor using ntfs_sd_add_everyone()

but that occured security descriptor missing error,

so, i tried pass this sentence. like this.

dir.c L.1489

#if 0 //Jessica passed create Security descriptor
if (!securid) {
if (ntfs_sd_add_everyone(ni)) {
err = errno;
goto err_out;
}
}
#endif //_Jessica


doesn't create security descriptor, windows chkdsk doesn't have security descriptor missing or invalid error.

is it okay? if it is have problem?

Can you please advise?
Regards,
Jessica


Fri Dec 02, 2011 08:45
Profile
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Post Re: Security descriptor missing error
Hi Jessica

Quote:
Can you please advise?

You have to debug your code, I cannot do it for you, that is your job. I do not have your code and I do not have your execution environment. ntfs-3g is designed for a Linux type environment and it builds security descriptors when creating a file,... but you have to make adaptations to your specific environment.

Regards

Jean-Pierre


Fri Dec 02, 2011 13:54
Profile
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 18 posts ] 


Who is online

Users browsing this forum: No registered users and 4 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group.
Original forum style by Vjacheslav Trushkin.