Search code examples
c++windowssecurityntfsfilter-driver

Can't access reparse point directory of mounted filter driver from user account in windows xp x64 prof


I created a "special file system" for a very special security application.

I create a reparse point using an empty directory. Behind this reparse point is a filter driver, which handels the communication between NTFS and a usermode program, which is doing some encryption/decryption and control work (a mixture between FUSE, TrueCrypt, RamDisc,...). The whole thing is native in C/C++ and works fine unter Win7 x64.

Now I have the nice task to make it work for windwos xp x64 professional. When the whole application is running with admin rights it works fine, but when I switch to user account, I can't access the mounted directory.

The mounter and the "special file system" (lets name it sfs) are system services and an other app have to run under user account (COM relevant), the mount operation is successfull (when I switch to admin account after mount operation I can access the directory), the other parts of the application works fine too, but the only thing I can't manage is to get access to this very directory.

I gave the "everyone" and the users group and the specific user all permissions to the driver, the library(link between driver and sfs), the mounter and the special file system and did a lot in the registry too. I also gave this permissions to the mounted dir (all rigths, owner,...) but nothing works.

The debug outprint shows, that the request for the directory or the files inside never comes to to "sfs". It seems, that the IO-Manager never sends someting to this addres. An other problem is, that I can't manage to get all the debug outprints from the OS (boot in local debug mode and use DebugView.exe from SysInternals), but thats another story.

What did I miss? What is the difference between the security system of XP and Win7? Are there any basic restrictions in XP which I don't know?

Please ask if you need snippets of the code.

Any advise or idea is welcome!


Solution

  • Found it!

    I forgot to set security for the device itselfe! What a bad thing not to find this earlier! :-(

    This is the section in the mount service:

    static VOID GetSecAttr(PSECURITY_ATTRIBUTES SecAttr)
    {
    
       LPTSTR sd = L"D:P(A;;GA;;;SY)(A;;GRGWGX;;;BA)(A;;GRGW;;;WD)(A;;GR;;;RC)";
    
       ZeroMemory(SecAttr, sizeof(SECURITY_ATTRIBUTES));
    
       ConvertStringSecurityDescriptorToSecurityDescriptor(sd, SDDL_REVISION_1, &SecAttr->lpSecurityDescriptor, NULL);
    
       SecAttr->nLength = sizeof(SECURITY_ATTRIBUTES);
       SecAttr->bInheritHandle = TRUE;
    }
    
    static VOID WINAPI ServiceMain(DWORD dwArgc, LPTSTR *lpszArgv)
    {
    
    //... some declarations ...
       SECURITY_ATTRIBUTES sa;
    
    //... some stuff like syncronisation, named pipe and so on...
       GetSecAttr(&sa);
    
       device = CreateFile(
           MY_DEVICE_NAME,
           GENERIC_READ | GENERIC_WRITE,
           FILE_SHARE_READ | FILE_SHARE_WRITE,
           &sa,                //!!! and this was NULL!!!
           OPEN_EXISTING, 
           FILE_FLAG_OVERLAPPED, 
           NULL);
    
       if (device == INVALID_HANDLE_VALUE) {/*...*/}
    }
    

    Thanks to all of you who spent time to help me!

    ... and why the hell did this work for Win7 ?!?