2.1.5.17 Server Requests Setting of Security Information
This operation is also referred to as SET_SECURITY when it is used in switch statements.
If the object store does not implement security, the operation MUST be failed with STATUS_INVALID_DEVICE_REQUEST.<193>
The server provides:
Open - The Open on which security information is being applied.
SecurityInformation - A SECURITY_INFORMATION data type as defined in [MS-DTYP] section 2.4.7.
InputBuffer - A buffer that contains the security descriptor to be applied to the object. The security descriptor is a SECURITY_DESCRIPTOR structure in self-relative format, as described in [MS-DTYP] section 2.4.6.
InputBufferSize - The size of the buffer provided.
On completion, the object store MUST return:
Status - An NTSTATUS code indicating the result of the operation.
This routine uses the following local variables:
Boolean values (initialized to FALSE): DisableOwnerAces, ServerObject, DaclUntrusted
The operation MUST be failed with STATUS_ACCESS_DENIED under any of the following conditions:
SecurityInformation contains any of OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION, or LABEL_SECURITY_INFORMATION, and Open.GrantedAccess does not contain WRITE_OWNER.
SecurityInformation contains DACL_SECURITY_INFORMATION and Open.GrantedAccess does not contain WRITE_DAC.
SecurityInformation contains SACL_SECURITY_INFORMATION and Open.GrantedAccess does not contain ACCESS_SYSTEM_SECURITY.
Pseudocode for the operation is as follows:
If Open.Stream.Oplock is not empty, the object store MUST check for an oplock break according to the algorithm in section 2.1.4.12, with input values as follows:
Open equal to this operation's Open
Oplock equal to Open.Stream.Oplock
Operation equal to "SET_SECURITY"
OpParams empty
The object store MUST post a USN change as specified in section 2.1.4.11 with File equal to File, Reason equal to USN_REASON_SECURITY_CHANGE, and FileName equal to Open.Link.Name.
If the Server Security (SS) bit is set in InputBuffer.Control, set ServerObject to TRUE, otherwise set it to FALSE.
If the DACL Trusted (DT) bit is set in InputBuffer.Control, set DaclUntrusted to FALSE, otherwise set it to TRUE.
If SecurityInformation contains OWNER_SECURITY_INFORMATION:
If SecurityInformation contains DACL_SECURITY_INFORMATION, set DisableOwnerAces to FALSE, otherwise set it to TRUE.
If InputBuffer.OwnerSid is not present, the operation MUST be failed with STATUS_INVALID_OWNER.
If InputBuffer.OwnerSid is not a valid owner SID for a file in the object store, as determined in an implementation-specific manner, the object store MUST return STATUS_INVALID_OWNER.
Else
If Open.File.SecurityDescriptor.Owner is NULL, the operation MUST be failed with STATUS_INVALID_OWNER.
EndIf
The object store MUST set Open.File.SecurityDescriptor to InputBuffer. See [MS-DTYP] section 2.4.6 for additional details.
If Open.File.FileType is not DirectoryFile:
The object store MUST set Open.File.FileAttributes.FILE_ATTRIBUTE_ARCHIVE.
The object store MUST update Open.File.LastChangeTime.<194>
EndIf
The operation returns STATUS_SUCCESS.