How CREATOR_OWNER and CREATOR_GROUP affect security

This article was previously published under Q126629
This article discusses the CREATOR_OWNER and CREATOR_GROUP security identifiers (SIDs) and how they affect security.

When logged on, each user is represented by a token object. This token contains all the SIDs comprising your security context. Tokens identify one of those SIDs as a default owner for any new objects the user creates, such as files, processes, events, and so forth. Typically, this is the user's account (<domain>\<username>). For an administrator, however, the default owner is set to be the local group "Administrators," rather than the individual's user account.

Each token also identifies a primary group for the user. This group does not necessarily have to be one the user is a member of (although it is by default), and it does not determine the objects a user has access to (that is, it isn't used in access validation decisions). However, by default it is assigned as the primary group of any objects the user creates. For the most part, the primary group is required simply for POSIX compatibility, but the primary group does play a role in object creation.

When a new object is created, the security system has the task of assigning protection to the new object. The system follows this process:
  1. Assign the new object any protection explicitly passed in by the object creator.
  2. Otherwise, assign the new object any inheritable protection from the container the object is created in.
  3. Otherwise, assign the new object any protection explicitly passed in by the object creator, but marked as "default."
  4. Otherwise, if the caller's token has a default DACL, that will be assigned to the new object.
  5. Otherwise, no protection is assigned to the new object.
In step 2, if the parent container has inheritable access-control entries (ACEs), those are used to generate protection for the new object. In this case, each ACE is evaluated to see if it should be copied to the new object's protection. Usually, when an ACE is copied, the SID within that ACE is copied as is. The two exceptions to this rule are when CREATOR_OWNER and CREATOR_GROUP are encountered. In these cases, the SID is replaced with the caller's default owner SID or primary group SID, respectively.

By default, users logging on to Windows NT are given a primary group of "Domain Users" (when logging on to a Windows NT Server) or the group called "None" (when logging on to a Windows NT Workstation system). Therefore, when you create an object in a container that has an inheritable ACE with the CREATOR_GROUP SID, you will likely end up with an ACE granting Domain Users some access. This may not be what you intended.
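The five-step assignment process and the CREATOR_OWNER/CREATOR_GROUP substitution in step 2 can be modelled to show how a Domain Users ACE appears on the new object. The following is an added example, not Win32 code or part of the original article: it is a simplified model in which ACEs are plain records, the "FULL" access string and the domain SIDs are constructed placeholders, and only the well-known SIDs (S-1-3-0, S-1-3-1, S-1-5-32-544, RID 513) are real values.

```python
# Added example: simplified model of protection assignment for a new object.
# Not Win32 code; ACEs are plain records and domain SIDs are constructed.
from dataclasses import dataclass
from typing import List, Optional

CREATOR_OWNER = "S-1-3-0"   # well-known SID, replaced at inheritance time
CREATOR_GROUP = "S-1-3-1"   # well-known SID, replaced at inheritance time


@dataclass(frozen=True)
class Ace:
    sid: str
    access: str                 # constructed label, e.g. "FULL" or "READ"
    inheritable: bool = False


@dataclass
class Token:
    default_owner: str          # SID used to replace CREATOR_OWNER
    primary_group: str          # SID used to replace CREATOR_GROUP
    default_dacl: Optional[List[Ace]] = None


def inherit_aces(parent_dacl: List[Ace], token: Token) -> List[Ace]:
    """Step 2: copy inheritable ACEs, substituting the creator SIDs."""
    substitute = {CREATOR_OWNER: token.default_owner,
                  CREATOR_GROUP: token.primary_group}
    return [Ace(substitute.get(a.sid, a.sid), a.access)
            for a in parent_dacl if a.inheritable]


def protect_new_object(token, parent_dacl=None, explicit=None, default_marked=None):
    """Return the DACL a new object receives, following the five steps."""
    if explicit is not None:            # 1. explicit protection from the creator
        return list(explicit)
    inherited = inherit_aces(parent_dacl or [], token)
    if inherited:                       # 2. inheritable ACEs from the container
        return inherited
    if default_marked is not None:      # 3. creator's protection marked "default"
        return list(default_marked)
    if token.default_dacl is not None:  # 4. the token's default DACL
        return list(token.default_dacl)
    return []                           # 5. no protection assigned


# Constructed scenario: a container granting full control to the creator
# and the creator's group, used by a user whose primary group is Domain Users.
DOMAIN_USERS = "S-1-5-21-EXAMPLE-513"        # placeholder domain SID, RID 513
ALICE = "S-1-5-21-EXAMPLE-1105"              # placeholder user SID
ADMINISTRATORS = "S-1-5-32-544"              # well-known local group SID

parent = [Ace(CREATOR_OWNER, "FULL", inheritable=True),
          Ace(CREATOR_GROUP, "FULL", inheritable=True),
          Ace(ADMINISTRATORS, "FULL", inheritable=False)]
alice = Token(default_owner=ALICE, primary_group=DOMAIN_USERS)
```

Running `protect_new_object(alice, parent_dacl=parent)` yields an ACE for ALICE and one for DOMAIN_USERS, which is exactly the unintended Domain Users grant the article warns about; the non-inheritable Administrators ACE is not copied.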

Article ID: 126629 - Last Review: 11/21/2006 15:27:00 - Revision: 4.1

Microsoft Win32 Application Programming Interface
