How CREATOR_OWNER and CREATOR_GROUP affect security
Each token also identifies a primary group for the user. This group does not necessarily have to be one the user is a member of (although it is by default) and it does not determine the objects a user has access to (that is, it isn't used in access validation decisions). However, by default it is assigned as the primary group of any objects the user creates. For the most part, the primary group is required simply for POSIX compatibility, but the primary group does play a role in object creation.
When a new object is created, the security system has the task of assigning protection to the new object. The system follows this process:
- Assign the new object any protection explicitly passed in by the object creator.
- Otherwise, assign the new object any inheritable protection from the container the object is created in.
- Otherwise, assign the new object any protection explicitly passed in by the object creator, but marked as "default."
- Otherwise, if the caller's token has a default DACL, that will be assigned to the new object.
- Otherwise, no protection is assigned to the new object.
By default, users logging on to Windows NT are given a primary group of "Domain Users" (when logging on to a Windows NT Server) or the group called "None" (when logging onto a Windows NT Workstation system). Therefore, when you create an object in a container that has an inheritable ACE with the CREATOR_GROUP SID, you will likely end up with an ACE granting Domain Users some access. This may not be what you intended.
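The following PowerShell session is an added example, not code from the article. It reproduces the situation the article describes on a file system: an inheritable ACE for the well-known CREATOR GROUP SID (S-1-3-1) is placed on a container, a file is then created in it with no explicit protection (so step 2 of the process above, inheritance from the container, applies), and the resulting ACE on the file is shown to name the creator's primary group rather than CREATOR GROUP. It also includes a small audit function, Find-CreatorGroupAces, for locating containers that carry such ACEs. The directory under $env:TEMP, the file name and the function name are assumptions made for this demonstration; the cmdlets and .NET types are standard.

```powershell
# Added example: show how an inheritable CREATOR GROUP ACE on a container
# becomes an ACE for the creator's primary group on a newly created object.
# Assumes a Windows session that may create items under $env:TEMP.
# The paths below are constructed for the demo.

$container = Join-Path $env:TEMP 'creator-group-demo'
New-Item -ItemType Directory -Path $container -Force | Out-Null

# Step 1: add an inheritable ACE for CREATOR GROUP (S-1-3-1) to the container.
# ContainerInherit + ObjectInherit makes it apply to child folders and files.
$acl = Get-Acl -Path $container
$creatorGroup = [System.Security.Principal.SecurityIdentifier]::new('S-1-3-1')
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $creatorGroup,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $container -AclObject $acl

# Step 2: create a file without passing any explicit protection, so the
# inheritable protection from the container is what the system assigns.
$file = Join-Path $container 'new-file.txt'
Set-Content -Path $file -Value 'demo'

# Step 3: inspect the result. The file's primary group comes from the
# creator's token, and the inherited ACE names that group (typically
# "Domain Users" for a domain account), not CREATOR GROUP itself.
$fileAcl = Get-Acl -Path $file
Write-Host "Primary group of the new file: $($fileAcl.Group)"
$fileAcl.Access |
    Where-Object { $_.IsInherited } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize

# Audit helper (assumed name): list containers under $Root that carry an
# explicit, inheritable CREATOR GROUP ACE. Each hit is a place where new
# objects will silently receive access for their creator's primary group.
function Find-CreatorGroupAces {
    param([Parameter(Mandatory)][string]$Root)

    Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $path = $_.FullName
            (Get-Acl -Path $path).Access |
                Where-Object {
                    $_.IdentityReference.Value -eq 'CREATOR GROUP' -and
                    -not $_.IsInherited -and
                    $_.InheritanceFlags -ne [System.Security.AccessControl.InheritanceFlags]::None
                } |
                ForEach-Object {
                    [pscustomobject]@{
                        Path   = $path
                        Rights = $_.FileSystemRights
                        Type   = $_.AccessControlType
                    }
                }
        }
}

# Usage: the demo container above should appear in the audit output.
Find-CreatorGroupAces -Root $env:TEMP | Format-Table -AutoSize
```

If the inherited ACE is not what was intended, the article's process points to the remedies: pass an explicit security descriptor when creating the object (step 1 takes precedence over inheritance), replace the CREATOR GROUP ACE on the container with an ACE for the specific group you mean, or change the primary group in the creating token so that the substituted SID is the one you expect.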
Article ID: 126629 - Last Review: 11/21/2006 15:27:00 - Revision: 4.1
- kbhowto kbprogramming kbkernbase kbsecurity kbacl KB126629