Hello there,

i used ntfs3g on windows. (i trying porting for windows)

i have a question.

runed chkdsk. i met security missing error.

"security descriptor for file 512323 is missing or invalid.

so, i checked security descriptor by secaudit (for win).

that security descriptor contants some diffrent other files.

this is security descriptor maked ntfs3g.
"01000480 48000000 58000000 00000000 "
14000000 02003400 02000000 00001400
ff011f00 01010000 00000005 12000000
00001800 ff011f00 01020000 00000005
20000000 20020000 01020000 00000005
20000000 20020000 01010000 00000005
12000000

other file's security descriptor more long this.

could you advise for me?

thank you.
regards

Hi,


The security part of ntfs-3g is designed for mapping Unix-type protections onto ntfs. Most of it is not relevant when executing on Windows.


The security descriptor above is (syntactically) correct, and I could not get chkdsk to output any error (I have tried two different chkdsk versions).


This is because the security descriptor is owned by built-in owner and group (administrator and system), whose SIDs are shorter than user-defined owner and group. Moreover no user is defined to be allowed to read, write or change permissions to the file. Only the administrator is allowed to access the file, and this makes the descriptor even shorter. Note : you can use the "-vv" option of secaudit to display the descriptor details.

This is probably not what you had wanted, and to fix it, you need to get the SIDs of the file owner and group, and define appropriate permissions. The usual way to define permissions in Windows is to inherit them from the parent directory. If this is what you want, you have to collect the descriptor for the parent directory and adapt the ntfs-3g code for processing the option "inherit".

Regards

Jean-Pierre

thank you~ Jean

you advised to me,

"The usual way to define permissions in Windows is to inherit them from the parent directory"

I tried, change security descriptor contents, but i can't change that.

i tried change constant value (ex-ACL_REVISION and funtion ntfs_sd_add_everyone)

i used, call ntfs_fuse_unlink(FileName,NtfsFuseContext)->ntfs_fuse_create(FileName, S_IFREG , 0, NULL, (struct fuse_file_info*)NULL,NtfsFuseContext) -> ntfs_fuse_write(FileName, buf, size, offset, NULL, NtfsFuseContext) for make files.

* NtfsFuseContext is ctx (ntfs_fuse_context_t)

Did ntfs_fuse_write change security descriptor?

Regards

Hi Jessica,

I do not understand what you are trying to do on what base. Before considering security descriptors, do you have a working environment to create files and access them ? Maybe you explain why ntfs-3g does not suit your needs ?

ntfs_fuse_write() does not change the security descriptor, it only accesses it to check whether the calling process is allowed to write to the file. For changing a security descriptor see ntfs_fuse_chmod() or ntfs_fuse_chown(). These functions expect Unix-type owner, group and permissions, what is your input like ?

Regards

Jean-Pierre

Hi Jessica,

I am planning to porting ntfs-3g for windows too. But I am not sure how to deal with the /dev/fuse file which is used on linux platform.
It seems that all communications between the user space ntfs-3g project and the FUSE kernel module are changed to operations of this file.
Is this file still needed on windows platform? Should I also porting the kernel FUSE fs and VFS functions to windows platform too?
Or, the file is not necessary any more because the low level functions are implemented in win32_io.c
I am curious about this. Really appreciated if any feedback from you or anyone else.
Thanks.

Ryan

thanks jean.

I tied make some windows file use ntfs3g on boot time.

so i used some function (unlink / create / write / doesn't use setxattr).

and i succed make files. but that files have some problem (security descriptor missing error).

i want fix security descriptor missing error.

i think. that problem is my file's security descriptor is worng.
so tried change ntfs_sd_add_everyone function and security descriptor revision contents, but dosen't apply.

Regards.

Hi

@ryan :

/dev/fuse is a kind of mailbox to which the kernel posts the user requests to access a file (open, read, write, chmod, etc.). fuse then formats the requests and calls the appropriate function in a file system driver such as ntfs-3g.

Most likely you need not fuse or the Linux vfs, but you need something to hijack the user requests and forward them to ntfs-3g.

The low level functions (actual read and write to device) have no relation to /dev/fuse. win32_io.c may be used for that (at least as a starting point).

Regards

Jean-Pierre

Hi Jessica,


Which operating system are you using ?

When you create a file, you must define who are its owner and group, and what are the permissions. This is what is needed to build the security descriptor. In your situation, where do you get this information from, and what are the formats used ?

What makes you think that ? Do you get an error message ? in what circumstances ?

Maybe the operating system you are using requires you have some permission to set permissions on a file, or the current process must be the owner of the file being created.

The function is probably correct, most likely you are calling it in a wrong way, such as calling with inappropriate arguments.

Regards

Jean-Pierre

Thanks Jean. Now I have a much clear understanding about the arch.

Thanks Jean,

i want without an OS. and, make windows files. and use on windows.

so, i think, i can't get information. i want to use the default value or randomly set the value.

why am i think my files have problem, because run chkdsk have "security descriptor missing error"

in ntfs_sd_add_everyone function, i changed SID_REVISION / ACL_REVISION/ SECURITY_DESCRIPTOR_REVISION on layout.h but doesn't apply.

and i checked secaudit.exe on linux(ubuntu10.04) & windows7.
the value is diffrent two OS.

Regards
Jessica

Hi Jessica,

I will probably not be able to do so, unless I have the details of how you are creating a file. ntfs-3g does insert a security descriptor when creating a file, but is designed for Linux and fuse, so you have to adapt to your environment.

Regards

Jean-Pierre

thanks Jean-Pierre,

i create file before OS start(during the boot).

If security descriptor is created by default from ntfs_sd_add_everyone, is it possible to have security descriptor missing error occurred with chkdsk?

When I create file to Windows partition, I don't fully use/ put up the Linux kernel but using part of ntfs-3g driver.
And I think this is why(not enough information from Linux kernel) security descriptor error is occurred. So, I'm wondering, is there any reference information from Linux kernel when ntfs-3g driver create file to ntfs partition?

Can you please advise?
Regards,
Jessica

Hi Jessica,

The only information needed for creating a security descriptor are the owner, group and permissions.

In ntfs-3g the security descriptor is built while creating a file. You must have skipped something when adapting to your configuration, and you have to debug your code to identify why the descriptor is not built or not written.

Regards

Jean-Pierre

Hi Jean-Pierre

i'll check my function.

and if i have some more question. i'll write reply.

thanks your advise.

Regards.

Jessica

Hi Jean-Pierre,

Now i do check function ntfs_fuse_create(),

my code run no kernel. so, i set gid/ uid = 0, (acls.c ntfs_do_grouptmapping()'s getgrnam() --> 0; / security.c link_single_group()'s getgrgid() --> 0 / ntfs_initialize_file_security()'s getuid() & getgid() -->0)

so, my code doesn't inherit(because in ntfs_fuse_create's NtfsFuseContext->security.mapping[MAPUSERS]is 0) . i think, only use ntfs_sd_add_everyone().

but i do test on windows secaudit.exe -v value's defferent ntfs_sd_add_everyone().

in ntfs_fuse_create(), have other security descriptor change function?

and i did set gid/ uid =0 is it ok?

Best Regards.
Jessica

Hi there,

i doing porting on doesn't use Kernel.

in this situation. maked files occured security descriptor missing error.

and, this situation create security descriptor using ntfs_sd_add_everyone()

but that occured security descriptor missing error,

so, i tried pass this sentence. like this.

dir.c L.1489

#if 0 //Jessica passed create Security descriptor
if (!securid) {
if (ntfs_sd_add_everyone(ni)) {
err = errno;
goto err_out;
}
}
#endif //_Jessica

doesn't create security descriptor, windows chkdsk doesn't have security descriptor missing or invalid error.

is it okay? if it is have problem?

Can you please advise?
Regards,
Jessica

Hi Jessica


You have to debug your code, I cannot do it for you, that is your job. I do not have your code and I do not have your execution environment. ntfs-3g is designed for a Linux type environment and it builds security descriptors when creating a file,... but you have to make adaptations to your specific environment.

Regards

Jean-Pierre