3.1.4.9.1 LsarQuerySecurityObject (Opnum 3)
The LsarQuerySecurityObject method is invoked to query security information that is assigned to a database object. It returns the security descriptor of the object.
NTSTATUS LsarQuerySecurityObject(
  [in] LSAPR_HANDLE ObjectHandle,
  [in] SECURITY_INFORMATION SecurityInformation,
  [out] PLSAPR_SR_SECURITY_DESCRIPTOR* SecurityDescriptor
);
ObjectHandle: An open object handle of any type.
SecurityInformation: A bitmask specifying which portions of the security descriptor the caller is interested in.
SecurityDescriptor: Used to return the security descriptor containing the elements requested by the caller.
Return Values: The following is a summary of the return values that an implementation MUST return, as specified by the message processing that follows.
Return value/code                   Description
0x00000000 STATUS_SUCCESS           The request was successfully completed.
0xC0000022 STATUS_ACCESS_DENIED     The caller does not have the permissions to perform this operation.
0xC00000BB STATUS_NOT_SUPPORTED     The request is not supported.
0xC0000008 STATUS_INVALID_HANDLE    ObjectHandle is not a valid handle.
Processing:
This message takes three arguments:
ObjectHandle: Can be an open handle of any type. If the handle is not a valid context handle to an object or ObjectHandle.PolicyType is not one of the following:
"Policy" for handles to policy objects
"Account" for handles to account objects
"Secret" for handles to secret objects
"Trusted Domain" for handles to trusted domain objects
The server MUST return STATUS_INVALID_HANDLE. The access required for a successful completion of this request depends on the SecurityInformation parameter. The server MUST verify that ObjectHandle grants access as specified in section 3.1.4.2.2. The following pseudocode specifies the RequiredAccess value to use in this access check.
Set RequiredAccess equal to 0
IF ((SecurityInformation & OWNER_SECURITY_INFORMATION) ||
    (SecurityInformation & GROUP_SECURITY_INFORMATION) ||
    (SecurityInformation & DACL_SECURITY_INFORMATION)) THEN
    RequiredAccess |= READ_CONTROL
END IF
IF (SecurityInformation & SACL_SECURITY_INFORMATION) THEN
    RequiredAccess |= ACCESS_SYSTEM_SECURITY
END IF
SecurityInformation: A set of bits specifying which portions of the security descriptor the caller is interested in retrieving. The various bits and the associated access rights are specified in section 2.2.1.3.
SecurityDescriptor: An output parameter. If access checks pass, the server MUST fill this information with a valid self-relative security descriptor containing only the fields requested by the caller. The server MUST NOT put information into the security descriptor that the caller did not request.
It is valid for the server to not support this method for all object types. If an object does not support this method, the server MUST return STATUS_NOT_SUPPORTED.<112>
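As an added illustration, not part of the specification, the following C models the server-side decisions described in this section: handle-type validation, the RequiredAccess computation, the access check against the handle's granted mask, the not-supported case, and the rule that the returned descriptor carries only the requested parts. The Handle structure, query_security_object, and the placement of the not-supported check after the access check are assumptions; the SECURITY_INFORMATION and access-right constants are the standard Windows values, and the NTSTATUS codes are those in the table above.

```c
#include <stdint.h>
#include <stdbool.h>

/* SECURITY_INFORMATION bits and access rights (standard Windows values). */
#define OWNER_SECURITY_INFORMATION 0x00000001u
#define GROUP_SECURITY_INFORMATION 0x00000002u
#define DACL_SECURITY_INFORMATION  0x00000004u
#define SACL_SECURITY_INFORMATION  0x00000008u
#define READ_CONTROL               0x00020000u
#define ACCESS_SYSTEM_SECURITY     0x01000000u

/* NTSTATUS values from the return-value table of this section. */
#define STATUS_SUCCESS        0x00000000u
#define STATUS_ACCESS_DENIED  0xC0000022u
#define STATUS_NOT_SUPPORTED  0xC00000BBu
#define STATUS_INVALID_HANDLE 0xC0000008u

/* Hypothetical model of a context handle (assumption, not the protocol's
 * wire format): the object type it refers to, the access mask granted when
 * it was opened, and whether the object type supports this method. */
typedef enum { POLICY, ACCOUNT, SECRET, TRUSTED_DOMAIN, OTHER } PolicyType;
typedef struct { bool valid; PolicyType type; uint32_t granted; bool supports_query; } Handle;

/* RequiredAccess exactly as the pseudocode in the Processing section derives it. */
uint32_t required_access(uint32_t info) {
    uint32_t req = 0;
    if (info & (OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION))
        req |= READ_CONTROL;
    if (info & SACL_SECURITY_INFORMATION)
        req |= ACCESS_SYSTEM_SECURITY;
    return req;
}

/* Server-side decision sequence. On success, *fields receives the set of
 * security-descriptor parts that may be returned: exactly the requested ones,
 * never more. The order "access check before not-supported" is an assumption. */
uint32_t query_security_object(const Handle *h, uint32_t info, uint32_t *fields) {
    *fields = 0;
    if (!h->valid || h->type == OTHER)          /* not Policy/Account/Secret/Trusted Domain */
        return STATUS_INVALID_HANDLE;
    uint32_t req = required_access(info);
    if ((h->granted & req) != req)              /* every required right must be granted */
        return STATUS_ACCESS_DENIED;
    if (!h->supports_query)
        return STATUS_NOT_SUPPORTED;
    *fields = info & (OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION |
                      DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION);
    return STATUS_SUCCESS;
}
```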