I am proud to announce that fksec is in need of a new name: it is now no longer mine alone. Simon Fell and Tomas Restrepo are now as much the authors of fksec as I am. Errors are, of course, my responsibility.

Win32 offers two ways to deal with security descriptors and their components: the slow, painful one, and the easy, buggy one. The former relies on the APIs that are now called "low-level" and which only work on binary representations (meaning you have to do everything yourself, including name-to-SID translation, laying out structures, and so on). The latter way uses the APIs introduced in NT 4.0, which offer far more ease of use, at the small price of correctness. Hey, it's just security, who cares whether it works?

Questions related to these APIs and their use came up often enough -- at least in the newsgroups that I trawl -- that I finally broke down and collected some of the bits and pieces I had lying around and uploaded them. The documentation is still in the works, as you will see, and my work schedule is not really ideal for finishing it, but I hope you will find the classes themselves readable, and the docs at least tell you how to merge the things into your code.

Aside from the included test-driver in main.cpp, which exercises plenty of fksec's functionality, I now have a real (and potentially useful) fksec-based sample online, demonstrating taking ownership. The security-related code, including translation of names to SIDs, looking up (and enabling) privileges, and actually changing the owner of a file, is all of five lines of code. :-)

As always, I appreciate suggestions, corrections, bug reports, and just plain feedback. If you have a problem with fksec, a detailed description and a small (!) sample app demonstrating the bug would help tremendously in locating and fixing the error.

Release history:

Date (CET) Change
13 Nov 99 Initial upload
13 Nov 99 Eliminated dead code (already #if-ed out) from priv.cpp. No need to download, since the active code didn't change.
13 Nov 99 Added the exceptions chapter to the documentation.
14 Nov 99 Uploaded the rest of the *.dsp project files, to build fksec as a static library; added docs for that
28 Nov 99 Fixed a bug -- priv::SetState() did check ATP() for a return of TRUE, but GetLastError() wasn't called in this case. Thanks for reminding me, Slava! (Only priv.cpp changed this time around.)
1 Dec 99 Bug fix: When stuffing a sid with a stringified SID ("S-1-..."), RIDs with a value of 0 were flagged as errors. This is obviously bogus, as the World SID, for instance, is S-1-1-0.
Addition: sid::LookupSidType() report whether a sid is built-in (well-known groups, like Administrators, or LocalSystem); local (local users and groups); from the domain that the current machine is a member of (domain users, global groups); or foreign (a domain SID that does not belong to the current machine or its domain).
Big change: I got fed up with Word and imported the documentation into the sources, from where ccdoc generates totally hip HTML documentation. My stock is bound to leap upwards any day now -- at the latest, as soon as I incorporate as fksec-dot-com. :-)
25 Dec 99 Documentation update -- I added descriptions for the priv class (managing privileges) and for the functions in apis.h (getting and setting security on securable objects).
Cosmetic change: priv::operator ==() and priv::operator !=() now return a bool instead of an int.
9 Mar 00 Minor update: ace::operator<<() now presents a cleaner display, and sd::GetControl() makes sure that the SE_xACL_PRESENT bits are cleared when no ACL of a particular kind is present. Next on the list: The code to dump ACEs in a readable form, kindly provided by Tomas Restrepo. No documentation changes, so you can download just ace.cpp and sd.cpp and recompile.
7 Apr 00 *Highly* recommended update, as it includes bug fixes: In particular, ACE sorting finally works the way NT 5.0 wants it for auto-inherited ACEs. Additionally, if an SD that is written back to an object has the SE_xACL_AUTO_INHERITED bit set in its control word (where xACL is either SACL or DACL), the SE_xACL_AUTO_INHERIT_REQ bit will get set, ensuring proper functioning of auto-inheritance.
11 Apr 00 A sample using fksec to take ownership of files is now online.
19 Apr 00 Kudos goes to Ivan Krivyakov for pointing out to me that (a) older SDK headers needed a little help with new constants (see fksec.h line 82ff.) and (b) enabling specific combinations of tests in main.cpp broke due to multiple use of the same name. Only fksec.h and main.cpp have changed this time.
28 Apr 00 Stefan Kuhr suggested a number of changes for compatibility with VC++ 5.0, and to make running the test main.cpp easier for those with localised (non-US) versions of NT. In particular: The domain- and account-names used by main.cpp are now all #defined near line 50 of main.cpp; the existence of those accounts is verified before they are blithely used; and _tmain is now #defined if it is missing. Furthermore, priv::GetState() and priv::GetState() now have an (unreachable) "retun false;" at their ends; VC++ 5.0 did not realise that an unconditional throw statement ended the current code path and insisted on a value being returned.
29 Apr 00 Incorporated Tomas Restrepo's token class -- thanks, Tomas! Unless Tomas fights (and wins), fksec now has two authors. On further reflection, maybe fksec wasn't the best of all possible names ...
6 May 00 Switched to Doxygen by Dimitri van Heesch instead of ccdoc.
5 Jun 00 Simon Fell's debut -- thanks, Simon! How does sftrfksec as a library name sound to you? Simon has kindly supplied two new member functions for the sid class, dealing with determining membership for a given group SID and finding the groups of which a given SID is a member. On top of that, he has extended the ace class to handle the "object ACEs" used by Active Directory, made the appropriate extensions to the acl and sd classes, and added AdsGetObjectSecurity()/AdsSetObjectSecurity() to apis.cpp.
In other news: class ace is now fully documented; class sid now offers a slew of those constant "well-known SIDs"; and acl is (slowly) growing a replacement for the buggy Win32 function GetEffectiveRightsFromAcl().
8 Oct 00 A few minor fixes: token::operator=(const token &) and token::token(const token&) now check the validity of the token object that gets copied into them, and token::operator=() closes the lhs-object's current token handle, if any.
Perry Rapp (prapp, works at smartronix.com) kindly pointed out a bug in sd::operator=(SECURITY_DESCRIPTOR *): if the address passed in was the address of the internal buffer for the absolute or self-relative SDs, that buffer would be released before the code assigned its contents to *this. Similar problems existed in acl::operator=(ACL *), ace::operator=(const void *), and sid::operator=(const PSID). Kudos to Perry!
Following an earlier suggestion from Perry, I added a #define SE_GROUP_RESOURCE to fksec.h -- this flag is supported on NT5 only, and the symbol is undefined unless _WIN32_WINNT is set to a suitable value. Obviously, my definition is properly guarded.
Instructions for generating an HTMLhelp file from the docs were added, as well as the file itself.
13 Oct 00 Documentation for class acl has been added.
Minor fix: when verifying that a potential ACL is less than 64K in size, acl::IsValidAcl() now also takes any requested additional bytes into account.
15 Oct 00 Minor fix: NT4 does not have restricted SIDs in a token; the error returned by GetTokenInformation() is now handled cleanly.
Perry Rapp (prapp, works at smartronix.com) has kindly added a new member function to fksec::ex -- never was it easier to translate a Win32 error code into the corresponding error message.
Other minor changes too small to mention.
16 Oct 00 If you downloaded fksec within the past eight hours (i.e., from 15-Oct-2000 22:00 GMT through 16-Oct-2000 05:30 GMT), download it again -- an important line was missing from token::GetTokenInfo(), basically causing every call to it to fail. Sorry!

And now, without further blather, I give you fksec: Simon Fell's, Tomas Restrepo's, and Felix Kasza's security classes.

System requirements

As of this writing [8 Oct 00], I am using VC++ 6.0 SP4 and the NT5 final release of the Platform SDK. The SDK can be downloaded from MSDN Online's Platform SDK page. Please make sure that your include, library, and executable paths (Tools, Options, Directories tab if you use the IDE) list the Platform SDK stuff before the VC++ headers.

Update [6 May 00]: Thanks to the efforts of Stefan Kuhr, fksec can now be built with VC++ 5.0. As far as I can tell, having a current Platform SDK still is a good idea.


The fksec class library, including not only the code written by yours truly, but also the parts written by Simon Fell and Tomas Restrepo, is in the public domain. Read more about this on the license page. (If you like fksec, I am sure Simon and Tomas wouldn't mind a little thank-you note.)


Note that the only documented classes are ex (exceptions), priv (privileges), ace (access-control entries), acl (access-control lists), token (process and thread tokens), and sid (SID functionality), plus the global functions in apis.h. I am working on sd, the wrapper for security descriptors, but I do have a day job which I actually like, so bear with me, please.

The vanilla fksec.zip (see next section) contains the data needed to recreate the documentation, assuming that you have Doxygen installed. You can also read ready-made docs online, or download them:

fksecdoc.zip, 438 KB: docs in HTML format. Unzip this file into any empty directory. The home page is index.html.
fksec.chm, 573 KB: docs in compressed-HTML (.CHM) format, suitable for HTMLhelp, in a single file.
Online documentation, plenty KB in many small files: Hey, you know what to do.

To regenerate the documentation, you need to install Doxygen by Dimitri van Heesch (thanks, mate!). Installation basically consists of moving the pre-built doxygen.exe into a directory that is on the PATH. Then, build the doc project in the fksec workspace; the "Win32 Debug" configuration uses a command line which requires 4NT, a cmd.exe replacement, while the "Win32 Release" configuration's command line should work with cmd.exe itself.

To rebuild fksec.chm, the compressed-HTML help file, generate docs as above and then run "hhc <fksec-dir>\html\index.hhp". Rename "<fksec-dir>\html\index.chm" to "fksec.chm". Note: "hhc" is the HTMLhelp compiler's command-line version. It is installed with the HH authoring kit, which you can download from the HTMLhelp download page if you do not have the Platform SDK installed. Unless you put hhc.exe into a directory on your PATH, you will have to specify its full pathname in the build command for the "doc" project.

Complete package, for your convenience

fksec.zip, 104 KB: Everything you need to build fksec and its documentation. Note that fksec.zip contains no documentation per se, only comments that are assembled into documentation by Doxygen. Please see the "Documentation" heading above for pre-generated online and downloadable copies of the docs.