Absolute versus Self-Relative
All Security Descriptors can be of two formats, Absolute and Self-Relative, both of which use the data structure:
struct _SECURITY_DESCRIPTOR {
BYTE Revision;
BYTE Sbz1;
SECURITY_DESCRIPTOR_CONTROL Control;
PSID Owner;
PSID Group;
PACL Sacl;
PACL Dacl;
};
The difference between the two types of SD depends on the content of the four pointers (four last variables). With the Absolute format, the SD contains pointers to the address of memory containing the SID or ACL for each of these variables. This way, you can easily manipulate the structure and change SIDs and ACLs as you want. The problem with this format is that it is not in a contiguous block of memory and you cannot store it in a permanent fashion, such as in a file.
A Self-Relative SD doesn't contain pointers, but contains offsets from the beginning of the SD structure to the object that it is pointing to. In this case, you have your entire SD in a contiguous block of memory (see Figures 1 and 2). A Self-Relative SD is more difficult to edit and maintain because the space allotted might not be enough to add new ACEs or to set a new Owner. To do that, you can convert from one format into another using the Win32 functions MakeSelfRelativeSD() and MakeAbsoluteSD().
All Windows APIs will return the SD in a Self-Relative format. However, most functions that assign an SD to an object accept both formats. You cannot use functions like SetSecurityDescriptorOwner() if you have your SD in Self-Relative format.
-- M.C.
