Security descriptors
Every protected object in Peios — file, registry key, IPC endpoint, service, token, process — has exactly one security descriptor. The descriptor says who owns the object, who can do what to it, and what should be audited about access. This page is the map for the four components and the topics that cover each one in depth.
Concept: The DACL and SACL are both Access Control Lists — ordered sequences of Access Control Entries. Each ACE has a type, a set of flags, a 32-bit access mask, and a SID. This page covers the ACL structure, the catalog of ACE types, the ACE flags that control inheritance and audit, and the layout of the access mask.
Concept: A DACL is evaluated by walking its ACEs in order and applying first-writer-wins. Each bit in the requested access mask is decided by the first ACE that mentions it. This page covers the walk, the canonical ACE ordering, the NULL-vs-empty DACL distinction, and what MAXIMUM_ALLOWED does to the algorithm.
Concept: Every security descriptor names an owner. The owner has implicit READ_CONTROL and WRITE_DAC rights regardless of what the DACL says — the "you cannot lock yourself out" guarantee. This page covers the implicit rights, how OWNER RIGHTS suppresses them, and the rules for changing ownership.
Concept: When a new object is created, its security descriptor is computed by combining the parent's inheritable ACEs with the creator's defaults. The result is stored on the child as a complete SD — the kernel never walks the parent at access-check time. This page covers the eager-evaluation model, the inheritance flags, CREATOR_OWNER/GROUP substitution, and the protected-ACL flag.
Concept: A conditional ACE is an ACE whose grant or deny is gated by an expression. The expression references token claims, resource attributes, and local context. Evaluation produces TRUE, FALSE, or UNKNOWN — the third value makes a missing attribute fail closed for both allows and denies. This page covers the model, the expression language, and the three-valued logic.
Concept: A resource attribute is a typed key-value attribute attached to an object via its SACL. Resource attributes do not grant or deny access by themselves — they exist so conditional ACEs can reference object properties as @Resource.<name>. This page covers what they are, how they are stored, and how they participate in access checks.
Concept: The SACL is the system-side half of a security descriptor. It carries audit ACEs, alarm ACEs, the mandatory integrity label, the PIP trust label, scoped policy references, and resource attributes. This page covers what the SACL holds, how each entry is consumed, and why modifying it requires SeSecurityPrivilege.
Reference: sd is the command-line tool for reading and changing the security descriptor on a file — its owner, its access rules, its audit rules, its integrity label, and its inheritance.