When a thread attempts to use a securable object, the system performs an access check before allowing the thread to proceed. In an access check, the system compares the security information in the thread's access token against the security information in the object's security descriptor.
- The access token contains security identifiers (SIDs) that identify the user associated with the thread.
- The security descriptor identifies the object's owner and contains a discretionary access control list (DACL). The DACL contains access control entries (ACEs), each of which specify the access rights allowed or denied to a specific user or group.
(当线程试图使用安全对象时,系统在线程执行进一步操作前执行访问检查的操作。在访问检查中,系统将线程访问权限中访问令牌的安全信息与安全对象的安全描述符进行比较。
- 访问令牌中包含安全标识符SID,标识线程相对应的用户
- 安全描述符用于识别对象的所有者,包含一个自主访问控制列表DACL。DACL包含ACE,每一项指定了允许或者拒绝访问的特定用户或者组)
The system checks the object's DACL, looking for ACEs that apply to the user and group SIDs from the thread's access token. The system checks each ACE until access is either granted or denied or until there are no more ACEs to check. Conceivably, an access control list (ACL) could have several ACEs that apply to the token's SIDs. And, if this occurs, the access rights granted by each ACE accumulate. For example, if one ACE grants read access to a group and another ACE grants write access to a user who is a member of the group, the user can have both read and write access to the object.
(系统检查对象的DACL,寻找与线程访问令牌中的用户和组SID相对应的ACE。系统检查每一项ACE直至本次访问被允许或者被拒绝或者没有更多的ACE可以去检查。可以想象,ACL可以拥有多个与访问令牌SID向适应的ACE。如果发生这样的情况,访问权限将是这些ACE的相加。例如,如果ACL中的一项ACE赋予一个组读的权限,另一项ACE则赋予这个组中一个成员写的权限,那么这个用户对这个对象拥有读和写的权限)
The following illustration shows the relationship between these blocks of security information:
