In the last couple of days I've debugged several ACL issues. That these questions come up internally suggests that our security model is fairly complex. In one scenario, the DACL was not as expected when importing a machine certificate via the MMC snap-in. The newly created file possessed a DACL with an ACE that had a SID of the form S-1-5-5-0-xyz, where xyz changed each logon cycle.
That SID is a logon SID, and it changes with every logon session: each time you log on, your token carries a new, randomly generated logon SID. It is typically used for securing ephemeral objects (the desktop, your process objects, etc.). Log off and log back on and your token will hold a different logon SID. The implication is that objects which persist should not be ACLed with the logon SID: if a file is ACLed for the logon SID, access will not be granted after a logoff / logon, because the file's creator no longer has the same logon SID.
Why, then, is this SID in an ACE on a file, which is persisted? How did it get there? The management console wasn't responsible for this.
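As an added illustration (not code from the original post), here is a small Python check that parses the DACL portion of an SDDL string and flags any ACE naming a logon SID, which is exactly the kind of ACE that should never sit on a persisted object. The SDDL grammar subset, the alias table and the sample descriptor are assumptions made for this example; the sample grants the logon SID GR|GX (mask 0xa0000000) next to Administrators and SYSTEM, mirroring the symptom described above.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# A logon SID has the form S-1-5-5-X-Y: NT authority (5), SECURITY_LOGON_IDS_RID (5),
# then the two halves of the logon session LUID. X-Y differ for every logon session.
LOGON_SID_RE = re.compile(r"^S-1-5-5-\d+-\d+$")

# SDDL two-letter account aliases used by the sample below (well-known SIDs; not exhaustive).
SID_ALIASES = {
    "BA": "S-1-5-32-544",  # BUILTIN\Administrators
    "BU": "S-1-5-32-545",  # BUILTIN\Users
    "SY": "S-1-5-18",      # NT AUTHORITY\SYSTEM
    "WD": "S-1-1-0",       # Everyone
}

# Assumption: plain "(type;flags;rights;objguid;inhguid;sid)" ACEs only; conditional ACEs,
# which nest parentheses, are out of scope for this minimal parser.
DACL_RE = re.compile(r"D:(?P<ctl>[A-Z]*)(?P<aces>(?:\([^()]*\))*)")
ACE_RE = re.compile(r"\(([^()]*)\)")


@dataclass(frozen=True)
class Ace:
    ace_type: str   # "A" allow, "D" deny, ...
    flags: str      # e.g. "OICI" inheritable, "ID" inherited
    rights: str     # e.g. "FA", "GRGX" or a hex mask
    sid: str        # always expanded to S-1-... form


def is_logon_sid(sid: str) -> bool:
    return LOGON_SID_RE.match(sid) is not None


def parse_dacl(sddl: str) -> list[Ace]:
    """Return the ACEs of the D: component of an SDDL string."""
    m = DACL_RE.search(sddl)
    if m is None:
        raise ValueError("no D: component in SDDL string")
    aces = []
    for body in ACE_RE.findall(m.group("aces")):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, flags, rights, _obj_guid, _inh_guid, sid = fields
        aces.append(Ace(ace_type, flags, rights, SID_ALIASES.get(sid, sid)))
    return aces


def dacl_is_protected(sddl: str) -> bool:
    """True when the DACL carries the P control flag (no ACEs flow in from the parent)."""
    m = DACL_RE.search(sddl)
    return m is not None and "P" in m.group("ctl")


def find_logon_sid_aces(sddl: str) -> list[Ace]:
    """ACEs that name a logon SID; on a persistent object their grant lapses at the next logon."""
    return [ace for ace in parse_dacl(sddl) if is_logon_sid(ace.sid)]


# Constructed sample: a persisted file whose DACL ended up with a logon SID ACE.
SAMPLE_FILE_SD = "O:BAG:SYD:(A;;GA;;;BA)(A;;GA;;;SY)(A;;GRGX;;;S-1-5-5-0-139447)"

if __name__ == "__main__":
    for ace in find_logon_sid_aces(SAMPLE_FILE_SD):
        print(f"ephemeral ACE: {ace.sid} granted {ace.rights}; access lapses after the next logon")
```

Run against the output of a tool that emits SDDL for a file (for example the Sddl property of Get-Acl), the check turns the "why did this file stop being readable after I logged back on" question into a one-line finding.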
Objects (files, processes, tokens, registry keys, etc.) are secured at creation. The mechanism for determining the security descriptor for a new object is as follows:
1. Did the caller provide an explicit security descriptor? If so, use it (in most circumstances; a few caveats exist surrounding the owner ACE and integrity labels).
2. Are there inheritable ACEs that should be applied to this object? This question really only makes sense for objects that live in a hierarchy like files and registry keys. Unnamed objects don't typically inherit.
3. If steps 1 and 2 have produced an empty DACL, use the default mechanism: pull the DACL out of the caller's token. Token objects have a DACL stored in them (accessible via GetTokenInformation with the TokenDefaultDacl information class) which is used for providing default security on objects. The DACL that is put on calc.exe typically comes from the default DACL in the parent process's token. So, if you launch calc.exe from a cmd window, the cmd process token supplies the security for the new calc.exe process.
To tie this back to the original scenario, note that the token default DACL contains the logon SID. This suggested to me that the certificate file was receiving security from the mmc process token. I checked the security descriptor of the directory where the file was created. As expected, the directory was marked protected (meaning that no ACEs could flow to it from its own parent), and there were no inheritable ACEs. So, any file created in that directory would not receive any ACEs from the parent folder. If the creator of the file didn't specify an SD, then the DACL would have to come from the caller's token.
I confirmed this by typing "echo foo > foo.txt" in a cmd window in that directory. foo.txt had a logon SID in its DACL. The fix was to correct the DACL on the folder.
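The three-step decision above, replayed on the scenario as an added example (written for this page, not taken from it): a caller creates a file without an explicit SD in a directory that has no inheritable ACEs, so the DACL falls back to the token default DACL and drags the logon SID along; the same call in a directory with OI/CI ACEs inherits instead. The classes, the masks and the "fixed" directory's inheritable ACEs are assumptions for the illustration; the sample token default DACL is shaped like the three-ACE DACL dumped from the explorer.exe token below (Administrators GA, SYSTEM GA, logon SID GR|GX).

```python
from __future__ import annotations
import re
from dataclasses import dataclass, replace

LOGON_SID_RE = re.compile(r"^S-1-5-5-\d+-\d+$")


def is_logon_sid(sid: str) -> bool:
    return LOGON_SID_RE.match(sid) is not None


@dataclass(frozen=True)
class Ace:
    sid: str
    mask: int                              # access mask, e.g. 0x10000000 GENERIC_ALL
    flags: frozenset = frozenset()         # subset of {"OI", "CI", "IO", "ID"}


@dataclass
class Directory:
    dacl: list
    protected: bool = False   # SE_DACL_PROTECTED: the directory takes nothing from ITS parent


@dataclass
class Token:
    default_dacl: list        # what GetTokenInformation(TokenDefaultDacl) would return


def inheritable_to_file(parent: Directory) -> list:
    """ACEs that flow from a directory onto a new file in it: those with OBJECT_INHERIT.
    The directory's own protected bit is irrelevant here; it only governs what the
    directory receives from its parent, not what it hands down."""
    return [replace(ace, flags=frozenset({"ID"})) for ace in parent.dacl if "OI" in ace.flags]


def resolve_new_file_dacl(explicit_dacl, parent: Directory, token: Token):
    """Model of the creation-time rule: explicit SD, else inherited ACEs, else token default."""
    # Step 1: the caller passed a security descriptor: use it.
    if explicit_dacl is not None:
        return list(explicit_dacl), "explicit"
    # Step 2: inheritable ACEs from the parent directory.
    inherited = inheritable_to_file(parent)
    if inherited:
        return inherited, "inherited"
    # Step 3: nothing produced a DACL, so the token's default DACL is applied.
    return list(token.default_dacl), "token-default"


def ephemeral_sids(dacl) -> list:
    """Logon SIDs found in a DACL; on a persistent object these are the bug."""
    return [ace.sid for ace in dacl if is_logon_sid(ace.sid)]


# Constructed token default DACL: Administrators GA, SYSTEM GA, logon SID GR|GX.
MMC_TOKEN = Token(default_dacl=[
    Ace("S-1-5-32-544", 0x10000000),
    Ace("S-1-5-18", 0x10000000),
    Ace("S-1-5-5-0-139447", 0xA0000000),
])

FILE_ALL_ACCESS = 0x1F01FF

# The directory as found: protected and carrying only non-inheritable ACEs.
BROKEN_DIR = Directory(
    dacl=[Ace("S-1-5-32-544", FILE_ALL_ACCESS), Ace("S-1-5-18", FILE_ALL_ACCESS)],
    protected=True,
)

# One plausible fix (an assumption): the same principals with OI|CI, so new files inherit.
FIXED_DIR = Directory(
    dacl=[Ace("S-1-5-32-544", FILE_ALL_ACCESS, frozenset({"OI", "CI"})),
          Ace("S-1-5-18", FILE_ALL_ACCESS, frozenset({"OI", "CI"}))],
    protected=True,
)


def main():
    # Mirrors "echo foo > foo.txt": no explicit SD, so steps 2 and 3 decide.
    for name, directory in (("broken", BROKEN_DIR), ("fixed", FIXED_DIR)):
        dacl, source = resolve_new_file_dacl(None, directory, MMC_TOKEN)
        print(f"{name}: DACL from {source}; logon SIDs: {ephemeral_sids(dacl) or 'none'}")


if __name__ == "__main__":
    main()
```

The model deliberately keeps the protected bit on the directory in both cases: it was a red herring for the file, because inheritance onto children is decided by the directory's own OI/CI ACEs, not by what the directory inherits.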
Here's what is happening in the kernel debugger (looking at the explorer.exe token):
2: kd> !token fffff8a001fa3970
_TOKEN fffff8a001fa3970
TS Session ID: 0x1
User: S-1-5-21-1351730727-423322435-1524058515-500
Groups:
 00 S-1-5-21-1351730727-423322435-1524058515-513
    Attributes - Mandatory Default Enabled
 01 S-1-1-0
    Attributes - Mandatory Default Enabled
 02 S-1-5-32-544
    Attributes - Mandatory Default Enabled Owner
 03 S-1-5-32-545
    Attributes - Mandatory Default Enabled
 04 S-1-5-4
    Attributes - Mandatory Default Enabled
 05 S-1-2-1
    Attributes - Mandatory Default Enabled
 06 S-1-5-11
    Attributes - Mandatory Default Enabled
 07 S-1-5-15
    Attributes - Mandatory Default Enabled
 08 S-1-5-5-0-139447
    Attributes - Mandatory Default Enabled LogonId
 09 S-1-2-0
    Attributes - Mandatory Default Enabled
 10 S-1-5-64-10
    Attributes - Mandatory Default Enabled
 11 S-1-16-12288
    Attributes - GroupIntegrity GroupIntegrityEnabled
Primary Group: S-1-5-21-1351730727-423322435-1524058515-513
Privs:
 05 0x000000005 SeIncreaseQuotaPrivilege          Attributes -
 08 0x000000008 SeSecurityPrivilege               Attributes -
 09 0x000000009 SeTakeOwnershipPrivilege          Attributes -
 10 0x00000000a SeLoadDriverPrivilege             Attributes -
 11 0x00000000b SeSystemProfilePrivilege          Attributes -
 12 0x00000000c SeSystemtimePrivilege             Attributes -
 13 0x00000000d SeProfileSingleProcessPrivilege   Attributes -
 14 0x00000000e SeIncreaseBasePriorityPrivilege   Attributes -
 15 0x00000000f SeCreatePagefilePrivilege         Attributes -
 17 0x000000011 SeBackupPrivilege                 Attributes -
 18 0x000000012 SeRestorePrivilege                Attributes -
 19 0x000000013 SeShutdownPrivilege               Attributes -
 20 0x000000014 SeDebugPrivilege                  Attributes -
 22 0x000000016 SeSystemEnvironmentPrivilege      Attributes -
 23 0x000000017 SeChangeNotifyPrivilege           Attributes - Enabled Default
 24 0x000000018 SeRemoteShutdownPrivilege         Attributes -
 25 0x000000019 SeUndockPrivilege                 Attributes -
 28 0x00000001c SeManageVolumePrivilege           Attributes -
 29 0x00000001d SeImpersonatePrivilege            Attributes - Enabled Default
 30 0x00000001e SeCreateGlobalPrivilege           Attributes - Enabled Default
 33 0x000000021 SeIncreaseWorkingSetPrivilege     Attributes -
 34 0x000000022 SeTimeZonePrivilege               Attributes -
 35 0x000000023 SeCreateSymbolicLinkPrivilege     Attributes -
Authentication ID: (0,220ec)
Impersonation Level: Anonymous
TokenType: Primary
Source: User32           TokenFlags: 0x2000 ( Token in use )
Token ID: 23b8a          ParentToken ID: 0
Modified ID: (0, 13c3894)
RestrictedSidCount: 0    RestrictedSids: 0000000000000000
OriginatingLogonSession: 3e7
2: kd> dt nt!TOKEN fffff8a001fa3970 DefaultDacl
   +0x0b0 DefaultDacl : 0xfffff8a0`01cc9adc _ACL
2: kd> !acl 0xfffff8a0`01cc9adc
ACL is:
ACL is: ->AclRevision: 0x2
ACL is: ->Sbz1 : 0x0
ACL is: ->AclSize : 0x50
ACL is: ->AceCount : 0x3
ACL is: ->Sbz2 : 0x0
ACL is: ->Ace[0]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
ACL is: ->Ace[0]: ->AceFlags: 0x0
ACL is: ->Ace[0]: ->AceSize: 0x18
ACL is: ->Ace[0]: ->Mask : 0x10000000
ACL is: ->Ace[0]: ->SID: S-1-5-32-544
ACL is: ->Ace[1]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
ACL is: ->Ace[1]: ->AceFlags: 0x0
ACL is: ->Ace[1]: ->AceSize: 0x14
ACL is: ->Ace[1]: ->Mask : 0x10000000
ACL is: ->Ace[1]: ->SID: S-1-5-18
ACL is: ->Ace[2]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
ACL is: ->Ace[2]: ->AceFlags: 0x0
ACL is: ->Ace[2]: ->AceSize: 0x1c
ACL is: ->Ace[2]: ->Mask : 0xa0000000
ACL is: ->Ace[2]: ->SID: S-1-5-5-0-139447