PDA

Click to See Complete Forum and Search --> : NetShareGetInfo returns invalid SD??

C.Schlue
May 15th, 2008, 04:51 AM
Hi all,

i want to set accessrights for a shared folder.

What I try to do is:


SHARE_INFO_502* pBuff = NULL;
long nRes = NetShareGetInfo( NULL, _T("public"), 502, (BYTE**)&pBuff );

BOOL bPresent=0;
BOOL bDefault=0;
PACL acl = NULL;
if (!GetSecurityDescriptorDacl(pBuff->shi502_security_descriptor,
&bPresent, // bDaclPresent flag
&acl,
&bDefault)) // not a default DACL
{
printf("GetSecurityDescriptorDacl Error %u\n",
GetLastError());
}



The call to GetSecurityDescriptorDacl blocks seemingliy forever. When I try to call SetSecurityDescriptorDacl it retuns 'The Security Descriptor is invalid'...

Any Ideas??

Regards,
Christoph
ahoodin
May 15th, 2008, 07:18 AM
Well you have a NULL pointer. You try to use the pointer before
if (!GetSecurityDescriptorDacl(pBuff->shi502_security_descriptor,
you initialize it to a valid memory address. That could be the problem.
Tis an Access violation 0xC0000006 waiting to happen.

HTH,
C.Schlue
May 15th, 2008, 08:15 AM
Hi ahoodin, zhanks for the reply but this is not a null pointer issue.

I have benn fiddling around a little and got the following result:
I can get the ACL using GetSecurityDescriptorDacl. Great. But when I try to set exactly the same ACL I receive an error 1338 : "The security descriptor structure is invalid."

This is my code:


SHARE_INFO_502* pBuff = NULL;
long nRes = NetShareGetInfo( NULL, _T("public"), 502, (BYTE**)&pBuff );

BOOL bPresent=0;
BOOL bDefault=0;
PACL acl = NULL;
if (!GetSecurityDescriptorDacl(pBuff->shi502_security_descriptor,
&bPresent, // bDaclPresent flag
&acl,
&bDefault)) // not a default DACL
{
printf("GetSecurityDescriptorDacl Error %u\n",
GetLastError());
goto Cleanup;
}

// Add the ACL to the security descriptor.
if (!SetSecurityDescriptorDacl(pBuff->shi502_security_descriptor,
TRUE, // bDaclPresent flag
acl,
FALSE)) // not a default DACL
{
printf("SetSecurityDescriptorDacl Error %u\n",
GetLastError());
goto Cleanup;
}


I would think the acl returned previously from GetSecurityDescriptorDacl should be valid. So Wy does SetSecurityDescriptorDacl tell me its not?? What am I getting wrong here??

regards,
Chris
ahoodin
May 15th, 2008, 08:28 AM
I think its talking about this security descriptor being invalid:
if (!GetSecurityDescriptorDacl(pBuff->shi502_security_descriptor

Alot of times error messages are sort of anomolouse, especially MS error messages :rolleyes: .
pBuff->shi502_security_descriptor

Its obvious that the GetSecurityDescriptorDacl() function is supposed to fill your pAcl, but not your pBuff.
C.Schlue
May 15th, 2008, 08:34 AM
Yeah- I also just sensed that the error issues a problem with the security descriptor and not with the acl.

However- basically my question remains the same: Why is the security descriptor valid for getting an ACL but invalid for setting the ACL??

My programm is running under the local Administrator account. So this should not be an security issue right? Would it be useful for anyone to if I put a sample together an upload it here?

EDIT:
Ahoodin, the buffer is completely 'filled' by the NetShareGetInfo function
ahoodin
May 15th, 2008, 08:43 AM
probably 1st call:
NET_API_STATUS NetShareGetInfo(
LPWSTR servername,
LPWSTR netname,
DWORD level,
LPBYTE *bufptr
);


to fill pBuff.

Ok I am seeing this now.


IT does call that first.
ahoodin
May 15th, 2008, 08:57 AM
Have you stepped through the code with the debugger to look at the return values on NetShareGetInfo() etc?
C.Schlue
May 15th, 2008, 09:05 AM
Shure. Everythig looks fine exept the call to SetSecurityDescriptorDacl.

=> NetShareGetInfo succeeds. And returns a security descriptor.

=> I can use the security descriptor to get the associated ACL

=> I cannot use this security descriptor to set the ACL ( error 1338 = invalid security descriptor)
ahoodin
May 15th, 2008, 09:09 AM
Hmmmm look at what I found:
Link to 1338 error at CG (http://www.codeguru.com/forum/printthread.php?t=149764)
ahoodin
May 15th, 2008, 09:46 AM
Says you got to put the security descriptor passed to SetSecurityDescriptorDacl in Absolute format with MakeAbsoluteSD().
C.Schlue
May 15th, 2008, 10:25 AM
Oh dear. Sometimes I'm just to blind. I saw this Absolute SD thing in the MSDN docs for SetACL but immediatly forgot about it again. Just didnt belive that would be the problem here.

Yeah- well this absolutely does the trick. Now it works perfectly. For anyone also having this problem here is my working code. For testing purposes I do simply set a NULL DACL for my share:



SHARE_INFO_502* pBuff = NULL;
long nRes = NetShareGetInfo( NULL, _T("public"), 502, (BYTE**)&pBuff );

BOOL bPresent=0;
BOOL bDefault=0;
PACL acl = NULL;
if (!GetSecurityDescriptorDacl(pBuff->shi502_security_descriptor,
&bPresent, // bDaclPresent flag
&acl,
&bDefault)) // not a default DACL
{
printf("GetSecurityDescriptorDacl Error %u\n",
GetLastError());
goto Cleanup;
}

DWORD dwAbsoluteSDSize = 0;
DWORD dwAbsoluteDACLSize= 0;
DWORD dwAbsoluteSACLSize= 0;
DWORD dwAbsoluteOwnerSize= 0;
DWORD dwAbsoluteGroupSize= 0;
SECURITY_DESCRIPTOR* pAbsoluteSD = NULL;
PACL pAbsoluteDACL= NULL;
PACL pAbsoluteSACL= NULL;
PSID pAbsoluteOwner=NULL;
PSID pAbsoluteGroup=NULL;
MakeAbsoluteSD( pBuff->shi502_security_descriptor,
NULL, &dwAbsoluteSDSize,
NULL, &dwAbsoluteDACLSize,
NULL, &dwAbsoluteSACLSize,
NULL, &dwAbsoluteOwnerSize,
NULL, &dwAbsoluteGroupSize);
if(GetLastError()!=STATUS_BUFFER_TOO_SMALL)
{
printf("MakeAbsoluteSD (1) Error %u\n",
GetLastError());
goto Cleanup;
}


pAbsoluteSD = (SECURITY_DESCRIPTOR*) new BYTE[ dwAbsoluteSDSize ];
pAbsoluteDACL = (PACL) new BYTE[ dwAbsoluteDACLSize];
pAbsoluteSACL = (PACL) new BYTE[ dwAbsoluteSACLSize ];
pAbsoluteOwner = (PSID) new BYTE[ dwAbsoluteOwnerSize ];
pAbsoluteGroup = (PSID) new BYTE[ dwAbsoluteGroupSize ];


if( ! MakeAbsoluteSD(
pBuff->shi502_security_descriptor,
pAbsoluteSD, &dwAbsoluteSDSize,
pAbsoluteDACL, &dwAbsoluteDACLSize,
pAbsoluteSACL, &dwAbsoluteSACLSize,
pAbsoluteOwner, &dwAbsoluteOwnerSize,
pAbsoluteGroup, &dwAbsoluteGroupSize) )
{
printf("MakeAbsoluteSD (2) Error %u\n",
GetLastError());
goto Cleanup;
}

// Add the ACL to the security descriptor.
if (!SetSecurityDescriptorDacl(pAbsoluteSD,
FALSE, // bDaclPresent flag
NULL,
FALSE)) // not a default DACL
{
printf("SetSecurityDescriptorDacl Error %u\n",
GetLastError());
goto Cleanup;
}

pBuff->shi502_security_descriptor = pAbsoluteSD;

DWORD parmError = 0;
nRes = NetShareSetInfo( NULL, _T("public"), 502, (BYTE*)pBuff, &parmError );
if( nRes!=0 )
{
printf("NetShareSetInfo Error %u\n",
GetLastError());
goto Cleanup;
}


Thanks ahoodin for helping me focusing on the problem :thumb:

Regards,
Chris