NT security: need to give read access to an object for EVERYONE
CodeGuru Home VC++ / MFC / C++ .NET / C# Visual Basic VB Forums Developer.com
Results 1 to 4 of 4

Thread: NT security: need to give read access to an object for EVERYONE

  1. #1
    Join Date
    Feb 2009
    Location
    Portland, OR
    Posts
    1,488

    NT security: need to give read access to an object for EVERYONE

    I have a global event that signifies that my service is running. I need to give read access to this object for everyone. I used the following code to create the security descriptor (code w/o error handling):

    Code:
    PSID pSIDEveryone;
    PSID pSIDAdmin;
    PACL pACL;
    PSECURITY_DESCRIPTOR pSD;
    
    
    //Allocate SID for everyone
    SID_IDENTIFIER_AUTHORITY SIDAuthWorld = SECURITY_WORLD_SID_AUTHORITY;
    AllocateAndInitializeSid(&SIDAuthWorld, 1,
    	SECURITY_WORLD_RID,
    	0,
    	0, 0, 0, 0, 0, 0,
    	&pSIDEveryone);
    
    //Allocate SID for the BUILTIN\Administrators group.
    SID_IDENTIFIER_AUTHORITY SIDAuthNT = SECURITY_NT_AUTHORITY;
    AllocateAndInitializeSid(&SIDAuthNT, 2,
    	 SECURITY_BUILTIN_DOMAIN_RID,
    	 DOMAIN_ALIAS_RID_ADMINS,
    	 0, 0, 0, 0, 0, 0,
    	 &pSIDAdmin);
    
    //The ACE will allow Everyone read access and all access to the admin
    EXPLICIT_ACCESS ea[2] = {0};
    
    //First Everyone
    ea[0].grfAccessPermissions = KEY_READ | SYNCHRONIZE;
    ea[0].grfAccessMode = SET_ACCESS;
    ea[0].grfInheritance= NO_INHERITANCE;
    ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
    ea[0].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
    ea[0].Trustee.ptstrName  = (LPTSTR)pSIDEveryone;
    
    //Then admin
    ea[1].grfAccessPermissions = GENERIC_ALL;
    ea[1].grfAccessMode = SET_ACCESS;
    ea[1].grfInheritance= NO_INHERITANCE;
    ea[1].Trustee.TrusteeForm = TRUSTEE_IS_SID;
    ea[1].Trustee.TrusteeType = TRUSTEE_IS_GROUP;
    ea[1].Trustee.ptstrName  = (LPTSTR)pSIDAdmin;
    
    SetEntriesInAcl(SIZEOF(ea), ea, NULL, &pACL);
    
    pSD = (PSECURITY_DESCRIPTOR)LocalAlloc(LPTR, SECURITY_DESCRIPTOR_MIN_LENGTH); 
    
    InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);
    
    //Add the ACL to the security descriptor
    SetSecurityDescriptorDacl(pSD, TRUE, pACL, FALSE);
    and then I use this SD to create a global event:
    Code:
    #define GLOBAL_EVENT_NAME _T("Global\\my_service_event_name")
    
    SECURITY_ATTRIBUTES sa;
    sa.nLength = sizeof(sa);
    sa.bInheritHandle = FALSE;
    sa.lpSecurityDescriptor = pSD;
    
    ::CreateEvent(&sa, FALSE, FALSE, GLOBAL_EVENT_NAME);
    Then if I need to check if my service is running I do this:
    Code:
    HANDLE hEvent = ::OpenEvent(READ_CONTROL, FALSE, GLOBAL_EVENT_NAME);
    if(hEvent)
    {
    	//It's on
    	bServiceIsOn = TRUE;
    
    	CloseHandle(hEvent);
    }
    The last function (OpenEvent) seems to be working fine even from a built in Guest account. The problem arises when I try to call it from my screen saver that is running when no user is logged on. The OpenEvent in the code above returns ERROR_ACCESS_DENIED. I'm not sure why?

  2. #2
    Join Date
    Feb 2009
    Location
    Portland, OR
    Posts
    1,488

    Re: NT security: need to give read access to an object for EVERYONE

    I spent a whole day so far trying to crack one more of these Windows conundrums.....

    So far I was able to establish that both my service and the screen saver are running with the integrity level or S-1-16-16384: Mandatory Label\System Mandatory Level and the screen saver is running with the credentials of SID: S-1-5-19: Local Service and the service: SID: S-1-5-18: Local System.

    Are there any privileges that the screensaver needs to be able to open an event object?

    Any ideas why I can't open it???

  3. #3
    Join Date
    Nov 2003
    Posts
    1,793

    Re: NT security: need to give read access to an object for EVERYONE

    Have you tried using a NULL DACL for "no security"? (Third parameter to SetSecurityDescriptorDacl is NULL)

    gg

  4. #4
    Join Date
    Feb 2009
    Location
    Portland, OR
    Posts
    1,488

    Re: NT security: need to give read access to an object for EVERYONE

    Quote Originally Posted by Codeplug View Post
    Have you tried using a NULL DACL for "no security"? (Third parameter to SetSecurityDescriptorDacl is NULL)
    Thanks for advice. Although it's not a good security practice to set a NULL DACL, but I did try it and it didn't help.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  


Azure Activities Information Page

Windows Mobile Development Center


Click Here to Expand Forum to Full Width

This is a CodeGuru survey question.


Featured


HTML5 Development Center