  1. #1
    Join Date
    Feb 2009
    Location
    Portland, OR
    Posts
    1,488

    NT security: need to give read access to an object for EVERYONE

    I have a global event that signifies that my service is running. I need to give read access to this object for everyone. I used the following code to create the security descriptor (code w/o error handling):

    Code:
    #include <windows.h>
    #include <aclapi.h>   // EXPLICIT_ACCESS, SetEntriesInAcl
    #include <tchar.h>    // _T

    PSID pSIDEveryone;
    PSID pSIDAdmin;
    PACL pACL;
    PSECURITY_DESCRIPTOR pSD;

    //Allocate SID for everyone (S-1-1-0)
    SID_IDENTIFIER_AUTHORITY SIDAuthWorld = SECURITY_WORLD_SID_AUTHORITY;
    AllocateAndInitializeSid(&SIDAuthWorld, 1,
    	SECURITY_WORLD_RID,
    	0,
    	0, 0, 0, 0, 0, 0,
    	&pSIDEveryone);

    //Allocate SID for the BUILTIN\Administrators group (S-1-5-32-544)
    SID_IDENTIFIER_AUTHORITY SIDAuthNT = SECURITY_NT_AUTHORITY;
    AllocateAndInitializeSid(&SIDAuthNT, 2,
    	 SECURITY_BUILTIN_DOMAIN_RID,
    	 DOMAIN_ALIAS_RID_ADMINS,
    	 0, 0, 0, 0, 0, 0,
    	 &pSIDAdmin);

    //The ACEs will allow Everyone read access and all access to the admin
    EXPLICIT_ACCESS ea[2] = {0};

    //First Everyone. READ_CONTROL is the right the OpenEvent(READ_CONTROL) check
    //below asks for; the original line used KEY_READ, which is a registry access
    //mask and only happens to contain the READ_CONTROL bit.
    ea[0].grfAccessPermissions = READ_CONTROL | SYNCHRONIZE;
    ea[0].grfAccessMode = SET_ACCESS;
    ea[0].grfInheritance= NO_INHERITANCE;
    ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
    ea[0].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
    ea[0].Trustee.ptstrName  = (LPTSTR)pSIDEveryone;

    //Then admin
    ea[1].grfAccessPermissions = GENERIC_ALL;
    ea[1].grfAccessMode = SET_ACCESS;
    ea[1].grfInheritance= NO_INHERITANCE;
    ea[1].Trustee.TrusteeForm = TRUSTEE_IS_SID;
    ea[1].Trustee.TrusteeType = TRUSTEE_IS_GROUP;
    ea[1].Trustee.ptstrName  = (LPTSTR)pSIDAdmin;

    //SIZEOF() is not a Win32 macro; _countof() gives the element count
    SetEntriesInAcl(_countof(ea), ea, NULL, &pACL);

    pSD = (PSECURITY_DESCRIPTOR)LocalAlloc(LPTR, SECURITY_DESCRIPTOR_MIN_LENGTH);

    InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);

    //Add the ACL to the security descriptor
    SetSecurityDescriptorDacl(pSD, TRUE, pACL, FALSE);

    and then I use this SD to create a global event:

    Code:
    #define GLOBAL_EVENT_NAME _T("Global\\my_service_event_name")

    SECURITY_ATTRIBUTES sa;
    sa.nLength = sizeof(sa);
    sa.bInheritHandle = FALSE;
    sa.lpSecurityDescriptor = pSD;

    //Keep this handle open for the lifetime of the service: a named kernel
    //object is destroyed when its last handle is closed.
    HANDLE hServiceEvent = ::CreateEvent(&sa, FALSE, FALSE, GLOBAL_EVENT_NAME);

    //The SD is copied into the new object, so the buffers can be released now
    LocalFree(pACL);
    LocalFree(pSD);
    FreeSid(pSIDEveryone);
    FreeSid(pSIDAdmin);

    Then if I need to check if my service is running I do this:

    Code:
    HANDLE hEvent = ::OpenEvent(READ_CONTROL, FALSE, GLOBAL_EVENT_NAME);
    if(hEvent)
    {
    	//It's on
    	bServiceIsOn = TRUE;

    	CloseHandle(hEvent);
    }
    else
    {
    	//GetLastError() tells ERROR_FILE_NOT_FOUND (event not there, i.e. service
    	//not running) apart from ERROR_ACCESS_DENIED (the DACL refused the caller)
    	bServiceIsOn = FALSE;
    }

    The last function (OpenEvent) seems to be working fine even from a built-in Guest account. The problem arises when I try to call it from my screen saver that is running when no user is logged on. The OpenEvent in the code above returns ERROR_ACCESS_DENIED. I'm not sure why.

  2. #2
    Join Date
    Feb 2009
    Location
    Portland, OR
    Posts
    1,488

    Re: NT security: need to give read access to an object for EVERYONE

    I spent a whole day so far trying to crack one more of these Windows conundrums.....

    So far I was able to establish that both my service and the screen saver are running with the integrity level of S-1-16-16384: Mandatory Label\System Mandatory Level, and that the screen saver is running with the credentials of SID S-1-5-19: Local Service and the service with SID S-1-5-18: Local System.

    Are there any privileges that the screensaver needs to be able to open an event object?

    Any ideas why I can't open it???

  3. #3
    Join Date
    Nov 2003
    Posts
    1,902

    Re: NT security: need to give read access to an object for EVERYONE

    Have you tried using a NULL DACL for "no security"? (Third parameter to SetSecurityDescriptorDacl is NULL)

    gg

  4. #4
    Join Date
    Feb 2009
    Location
    Portland, OR
    Posts
    1,488

    Re: NT security: need to give read access to an object for EVERYONE

    Quote Originally Posted by Codeplug:
    Have you tried using a NULL DACL for "no security"? (Third parameter to SetSecurityDescriptorDacl is NULL)

    Thanks for the advice. Although it's not a good security practice to set a NULL DACL, I did try it and it didn't help.
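Added example for this thread (not the poster's or Codeplug's code): a small C model of how the DACL built in post #1 is evaluated against sample tokens, including the NULL DACL case suggested above. The access-mask values are the winnt.h definitions, the tokens are constructed, and the walk is a simplification of the Windows access check (owner rights, privileges and integrity labels are not modelled).

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Access-mask values as defined in winnt.h. */
#define READ_CONTROL       0x00020000u
#define SYNCHRONIZE        0x00100000u
#define EVENT_MODIFY_STATE 0x00000002u
#define EVENT_ALL_ACCESS   0x001F0003u  /* what GENERIC_ALL maps to on an event */
#define KEY_READ           0x00020019u  /* registry mask; it does contain READ_CONTROL */

enum ace_type { ACE_ALLOW, ACE_DENY };
typedef struct { enum ace_type type; const char *sid; uint32_t mask; } ace_t;

/* The DACL from post #1 in this thread, as the event object sees it. */
static const ace_t post_dacl[] = {
    { ACE_ALLOW, "S-1-1-0",      READ_CONTROL | SYNCHRONIZE },  /* Everyone */
    { ACE_ALLOW, "S-1-5-32-544", EVENT_ALL_ACCESS },            /* BUILTIN\Administrators */
};

/* Constructed sample tokens: the user SID plus the group SIDs each token carries. */
const char *guest_token[]     = { "S-1-5-32-546", "S-1-1-0" };  /* Guests + Everyone */
const char *local_svc_token[] = { "S-1-5-19", "S-1-1-0" };      /* Local Service + Everyone */
const char *admin_token[]     = { "S-1-5-32-544", "S-1-1-0" };  /* Administrators + Everyone */
const char *anon_token[]      = { "S-1-5-7" };                  /* Anonymous, no Everyone */

static bool token_holds(const char **tok, size_t ntok, const char *sid) {
    for (size_t i = 0; i < ntok; i++)
        if (strcmp(tok[i], sid) == 0) return true;
    return false;
}

/* Simplified DACL walk in the spirit of the Windows access check: ACEs are visited
 * in order, only ACEs whose trustee is in the token count, a deny ACE that covers
 * any requested right fails the request, allow ACEs accumulate granted rights, and
 * the walk stops once every requested right is granted. NULL DACL grants all. */
bool dacl_grants(const ace_t *dacl, size_t nace, const char **tok, size_t ntok, uint32_t desired) {
    if (dacl == NULL) return true;
    uint32_t remaining = desired;
    for (size_t i = 0; i < nace && remaining != 0; i++) {
        if (!token_holds(tok, ntok, dacl[i].sid)) continue;
        if (dacl[i].type == ACE_DENY) { if (dacl[i].mask & desired) return false; }
        else remaining &= ~dacl[i].mask;
    }
    return remaining == 0;   /* an empty DACL therefore grants nothing */
}

/* Would OpenEvent(READ_CONTROL, ...) from this token pass the post's DACL? */
bool can_read_control(const char **tok, size_t ntok) {
    return dacl_grants(post_dacl, sizeof post_dacl / sizeof post_dacl[0], tok, ntok, READ_CONTROL);
}
```

In this model Local Service is granted READ_CONTROL through its Everyone membership, so the DACL as written is not by itself what refuses the screen saver.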
