-
October 16th, 2010, 11:26 PM
#1
NT security: need to give read access to an object for EVERYONE
I have a global event that signifies that my service is running. I need to give read access to this object for everyone. I used the following code to create the security descriptor (code w/o error handling):
Code:
#include <windows.h>
#include <aclapi.h>    // EXPLICIT_ACCESS / SetEntriesInAcl; link with advapi32.lib

PSID pSIDEveryone = NULL;
PSID pSIDAdmin = NULL;
PACL pACL = NULL;
PSECURITY_DESCRIPTOR pSD = NULL;
//Allocate the well-known SID for Everyone (S-1-1-0)
SID_IDENTIFIER_AUTHORITY SIDAuthWorld = SECURITY_WORLD_SID_AUTHORITY;
AllocateAndInitializeSid(&SIDAuthWorld, 1,
    SECURITY_WORLD_RID,
    0, 0, 0, 0, 0, 0, 0,
    &pSIDEveryone);
//Allocate the SID for the BUILTIN\Administrators group (S-1-5-32-544)
SID_IDENTIFIER_AUTHORITY SIDAuthNT = SECURITY_NT_AUTHORITY;
AllocateAndInitializeSid(&SIDAuthNT, 2,
    SECURITY_BUILTIN_DOMAIN_RID,
    DOMAIN_ALIAS_RID_ADMINS,
    0, 0, 0, 0, 0, 0,
    &pSIDAdmin);
//Two ACEs: Everyone gets read access, Administrators get full access
EXPLICIT_ACCESS ea[2] = {0};
//First Everyone. READ_CONTROL is what OpenEvent(READ_CONTROL, ...) below
//asks for; SYNCHRONIZE lets a caller wait on the event. (The original
//granted KEY_READ, a registry-key right whose key-specific bits mean
//nothing on an event; KEY_READ does contain READ_CONTROL, which is why
//the OpenEvent call was still satisfied.)
ea[0].grfAccessPermissions = READ_CONTROL | SYNCHRONIZE;
ea[0].grfAccessMode = SET_ACCESS;
ea[0].grfInheritance = NO_INHERITANCE;
ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
ea[0].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
ea[0].Trustee.ptstrName = (LPTSTR)pSIDEveryone;
//Then Administrators: GENERIC_ALL maps to EVENT_ALL_ACCESS on an event
ea[1].grfAccessPermissions = GENERIC_ALL;
ea[1].grfAccessMode = SET_ACCESS;
ea[1].grfInheritance = NO_INHERITANCE;
ea[1].Trustee.TrusteeForm = TRUSTEE_IS_SID;
ea[1].Trustee.TrusteeType = TRUSTEE_IS_GROUP;
ea[1].Trustee.ptstrName = (LPTSTR)pSIDAdmin;
//SetEntriesInAcl wants the number of entries (the original's SIZEOF(ea)
//is not a Win32 macro, and sizeof(ea) would pass the size in bytes)
SetEntriesInAcl(_countof(ea), ea, NULL, &pACL);
pSD = (PSECURITY_DESCRIPTOR)LocalAlloc(LPTR, SECURITY_DESCRIPTOR_MIN_LENGTH);
InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);
//Add the ACL to the security descriptor: DACL present, not defaulted.
//This absolute SD only points at pACL, so keep both alive (and LocalFree
//both) for as long as the SD is in use; pSIDEveryone and pSIDAdmin can be
//released with FreeSid() as soon as the ACL has been built.
SetSecurityDescriptorDacl(pSD, TRUE, pACL, FALSE);
and then I use this SD to create a global event:
Code:
#include <tchar.h>
//"Global\" puts the event in the global namespace, so a process in another
//session (the service lives in session 0) can open it by name
#define GLOBAL_EVENT_NAME _T("Global\\my_service_event_name")
SECURITY_ATTRIBUTES sa = {0};
sa.nLength = sizeof(sa);
sa.bInheritHandle = FALSE;
sa.lpSecurityDescriptor = pSD;   //the descriptor built above
//Keep this handle open for the lifetime of the service: a named kernel
//object disappears when its last handle is closed
HANDLE hServiceEvent = ::CreateEvent(&sa, FALSE, FALSE, GLOBAL_EVENT_NAME);
Then if I need to check if my service is running I do this:
Code:
BOOL bServiceIsOn = FALSE;
HANDLE hEvent = ::OpenEvent(READ_CONTROL, FALSE, GLOBAL_EVENT_NAME);
if(hEvent)
{
    //It's on
    bServiceIsOn = TRUE;
    CloseHandle(hEvent);
}
else
{
    //ERROR_FILE_NOT_FOUND: no such event, i.e. the service is not running;
    //ERROR_ACCESS_DENIED: the event exists but its DACL refuses this caller
    DWORD dwErr = GetLastError();
}
The last function (OpenEvent) seems to be working fine even from a built-in Guest account. The problem arises when I try to call it from my screen saver that is running when no user is logged on. The OpenEvent in the code above returns ERROR_ACCESS_DENIED. I'm not sure why.
-
October 17th, 2010, 04:44 AM
#2
Re: NT security: need to give read access to an object for EVERYONE
I spent a whole day so far trying to crack one more of these Windows conundrums...
So far I was able to establish that both my service and the screen saver are running with the integrity level of S-1-16-16384: Mandatory Label\System Mandatory Level, and the screen saver is running with the credentials of SID S-1-5-19: Local Service and the service with SID S-1-5-18: Local System.
Are there any privileges that the screensaver needs to be able to open an event object?
Any ideas why I can't open it???
-
October 17th, 2010, 09:40 AM
#3
Re: NT security: need to give read access to an object for EVERYONE
Have you tried using a NULL DACL for "no security"? (Third parameter to SetSecurityDescriptorDacl is NULL)
gg
-
October 17th, 2010, 01:18 PM
#4
Re: NT security: need to give read access to an object for EVERYONE
Originally Posted by Codeplug
Have you tried using a NULL DACL for "no security"? (Third parameter to SetSecurityDescriptorDacl is NULL)
Thanks for the advice. Although it's not good security practice to set a NULL DACL, I did try it and it didn't help.
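The block below is an added example, not code from the thread or from Windows. It models in portable C how the executive walks the DACL that post #1 builds (and the NULL DACL that post #3 suggests trying) for the callers the thread names: the service as LocalSystem (S-1-5-18), the screen saver as LocalService (S-1-5-19), and the built-in Guest account. The access-mask constants are the public winnt.h values and the event object type's generic mapping; the per-account group lists are assumptions (run `whoami /groups` in the real context to see the true membership). Implicit owner rights, privilege overrides and the integrity-label check are left out on purpose. What the model shows is that any token carrying Everyone (S-1-1-0) is granted READ_CONTROL by the first ACE, so the DACL as written does not by itself produce ERROR_ACCESS_DENIED for LocalService; the thread does not record what did.

```c
/* Added example (not code from the thread or from Windows): a portable
 * model of how the NT executive evaluates an event object's DACL against
 * a caller's token. Access-mask constants are the public winnt.h values;
 * the SIDs are the ones named in the thread; the per-account group lists
 * are ASSUMPTIONS (compare with `whoami /groups`). Left out on purpose:
 * implicit owner rights, privilege overrides, the integrity-label check. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard and generic rights (winnt.h). */
#define READ_CONTROL             0x00020000u
#define SYNCHRONIZE              0x00100000u
#define STANDARD_RIGHTS_READ     READ_CONTROL
#define STANDARD_RIGHTS_WRITE    READ_CONTROL
#define STANDARD_RIGHTS_EXECUTE  READ_CONTROL
#define STANDARD_RIGHTS_REQUIRED 0x000F0000u
#define GENERIC_READ             0x80000000u
#define GENERIC_WRITE            0x40000000u
#define GENERIC_EXECUTE          0x20000000u
#define GENERIC_ALL              0x10000000u
#define KEY_READ                 0x00020019u  /* the registry-key right the post granted */
/* Event-specific rights; EVENT_QUERY_STATE only appears in the kernel headers. */
#define EVENT_QUERY_STATE        0x00000001u
#define EVENT_MODIFY_STATE       0x00000002u
#define EVENT_ALL_ACCESS         (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x3u)

typedef struct { const char *sid; uint32_t mask; bool deny; } Ace;
/* present == false models a NULL DACL; present with count == 0 is an empty DACL. */
typedef struct { const Ace *aces; size_t count; bool present; } Dacl;
typedef struct { const char *const *sids; size_t count; } Token;

/* Resolve GENERIC_* bits through the event object type's generic mapping. */
uint32_t map_event_generic(uint32_t mask) {
    uint32_t out = mask & ~(GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL);
    if (mask & GENERIC_READ)    out |= STANDARD_RIGHTS_READ | EVENT_QUERY_STATE;
    if (mask & GENERIC_WRITE)   out |= STANDARD_RIGHTS_WRITE | EVENT_MODIFY_STATE;
    if (mask & GENERIC_EXECUTE) out |= STANDARD_RIGHTS_EXECUTE | SYNCHRONIZE;
    if (mask & GENERIC_ALL)     out |= EVENT_ALL_ACCESS;
    return out;
}

static bool token_has_sid(const Token *t, const char *sid) {
    for (size_t i = 0; i < t->count; i++)
        if (strcmp(t->sids[i], sid) == 0) return true;
    return false;
}

/* The DACL walk: ACEs are visited in order. A matching deny ACE that covers
 * any still-ungranted desired bit fails the check; matching allow ACEs
 * accumulate until nothing desired is left. */
bool access_check(const Dacl *dacl, const Token *tok, uint32_t desired) {
    if (!dacl->present) return true;           /* NULL DACL: no protection at all */
    uint32_t remaining = map_event_generic(desired);
    for (size_t i = 0; i < dacl->count && remaining != 0; i++) {
        const Ace *a = &dacl->aces[i];
        if (!token_has_sid(tok, a->sid)) continue;
        uint32_t m = map_event_generic(a->mask);
        if (a->deny) { if (m & remaining) return false; }
        else remaining &= ~m;
    }
    return remaining == 0;                     /* so an empty DACL denies everyone */
}

/* The DACL the post builds, in the order SetEntriesInAcl emits the two allow ACEs. */
static const Ace post_aces[] = {
    { "S-1-1-0",      KEY_READ | SYNCHRONIZE, false },  /* Everyone */
    { "S-1-5-32-544", GENERIC_ALL,            false },  /* BUILTIN\Administrators */
};
const Dacl post_dacl  = { post_aces, 2, true };
const Dacl null_dacl  = { NULL, 0, false };  /* what post #3 suggests trying */
const Dacl empty_dacl = { NULL, 0, true };   /* easy to build by mistake: nobody gets in */

/* ASSUMED group membership for the three callers named in the thread. */
static const char *const local_service_sids[] = { "S-1-5-19", "S-1-1-0", "S-1-5-6", "S-1-5-11" };
static const char *const local_system_sids[]  = { "S-1-5-18", "S-1-1-0", "S-1-5-32-544", "S-1-5-11" };
static const char *const guest_sids[]         = { "S-1-5-32-546", "S-1-1-0" };
const Token local_service = { local_service_sids, 4 };  /* the screen saver */
const Token local_system  = { local_system_sids, 4 };   /* the service */
const Token guest         = { guest_sids, 2 };          /* the built-in Guest account */

bool screensaver_read_control(void) { return access_check(&post_dacl, &local_service, READ_CONTROL); }
bool guest_read_control(void)       { return access_check(&post_dacl, &guest, READ_CONTROL); }
bool guest_modify_state(void)       { return access_check(&post_dacl, &guest, EVENT_MODIFY_STATE); }
bool service_all_access(void)       { return access_check(&post_dacl, &local_system, EVENT_ALL_ACCESS); }
bool null_dacl_guest_modify(void)   { return access_check(&null_dacl, &guest, EVENT_MODIFY_STATE); }
bool empty_dacl_read_control(void)  { return access_check(&empty_dacl, &local_service, READ_CONTROL); }

int main(void) {
    printf("screen saver (LocalService) OpenEvent(READ_CONTROL): %s\n", screensaver_read_control() ? "granted" : "denied");
    printf("Guest OpenEvent(READ_CONTROL):                       %s\n", guest_read_control() ? "granted" : "denied");
    printf("Guest SetEvent (EVENT_MODIFY_STATE):                 %s\n", guest_modify_state() ? "granted" : "denied");
    printf("NULL DACL, Guest SetEvent:                           %s\n", null_dacl_guest_modify() ? "granted" : "denied");
    printf("empty DACL, screen saver READ_CONTROL:               %s\n", empty_dacl_read_control() ? "granted" : "denied");
    return 0;
}
```

Build with `cc -Wall acl_model.c && ./a.out`. Two points worth noticing in the output: the Everyone ACE lets Guest open the event for READ_CONTROL but not signal it (EVENT_MODIFY_STATE is not in the mask), which is the least-privilege split the post is after, while a NULL DACL lets Guest signal it, which is why post #4 is right to be reluctant about that suggestion. The empty-DACL case is the opposite failure: an absolute SD whose DACL is present but has no ACEs refuses everyone, including the creator.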