From: anton bassov on 13 Nov 2006 17:26

Don,

> Actually, a simpler way is to use IoCreateDeviceSecure with a SDDL string
> that allows general users access.

In this particular situation, such approach is more reasonable - I admit. However, I think the OP may need to modify access to various kernel objects on more than one occasion in his future career, so it would be a good idea for him to learn how to do it. In fact, I just wonder how he managed to write a driver, in the first place - he seems to be struggling with the basic NT concepts.....

Anton Bassov

Don Burn wrote:
> Actually, a simpler way is to use IoCreateDeviceSecure with a SDDL string
> that allows general users access.
>
> --
> Don Burn (MVP, Windows DDK)
> Windows 2k/XP/2k3 Filesystem and Driver Consulting
> http://www.windrvr.com
> Remove StopSpam from the email to reply
>
> "anton bassov" <soviet_bloke(a)hotmail.com> wrote in message
> news:1163454664.839974.119450(a)f16g2000cwb.googlegroups.com...
> >> Do i must modify user rights or driver rights ????
> >
> > In actuality, none of the above....
> >
> > You have to modify not user rights and DEFINITELY not driver rights,
> > but access permission to your target device (i.e. its ACL) Check MSDN,
> > namely, GetSecurityInfo()/SetSecurityInfo(), plus SetEntriesInAcl(),
> > for more info
> >
> > Anton Bassov
> >
> > SteM wrote:
> >> Thanks Anton,
> >> my guess was that, at least, open, close and DeviceIoControl was allowed
> >> ....
> >> How can i solve ?
> >> Do i must modify user rights or driver rights ????
> >>
> >> Thanks
> >> --
> >> SteM
> >>
> >> "anton bassov" <soviet_bloke(a)hotmail.com> wrote in message
> >> news:1163436308.076405.201750(a)h54g2000cwb.googlegroups.com...
> >> > Hi mate
> >> >
> >> > This is just absolutely normal default behaviour - limited users have
> >> > no access to devices by default. If you want non-privileged users to
> >> > gain access to it, you have to EXPLICITLY allow the above (it is
> >> > understandable that it can be done only from the Admin account)
> >> >
> >> > Anton Bassov
> >> >
> >> > SteM wrote:
> >> > > Hello,
> >> > > I've written a small wdm driver for Win2000 to access an old custom
> >> > > hw on parallel port.
> >> > > The accesses are via a couple of DeviceIoControl() custom commands.
> >> > > It works fine, does exactly what i intended; however, it only works
> >> > > if I am logged in as Administrator (or equivalent).
> >> > > If I log in as a regular user (Power User) the call to CreateFile
> >> > > fails with ACCESS_DENIED.
> >> > >
> >> > > // Open driver
> >> > > rv = CreateFile (
> >> > >     ifDetail->DevicePath,
> >> > >     0,                          // Desired access
> >> > >     0,                          // Share mode
> >> > >     NULL,                       // Security attrb
> >> > >     CREATE_NEW,                 // How to create
> >> > >     FILE_FLAG_DELETE_ON_CLOSE,  // File attribute
> >> > >     NULL                        // Template file
> >> > > );
> >> > >
> >> > > if (rv==INVALID_HANDLE_VALUE)
> >> > > {
> >> > > ......
> >> > >
> >> > > Thanks in advance for any pointers...
> >> > > --
> >> > > SteM

From: sunk_bansal on 14 Nov 2006 03:44

Hi,

About granting ACL on device through GetSecurityInfo()/SetSecurityInfo(), plus SetEntriesInAcl(), I want to know as to when to grant these permissions?

Will Administrator log in and then execute the code with these API's to grant permissions for power users on the device driver and then do a relogon with power user or there is some other place where the permissions can be granted?

Regards,
Sunil

anton bassov wrote:
> Don,
>
> > Actually, a simpler way is to use IoCreateDeviceSecure with a SDDL string
> > that allows general users access.
>
> In this particular situation, such approach is more reasonable - I
> admit. However, I think the OP may need to modify access to various
> kernel objects on more than one occasion in his future career, so it
> would be a good idea for him to learn how to do it. In fact, I just
> wonder how he managed to write a driver, in the first place - he seems
> to be struggling with the basic NT concepts.....
>
> Anton Bassov
>
> Don Burn wrote:
> > Actually, a simpler way is to use IoCreateDeviceSecure with a SDDL string
> > that allows general users access.
> >
> > --
> > Don Burn (MVP, Windows DDK)
> > Windows 2k/XP/2k3 Filesystem and Driver Consulting
> > http://www.windrvr.com
> > Remove StopSpam from the email to reply
> >
> > "anton bassov" <soviet_bloke(a)hotmail.com> wrote in message
> > news:1163454664.839974.119450(a)f16g2000cwb.googlegroups.com...
> > >> Do i must modify user rights or driver rights ????
> > >
> > > In actuality, none of the above....
> > >
> > > You have to modify not user rights and DEFINITELY not driver rights,
> > > but access permission to your target device (i.e. its ACL) Check MSDN,
> > > namely, GetSecurityInfo()/SetSecurityInfo(), plus SetEntriesInAcl(),
> > > for more info
> > >
> > > Anton Bassov
> > >
> > > SteM wrote:
> > >> Thanks Anton,
> > >> my guess was that, at least, open, close and DeviceIoControl was allowed
> > >> ....

From: anton bassov on 14 Nov 2006 04:01

> Will Administrator log in and then execute the code with these API's to
> grant permissions for power users on the device driver and then do a
> relogon with power user or there is some other place where the
> permissions can be granted?

Well, you can do it the way you like (for example, CreateProcessAsUser() may be quite helpful), but keep in mind that, in order to grant access permissions, one needs to be Admin - non-admin users cannot grant permissions to themselves, can they??? Therefore, the code that runs these lines must be running under Admin account

Anton Bassov

sunk_bansal(a)yahoo.co.in wrote:
> Hi,
>
> About granting ACL on device through
> GetSecurityInfo()/SetSecurityInfo(), plus SetEntriesInAcl(), I want to
> know as to when to grant these permissions?
>
> Will Administrator log in and then execute the code with these API's to
> grant permissions for power users on the device driver and then do a
> relogon with power user or there is some other place where the
> permissions can be granted?
>
> Regards,
> Sunil
>
> anton bassov wrote:
> > Don,
> >
> > > Actually, a simpler way is to use IoCreateDeviceSecure with a SDDL string
> > > that allows general users access.
> >
> > In this particular situation, such approach is more reasonable - I
> > admit. However, I think the OP may need to modify access to various
> > kernel objects on more than one occasion in his future career, so it
> > would be a good idea for him to learn how to do it. In fact, I just
> > wonder how he managed to write a driver, in the first place - he seems
> > to be struggling with the basic NT concepts.....
> >
> > Anton Bassov
> >
> > Don Burn wrote:
> > > Actually, a simpler way is to use IoCreateDeviceSecure with a SDDL string
> > > that allows general users access.

From: Alexander Grigoriev on 17 Nov 2006 00:45

Even simpler way is to specify a security descriptor for the device in the INF file.

"Don Burn" <burn(a)stopspam.acm.org> wrote in message
news:eVu%23CA3BHHA.1300(a)TK2MSFTNGP03.phx.gbl...
> Actually, a simpler way is to use IoCreateDeviceSecure with a SDDL string
> that allows general users access.
>
> --
> Don Burn (MVP, Windows DDK)
> Windows 2k/XP/2k3 Filesystem and Driver Consulting
> http://www.windrvr.com
> Remove StopSpam from the email to reply
>
> "anton bassov" <soviet_bloke(a)hotmail.com> wrote in message
> news:1163454664.839974.119450(a)f16g2000cwb.googlegroups.com...
>>> Do i must modify user rights or driver rights ????
>>
>> In actuality, none of the above....
>>
>> You have to modify not user rights and DEFINITELY not driver rights,
>> but access permission to your target device (i.e. its ACL) Check MSDN,
>> namely, GetSecurityInfo()/SetSecurityInfo(), plus SetEntriesInAcl(),
>> for more info
>>
>> Anton Bassov
>>
>> SteM wrote:
>>> Thanks Anton,
>>> my guess was that, at least, open, close and DeviceIoControl was allowed
>>> ....
>>> How can i solve ?
>>> Do i must modify user rights or driver rights ????
>>>
>>> Thanks
>>> --
>>> SteM
>>>
>>> "anton bassov" <soviet_bloke(a)hotmail.com> wrote in message
>>> news:1163436308.076405.201750(a)h54g2000cwb.googlegroups.com...
>>> > Hi mate
>>> >
>>> > This is just absolutely normal default behaviour - limited users have
>>> > no access to devices by default. If you want non-privileged users to
>>> > gain access to it, you have to EXPLICITLY allow the above (it is
>>> > understandable that it can be done only from the Admin account)
>>> >
>>> > Anton Bassov
>>> >
>>> > SteM wrote:
>>> > > Hello,
>>> > > I've written a small wdm driver for Win2000 to access an old custom
>>> > > hw on parallel port.
>>> > > The accesses are via a couple of DeviceIoControl() custom commands.
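
Both the IoCreateDeviceSecure suggestion and the INF security descriptor mentioned in this thread express the device's permissions as an SDDL string. As an added example (not code from any poster in the thread), the portable C routine below looks up what access a given trustee abbreviation gets in such a string, a quick check that a string admits Power Users without also admitting Everyone. The sample strings and the function name are constructed, and it matches the literal trustee only, not group membership.

```c
#include <stdio.h>
#include <string.h>

/* Look up the first DACL ACE in `sddl` whose trustee is `sid`, an SDDL SID
 * abbreviation ("SY" system, "BA" administrators, "PU" power users,
 * "BU" users, "WD" everyone).
 * ACE layout: (type;flags;rights;object_guid;inherit_guid;trustee)
 * Returns 'A' (allow) or 'D' (deny) and copies the rights field, e.g. "GRGW",
 * into `rights`; returns 0 if no ACE names the trustee. */
char sddl_ace_for(const char *sddl, const char *sid, char *rights, size_t n)
{
    if (n == 0) return 0;
    rights[0] = '\0';
    const char *p = strstr(sddl, "D:");            /* DACL section */
    if (!p) return 0;
    const char *sacl = strstr(p + 2, "S:");        /* audit ACEs grant nothing */
    for (p = strchr(p, '('); p && (!sacl || p < sacl); p = strchr(p + 1, '(')) {
        const char *end = strchr(p, ')');
        if (!end) return 0;                        /* unterminated ACE */
        const char *f[6];
        int nf = 0;
        f[nf++] = p + 1;
        for (const char *q = p + 1; q < end && nf < 6; q++)
            if (*q == ';') f[nf++] = q + 1;
        if (nf != 6) continue;                     /* not a six-field ACE */
        size_t sidlen = (size_t)(end - f[5]);
        if (sidlen != strlen(sid) || strncmp(f[5], sid, sidlen) != 0) continue;
        size_t rlen = (size_t)(f[3] - f[2]) - 1;   /* rights field length */
        if (rlen >= n) rlen = n - 1;
        memcpy(rights, f[2], rlen);
        rights[rlen] = '\0';
        return *f[0];
    }
    return 0;
}

int main(void)
{
    /* Constructed sample strings, not taken from the thread. */
    const char *admin_only = "D:P(A;;GA;;;SY)(A;;GA;;;BA)";
    const char *with_power = "D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW;;;PU)";
    const char *who[] = { "BA", "PU", "WD" };
    char r[16];
    for (int i = 0; i < 3; i++) {
        char t1 = sddl_ace_for(admin_only, who[i], r, sizeof r);
        printf("%s admin_only: %s %s\n", who[i], t1 ? "ace" : "none", r);
        char t2 = sddl_ace_for(with_power, who[i], r, sizeof r);
        printf("%s with_power: %s %s\n", who[i], t2 ? "ace" : "none", r);
    }
    return 0;
}
```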