From: Pavel A. on 15 Dec 2009 21:06

Something related to the integrity classes?
--pa

"Grzegorz Wróbel" </dev/null(a)localhost.localdomain> wrote in message
news:hg9akg$6vg$1(a)nemesis.news.neostrada.pl...
> Hi,
>
> I am creating an event in a global namespace from within a service. The
> event is supposed to be accessed (set) by some other processes that might
> be running under different credentials in different sessions, so during
> its creation I add following DACL: "D:(A;NP;GRGW;;;WD)" to its security
> descriptor (read and write access for Everyone). This is supposed to
> ensure other processes have rights to open it for read and write access.
>
> On pre vista OSes it used to be working, on Vista it works too but not for
> every process. For some processes OpenEvent(EVENT_MODIFY_STATE,...) fails
> with GetLastError() returning 5 (ERROR_ACCESS_DENIED).
>
> I have no idea what might be causing this and where to look now. Is there
> any additional security mechanism in Vista that can override security
> descriptor of an object?
>
> --
> Grzegorz Wróbel
> 677265676F727940346E6575726F6E732E636F6D

From: Remy Lebeau on 16 Dec 2009 16:22

"Grzegorz Wróbel" </dev/null(a)localhost.localdomain> wrote in message
news:hg9akg$6vg$1(a)nemesis.news.neostrada.pl...
> I am creating an event in a global namespace from within a service.
> The event is supposed to be accessed (set) by some other processes
> that might be running under different credentials in different sessions

Rather than creating a DACL with read/write permissions, try assigning a
NULL DACL instead. That will allow unrestricted access to everyone. For
example:

    SECURITY_DESCRIPTOR sd;
    InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION);
    // DACL present (TRUE) but NULL: a NULL DACL
    SetSecurityDescriptorDacl(&sd, TRUE, NULL, FALSE);

    SECURITY_ATTRIBUTES sa = {0};
    sa.nLength = sizeof(sa);
    sa.lpSecurityDescriptor = &sd;
    sa.bInheritHandle = FALSE;

    HANDLE hEvent = CreateEvent(&sa, ...);

--
Remy Lebeau (TeamB)

From: mosesvas on 22 Dec 2009 05:00

Hi,

Try changing the integrity of the event to low; use this code. A low
integrity process can't access a kernel object created by processes at
other integrity levels.

    #include <windows.h>
    #include <sddl.h>
    #include <aclapi.h>

    static BOOL SetObjectToLowIntegrity(HANDLE hObject,
                                        SE_OBJECT_TYPE type = SE_KERNEL_OBJECT)
    {
        BOOL bRet = FALSE;
        DWORD dwErr = ERROR_SUCCESS;
        PSECURITY_DESCRIPTOR pSD = NULL;
        PACL pSacl = NULL;
        BOOL fSaclPresent = FALSE;
        BOOL fSaclDefaulted = FALSE;

        // The LABEL_SECURITY_INFORMATION SDDL SACL to be set for low integrity
        LPCWSTR LOW_INTEGRITY_SDDL_SACL_W = L"S:(ML;;NW;;;LW)";

        if (ConvertStringSecurityDescriptorToSecurityDescriptorW(
                LOW_INTEGRITY_SDDL_SACL_W, SDDL_REVISION_1, &pSD, NULL))
        {
            if (GetSecurityDescriptorSacl(pSD, &fSaclPresent, &pSacl,
                                          &fSaclDefaulted))
            {
                // Replace only the mandatory label on the object
                dwErr = SetSecurityInfo(hObject, type,
                                        LABEL_SECURITY_INFORMATION,
                                        NULL, NULL, NULL, pSacl);
                bRet = (ERROR_SUCCESS == dwErr);
            }
            LocalFree(pSD);
        }
        return bRet;
    }

regards,
vasanth

On Dec 16, 5:36 am, Grzegorz Wróbel </dev/n...(a)localhost.localdomain> wrote:
> Hi,
>
> I am creating an event in a global namespace from within a service. The
> event is supposed to be accessed (set) by some other processes that
> might be running under different credentials in different sessions, so
> during its creation I add following DACL: "D:(A;NP;GRGW;;;WD)" to its
> security descriptor (read and write access for Everyone). This is
> supposed to ensure other processes have rights to open it for read and
> write access.
>
> On pre vista OSes it used to be working, on Vista it works too but not
> for every process. For some processes OpenEvent(EVENT_MODIFY_STATE,...)
> fails with GetLastError() returning 5 (ERROR_ACCESS_DENIED).
>
> I have no idea what might be causing this and where to look now. Is
> there any additional security mechanism in Vista that can override
> security descriptor of an object?
>
> --
> Grzegorz Wróbel
> 677265676F727940346E6575726F6E732E636F6D
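
Added example, not part of any post in this thread: a small Python model of the check order behind the ERROR_ACCESS_DENIED discussed above, run against the two SDDL strings quoted in the thread. The rank table, the reduced event rights mapping, the `access_check` name and the use of an SDDL string with no `D:` part to stand for a NULL DACL are assumptions of the model, not Windows API code.

```python
import re

# Simplified model (an assumption, not the Windows API) of the Vista access
# check on an event: mandatory integrity check first, then the DACL.
IL_RANK = {"LW": 1, "ME": 2, "HI": 3, "SI": 4}   # SDDL integrity-level SIDs
EVENT_QUERY_STATE, EVENT_MODIFY_STATE = 0x0001, 0x0002
# Generic rights as mapped for events, reduced to the two bits used here.
GENERIC = {"GR": EVENT_QUERY_STATE, "GW": EVENT_MODIFY_STATE}
WRITE_CLASS = EVENT_MODIFY_STATE                 # rights blocked by "NW"
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")

def parse_sddl(sddl):
    """Return (dacl_aces or None, (label_sid, label_policy))."""
    parts = dict(re.findall(r"([DS]):((?:\([^)]*\))*)", sddl))
    # No "D:" component is used here to stand for a NULL DACL.
    dacl = ACE_RE.findall(parts["D"]) if "D" in parts else None
    label = ("ME", "NW")      # unlabeled object: treated as Medium, no-write-up
    for ace in ACE_RE.findall(parts.get("S", "")):
        if ace[0] == "ML":    # mandatory label ACE: policy in field 3, SID last
            label = (ace[5], ace[2])
    return dacl, label

def rights(mask):
    """Translate an SDDL rights string such as 'GRGW' into event access bits."""
    return sum(GENERIC.get(code, 0) for code in re.findall("..", mask))

def access_check(sddl, caller_il, desired):
    dacl, (label_sid, policy) = parse_sddl(sddl)
    # 1. Mandatory integrity check: a caller below the object's label cannot
    #    get write-class access under no-write-up, whatever the DACL says.
    if (IL_RANK[caller_il] < IL_RANK[label_sid] and "NW" in policy
            and desired & WRITE_CLASS):
        return False
    # 2. Discretionary check. A NULL DACL grants every requested right.
    if dacl is None:
        return True
    granted = 0
    for ace_type, _flags, mask, _obj, _inh, sid in dacl:
        if ace_type == "A" and sid == "WD":      # allow ACE for Everyone
            granted |= rights(mask)
    return (desired & granted) == desired

if __name__ == "__main__":
    for sd in ("D:(A;NP;GRGW;;;WD)", "D:(A;NP;GRGW;;;WD)S:(ML;;NW;;;LW)", ""):
        for il in ("LW", "ME"):
            print(repr(sd), il, access_check(sd, il, EVENT_MODIFY_STATE))
```

In the model, a low-integrity caller is refused EVENT_MODIFY_STATE under both the Everyone DACL and the NULL DACL, and is admitted only once the object carries the low mandatory label.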