From: Pavel A. on
Something related to the integrity classes?
--pa

"Grzegorz Wróbel" </dev/null(a)localhost.localdomain> wrote in message
news:hg9akg$6vg$1(a)nemesis.news.neostrada.pl...
> Hi,
>
> I am creating an event in a global namespace from within a service. The
> event is supposed to be accessed (set) by some other processes that might
> be running under different credentials in different sessions, so during
> its creation I add following DACL: "D:(A;NP;GRGW;;;WD)" to its security
> descriptor (read and write access for Everyone). This is supposed to
> ensure other processes have rights to open it for read and write access.
>
> On pre vista OSes it used to be working, on Vista it works too but not for
> every process. For some processes OpenEvent(EVENT_MODIFY_STATE,...) fails
> with GetLastError() returning 5 (ERROR_ACCESS_DENIED).
>
> I have no idea what might be causing this and where to look now. Is there
> any additional security mechanism in Vista that can override security
> descriptor of an object?
>
> --
> Grzegorz Wróbel
> 677265676F727940346E6575726F6E732E636F6D

From: Remy Lebeau on

"Grzegorz Wróbel" </dev/null(a)localhost.localdomain> wrote in message news:hg9akg$6vg$1(a)nemesis.news.neostrada.pl...

> I am creating an event in a global namespace from within a service.
> The event is supposed to be accessed (set) by some other processes
> that might be running under different credentials in different sessions

Rather than creating a DACL with read/write permissions, try assigning a NULL DACL instead. That will allow unrestricted access to everyone. For example:

SECURITY_DESCRIPTOR sd;
InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION);
SetSecurityDescriptorDacl(&sd, TRUE, NULL, FALSE);

SECURITY_ATTRIBUTES sa = {0};
sa.nLength = sizeof(sa);
sa.lpSecurityDescriptor = &sd;
sa.bInheritHandle = FALSE;

HANDLE hEvent = CreateEvent(&sa, ...);

--
Remy Lebeau (TeamB)

From: mosesvas on
Hi,
Try changing the integrity of the event to low; use this code. Low
integrity processes can't access kernel objects created by processes
of other integrity levels.
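#include <windows.h>
#include <sddl.h>    // ConvertStringSecurityDescriptorToSecurityDescriptorW
#include <aclapi.h>  // SetSecurityInfo, SE_OBJECT_TYPE

// Puts a low mandatory integrity label on an already opened object.
// The handle must have been opened with WRITE_OWNER access.
static BOOL SetObjectToLowIntegrity(HANDLE hObject, SE_OBJECT_TYPE type = SE_KERNEL_OBJECT)
{
    BOOL bRet = FALSE;
    DWORD dwErr = ERROR_SUCCESS;
    PSECURITY_DESCRIPTOR pSD = NULL;
    PACL pSacl = NULL;
    BOOL fSaclPresent = FALSE;
    BOOL fSaclDefaulted = FALSE;
    // The LABEL_SECURITY_INFORMATION SDDL SACL to be set for low integrity
    LPCWSTR LOW_INTEGRITY_SDDL_SACL_W = L"S:(ML;;NW;;;LW)";

    // Build a security descriptor that contains only the mandatory label ACE.
    if (ConvertStringSecurityDescriptorToSecurityDescriptorW(
            LOW_INTEGRITY_SDDL_SACL_W, SDDL_REVISION_1, &pSD, NULL))
    {
        if (GetSecurityDescriptorSacl(pSD, &fSaclPresent, &pSacl, &fSaclDefaulted))
        {
            // Apply only the label; owner, group and DACL are left unchanged.
            dwErr = SetSecurityInfo(hObject, type, LABEL_SECURITY_INFORMATION,
                                    NULL, NULL, NULL, pSacl);
            bRet = (ERROR_SUCCESS == dwErr);
        }
        LocalFree(pSD);
    }

    return bRet;
}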
regards,
vasanth

On Dec 16, 5:36 am, Grzegorz Wróbel </dev/n...(a)localhost.localdomain>
wrote:
> Hi,
>
> I am creating an event in a global namespace from within a service. The
> event is supposed to be accessed (set) by some other processes that
> might be running under different credentials in different sessions, so
> during its creation I add following DACL: "D:(A;NP;GRGW;;;WD)" to its
> security descriptor (read and write access for Everyone). This is
> supposed to ensure other processes have rights to open it for read and
> write access.
>
> On pre vista OSes it used to be working, on Vista it works too but not
> for every process. For some processes OpenEvent(EVENT_MODIFY_STATE,...)
> fails with GetLastError() returning 5 (ERROR_ACCESS_DENIED).
>
> I have no idea what might be causing this and where to look now. Is
> there any additional security mechanism in Vista that can override
> security descriptor of an object?
>
> --
> Grzegorz Wróbel
> 677265676F727940346E6575726F6E732E636F6D
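
A simplified, portable model of the access check the replies point at, added here as an example and not code from any poster in this thread. It assumes the event carries no explicit mandatory label, which Windows treats as medium integrity with a no-write-up policy, and shows how the mandatory integrity check is evaluated independently of the DACL. The `model_event` type and `model_open_event` function are hypothetical names; the numeric constants are the Windows SDK values.

```c
#include <stdint.h>
#include <stdio.h>

/* Constants copied from the Windows SDK so this model builds without windows.h. */
#define READ_CONTROL        0x00020000u
#define SYNCHRONIZE         0x00100000u
#define EVENT_QUERY_STATE   0x0001u
#define EVENT_MODIFY_STATE  0x0002u
#define ERROR_ACCESS_DENIED 5u
enum { IL_LOW = 0x1000, IL_MEDIUM = 0x2000 };   /* mandatory label RIDs */

/* Generic mapping of event objects: what GR / GW / GX expand to. */
#define EV_READ  (READ_CONTROL | EVENT_QUERY_STATE)
#define EV_WRITE (READ_CONTROL | EVENT_MODIFY_STATE)
#define EV_EXEC  (READ_CONTROL | SYNCHRONIZE)

struct model_event {          /* hypothetical type, not a Windows structure */
    uint32_t everyone_allow;  /* mapped rights the DACL grants to Everyone (WD) */
    uint32_t label_il;        /* 0 = no ML ACE: treated as medium, no-write-up */
};

/* Returns 0 on success or ERROR_ACCESS_DENIED, as GetLastError() would
   report after OpenEvent(). Models an object whose label policy is NW. */
uint32_t model_open_event(const struct model_event *ev,
                          uint32_t caller_il, uint32_t desired)
{
    uint32_t object_il = ev->label_il ? ev->label_il : IL_MEDIUM;
    uint32_t write_only = EV_WRITE & ~(EV_READ | EV_EXEC);

    /* Step 1: mandatory integrity check. A caller below the object's level
       is refused the write-only rights, whatever the DACL says. */
    if (caller_il < object_il && (desired & write_only))
        return ERROR_ACCESS_DENIED;
    /* Step 2: ordinary DACL check against the rights granted to Everyone. */
    if (desired & ~ev->everyone_allow)
        return ERROR_ACCESS_DENIED;
    return 0;
}

int main(void)
{
    struct model_event as_posted = { EV_READ | EV_WRITE, 0 };      /* D:(A;NP;GRGW;;;WD) */
    struct model_event null_dacl = { 0xFFFFFFFFu, 0 };             /* NULL DACL, no label */
    struct model_event low_label = { EV_READ | EV_WRITE, IL_LOW }; /* plus S:(ML;;NW;;;LW) */
    printf("medium caller, DACL as posted: %u\n", (unsigned)model_open_event(&as_posted, IL_MEDIUM, EVENT_MODIFY_STATE));
    printf("low caller, DACL as posted:    %u\n", (unsigned)model_open_event(&as_posted, IL_LOW, EVENT_MODIFY_STATE));
    printf("low caller, NULL DACL:         %u\n", (unsigned)model_open_event(&null_dacl, IL_LOW, EVENT_MODIFY_STATE));
    printf("low caller, low label added:   %u\n", (unsigned)model_open_event(&low_label, IL_LOW, EVENT_MODIFY_STATE));
    return 0;
}
```

In this model the low-integrity caller is refused both with the posted DACL and with a NULL DACL, and succeeds only once the object's label is lowered to low.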