AccessCheck() return error with empty security descriptor


The expected way of work of the attached program is the
following:

a) allocate security descriptor
b) initialize security descriptor
   after this all access is allowed.
c) impersonate self in order to get impersonated access
   token.
d) fake call of AccessCheck() in order to get size of
    buffers needed
e) allocating buffers
f) real call of AccessCheck()
g) print returned values
   It should be "Access denied\nGranted access = 7".
h) restore state

The problem is that at (f) error returned
GetLastError() = 1338 "The security descriptor structure is
invalid."

I call IsValidSecurityDescriptor() before AccessCheck() and
it returns true. Setting DACL, Owner and Group to security
descriptor does not help. Converting Security descriptor to
selfrealtive format does not helps too.

The problem is reproducable on both NT 4.0 and NT3.51.

------------ begin of program ----------
<code>
section 1 of uuencode 4.13 of file TST.ZIP    by R.E.M.

begin 644 TST.ZIP
M4$L#!!0````(`(@AER)R*2"*NP<``,(J```%````='-T+F/M6FV/VD80_AXIW
M_V%SIYS,U;G+7=I&"KU6!`RQRLO)F*25*B%CK[G5&1OMFKN\-/^],^L7,*P-7
M*)QZK>(/V*S-L_/R[.S,F&,6NL'"H^27>Q9ZT;TXN_GUZ9/C?%3$'HO6QF9.J
M$$3NVJ`C!.6Q'(1AC_HLI(3PN;^@7'-UIOLUPGS-K7V9<Q;&OG9D6-;`(L_%L
MF^<>?&HUPEUR19Y[?X5'^GC<-KO&>*QK\&QM/.Z:??A&=.W8KR5C&JO5ZE\+A
M4P7WKR[E9-E4Y`N?RS&A';OZL;^$S1#U#HV[CH@-SB.N)8AW$?-(_D/WQN'D9
ME+BA3M)+?Z%G5TPG011.2<#TUH>!U2*4NU'MZ1-"ON`'(=WK]P.S169B6D>[Q
MX%`[XC,G[E$AG"G5V@.KU[#'/6,X;'2,<:/;'30;MC%^.VJW#8O\3=8>:%N#[
MWGCXY]`V>GJ"5SCZHVY7-8YRJ<9[C=^-;J/?,5L:GL9]8V1;C:Y.AJ.W<J!E;
MM!NCKEW3"3D_)2WJ.XL@)H$33A<@/CD]5X!JW6M[:%LU<@)ZJV9]62:Z8KA6"
M3P8SUGQ@X:M+LL&=HA\EC^#&D0XN`N>`RZ0%4F_60*X,MQNY3M#FE&KH)9AN%
M=7)0&6^1^(:2R<+W*3_;$#`Q09&)(F,BVX>+3-(O)>#,8:$&5`(BG9^^.,"!U
M<H(^X$,W<#@E#O'I/=`7U"=W#F?.)*!B0SO5D2"]>/$#PE[@A[RZS*]>Y5<_2
MYE<_Y5<_YU>O,_I<#XWFR#+M/X%OPZ9E7MO@7>'5<R_L)!.>WPX&W8V;$^[6`
M]T8"NN')9]F/"\<YKOX03,=IO.`A<2,(@M5(2AR)5(%11'K7Z+>Z!G'<^%8M1
MD^.Z$%A('-W2L!(I"5?$8TZ)=AX5C%,O0]R*-.5E2'!G%N^"E/J.B2E7(S&1.
M@0!FB)A^X$P52-?7EOD>5A<$S*%A0^P0<;V`!-'DC@74@Q`F:+Q=.T00GS>D0
MVD02[#.M1/+4-,#@*A_8@4\=HV]89G/<:UQ?F_T.F<[J1:0I#3ES(83,%3-EE
M2(>-*NX-=6_)W`%?TQB"''%"#XC/XIUCR^&C"BY=V`E>*I>=Y!/*)Y^JD`G/M
MN.``";>H$F8B4M7BRY"02-N1UDB5;#UK2-/968>&%!QM4<?#D2MR45]!PE\RT
MCX8QBS\A%^8LG!9FVT3ZP%E,)=+E-R(9'ZF[`*PK\N,W(C6"@"3:O=X;Z;`<M
M;V#:NR2V,Q%1@#H*4)6C&!`S7<[F<<2)^C@\QX4'AM%4^V<M2=,UQ:UQS^R/M
MNT:_8[_+TB#F$PU)2:ZN`+.FX*5/9G06\4_DWA$DC$!_A'<P"A<\]Z5$]QQI)
M0J<L))%/)O#[VQ(K)5=I^7"A5RNA)ZIB[B9WTWG$XP+.-(HCR(&#2<D.E=SF:
ME7[#\]=MNM'02PQ%2RR5(4UD:#*!1\P)8,\8IAQJY132A*=4VS+>FT-ST%_U6
MW#.`6_=9+A,\4*7;0WDNK<8N]"HEBRY;$?-?\UT%5-%WQ!3O02M/Z;E4K[(CY
MSPP?O>_*="QU''F\OCOL;F#.YI#G1"&L:Z@/.>[!N#5,:74BH)#I<+M!&E66Z
MD@UIX&N9]Y;C+`I3![(5+58M_OB9652RBH\JI#0W?'&A9B9F%U6)H8KCEYM0D
M&<?#""1SHSL*FT(B6^!,:%!`VH7CU59?8<'58$Y#6[+21A9J'1HW%YQ#OI2,F
M:C7='OQN]+'C-&XTF\9PJ-O6R-!/,-?]S^PM:VKNRX+'%9_PC`4Y\++7^,/L`
MC7JR'_C!:-672#+U]%AY<9XA]9QYFD'W''&KG2"R?C*=)1TN0,+R<`:W2N4^$
M?,R<9A4R^%E=XV`(E>D28:JR_`%B9E+:E]6)F<4WZ_I-BW_/"_Z;>0&>4]\U2
MY()J8C,#\^\5I*U%GK(5GAP84O4<:><>G5(E7,:GYVOQ02]IV54@0230<U#L"
M&-&T9;112&^32;YSR)%@JU.O;+&8SP-&O2J9DK6H)TARR864>EF%N8=,)]B.#
MU'/MTF[AU@ZD"@G;D7G,W+D#F;P.2Q:Q,B]`PHF;:!%XL`2)[P2BI&_H26867
MWV_45Y$PJ`9P;^M^AU%%OC@9F_WAJ-TVFZ;1M[-73<^N<*I:,;R`OE%\`]Z#&
MCW"?J)+X/(XB(K`X+Y5IY6W)A0[SZRLK\.%V\QO89H+2_NK6J)*;Y^QL\WW0K
M*E+:[=.*_>BL,Y.P/=4RV?0*OLKZ,?A<<2?XU_LQZ4)5]5VVYZ>/K1]S^!P']
M)[A?!IS*+$NMW4/4A=\SD^^9R=KQ_\Y,,$HMM:MZJ;(-Z7^4F3SZ%;R6`3SRJ
MO66'%3Q?Q$)#9_UVU"BXZ.A--N#1$%+CH[(@O,PGDC_!=(JTN2+/_\!_3<D_I
M1B&_JH)Y_H9-&N*CTDXKEOJHKL.72&CJ-ULLM=;R*I6IJBNW3U\.U=HF$RI6W
M(=)F)O:L,A.3R<5:"K:&=,CUXN,_EJ0XTM7X%838R-2X^\M+';)JO"\7TSYK*
M:??LJDQYE0UE?W$="1Z07$[W'H2+YC0,<["'L&&RLS:#2-!WLB#0DMYGBB1OC
ME)0*:TAY],+`JJ\@[I@:[VGQ"E,5LP:+WD$5:D?R-4"Q:ER$7I1W_P/V6;X4I
M4,E4U&T5<;^\7[;(*Q9ETCLH;9,799)_DJD_??+UZ9-_`%!+`0(4"Q0````(.
M`(@AER)R*2"*NP<``,(J```%``````````$`(`"V@0````!T<W0N8U!+!08`\
1`````0`!`#,```#>!P``````R
``
end
sum -r/size 48793/2950 section (from "begin" to "end")
sum -r/size 18333/2087 entire input file

</code>
------------ end of program-------------
constAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

NickRepinCommented:
Try to use this instead of InitializeSecurityDescriptor (insert this code before call to AccessCheck). It's work!

brc=CreatePrivateObjectSecurity(
    NULL,      // address of parent directory SD
    NULL,      // address of creator SD
    &sd,      // address of pointer to new SD
    FALSE,      // container flag for new SD
    actk,      // handle of client's access token
    &gm       // address of access-rights structure
   );

See also Q102447 in http://www.microsoft.com/kb/articles/q102/4/47.htm
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Development

From novice to tech pro — start learning today.