Solved

Registry Security

Posted on 1999-06-22
Last Modified: 2013-12-03
What security issues are involved with writing to the registry in an app (on NT4)? My RegCreateKey call fails when a user without administrative rights runs my app. I'm sure I need to do something with a security descriptor object, but I'd appreciate if someone could point me in the right direction.
Question by:cdickerson
6 Comments
 
LVL 86

Accepted Solution

by:
jkr earned 200 total points
ID: 1400980
When these keys were created by an admin, only members of the admin group are allowed to access them. Use the following code to set access for a certain group on a registry key:

#include <windows.h>
#include <stdlib.h>

#define MAX_LIST     10
#define DOMAIN_CHARS 256

/* Registry key (relative to HKEY_LOCAL_MACHINE) whose DACL gets replaced.
   The original comment says this is a global; declared here as one. */
extern LPCTSTR pszRegKeyName;

/*------------------------------------------------------------------
| Name: CreateSDForRegKey
| Desc: creates SD with access for up to MAX_LIST users or groups
|   passed into function:
|    SID from the group or user
|    permission access requested
|   NOTE: the new DACL contains ONLY the names passed in. Anyone not
|   listed (including Administrators and SYSTEM) loses access, so pass
|   them too if they should keep control of the key.
------------------------------------------------------------------*/
DWORD CreateSDForRegKey(LPTSTR pszGroupName[], DWORD dwAccessMask)
{
    PSID         pGroupSID[MAX_LIST];
    DWORD        dwGroupSIDCount = 0;
    DWORD        cbSID;
    SID_NAME_USE snuGroup;
    DWORD        dwDomainSize;
    TCHAR        szDomainName[DOMAIN_CHARS];
    PSECURITY_DESCRIPTOR pAbsSD = NULL;
    PACL         pNewDACL = NULL;
    DWORD        dwDACLLength = sizeof(ACL);
    DWORD        dwError = ERROR_SUCCESS;
    DWORD        i;
    HKEY         hSecurityRegKey = NULL;   // handle for security registry key

    // inits
    for (i = 0; i < MAX_LIST; i++)
        pGroupSID[i] = NULL;

    // count number of groups or users to be added; list ends in NULL
    for (i = 0; pszGroupName[i] != NULL; i++)
        ;
    if (i > MAX_LIST)
        return ERROR_TOO_MANY_NAMES;
    dwGroupSIDCount = i;

    // get SIDs for each group or user passed in
    for (i = 0; i < dwGroupSIDCount; i++)
    {
        cbSID = GetSidLengthRequired(2);
        pGroupSID[i] = (PSID) malloc(cbSID);
        if (pGroupSID[i] == NULL)
        {
            dwError = ERROR_NOT_ENOUGH_MEMORY;
            goto ErrorExit;
        }

        // LookupAccountName reports the sizes it needs in both size
        // arguments; reset the domain size on every pass so the fixed
        // domain buffer is never handed a size larger than it really is.
        dwDomainSize = DOMAIN_CHARS;
        while (!LookupAccountName(NULL, pszGroupName[i], pGroupSID[i], &cbSID,
                                  szDomainName, &dwDomainSize, &snuGroup))
        {
            dwError = GetLastError();

            // give up on this name if it is unknown or its domain name
            // does not fit; the original code simply skipped such names
            if (dwError != ERROR_INSUFFICIENT_BUFFER || dwDomainSize > DOMAIN_CHARS)
            {
                free(pGroupSID[i]);
                pGroupSID[i] = NULL;
                break;
            }

            // not enough room for the SID: grow the buffer and retry
            {
                PSID pTmp = (PSID) realloc(pGroupSID[i], cbSID);
                if (pTmp == NULL)
                {
                    dwError = ERROR_NOT_ENOUGH_MEMORY;
                    goto ErrorExit;
                }
                pGroupSID[i] = pTmp;
            }
            dwDomainSize = DOMAIN_CHARS;
        }

        // if found, add the size of its ACE to the DACL length
        // (ACCESS_ALLOWED_ACE already contains the first DWORD of the SID)
        if (pGroupSID[i])
            dwDACLLength += sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD)
                            + GetLengthSid(pGroupSID[i]);
    }

    // get memory needed for new DACL and for the (absolute) SD
    pNewDACL = (PACL) malloc(dwDACLLength);
    pAbsSD   = (PSECURITY_DESCRIPTOR) malloc(SECURITY_DESCRIPTOR_MIN_LENGTH);
    if (pNewDACL == NULL || pAbsSD == NULL)
    {
        dwError = ERROR_NOT_ENOUGH_MEMORY;
        goto ErrorExit;
    }

    // init new SD and new DACL
    if (!InitializeSecurityDescriptor(pAbsSD, SECURITY_DESCRIPTOR_REVISION) ||
        !InitializeAcl(pNewDACL, dwDACLLength, ACL_REVISION))
    {
        dwError = GetLastError();
        goto ErrorExit;
    }

    // now add an 'access allowed' ACE for every valid SID
    for (i = 0; i < dwGroupSIDCount; i++)
    {
        if (pGroupSID[i] &&
            !AddAccessAllowedAce(pNewDACL, ACL_REVISION, dwAccessMask, pGroupSID[i]))
        {
            dwError = GetLastError();
            goto ErrorExit;
        }
    }

    // attach the DACL to the SD and check that everything went ok
    if (!IsValidAcl(pNewDACL) ||
        !SetSecurityDescriptorDacl(pAbsSD, TRUE, pNewDACL, FALSE) ||
        !IsValidSecurityDescriptor(pAbsSD))
    {
        dwError = GetLastError();
        goto ErrorExit;
    }

    // now open reg key to set security; WRITE_DAC is all that replacing
    // the DACL requires (the original asked for KEY_ALL_ACCESS)
    dwError = RegOpenKeyEx(HKEY_LOCAL_MACHINE, pszRegKeyName, 0, WRITE_DAC,
                           &hSecurityRegKey);
    if (dwError != ERROR_SUCCESS)
        goto ErrorExit;

    // now set the reg key security (this will overwrite any existing security)
    dwError = RegSetKeySecurity(hSecurityRegKey, DACL_SECURITY_INFORMATION, pAbsSD);

ErrorExit:

    // close reg key and free memory (RegSetKeySecurity has copied the SD)
    if (hSecurityRegKey)
        RegCloseKey(hSecurityRegKey);
    free(pAbsSD);
    free(pNewDACL);
    for (i = 0; i < MAX_LIST; i++)
        free(pGroupSID[i]);

    return dwError;
}
/* eof - CreateSDForRegKey */

Feel free to ask if you need more information!



Author Comment

by:cdickerson
ID: 1400981
Can you further summarize what this code is doing? I'm adding the user himself to an access list??

Also, I'm not sure I understand what you mean by "When these keys were created by an admin, only members of the admin group are allowed to access them". The key is created at run-time.

Thanks for your response.
LVL 86

Expert Comment

by:jkr
ID: 1400982
The above code adds an 'access allowed ACE' for a certain group to the security descriptor of a registry key, causing this group to be able to access the key.

I assumed that your 'runtime-created' keys were created by a process running under the 'admin' account, thus setting the default 'admin' access rights on these keys...

Author Comment

by:cdickerson
ID: 1400983
Ok, perhaps I'm going about this wrong. With each run of the application, I create a key (in case it wasn't there), and write to it.

Should I instead create that key with the install program (running under admin), and at *that* time grant the current user permission to write to it (which is what your code is doing)??
LVL 86

Expert Comment

by:jkr
ID: 1400984
>>and at *that* time grant the current user permission to
>>write to it

That's the idea - however, you could also change the access rights later, but the program changing the rights must have access to these keys (i.e. run under the admin account, too).

An alternative would be to use 'RegCreateKeyEx()' supplying an appropriate 'SECURITY_ATTRIBUTES' struct, e.g.

#include <windows.h>

SECURITY_ATTRIBUTES sa;
SECURITY_DESCRIPTOR sd;
PSID psidWorldSid; // a SID representing "everyone" (S-1-1-0)
SID_IDENTIFIER_AUTHORITY siaWorldSidAuthority = SECURITY_WORLD_SID_AUTHORITY;

psidWorldSid = (PSID) LocalAlloc(LPTR, GetSidLengthRequired(1));
if (psidWorldSid == NULL)
{
    // error
}
InitializeSid(psidWorldSid, &siaWorldSidAuthority, 1);
*(GetSidSubAuthority(psidWorldSid, 0)) = SECURITY_WORLD_RID;

if (!InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION))
{
    // error
}

// here I set the _group_ to 'world', but you could also use
// 'owner'...
// Note: this descriptor carries no DACL (SetSecurityDescriptorDacl is
// never called), so the key created with it still takes its access
// rights from the parent key's inheritable ACEs or the creator's
// default DACL. To grant a user or group access at creation time, add
// a DACL to 'sd' the way the CreateSDForRegKey() code above builds one.
if (!SetSecurityDescriptorGroup(&sd, psidWorldSid, TRUE))
{
    // error
}

sa.nLength = sizeof(SECURITY_ATTRIBUTES);
sa.lpSecurityDescriptor = &sd;
sa.bInheritHandle = FALSE;

// pass &sa as the lpSecurityAttributes argument of RegCreateKeyEx();
// release the SID with LocalFree(psidWorldSid) once the key is created
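Both approaches in this thread (re-setting the DACL of an admin-created key, or supplying security when the key is created) come down to the same thing: grant one specific group the write rights the application needs, and keep Administrators and SYSTEM in control. As an added example that is not part of the original thread, this is that model done from the installer side in PowerShell on a current Windows; the key path and the writer group are placeholders, and the second function checks the resulting DACL for the over-broad grant that an unprotected or NULL DACL amounts to.

```powershell
# Added example, not from the original thread. Key path and group are placeholders.
$KeyPath     = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'   # placeholder key
$WriterGroup = 'BUILTIN\Users'                               # group that needs write access

function New-AppRegistryKey {
    param([string]$Path, [string]$Writers)
    # Creating under HKLM still needs an elevated context (the installer);
    # the application itself then only needs the rights granted below.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }

    $acl = Get-Acl -Path $Path
    # Stop inheriting the parent's DACL and start from an empty one, so the
    # result is exactly what is listed here (same effect as the C code above).
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

    $inherit   = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow
    # Least privilege: users get read plus the write rights the app needs,
    # not FullControl; SYSTEM and Administrators keep control of the key.
    $grants = @(
        @('NT AUTHORITY\SYSTEM',    'FullControl'),
        @('BUILTIN\Administrators', 'FullControl'),
        @($Writers,                 'ReadKey, SetValue, CreateSubKey')
    )
    foreach ($g in $grants) {
        $rights = [System.Security.AccessControl.RegistryRights]$g[1]
        $acl.AddAccessRule([System.Security.AccessControl.RegistryAccessRule]::new(
            $g[0], $rights, $inherit, $propagate, $allow))
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Check the result and flag the classic mistake: Everyone with FullControl,
# which is what an unprotected or NULL DACL amounts to.
function Test-AppRegistryKeyAcl {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $acl.Access | Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize
    $bad = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'Everyone' -and $_.RegistryRights -eq 'FullControl'
    }
    if ($bad) { Write-Warning "Everyone has FullControl on $Path" }
    return -not $bad
}

New-AppRegistryKey -Path $KeyPath -Writers $WriterGroup
Test-AppRegistryKeyAcl -Path $KeyPath
```

Run it from an elevated PowerShell; afterwards a member of the writer group can set values under the key without being an administrator, and the check returns $true when no Everyone/FullControl entry is present.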

Author Comment

by:cdickerson
ID: 1400985
Thanks a lot.