[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

Problem with Process-to-process Security ...

Posted on 2000-02-24
5
Medium Priority
?
1,455 Views
Last Modified: 2013-12-03
Simply put, I have a process (normally a service running in an account with Administrative rights) that is given a Pipe Handle from its client processes (running on other accounts) using a RPC/COM function call. The Pipe Handle is created with CreatePipe in the client process. The client process therefore have to DuplicateHandle the handle that is given to the server process. In order to do so, the server process have to grant "EVERYONE" (?) the following access rights to its own process: PROCESS_QUERY_INFORMATION, PROCESS_DUP_HANDLE, and SYNCHRONIZE.

However, I have failed to do that using the code that follows:

   // Give other processes right to duplicate handles for this application.

   HANDLE hProcess = ::OpenProcess(PROCESS_ALL_ACCESS, FALSE, ::GetCurrentProcessId());

   if (NULL != hProcess)
   {
      HANDLE hProcessToken = NULL;
      if (::OpenProcessToken(::GetCurrentProcess(), TOKEN_READ | TOKEN_ADJUST_PRIVILEGES, &hProcessToken))
      {
         if (::SetPrivilege(hProcessToken, SE_SECURITY_NAME, TRUE))
         {
            PACL pOldDacl = NULL;
            PSECURITY_DESCRIPTOR pSecurityDescriptor = NULL;
            DWORD dwErrorCode = ::GetSecurityInfo(hProcess, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &pOldDacl, NULL, &pSecurityDescriptor);
            if (ERROR_SUCCESS == dwErrorCode)
            {
               EXPLICIT_ACCESS rgExplicitAccess[1] = { 0 };

               ::BuildExplicitAccessWithName(rgExplicitAccess, _T("EVERYONE"), PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE | SYNCHRONIZE, GRANT_ACCESS, NO_INHERITANCE);

               PACL pNewDacl = NULL;
               dwErrorCode = ::SetEntriesInAcl(sizeof(rgExplicitAccess)/sizeof(rgExplicitAccess[0]), rgExplicitAccess, pOldDacl, &pNewDacl);

               if (ERROR_SUCCESS == dwErrorCode) // 1332 : ERROR_NONE_MAPPED : "No mapping between account names and security IDs was done."
               {
                  dwErrorCode = ::SetSecurityInfo(hProcess, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pNewDacl, NULL);

                  if (ERROR_SUCCESS == dwErrorCode)
                  {
                     HLOCAL hLocal = ::LocalHandle(pNewDacl);

                     if (NULL != hLocal)
                     {
                        hLocal = ::LocalFree(hLocal);
                     }
                  }
               }

               HLOCAL hLocal = ::LocalHandle(pSecurityDescriptor);

               if (NULL != hLocal)
               {
                  hLocal = ::LocalFree(hLocal);
               }
            }
         }

         ::CloseHandle(hProcessToken);
         hProcessToken = NULL;
      }

      ::CloseHandle(hProcess);
      hProcess = NULL;
   }

SetPrivilege is a function that sets or resets a privilege for a process token (I don't know if its necessary).

As indicated, it is the function SetEntriesInAcl that fails with error code ERROR_NONE_MAPPED.

How can I accomplish the task of duplicating the Pipe Handle for the server process ?
0
Comment
Question by:stefanr
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 86

Accepted Solution

by:
jkr earned 600 total points
ID: 2555757
Are you using an english NT? "EVERYONE" usually is localized, which makes it quite a pain using these APIs...

To do this, use

    psidWorldSid    =   ( PSID) LocalAlloc  (   LPTR,
                                                GetSidLengthRequired    (   1)
                                            );

    InitializeSid   (   psidWorldSid,   &siaWorldSidAuthority,  1);

    *(  GetSidSubAuthority  (   psidWorldSid,   0)) =   SECURITY_WORLD_RID;



    //  lookup clear text name of the group
    if  (   !LookupAccountSid   (   NULL,
                                    psidWorldSid,
                                    pszNameBuf,
                                    pdwNameBufSize,
                                    acReferencedDomain,
                                    &dwDomainBufSize,
                                    &eUse
                                )
        )
        {
            dwErr   =   GetLastError    ();
        }
0
 
LVL 15

Expert Comment

by:NickRepin
ID: 2556117
/*----------------------------------------------------------------------
| Name:     SetPipeSecurity
| Author:   Chris Nefcy
| Desc:     sets up security on pipe to allow access to everyone
| Params:   none
| Compiler: 32-bit VC++ or Win32 SDK
|
| COPYRIGHT:
|
|   (C) Copyright Microsoft Corp. 1993.  All rights reserved.
|
|   You have a royalty-free right to use, modify, reproduce and
|   distribute the Sample Files (and/or any modified version) in
|   any way you find useful, provided that you agree that
|   Microsoft has no warranty obligations or liability for any
|   Sample Application Files which are modified.
----------------------------------------------------------------------*/
VOID SetPipeSecurity ( VOID)
{
    HANDLE               hPipe;
    SECURITY_ATTRIBUTES  saPipeSecurity;
    PSECURITY_DESCRIPTOR pPipeSD   = NULL;

    // security inits
    memset ( ( VOID *) &saPipeSecurity, 0, sizeof ( SECURITY_ATTRIBUTES) );

    // alloc & init SD
    if ( ! ( pPipeSD = ( PSECURITY_DESCRIPTOR)
                    ( malloc ( SECURITY_DESCRIPTOR_MIN_LENGTH)) ) )
        return;

    if ( ! InitializeSecurityDescriptor ( pPipeSD,
                                    SECURITY_DESCRIPTOR_REVISION) )
        return;

    // set NULL DACL on the SD
    if ( ! SetSecurityDescriptorDacl ( pPipeSD, TRUE, ( PACL) NULL, FALSE) )
        return;

    // now set up the security attributes
    saPipeSecurity.nLength              = sizeof ( SECURITY_ATTRIBUTES);
    saPipeSecurity.bInheritHandle       = TRUE;
    saPipeSecurity.lpSecurityDescriptor = pPipeSD;

    // now create named pipe with security
    hPipe = CreateNamedPipe (
                    PIPENAME,                  // name of pipe
                    PIPE_ACCESS_DUPLEX |       // Open mode
                    FILE_FLAG_OVERLAPPED,      // use overlapped structure
                    PIPE_TYPE_MESSAGE     |    // message mode
                    PIPE_READMODE_MESSAGE |    
                    PIPE_WAIT,                 // blocking
                    dwMaxNumberOfClients,      // Max. number of instances
                    PIPEPKTSIZE,               // Size of output buffer
                    PIPEPKTSIZE,               // Size of input buffer
                    0L,                        // Time-out value (use default)
                    &saPipeSecurity );         // security flag

}
/* eof - SetPipeSecurity */

0
 
LVL 15

Expert Comment

by:NickRepin
ID: 2556119
/*----------------------------------------------------------------------
| Name:     SetPipeSecurity
| Author:   Chris Nefcy
| Desc:     sets up security on pipe to allow access to everyone
| Params:   none
| Compiler: 32-bit VC++ or Win32 SDK
|
| COPYRIGHT:
|
|   (C) Copyright Microsoft Corp. 1993.  All rights reserved.
|
|   You have a royalty-free right to use, modify, reproduce and
|   distribute the Sample Files (and/or any modified version) in
|   any way you find useful, provided that you agree that
|   Microsoft has no warranty obligations or liability for any
|   Sample Application Files which are modified.
----------------------------------------------------------------------*/
VOID SetPipeSecurity ( VOID)
{
    HANDLE               hPipe;
    SECURITY_ATTRIBUTES  saPipeSecurity;
    PSECURITY_DESCRIPTOR pPipeSD   = NULL;

    // security inits
    memset ( ( VOID *) &saPipeSecurity, 0, sizeof ( SECURITY_ATTRIBUTES) );

    // alloc & init SD
    if ( ! ( pPipeSD = ( PSECURITY_DESCRIPTOR)
                    ( malloc ( SECURITY_DESCRIPTOR_MIN_LENGTH)) ) )
        return;

    if ( ! InitializeSecurityDescriptor ( pPipeSD,
                                    SECURITY_DESCRIPTOR_REVISION) )
        return;

    // set NULL DACL on the SD
    if ( ! SetSecurityDescriptorDacl ( pPipeSD, TRUE, ( PACL) NULL, FALSE) )
        return;

    // now set up the security attributes
    saPipeSecurity.nLength              = sizeof ( SECURITY_ATTRIBUTES);
    saPipeSecurity.bInheritHandle       = TRUE;
    saPipeSecurity.lpSecurityDescriptor = pPipeSD;

    // now create named pipe with security
    hPipe = CreateNamedPipe (
                    PIPENAME,                  // name of pipe
                    PIPE_ACCESS_DUPLEX |       // Open mode
                    FILE_FLAG_OVERLAPPED,      // use overlapped structure
                    PIPE_TYPE_MESSAGE     |    // message mode
                    PIPE_READMODE_MESSAGE |    
                    PIPE_WAIT,                 // blocking
                    dwMaxNumberOfClients,      // Max. number of instances
                    PIPEPKTSIZE,               // Size of output buffer
                    PIPEPKTSIZE,               // Size of input buffer
                    0L,                        // Time-out value (use default)
                    &saPipeSecurity );         // security flag

}
/* eof - SetPipeSecurity */

0
 
LVL 3

Author Comment

by:stefanr
ID: 2557860
Yes, it was a localization problem. In fact it is lucky that I did not run an English Windows NT since the application must work on any language.
Your comment helped me to find the proper documentation in MSDN (in this case it seems that it is necessary to know exactly what to search for; like SECURITY_WORLD_RID in this case), so I accept the comment as an answer.
0
 
LVL 86

Expert Comment

by:jkr
ID: 2557952
Thanx ;-)

This problem is quite common, and the MS habit to localize everything is a pain in the <censored>. Until Office2k, the even used to be localized versions of VBA - just imagine C/C++ keywords translated to your native language (this makes me frightened ;-)
0

Featured Post

Veeam Disaster Recovery in Microsoft Azure

Veeam PN for Microsoft Azure is a FREE solution designed to simplify and automate the setup of a DR site in Microsoft Azure using lightweight software-defined networking. It reduces the complexity of VPN deployments and is designed for businesses of ALL sizes.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

What my article will show is if you ever had to do processing to a listbox without being able to just select all the items in it. My software Visual Studio 2008 crystal report v11 My issue was I wanted to add crystal report to a form and show…
For most people, the WrapPanel seems like a magic when they switch from WinForms to WPF. Most of us will think that the code that is used to write a control like that would be difficult. However, most of the work is done by the WPF engine, and the W…
This is Part 3 in a 3-part series on Experts Exchange to discuss error handling in VBA code written for Excel. Part 1 of this series discussed basic error handling code using VBA. http://www.experts-exchange.com/videos/1478/Excel-Error-Handlin…
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question