mars
asked on
Sharing objects with local system account?
SDK: IIS 4.0 & 5.0 & BCB 4.0
During the global.asa processing (Application_OnStart), I
create a shared memory via a COM object. At this point of processing,
the token is the IIS local system account. The trouble is I
cannot open the same shared memory from another application.
The "service API" help file (because IIS is a service) says the
local system account limits object sharing, because of the DACL.
The help API says:
>>>
The LocalSystem Account ..... has several implications:
The service cannot share objects (pipes, file mapping, synchronization,
and so on) with other applications, unless it creates them using either
a DACL which allows a user or group of users access to the object or a
NULL DACL, which allows everyone access to the object. Note that
specifying a NULL DACL is not the same as specifying NULL. If you specify
NULL in the lpSecurityDescriptor member of the SECURITY_ATTRIBUTES structure,
access to the object is granted only to processes with the same security
context as the process that created the object. For information on specifying
a NULL DACL in the security descriptor field, see Allowing Access Using the
Low-Level Functions.
<<<
I saw the code in section "Allowing Access Using the Low-Level Functions".
But I DO NOT KNOW anything about security, DACLs and so on. All I know is
I must create an object (file, mutex...) with a NON-NULL security descriptor.
Could you give me some pieces of code to create a NULL DACL for
- File Mapping
- Mutex
- Semaphore
- Event
Thank you very much
ASKER CERTIFIED SOLUTION
Well, you'll have to use the same security descriptor (i.e. the same code as above) in the executable also, otherwise it won't work - I use the code above a lot to share objects between services and user applications, so I can assure you that it works ;-)
ASKER
I used the same code, but you must add this line to achieve sharing between processes running under different tokens.
SetSecurityDescriptorDacl( &g_sd, TRUE, NULL, FALSE );
ASKER
Any ideas!