Solved

Sharing objects with local system account ?

Posted on 2000-04-11
Last Modified: 2013-12-03
SDK: IIS 4.0 & 5.0 & BCB 4.0

During the global.asa processing (Application_OnStart), I
create a shared memory via a COM object. At this point in the processing,
the token is the IIS local system account. The trouble is I
cannot open the same shared memory from another application.

The "service api" help file (because iis is a service) says the
local system account limits the object sharing, because of DACL.

Help api says

>>>
The LocalSystem Account ..... has several implications:

The service cannot share objects (pipes, file mapping, synchronization,
and so on) with other applications, unless it creates them using either
a DACL which allows a user or group of users access to the object or a
NULL DACL, which allows everyone access to the object. Note that
specifying a NULL DACL is not the same as specifying NULL. If you specify
NULL in the lpSecurityDescriptor member of the SECURITY_ATTRIBUTES structure,
access to the object is granted only to processes with the same security
context as the process that created the object. For information on specifying
a NULL DACL in the security descriptor field, see Allowing Access Using the
Low-Level Functions.
<<<

I saw the code in the section "Allowing Access Using the Low-Level Functions".
But I DO NOT KNOW anything about security, DACLs and so on. All I know is
I must create an object (file, mutex...) with a NON-NULL security descriptor.

Could you give me some pieces of code to create a NULL DACL for
- File Mapping
- Mutex
- Semaphore
- Event

Thank you very much
Question by:mars
Accepted Solution

by: jkr (earned 200 total points)
You can do this by creating these objects with a 'world' security descriptor, e.g.

#include <windows.h>

//  object name used below; the value is assumed here, the original defines it elsewhere
#define HPSUD_LOGFILE_LOCK  TEXT("HPSUD_LOGFILE_LOCK")

static  HANDLE                      g_hSharedObj    =   INVALID_HANDLE_VALUE;
static  PSID                        g_psidWorldSid  =   NULL;
static  SECURITY_DESCRIPTOR         g_sd;
static  SECURITY_ATTRIBUTES         g_sa;

BOOL CreateSharedMutex()
{
    SID_IDENTIFIER_AUTHORITY    siaWorldSidAuthority    =   SECURITY_WORLD_SID_AUTHORITY;

    //  Create a security descriptor for the log file that allows
    //  access from both the privileged service and the non-privileged
    //  user mode programs

    //  build the well-known "Everyone" SID (S-1-1-0): one sub-authority, SECURITY_WORLD_RID
    g_psidWorldSid  =   ( PSID) LocalAlloc  (   LPTR,   GetSidLengthRequired    (   1));
    if  (   g_psidWorldSid  ==  NULL)
        return  FALSE;

    InitializeSid   (   g_psidWorldSid, &siaWorldSidAuthority,  1);

    *(  GetSidSubAuthority  (   g_psidWorldSid, 0)) =   SECURITY_WORLD_RID;

    //  start from an empty descriptor (no owner, group, DACL or SACL yet)
    InitializeSecurityDescriptor    (   &g_sd,  SECURITY_DESCRIPTOR_REVISION);

    //  make Everyone the descriptor's primary group
    SetSecurityDescriptorGroup      (   &g_sd,  g_psidWorldSid, TRUE);

    ZeroMemory  (   &g_sa,  sizeof  (   SECURITY_ATTRIBUTES));

    g_sa.nLength                =   sizeof  (   SECURITY_ATTRIBUTES);
    g_sa.lpSecurityDescriptor   =   &g_sd;
    g_sa.bInheritHandle         =   FALSE;  //  handle is not inherited by child processes

    //  set this SD on the object
    g_hSharedObj    =   CreateMutex (   &g_sa,
                                        FALSE,
                                        HPSUD_LOGFILE_LOCK
                                    );

    //  CreateMutex returns NULL (not INVALID_HANDLE_VALUE) on failure
    return  (   g_hSharedObj    !=  NULL);
}


The above works for all kinds of securable Win32 objects, also for the ones you mentioned in your list.

Feel free to ask if you need more information!


Author Comment

by:mars
I created my EVENT fine in the COM object, but I got an access denied in the executable file. Error #5.

Any ideas!
Expert Comment

by:jkr
Well, you'll have to use the same security descriptor (i.e. the same code as above) in the executable also, otherwise it won't work - I use the code above a lot to share objects between services and user applications, so I can assure you that it works ;-)

Author Comment

by:mars
I used the same code, but you must add this line to achieve sharing between processes running under different tokens.

SetSecurityDescriptorDacl( &g_sd,  TRUE, NULL, FALSE );   // DACL present but NULL: everyone gets access

