Solved

Sharing objects with local system account ?

Posted on 2000-04-11
Last Modified: 2013-12-03
SDK: IIS 4.0 & 5.0 & BCB 4.0

During the global.asa processing (Application_OnStart), I
create a shared memory via a COM object. At this time of processing,
the token is the IIS local system account. The trouble is I
cannot open the same shared memory through another application.

The "service API" help file (because IIS is a service) says the
local system account limits object sharing, because of the DACL.

The API help says:

>>>
The LocalSystem Account ..... has several implications:

The service cannot share objects (pipes, file mapping, synchronization,
and so on) with other applications, unless it creates them using either
a DACL which allows a user or group of users access to the object or a
NULL DACL, which allows everyone access to the object. Note that
specifying a NULL DACL is not the same as specifying NULL. If you specify
NULL in the lpSecurityDescriptor member of the SECURITY_ATTRIBUTES structure,
access to the object is granted only to processes with the same security
context as the process that created the object. For information on specifying
a NULL DACL in the security descriptor field, see Allowing Access Using the
Low-Level Functions.
<<<

I saw the code in section "Allowing Access Using the Low-Level Functions".
But I DO NOT KNOW anything about security, DACLs and so on. All I know is
I must create an object (file, mutex...) with a NON NULL security descriptor.

Could you give me some pieces of code to create a NULL DACL for
- File Mapping
- Mutex
- Semaphore
- Event

Thank you very much
Question by:mars
4 Comments
 
LVL 86

Accepted Solution

by:
jkr earned 800 total points
ID: 2704962
You can do this by creating these objects with a 'world' security descriptor, e.g.

#include <windows.h>

static  HANDLE                  g_hSharedObj    =   INVALID_HANDLE_VALUE;
static  PSID                    g_psidWorldSid  =   NULL;
static  SECURITY_DESCRIPTOR     g_sd;
static  SECURITY_ATTRIBUTES     g_sa;

//  HPSUD_LOGFILE_LOCK is the poster's own name constant for the mutex,
//  defined elsewhere in his project; substitute the name of your object.

void CreateSharedObject(void)
{
    SID_IDENTIFIER_AUTHORITY    siaWorldSidAuthority    =   SECURITY_WORLD_SID_AUTHORITY;

    //  Create a security descriptor for the log file that allows
    //  access from both the privileged service and the non-privileged
    //  user mode programs

    //  Build the well-known "Everyone" SID (S-1-1-0)
    g_psidWorldSid  =   (PSID) LocalAlloc(LPTR, GetSidLengthRequired(1));
    InitializeSid(g_psidWorldSid, &siaWorldSidAuthority, 1);
    *(GetSidSubAuthority(g_psidWorldSid, 0))    =   SECURITY_WORLD_RID;

    //  Fresh absolute security descriptor with Everyone as its primary group
    //  (no DACL is set at this point; see the follow-up comments)
    InitializeSecurityDescriptor(&g_sd, SECURITY_DESCRIPTOR_REVISION);
    SetSecurityDescriptorGroup(&g_sd, g_psidWorldSid, TRUE);

    ZeroMemory(&g_sa, sizeof(SECURITY_ATTRIBUTES));
    g_sa.nLength                =   sizeof(SECURITY_ATTRIBUTES);
    g_sa.lpSecurityDescriptor   =   &g_sd;
    g_sa.bInheritHandle         =   FALSE;

    //  set this SD on the object
    g_hSharedObj    =   CreateMutex(&g_sa, FALSE, HPSUD_LOGFILE_LOCK);
}


The above works for all kinds of securable Win32 objects, also for the ones you mentioned in your list.

Feel free to ask if you need more information!

0
 

Author Comment

by:mars
ID: 2705098
I created my EVENT fine in the COM object, but I got an access denied in the executable. Error #5.

Any ideas?
0
 
LVL 86

Expert Comment

by:jkr
ID: 2705109
Well, you'll have to use the same security descriptor (i.e. the same code as above) in the executable also, otherwise it won't work - I use the code above a lot to share objects between services and user applications, so I can assure you that it works ;-)
0
 

Author Comment

by:mars
ID: 2705337
I used the same code, but you must add this line to achieve sharing between processes running under different tokens.

//  bDaclPresent = TRUE with pDacl = NULL installs a NULL DACL: everyone gets access
SetSecurityDescriptorDacl( &g_sd,  TRUE, NULL, FALSE );


0
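As an added example (not code from this thread), the same sharing done with the other option the help text mentions, an explicit DACL rather than a NULL DACL, using the .NET wrappers over the same Win32 mutex object from PowerShell, followed by a read-back of the DACL that actually landed on the object. It assumes Windows PowerShell 5.1 on .NET Framework, a context that may create Global\ objects (a service or elevated shell), and a constructed object name.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1 (.NET Framework).
# The object name is a constructed placeholder; a service would use its own name.
$name = 'Global\ExampleSharedLock'

$sec    = [System.Security.AccessControl.MutexSecurity]::new()
$system = [System.Security.Principal.SecurityIdentifier]::new(
    [System.Security.Principal.WellKnownSidType]::LocalSystemSid, $null)
$users  = [System.Security.Principal.SecurityIdentifier]::new(
    [System.Security.Principal.WellKnownSidType]::AuthenticatedUserSid, $null)

# The creating service keeps full control; user-mode callers get only what they
# need to wait on and release the mutex. Unlike a NULL DACL, nothing here lets
# an arbitrary process rewrite the DACL or take ownership of the object.
$sec.AddAccessRule([System.Security.AccessControl.MutexAccessRule]::new(
    $system, [System.Threading.MutexRights]::FullControl,
    [System.Security.AccessControl.AccessControlType]::Allow))
$sec.AddAccessRule([System.Security.AccessControl.MutexAccessRule]::new(
    $users, ([System.Threading.MutexRights]::Synchronize -bor [System.Threading.MutexRights]::Modify),
    [System.Security.AccessControl.AccessControlType]::Allow))

$createdNew = $false
$mutex = [System.Threading.Mutex]::new($false, $name, [ref]$createdNew, $sec)
"createdNew=$createdNew"

# Audit what is really on the object. 'D:NO_ACCESS_CONTROL' in the SDDL means a
# NULL DACL; an Allow ACE giving S-1-1-0 (Everyone) FullControl is the other smell.
$acl = $mutex.GetAccessControl()
$acl.GetSecurityDescriptorSddlForm([System.Security.AccessControl.AccessControlSections]::Access)
$acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    ForEach-Object {
        $full = [System.Threading.MutexRights]::FullControl
        $flag = if ($_.IdentityReference.Value -eq 'S-1-1-0' -and
                    ($_.MutexRights -band $full) -eq $full) { 'OVERLY BROAD' } else { 'ok' }
        '{0,-13} {1,-12} {2}' -f $flag, $_.IdentityReference.Value, $_.MutexRights
    }

# The open a user-mode client makes: request only the rights its ACE grants.
# Asking for FullControl (MUTEX_ALL_ACCESS) against this DACL fails with error 5,
# which is the symptom seen in the thread when the descriptors do not line up.
$client = [System.Threading.Mutex]::OpenExisting($name,
    ([System.Threading.MutexRights]::Synchronize -bor [System.Threading.MutexRights]::Modify))
$client.Dispose()
$mutex.Dispose()
```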
