Sharing objects with local system account ?

SDK: IIS 4.0 & 5.0 & BCB 4.0

During the global.asa processing (Application_OnStart),  i
create a shared memory via a COM object. At this time of processing,
the token is the iis local system account. The trouble is i
cannot open the same shared memory through another application.

The "service api" help file (because iis is a service) says the
local system account limits the object sharing, because of DACL.

Help api says

The LocalSystem Account ..... has several implications:

The service cannot share objects (pipes, file mapping, synchronization,
and so on) with other applications, unless it creates them using either
a DACL which allows a user or group of users access to the object or a
NULL DACL, which allows everyone access to the object. Note that
specifying a NULL DACL is not the same as specifying NULL. If you specify
NULL in the lpSecurityDescriptor member of the SECURITY_ATTRIBUTES structure,
access to the object is granted only to processes with the same security
context as the process that created the object. For information on specifying
a NULL DACL in the security descriptor field, see Allowing Access Using the
Low-Level Functions.

I saw the code in section "Allowing Access Using the Low-Level Functions".
But, i DO NOT KNOW nothing about security, dacl and so on. All i know is
i must create an object (file, mutex...) with a NON NULL security descriptor.

Could you give me some pieces of code to create a NULL DACL for
- File Mapping
- Mutex
- Semaphore
- Event

Thank you very much
Who is Participating?
jkrConnect With a Mentor Commented:
You can do this by creating these objects with a 'world' security descriptor, e.g.

static  HANDLE                      g_hSharedObj    =   INVALID_HANDLE_VALUE;
static  PSID                        g_psidWorldSid  =   NULL;
static  SECURITY_DESCRIPTOR         g_sd;
static  SECURITY_ATTRIBUTES         g_sa;

    DWORD                       dwCreate                =   0;

    //  Create a security descriptor for the log file that allows
    //  access from both the privileged service and the non-privileged
    //  user mode programs

    g_psidWorldSid  =   ( PSID) LocalAlloc  (   LPTR,
                                                GetSidLengthRequired    (   1)

    InitializeSid   (   g_psidWorldSid, &siaWorldSidAuthority,  1);

    *(  GetSidSubAuthority  (   g_psidWorldSid, 0)) =   SECURITY_WORLD_RID;

    InitializeSecurityDescriptor    (   &g_sd,  SECURITY_DESCRIPTOR_REVISION);

    SetSecurityDescriptorGroup      (   &g_sd,  g_psidWorldSid, TRUE);

    ZeroMemory  (   &g_sa,  sizeof  (   SECURITY_ATTRIBUTES));

    g_sa.nLength                =   sizeof  (   SECURITY_ATTRIBUTES);
    g_sa.lpSecurityDescriptor   =   &g_sd;
    g_sa.bInheritHandle         =   FALSE;

    //  set this SD on the object
    g_hSharedObj    =   CreateMutex (   &g_sa,

The above works for all kinds of securable Win32 objects, also for the ones you mentioned in your list.

Feel free to ask if you need more information!

marsAuthor Commented:
I created well my EVENT in the COM object but i got an access denied in the executable file. Error #5.

Any ideas!
Well, you'll have to use the same security descriptor (i.e. the same code as above) in the executable also, otherwise it won't work - I use the code above a lot to share objects between services and user applications, so I can assure you that it works ;-)
marsAuthor Commented:
I used the same code, but you must add this line to achieve the sharing between process among different token.

SetSecurityDescriptorDacl( &g_sd,  TRUE, NULL, FALSE );

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.