Solved

Creating a registry key where EVERYONE has FULL CONTROL

Posted on 2009-04-08
5
755 Views
Last Modified: 2013-12-04
Hi,

I looked at a solution for the exact same question from "belgianbasman". The solution provided by "ronit" referred to a website that is no longer available:

http://developers.href.com/ARTICLE:947351496:waArticle.450277

To fill you in,  I'm writing a C++ program that needs to set the permissions on a registry key so that members of the well known trustee WinWorldSid (i.e. the "Everyone" group ) have "Full Control" over this key & it's children.

The following is an excerpt from my code:

 // Get the Security Descriptor.
if (!::GetKernelObjectSecurity(reg.getKey(), DACL_SECURITY_INFORMATION, pOldSecurityDescriptor, dwSize, &dwBytesNeeded))
{
  dwLastError = ::GetLastError();
}
// Then get the DACL from the descriptor.
else if (!::GetSecurityDescriptorDacl(pOldSecurityDescriptor, &bIsDaclPresent, &pOldDacl, &bIsDaclDefaulted) || !bIsDaclPresent || NULL == pOldDacl)
{
  dwLastError = ::GetLastError();
}
else if(!CreateWellKnownSid(WinWorldSid, NULL, pWellKnownSIDForEveryone, &nSidSize))
{
  dwLastError = ::GetLastError();
}
else
{
  /*
 *  Build an EA structure with a single ACE that allows members of the
  * well known trustee group WinWorldSid full access permission to the registry key.
  */
  ::ZeroMemory(&newSecurityDescriptor, sizeof(SECURITY_DESCRIPTOR));

  ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
  ea.grfAccessPermissions = KEY_ALL_ACCESS | DELETE | GENERIC_ALL;
  ea.grfAccessMode        = SET_ACCESS;
  ea.grfInheritance       = NO_INHERITANCE;
  ea.Trustee.TrusteeForm  = TRUSTEE_IS_SID;
  ea.Trustee.TrusteeType  = TRUSTEE_IS_WELL_KNOWN_GROUP;
  ea.Trustee.ptstrName    = (LPTSTR) pWellKnownSIDForEveryone;

  /* Add/Merge the required ACE (see above) for the registry key
  * with the current existing one & produce a new DACL.
  */
  if (ERROR_SUCCESS != ::SetEntriesInAcl(1, &ea, pOldDacl, &pNewDacl))
  {
    dwLastError = ::GetLastError();
  }
  // Initialize a new security descriptor for the the key.
  else if (!::InitializeSecurityDescriptor(&newSecurityDescriptor, SECURITY_DESCRIPTOR_REVISION))
  {
    dwLastError = ::GetLastError();
  }
  // Set the DACL in this new security descriptor.
  else if (!::SetSecurityDescriptorDacl(&newSecurityDescriptor, TRUE, pNewDacl, FALSE))
  {
    dwLastError = ::GetLastError();
  }
  // Finally, set the new security descriptor for the registry key.
  else if (!::SetKernelObjectSecurity(reg.getKey(), DACL_SECURITY_INFORMATION, &newSecurityDescriptor))
  {
    dwLastError = ::GetLastError();
  }
  else
  {
    dwLastError = ERROR_SUCCESS;
    bOK         = true;
  }
}

The line setting the permissions doesn't work (i.e. not sufficient)

 ea.grfAccessPermissions = KEY_ALL_ACCESS | DELETE | GENERIC_ALL; // Wrong!

Looking at the permissions on the key after running my code I see that the "Special Permissions" checkbox is ticked, but the "Full Control" checkbox & the "Read" checkbox remain unticked.

What is the correct value for  ea.grfAccessPermissions so as to obtain "Full Control" permissions on the key & its children (values & sub-keys) for members of the group "Everyone"?

Thanks in advance...

0
Comment
Question by:LoneRhino
  • 3
  • 2
5 Comments
 
LVL 86

Expert Comment

by:jkr
ID: 24097891
You can achieve the same by setting a NULL DACL to that key, see http://msdn.microsoft.com/en-us/library/aa379286(VS.85).aspx ("Null DACLs and Empty DACLs")
0
 
LVL 86

Accepted Solution

by:
jkr earned 500 total points
ID: 24099907
Oh, an othre alternative would be to use a "world" SID, e.g.
    PSID                        psidWorldSid    =   NULL;
    SECURITY_DESCRIPTOR         sd;
    SECURITY_ATTRIBUTES         sa;
 
    SID_IDENTIFIER_AUTHORITY    siaWorldSidAuthority    =   SECURITY_WORLD_SID_AUTHORITY;
    DWORD                       dwCreate                =   0;
  
    //  Create a security descriptor that allows
    //  access for "evreyone"
 
    psidWorldSid    =   ( PSID) LocalAlloc  (   LPTR,
                                                GetSidLengthRequired    (   1)
                                            );
 
    InitializeSid   (   psidWorldSid,   &siaWorldSidAuthority,  1);
 
    *(  GetSidSubAuthority  (   psidWorldSid,   0)) =   SECURITY_WORLD_RID;
 
    InitializeSecurityDescriptor    (   &sd,    SECURITY_DESCRIPTOR_REVISION);
 
    SetSecurityDescriptorGroup      (   &sd,    psidWorldSid,   TRUE);
 
    ZeroMemory  (   &sa,    sizeof  (   SECURITY_ATTRIBUTES));
 
    sa.nLength              =   sizeof  (   SECURITY_ATTRIBUTES);
    sa.lpSecurityDescriptor =   &sd;
    sa.bInheritHandle           =   FALSE;

Open in new window

0
 

Author Comment

by:LoneRhino
ID: 24181524
Hi jkr,

Sorry to be so tardy with my response. I've been under the gun (& still am) for a couple of weeks trying to get a release out. I haven't had time to test either solution you outlined, but both of them look like they will work so full credit to you.

Thankyou once again,

The LoneRhino
0
 

Author Closing Comment

by:LoneRhino
ID: 31567906
Hi jkr,

Sorry to be so tardy with my response. I've been under the gun (& still am) for a couple of weeks trying to get a release out. I haven't had time to test either solution you outlined, but both of them look like they will work so full credit to you.

Thankyou once again,

The LoneRhino
0
 
LVL 86

Expert Comment

by:jkr
ID: 24181536
No problem, hope it's gonna work for you ;o)
0

Featured Post

U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

No security measures warrant 100% as a "silver bullet". The truth is we also cannot assume anything but a defensive and vigilance posture. Adopt no trust by default and reveal in assumption. Only assume anonymity or invisibility in the reverse. Safe…
Exception Handling is in the core of any application that is able to dignify its name. In this article, I'll guide you through the process of writing a DRY (Don't Repeat Yourself) Exception Handling mechanism, using Aspect Oriented Programming.
The goal of the video will be to teach the user the difference and consequence of passing data by value vs passing data by reference in C++. An example of passing data by value as well as an example of passing data by reference will be be given. Bot…
The viewer will be introduced to the member functions push_back and pop_back of the vector class. The video will teach the difference between the two as well as how to use each one along with its functionality.

860 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question