• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 837
  • Last Modified:

Creating a registry key where EVERYONE has FULL CONTROL

Hi,

I looked at a solution for the exact same question from "belgianbasman". The solution provided by "ronit" referred to a website that is no longer available:

http://developers.href.com/ARTICLE:947351496:waArticle.450277

To fill you in,  I'm writing a C++ program that needs to set the permissions on a registry key so that members of the well known trustee WinWorldSid (i.e. the "Everyone" group ) have "Full Control" over this key & it's children.

The following is an excerpt from my code:

 // Get the Security Descriptor.
if (!::GetKernelObjectSecurity(reg.getKey(), DACL_SECURITY_INFORMATION, pOldSecurityDescriptor, dwSize, &dwBytesNeeded))
{
  dwLastError = ::GetLastError();
}
// Then get the DACL from the descriptor.
else if (!::GetSecurityDescriptorDacl(pOldSecurityDescriptor, &bIsDaclPresent, &pOldDacl, &bIsDaclDefaulted) || !bIsDaclPresent || NULL == pOldDacl)
{
  dwLastError = ::GetLastError();
}
else if(!CreateWellKnownSid(WinWorldSid, NULL, pWellKnownSIDForEveryone, &nSidSize))
{
  dwLastError = ::GetLastError();
}
else
{
  /*
 *  Build an EA structure with a single ACE that allows members of the
  * well known trustee group WinWorldSid full access permission to the registry key.
  */
  ::ZeroMemory(&newSecurityDescriptor, sizeof(SECURITY_DESCRIPTOR));

  ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
  ea.grfAccessPermissions = KEY_ALL_ACCESS | DELETE | GENERIC_ALL;
  ea.grfAccessMode        = SET_ACCESS;
  ea.grfInheritance       = NO_INHERITANCE;
  ea.Trustee.TrusteeForm  = TRUSTEE_IS_SID;
  ea.Trustee.TrusteeType  = TRUSTEE_IS_WELL_KNOWN_GROUP;
  ea.Trustee.ptstrName    = (LPTSTR) pWellKnownSIDForEveryone;

  /* Add/Merge the required ACE (see above) for the registry key
  * with the current existing one & produce a new DACL.
  */
  if (ERROR_SUCCESS != ::SetEntriesInAcl(1, &ea, pOldDacl, &pNewDacl))
  {
    dwLastError = ::GetLastError();
  }
  // Initialize a new security descriptor for the the key.
  else if (!::InitializeSecurityDescriptor(&newSecurityDescriptor, SECURITY_DESCRIPTOR_REVISION))
  {
    dwLastError = ::GetLastError();
  }
  // Set the DACL in this new security descriptor.
  else if (!::SetSecurityDescriptorDacl(&newSecurityDescriptor, TRUE, pNewDacl, FALSE))
  {
    dwLastError = ::GetLastError();
  }
  // Finally, set the new security descriptor for the registry key.
  else if (!::SetKernelObjectSecurity(reg.getKey(), DACL_SECURITY_INFORMATION, &newSecurityDescriptor))
  {
    dwLastError = ::GetLastError();
  }
  else
  {
    dwLastError = ERROR_SUCCESS;
    bOK         = true;
  }
}

The line setting the permissions doesn't work (i.e. not sufficient)

 ea.grfAccessPermissions = KEY_ALL_ACCESS | DELETE | GENERIC_ALL; // Wrong!

Looking at the permissions on the key after running my code I see that the "Special Permissions" checkbox is ticked, but the "Full Control" checkbox & the "Read" checkbox remain unticked.

What is the correct value for  ea.grfAccessPermissions so as to obtain "Full Control" permissions on the key & its children (values & sub-keys) for members of the group "Everyone"?

Thanks in advance...

0
LoneRhino
Asked:
LoneRhino
  • 3
  • 2
1 Solution
 
jkrCommented:
You can achieve the same by setting a NULL DACL to that key, see http://msdn.microsoft.com/en-us/library/aa379286(VS.85).aspx ("Null DACLs and Empty DACLs")
0
 
jkrCommented:
Oh, an othre alternative would be to use a "world" SID, e.g.
    PSID                        psidWorldSid    =   NULL;
    SECURITY_DESCRIPTOR         sd;
    SECURITY_ATTRIBUTES         sa;
 
    SID_IDENTIFIER_AUTHORITY    siaWorldSidAuthority    =   SECURITY_WORLD_SID_AUTHORITY;
    DWORD                       dwCreate                =   0;
  
    //  Create a security descriptor that allows
    //  access for "evreyone"
 
    psidWorldSid    =   ( PSID) LocalAlloc  (   LPTR,
                                                GetSidLengthRequired    (   1)
                                            );
 
    InitializeSid   (   psidWorldSid,   &siaWorldSidAuthority,  1);
 
    *(  GetSidSubAuthority  (   psidWorldSid,   0)) =   SECURITY_WORLD_RID;
 
    InitializeSecurityDescriptor    (   &sd,    SECURITY_DESCRIPTOR_REVISION);
 
    SetSecurityDescriptorGroup      (   &sd,    psidWorldSid,   TRUE);
 
    ZeroMemory  (   &sa,    sizeof  (   SECURITY_ATTRIBUTES));
 
    sa.nLength              =   sizeof  (   SECURITY_ATTRIBUTES);
    sa.lpSecurityDescriptor =   &sd;
    sa.bInheritHandle           =   FALSE;

Open in new window

0
 
LoneRhinoAuthor Commented:
Hi jkr,

Sorry to be so tardy with my response. I've been under the gun (& still am) for a couple of weeks trying to get a release out. I haven't had time to test either solution you outlined, but both of them look like they will work so full credit to you.

Thankyou once again,

The LoneRhino
0
 
LoneRhinoAuthor Commented:
Hi jkr,

Sorry to be so tardy with my response. I've been under the gun (& still am) for a couple of weeks trying to get a release out. I haven't had time to test either solution you outlined, but both of them look like they will work so full credit to you.

Thankyou once again,

The LoneRhino
0
 
jkrCommented:
No problem, hope it's gonna work for you ;o)
0

Featured Post

What Security Threats Are We Predicting for 2018?

Cryptocurrency, IoT botnets, MFA, and more! Hackers are already planning their next big attacks for 2018. Learn what you might face, and how to defend against it with our 2018 security predictions.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now