From: James Bond on 20 Jun 2008 17:23

Hi,

I'm writing a Win32 service which uses shared memory (File Mapping) for communication with other processes. I would like to protect this memory object by giving it full access for the service process and read-only access for any other process. I'm not familiar with security (ACL, DACL, SACL). Looks like I need to pass the right security attribute to the CreateFileMapping() API.

Anyone know how to generate this?
Any predefined descriptors that I can use?

I really appreciate any help on this....

Thanks

From: Kellie Fitton on 20 Jun 2008 21:46

On Jun 20, 2:23 pm, James Bond <JamesB...(a)discussions.microsoft.com> wrote:
> Hi,
>
> I'm writing a Win32 service which uses shared memory (File Mapping) for
> communication with other processes. I would like to protect this memory object
> by giving it full access for the service process and read-only access for any
> other process. I'm not familiar with security (ACL, DACL, SACL). Looks like I
> need to pass the right security attribute to the CreateFileMapping() API.
>
> Anyone know how to generate this?
> Any predefined descriptors that I can use?
>
> I really appreciate any help on this....
>
> Thanks

Hi,

You can use the following APIs to create or open a named or unnamed mutex object, and protect a shared resource from simultaneous access by multiple threads or processes:

InitializeSecurityDescriptor()
SetSecurityDescriptorDacl()
CreateMutex()

http://msdn2.microsoft.com/en-us/library/aa378863.aspx
http://msdn2.microsoft.com/en-us/library/aa379583.aspx
http://msdn2.microsoft.com/en-us/library/ms682411.aspx
http://msdn2.microsoft.com/en-us/library/ms686927.aspx

Kellie.

From: Pavel A. on 21 Jun 2008 08:29

"James Bond" <JamesBond(a)discussions.microsoft.com> wrote in message news:EC98E270-1429-423F-8C99-CDB3654D4777(a)microsoft.com...
> Hi,
>
> I'm writing a Win32 service which uses shared memory (File Mapping) for
> communication with other processes. I would like to protect this memory
> object by giving it full access for the service process and read-only access
> for any other process. I'm not familiar with security (ACL, DACL, SACL).
> Looks like I need to pass the right security attribute to the
> CreateFileMapping() API.
>
> Anyone know how to generate this?
> Any predefined descriptors that I can use?
>

There is a "text" form of the security descriptors, aka SDDL.

Some examples (quoted from WDK 6001 documentation):

"D:P(A;;GA;;;SY)(A;;GRGWGX;;;BA)(A;;GR;;;WD)"

- allows the kernel and system complete control over the device. By default the administrator can access the entire device, but cannot change the ACL (the administrator must take control of the device first.)

"D:P(A;;GA;;;SY)(A;;GRGWGX;;;BA)(A;;GR;;;WD)(A;;GR;;;RC)"

- same as above + Everyone (the World SID) is given read access. In addition, untrusted code is also allowed to access code. ...

Function ConvertStringSecurityDescriptorToSecurityDescriptor converts SDDL strings to a binary PSECURITY_DESCRIPTOR struct.

Regards,
--PA

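An added example, not part of any post in this thread: a small Python decoder for the DACL part of an SDDL string, useful for checking who can modify an object before the string is handed to ConvertStringSecurityDescriptorToSecurityDescriptor. The function names, the code tables (a subset of SDDL) and the `SERVICE_ONLY` string are assumptions made for illustration; `SERVICE_ONLY` assumes the service runs as LocalSystem.

```python
import re

# Subset of SDDL codes, enough for the descriptors quoted in this thread.
RIGHTS = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE",
          "GX": "GENERIC_EXECUTE", "RC": "READ_CONTROL", "SD": "DELETE",
          "WD": "WRITE_DAC", "WO": "WRITE_OWNER"}
SIDS = {"SY": "Local System", "BA": "Builtin Administrators",
        "WD": "Everyone", "RC": "Restricted Code"}
# Rights that let a trustee modify the object or its protection.
MODIFY = {"GENERIC_ALL", "GENERIC_WRITE", "WRITE_DAC", "WRITE_OWNER"}


def parse_dacl(sddl):
    """Return (dacl_flags, aces) for the D: component of an SDDL string."""
    m = re.search(r"D:([A-Z]*)((?:\([^()]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL with ACEs found")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(2)):
        fields = body.split(";")
        if len(fields) != 6:  # conditional ACEs (7 fields) are out of scope
            raise ValueError(f"unsupported ACE: ({body})")
        ace_type, _, rights, _, _, sid = fields
        codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        unknown = [c for c in codes if c not in RIGHTS]
        if unknown:
            raise ValueError(f"unknown rights {unknown} in ({body})")
        aces.append({"type": ace_type,
                     "trustee": SIDS.get(sid, sid),  # raw SID strings pass through
                     "rights": [RIGHTS[c] for c in codes]})
    return m.group(1), aces


def modifiers(sddl):
    """Trustees that an allow ACE lets write to the object or change its ACL."""
    _, aces = parse_dacl(sddl)
    return [a["trustee"] for a in aces
            if a["type"] == "A" and MODIFY & set(a["rights"])]


WDK_EXAMPLE = "D:P(A;;GA;;;SY)(A;;GRGWGX;;;BA)(A;;GR;;;WD)"  # from the thread
# Constructed for the question's requirement; assumes the service is LocalSystem.
SERVICE_ONLY = "D:P(A;;GA;;;SY)(A;;GR;;;WD)"

if __name__ == "__main__":
    for s in (WDK_EXAMPLE, SERVICE_ONLY):
        flags, aces = parse_dacl(s)
        print(s, "flags:", flags)
        for a in aces:
            print("  ", a["type"], a["trustee"], a["rights"])
        print("   can modify:", modifiers(s))
```

Deny ACEs and ACE ordering are not evaluated; the check only lists trustees that hold a modifying right through an allow ACE.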
From: James Bond on 23 Jun 2008 18:00

Thanks for the information. I will try it.

-Venkatesh

"Pavel A." wrote:

> "James Bond" <JamesBond(a)discussions.microsoft.com> wrote in message
> news:EC98E270-1429-423F-8C99-CDB3654D4777(a)microsoft.com...
> > Hi,
> >
> > I'm writing a Win32 service which uses shared memory (File Mapping) for
> > communication with other processes. I would like to protect this memory
> > object by giving it full access for the service process and read-only
> > access for any other process. I'm not familiar with security (ACL, DACL,
> > SACL). Looks like I need to pass the right security attribute to the
> > CreateFileMapping() API.
> >
> > Anyone know how to generate this?
> > Any predefined descriptors that I can use?
> >
>
> There is a "text" form of the security descriptors, aka SDDL.
>
> Some examples (quoted from WDK 6001 documentation):
>
> "D:P(A;;GA;;;SY)(A;;GRGWGX;;;BA)(A;;GR;;;WD)"
>
> - allows the kernel and system complete control over the device. By default
> the administrator can access the entire device, but cannot change the ACL
> (the administrator must take control of the device first.)
>
> "D:P(A;;GA;;;SY)(A;;GRGWGX;;;BA)(A;;GR;;;WD)(A;;GR;;;RC)"
>
> - same as above + Everyone (the World SID) is given read access. In
> addition, untrusted code is also allowed to access code. ...
>
> Function ConvertStringSecurityDescriptorToSecurityDescriptor
> converts SDDL strings to a binary PSECURITY_DESCRIPTOR struct.
>
> Regards,
> --PA