RE: Creating a directory with security attributes.

From: Steve Friedl [MVP] (SteveFriedlMVP_at_discussions.microsoft.com)
Date: 11/22/04

    Date: Sun, 21 Nov 2004 20:19:02 -0800

    "Kevin Burton" wrote:

    > TCHAR * szSD = TEXT("D:") // Discretionary ACL
    > TEXT("(D;OICI;GA;;;BG)") // Deny access to built-in guests
    > TEXT("(D;OICI;GA;;;AN)") // Deny access to anonymous logon
    > TEXT("(A;OICI;GRGWGX;;;AU)") // Allow r/w/x to authenticated users
    > TEXT("(A;OICI;GA;;;BA)") // Allow full control to administrators
    > TEXT("(A;OICI;GA;;;DU)"); // Allow full control to domain users

    It seems that the problem is with the "AN" and "DU" tokens that specify
    "Anonymous users" and "Domain Users" - I'm not sure why this is the case. You
    can see for yourself by making a small test program that comments these lines
    out:

    When these tokens are converted to the S-format, it seems to work:

    #define _WIN32_WINNT 0x0500
    #include <windows.h>
    #include <sddl.h>
    #include <stdio.h>
    #include <tchar.h>

    int __cdecl _tmain(void)
    {
            SECURITY_ATTRIBUTES sa;

            ZeroMemory(&sa, sizeof sa);

            sa.nLength = sizeof sa;
            sa.bInheritHandle = FALSE;

            /* Same DACL as above, with the two suspect ACEs commented out */
            const TCHAR * szSD =
              _T("D:") // Discretionary ACL
              _T("(D;OICI;GA;;;BG)") // Deny access to built-in guests
    // _T("(D;OICI;GA;;;AN)") // Deny access to anonymous logon
              _T("(A;OICI;GRGWGX;;;AU)") // Allow r/w/x to authenticated users
              _T("(A;OICI;GA;;;BA)") // Allow full control to administrators
    // _T("(A;OICI;GA;;;DU)") // Allow full control to domain users
            ;

            if ( ! ConvertStringSecurityDescriptorToSecurityDescriptor(
                       szSD,
                       SDDL_REVISION_1,
                       &sa.lpSecurityDescriptor,
                       NULL) )
            {
                    printf("failed: err#%lu\n", GetLastError() );
            }
            else
            {
                    printf("converted OK\n");
                    /* the descriptor is LocalAlloc'd by the API; release it */
                    LocalFree(sa.lpSecurityDescriptor);
            }

            return 0;
    }

    With this more limited string, it works (I figured it out by trial-and-error).

    Replacing these tokens for the ACE trustee (ref:
    http://msdn.microsoft.com/library/en-us/secauthz/security/sid_strings.asp )
    with the S-format seems to help:

    // deny access to anonymous logins
    > TEXT("(D;OICI;GA;;;AN)") // doesn't seem to work
    > TEXT("(D;OICI;GA;;;S-1-5-7)") // seems to work OK

    Finding the SID for the domain users is left as an exercise to the reader.
    Not sure if this is a bug or not...

    Steve
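
    An added example, not from Steve's post or Kevin's code: the same bisection done in
    PowerShell, trying each ACE on its own so the rejected trustee token is reported by
    name rather than found by trial and error, then resolving Domain Users and the
    anonymous logon to literal SIDs before applying the full DACL to a new directory.
    It assumes a domain-joined host and that the path C:\Temp\secured does not exist yet.

```powershell
# Added example, not from the original post. Assumes a domain-joined host
# and that C:\Temp\secured does not exist yet (Windows PowerShell 5.1+).

# 1. Try each ACE on its own; the .NET wrapper calls the same Win32
#    ConvertStringSecurityDescriptorToSecurityDescriptor the C code does,
#    so a bad trustee token fails here with the ACE that carries it.
$aces = @(
    '(D;OICI;GA;;;BG)',       # deny built-in guests
    '(D;OICI;GA;;;AN)',       # deny anonymous logon
    '(A;OICI;GRGWGX;;;AU)',   # allow r/w/x to authenticated users
    '(A;OICI;GA;;;BA)',       # allow full control to administrators
    '(A;OICI;GA;;;DU)'        # allow full control to domain users
)
foreach ($ace in $aces) {
    $ds = New-Object System.Security.AccessControl.DirectorySecurity
    try {
        $ds.SetSecurityDescriptorSddlForm("D:$ace")
        "OK    $ace"
    } catch {
        "FAIL  $ace : $($_.Exception.Message)"
    }
}

# 2. Resolve the tokens that failed to literal SIDs instead of guessing them.
$sidType     = [System.Security.Principal.SecurityIdentifier]
$domainUsers = ([System.Security.Principal.NTAccount] "$env:USERDOMAIN\Domain Users").Translate($sidType).Value
$anonymous   = (New-Object System.Security.Principal.SecurityIdentifier(
                   [System.Security.Principal.WellKnownSidType]::AnonymousSid, $null)).Value

$sddl = 'D:(D;OICI;GA;;;BG)' +
        "(D;OICI;GA;;;$anonymous)" +
        '(A;OICI;GRGWGX;;;AU)' +
        '(A;OICI;GA;;;BA)' +
        "(A;OICI;GA;;;$domainUsers)"

# 3. Create the directory, apply the DACL, and read it back to confirm.
$dir = New-Item -ItemType Directory -Path 'C:\Temp\secured' -ErrorAction Stop
$acl = Get-Acl -Path $dir.FullName
$acl.SetSecurityDescriptorSddlForm($sddl)
Set-Acl -Path $dir.FullName -AclObject $acl
(Get-Acl -Path $dir.FullName).GetSecurityDescriptorSddlForm('Access')
```

    The final line prints the DACL as the system stored it, so any token the
    conversion silently rewrote (for example a two-letter alias expanded to its
    S-1-5-... form) is visible for comparison with the string that was submitted.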
