RE: Question Regarding ACL's
- From: Eric Perlin [MSFT] <EricPerlinMSFT@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 31 Oct 2006 11:36:01 -0800
Didn't you ask a similar question recently?
In step 2, I meant that the service is creating the exe file that it's going
to execute later, and is received from another location. It actually doesn't
really matter if the exe is created remotely from another machine.
In any case, if you just call CreateProcess (and in absence of Software
Restrictions Policies rules), the resulting process will run with a token
similar to the token of the parent process (the service).
You could try to restrict that token further (CreateRestrictedToken) and you
will have to use CreateProcessAsUser afterwards.
But once you create the process, its "capabilities" are all derived from
that token.
To achieve your goal, you need to start this process with a token that will
only have write access to this location. That may prove difficult. You'll
need to disable the BUILTIN\Users SID because it can create folders at the
root of the drive, yet I wouldn't be surprised that code without BU won't
even run (won't get READ access to some binaries)....
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Eric Perlin [MSFT]
"kunal s patel" wrote:
Yes, I am sorry for the mismatch of the comments... BA and SY are
interchanged... Now I am not creating the exe... my service is receiving the exe
from a remote machine and then I am running that exe using the CreateProcess API
in the local service account.
I guess I have confused you with the second part... I am sorry for that. Let me
rephrase for you.
Assuming I have a directory called P2P Simulations. Now when I run the exe
received in the above step, I want to restrict that exe from creating files at any
other location except in P2P Simulations... whenever it tries to create a
file at some other location, it should fail. Similarly it should not be able to
delete or modify any other file except for those created by the service (i.e. by
the exe).
I hope this helps
kunal
"Eric Perlin [MSFT]" wrote:
Note that the SDDL and the comments don't match.
SY is SYSTEM, BA is built-in administrators, LS is LocalService.
Let me rephrase the sequence of steps:
1. A service running under the LocalService account cannot create some
file/folder
2. That service creates an exe in \P2P
3. The service then calls CreateProcess on the exe created in step 2.
4. That resulting exe can now create the same file/folder that couldn't be
created in step 1 by the parent process.
Can you confirm?
Even step 1 is not standard out of the box.
LocalService binaries appear to feature the BUILTIN\Users SID.
That same SID allows creation of folders at the root of the system drive
(and actually in most folders created after the installation).
It also allows the creation of files in such directories.
The corresponding ACEs are (A;CI;LC;;;BU) & (A;CIIO;DC;;;BU).
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Eric Perlin [MSFT]
"kunal s patel" wrote:
Hi all,
I have a Windows service running under the local service account. Now that
service runs executables received from remote machines. Now when I run my
service under that account, I cannot create or delete files in the system. So
to avoid that situation, I created this ACL and applied it to one folder where I
want both of these rights. Code is as follows:
    SECURITY_ATTRIBUTES sa;
    sa.nLength = sizeof(SECURITY_ATTRIBUTES);
    sa.bInheritHandle = FALSE;
    char *szSD = "D:"                // DACL
        "(D;OICI;GA;;;BG)"           // Deny Guests
        "(A;OICI;GA;;;SY)"           // Allow Admins Full Control
        "(A;OICI;GA;;;BA)"           // Allow SYSTEM Full Control
        "(A;OICI;SDFRFWFX;;;LS)";    // Allow Interactive Users RWX
    if (ConvertStringSecurityDescriptorToSecurityDescriptor(
            szSD,
            SDDL_REVISION_1,
            &(sa.lpSecurityDescriptor),
            NULL)) {
        if (!CreateDirectory("C:\\P2P Simulations\\", &sa)) {
            DWORD err = GetLastError();
            AfxMessageBox("Error in creating Directory");
        }
        // The descriptor is allocated by the conversion call; release it.
        LocalFree(sa.lpSecurityDescriptor);
    }
Now I am using CreateProcess to run the exe files. Now with this code in
place I can create and delete files created in the P2P Simulations directory, and
at the same time the exes cannot delete files that are not created by them (as I
wanted), but now the problem is that the exe is able to create files in any
directory. I want to prevent that... I want that if the exe tries to create a file
in any other directory (except P2P Simulations), it should not be allowed... How
should I go about that?
Thanks
Kunal
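
Added example, not part of the original thread: a small Python decoder for the SDDL DACL strings quoted above, useful for checking which trustee and rights each ACE really names before a descriptor is applied. The token tables are a subset of the well-known SDDL aliases, and ROOT_ACES wraps the two BUILTIN\Users ACEs from the reply in a constructed "D:" string.

```python
import re

# Subset of well-known SDDL tokens, enough for the strings quoted in this thread.
SIDS = {"SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators",
        "BG": "BUILTIN\\Guests", "BU": "BUILTIN\\Users",
        "LS": "NT AUTHORITY\\LOCAL SERVICE", "IU": "NT AUTHORITY\\INTERACTIVE"}
ACE_TYPES = {"A": "allow", "D": "deny"}
FLAGS = {"OI": "object inherit", "CI": "container inherit",
         "IO": "inherit only", "NP": "no propagate", "ID": "inherited"}
# CC/DC/LC are directory-service names; on a folder their bits (0x1/0x2/0x4)
# mean list directory / add file / add subdirectory.
RIGHTS = {"GA": "generic all", "GR": "generic read", "GW": "generic write",
          "GX": "generic execute", "SD": "delete", "FA": "file all access",
          "FR": "file generic read", "FW": "file generic write",
          "FX": "file generic execute", "CC": "list directory",
          "DC": "add file", "LC": "add subdirectory"}

# DACL from the original post, and the two BUILTIN\Users ACEs from the reply
# wrapped in a constructed "D:" string so they parse the same way.
POSTED_SDDL = ("D:(D;OICI;GA;;;BG)(A;OICI;GA;;;SY)"
               "(A;OICI;GA;;;BA)(A;OICI;SDFRFWFX;;;LS)")
ROOT_ACES = "D:(A;CI;LC;;;BU)(A;CIIO;DC;;;BU)"

def _tokens(field, table):
    """Split a run of two-letter SDDL tokens and translate each one."""
    return [table.get(field[i:i + 2], "unknown:" + field[i:i + 2])
            for i in range(0, len(field), 2)]

def parse_dacl(sddl):
    """Decode every ACE in a 'D:' SDDL string into a readable dict."""
    if not sddl.startswith("D:"):
        raise ValueError("only DACL strings (D:...) are handled here")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", sddl):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: " + body)
        ace_type, flags, rights, _obj, _inherit_obj, sid = fields
        aces.append({"type": ACE_TYPES.get(ace_type, "unknown:" + ace_type),
                     "flags": _tokens(flags, FLAGS),
                     "rights": _tokens(rights, RIGHTS),
                     "trustee": SIDS.get(sid, "unknown:" + sid)})
    return aces

if __name__ == "__main__":
    for ace in parse_dacl(POSTED_SDDL) + parse_dacl(ROOT_ACES):
        print(ace["type"], ace["trustee"], ace["rights"], ace["flags"])
```

Hexadecimal access masks and object ACE GUIDs are outside what this decoder handles; tokens it does not know are reported as "unknown:" rather than guessed.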