Re: Prevent changing DACL by SetSecurityInfo



If the other program is running as the same user as the object owner, then it can always rewrite the DACL (via opening the object with WRITE_DAC).
If the other program has certain privileges (SeRestorePrivilege, SeTakeOwnershipPrivilege - typically granted to local system, builtin\administrators, and backup operators), then it will also be able to rewrite the DACL freely as well.

--
Ken Johnson (Skywing)
Windows SDK MVP
http://www.nynaeve.net
"mario.beutler" <mario.beutler@xxxxxxxxxx> wrote in message news:1170845384.613705.114460@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hello,

my service creates a Named Pipe with SECURITY_ATTRIBUTES (DACL) which
limits the access to the SID of the active user. Is it possible that
another program changes the DACL of the Named Pipe so that everyone has
access?
How can I prevent this?
Thanks for your help!

Mario


My DACL is:
"D:"+SDDL_PROTECTED // Discretionary ACL
"(D;OICI;GA;;;BG)" // Deny access to built-in guests
"(D;OICI;GA;;;AN)" // Deny access to anonymous logon
"(A;OICI;GRGW;;;%%AvtiveUserSid%%)"

Do I have to add "(A;OICI;GRGWGX;;;CO)" // Allow read/write/execute
to creator/owner?
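
Added example, not part of the original thread or either poster's code: a small Python audit that parses an SDDL DACL such as the one in the question and lists the trustees whose allow ACEs carry WRITE_DAC, WRITE_OWNER or a right that includes them. The SID, the LOOSE descriptor and the function names are constructed for illustration; an empty result does not cover the object owner or holders of the privileges named in the reply, who can rewrite the DACL regardless of what the ACL says.

```python
import re

WRITE_DAC, WRITE_OWNER, GENERIC_ALL = 0x00040000, 0x00080000, 0x10000000
# SDDL two-letter rights -> access mask (subset relevant to files and pipes)
RIGHTS = {"GA": GENERIC_ALL, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
          "RC": 0x00020000, "SD": 0x00010000, "WD": WRITE_DAC, "WO": WRITE_OWNER,
          "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0}

def parse_dacl(sddl):
    """Return (ace_type, flags, mask, trustee) for each ACE in the D: part."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(2)):
        ace_type, flags, rights, _obj, _inh, trustee = body.split(";")[:6]
        if rights.lower().startswith("0x"):      # rights given as a hex mask
            mask = int(rights, 16)
        else:                                    # rights given as 2-letter codes
            mask = 0
            for code in re.findall("..", rights):
                mask |= RIGHTS[code]
        aces.append((ace_type, flags, mask, trustee))
    return aces

def dacl_writers(sddl):
    """Trustees that an allow ACE lets rewrite the DACL, directly (WRITE_DAC)
    or after taking ownership (WRITE_OWNER). Deny ACEs and group membership
    are not evaluated, so treat the result as a list to review by hand."""
    found = []
    for ace_type, flags, mask, trustee in parse_dacl(sddl):
        # Split flags in pairs: an inherit-only ACE does not apply to this object.
        applies_here = "IO" not in re.findall("..", flags)
        if ace_type == "A" and applies_here and mask & (WRITE_DAC | WRITE_OWNER | GENERIC_ALL):
            found.append(trustee)
    return found

# Constructed inputs. SDDL_PROTECTED expands to "P"; USER stands in for the active user's SID.
USER = "S-1-5-21-1111111111-2222222222-3333333333-1001"
MARIO = "D:P(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GRGW;;;" + USER + ")"
WITH_CO = MARIO + "(A;OICI;GRGWGX;;;CO)"
LOOSE = "O:SYG:SYD:P(A;;FA;;;SY)(A;;0x12019f;;;" + USER + ")(A;OICIIO;GA;;;CO)(A;;GRGWWD;;;AU)"

if __name__ == "__main__":
    for name, sd in (("MARIO", MARIO), ("WITH_CO", WITH_CO), ("LOOSE", LOOSE)):
        print(name, dacl_writers(sd))
```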

