Registry key create with SECURITY_ATTRIBUTES fails on Win2k8 Clust



Hi,

I am having an issue while trying to create a registry key under the
HKLM\Cluster registry key. I am using the 'ClusterRegCreateKey' function and
passing a 'SECURITY_ATTRIBUTES' structure whose security descriptor grants
'KEY_ALL_ACCESS' to 'Everyone' (the well-known SID under
SECURITY_WORLD_SID_AUTHORITY).

The same code works fine on a Windows 2003 cluster system but doesn't work
correctly on a Windows 2008 cluster. On a Windows 2008 cluster the key gets
created but it DOES NOT have the permissions as specified in the
SECURITY_ATTRIBUTES parameter passed to the API. On a Windows 2003 cluster
system the key gets created with the expected security attributes.

I have tried to run the code both as a Local Administrator and as a Domain
Administrator (who is a cluster manager by default) but without any success.

Below is the test source that has the required code. I have also put the
contents of the makefile that can be used to build the test executable. This
makefile uses the same flags that we use in our product build. The makefile
can be run from a 'Visual Studio 2005 Command prompt' to build the executable.

Please let me know what might be causing the failure. Do I need to do
anything extra for this to work on a Windows 2008 cluster? A quick answer
would be a great help.

Regards,
Kavan

/*************************Source***************************/
#include <windows.h>
#include <share.h>
#include <limits.h>
#include <winuser.h>
#include <CLUSAPI.H>
#include <TCHAR.H>
#include <sys/types.h>
#include <sys/stat.h>
#include <aclapi.h>
#include <stdio.h>

/*
 * Release the objects that back the key's security descriptor.
 * Any argument may be NULL; a NULL argument is skipped.
 */
void Cleanup(PSID pEveryoneSID, PACL pACL, PSECURITY_DESCRIPTOR pSD)
{
    /* The SID is handed back through FreeSid. */
    if (pEveryoneSID != NULL) {
        FreeSid(pEveryoneSID);
    }

    /* The ACL and the descriptor are both released with LocalFree. */
    if (pACL != NULL) {
        LocalFree(pACL);
    }
    if (pSD != NULL) {
        LocalFree(pSD);
    }
}

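/*
 * Build a SECURITY_ATTRIBUTES whose DACL holds one ACE granting
 * KEY_ALL_ACCESS to the Everyone (World) group.
 *
 * The three parameters are passed by value, so nothing allocated here is
 * visible through the caller's variables; they serve only as local working
 * storage and their incoming values are ignored.
 *
 * Returns:
 *   Success - lpSecurityDescriptor points at a LocalAlloc'ed security
 *             descriptor that references a separately allocated ACL.  The
 *             caller owns both: fetch the ACL with GetSecurityDescriptorDacl,
 *             then LocalFree the ACL and the descriptor once the key has
 *             been created.
 *   Failure - everything allocated here is released and
 *             lpSecurityDescriptor is NULL.
 *
 * NOTE(review): KEY_ALL_ACCESS for Everyone includes DELETE, WRITE_DAC and
 * WRITE_OWNER, so any account that can reach the key can rewrite or remove
 * it and change its permissions.  For keys that hold secrets, grant broad
 * groups read access at most and reserve full control for the accounts that
 * administer the key.
 */
SECURITY_ATTRIBUTES setSecurityAttributesForSecretKeys(PSID pEveryoneSID,
    PACL pACL, PSECURITY_DESCRIPTOR pSD)
{
    DWORD dwRes;
    EXPLICIT_ACCESS ea[1];
    SID_IDENTIFIER_AUTHORITY SIDAuthWorld = SECURITY_WORLD_SID_AUTHORITY;
    SECURITY_ATTRIBUTES sa;

    /* Start from a known state so that a failure returns a NULL descriptor. */
    SecureZeroMemory(&sa, sizeof(sa));
    sa.nLength = sizeof(SECURITY_ATTRIBUTES);
    sa.bInheritHandle = FALSE;

    /* Never free something the caller still owns through its own copy. */
    pEveryoneSID = NULL;
    pACL = NULL;
    pSD = NULL;

    /* Create a well-known SID for the Everyone group. */
    if (!AllocateAndInitializeSid(&SIDAuthWorld, 1, SECURITY_WORLD_RID,
                                  0, 0, 0, 0, 0, 0, 0, &pEveryoneSID)) {
        printf("AllocateAndInitializeSid Error %lu\n", GetLastError());
        goto fail;
    }

    /*
     * Initialize an EXPLICIT_ACCESS structure for the single ACE.
     * The ACE allows Everyone ALL access to the key.
     */
    SecureZeroMemory(ea, sizeof(ea));
    ea[0].grfAccessPermissions = KEY_ALL_ACCESS;
    ea[0].grfAccessMode = SET_ACCESS;
    ea[0].grfInheritance = NO_INHERITANCE;
    ea[0].Trustee.pMultipleTrustee = NULL;
    ea[0].Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
    ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
    ea[0].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
    ea[0].Trustee.ptstrName = (LPTSTR) pEveryoneSID;

    /*
     * Create a new ACL that contains the ACE.  SetEntriesInAcl reports its
     * status in the return value, so that is what gets printed.
     */
    dwRes = SetEntriesInAcl(1, ea, NULL, &pACL);
    if (ERROR_SUCCESS != dwRes) {
        printf("SetEntriesInAcl Error %lu\n", dwRes);
        goto fail;
    }

    /* Allocate and initialize the security descriptor. */
    pSD = (PSECURITY_DESCRIPTOR) LocalAlloc(LPTR,
                                            SECURITY_DESCRIPTOR_MIN_LENGTH);
    if (NULL == pSD) {
        printf("LocalAlloc Error %lu\n", GetLastError());
        goto fail;
    }

    if (!InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION)) {
        printf("InitializeSecurityDescriptor Error %lu\n", GetLastError());
        goto fail;
    }

    /* Add the ACL to the security descriptor. */
    if (!SetSecurityDescriptorDacl(pSD,
                                   TRUE,     /* bDaclPresent flag */
                                   pACL,
                                   FALSE)) { /* not a default DACL */
        printf("SetSecurityDescriptorDacl Error %lu\n", GetLastError());
        goto fail;
    }

    /*
     * The ACE inside the ACL carries its own copy of the SID, so the SID
     * allocation is no longer needed.  The ACL and the descriptor stay
     * alive because the returned structure refers to them.
     */
    Cleanup(pEveryoneSID, NULL, NULL);

    sa.lpSecurityDescriptor = pSD;
    return sa;

fail:
    /*
     * Stop at the first failure.  Falling through would keep using released
     * memory, and after a SetEntriesInAcl failure it would attach a NULL
     * DACL, which places no access restriction on the key at all.
     */
    Cleanup(pEveryoneSID, pACL, pSD);
    sa.lpSecurityDescriptor = NULL;
    return sa;
}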

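/*
 * Open the local cluster, open the cluster database root key and create the
 * subkey "Kavan" under it with the security attributes built by
 * setSecurityAttributesForSecretKeys.
 *
 * Returns 0 on success and -1 on any failure.  Every handle opened here and
 * the descriptor memory are released before returning.
 */
int CreateClusterKey(void)
{
    HCLUSTER hCluster = OpenCluster(L"");
    HKEY hKey = NULL;
    HKEY hsmKey = NULL;
    SECURITY_ATTRIBUTES secAttrib;
    PSID pEveryoneSID = NULL;
    PACL pACL = NULL;
    PSECURITY_DESCRIPTOR pSD = NULL;
    DWORD dwDisposition = 0;
    DWORD dwStatus;
    /* BOOL out-parameters for GetSecurityDescriptorDacl (BOOL is an int). */
    int fDaclPresent = 0;
    int fDaclDefaulted = 0;

    printf("\n Inside CreateClusterKey");
    if (!hCluster) {
        printf("\n 6");
        printf("\n returing failure");
        return -1; /* Failure */
    }
    printf("\n 1");

    hKey = GetClusterKey(hCluster, KEY_READ);
    if (!hKey) {
        printf("\n 5");
        printf("\n returing failure");
        CloseCluster(hCluster);
        return -1; /* Failure */
    }
    printf("\n 2");

    secAttrib = setSecurityAttributesForSecretKeys(pEveryoneSID, pACL, pSD);
    if (secAttrib.lpSecurityDescriptor == NULL) {
        /*
         * Without a descriptor the key would be created with default
         * security, which would hide the failure this test looks for.
         */
        printf("\n returing failure");
        ClusterRegCloseKey(hKey);
        CloseCluster(hCluster);
        return -1;
    }
    printf("Successfully created the secAttrib");

    /*
     * The helper takes its pointer arguments by value, so the locals above
     * are still NULL.  Recover the descriptor and its ACL from secAttrib so
     * that Cleanup has something to release.
     */
    pSD = secAttrib.lpSecurityDescriptor;
    if (!GetSecurityDescriptorDacl(pSD, &fDaclPresent, &pACL, &fDaclDefaulted)
        || !fDaclPresent) {
        pACL = NULL;
    }

    printf("\n Writing key 'Kavan'");

    dwStatus = (DWORD) ClusterRegCreateKey(hKey,
                                           L"Kavan",
                                           REG_OPTION_NON_VOLATILE,
                                           KEY_ALL_ACCESS,
                                           &secAttrib,
                                           &hsmKey,
                                           &dwDisposition);
    if (dwStatus != ERROR_SUCCESS) {
        printf("\n 4");
        printf("Cannot open key %s", "Kavan");
        printf("\n ClusterRegCreateKey Error %lu", dwStatus);
        Cleanup(pEveryoneSID, pACL, pSD);
        ClusterRegCloseKey(hKey);
        CloseCluster(hCluster);
        return -1;
    }
    printf("\n 4");

    /*
     * The disposition is REG_CREATED_NEW_KEY or REG_OPENED_EXISTING_KEY.
     * NOTE(review): when the key is left over from an earlier run it is
     * opened rather than created, and the descriptor passed above is
     * presumably not applied - confirm, and read the key's DACL back (for
     * example with ClusterRegGetKeySecurity) when checking the result.
     */
    printf("\n disposition %lu", dwDisposition);

    ClusterRegCloseKey(hsmKey);
    Cleanup(pEveryoneSID, pACL, pSD);
    ClusterRegCloseKey(hKey);
    CloseCluster(hCluster);

    printf("\n returing success");
    return 0;
}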

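/*
 * Run the key-creation test.  The exit status is 0 when the key was created
 * and 1 otherwise, so a calling script can tell the two apart.
 */
int main(void)
{
    return (CreateClusterKey() == 0) ? 0 : 1;
}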
/***********************End Source*************************/



/***********************Makefile*************************/
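# Makefile for the ClusterKeyTest reproduction, run from a Visual Studio
# command prompt.  Long definitions are continued with a trailing backslash
# and command lines are indented; the posted text had lost both.
CC=cl.exe
CPP=cl.exe
RSC=rc.exe
LINK32=link.exe
MT=mt.exe

CFLAGS=/nologo /GR /MD /EHa /W3 /GF /Zc:wchar_t /Gd /Zi /analyze /D "NDEBUG" \
	/D "_WINDOWS" /D "WIN32" /D "_LITTLE_ENDIAN"

LDFLAGS_EXE=/SUBSYSTEM:CONSOLE /NOLOGO /machine:IX86 advapi32.lib user32.lib \
	Ws2_32.lib Clusapi.lib

# Default target: link the executable, then embed its manifest.
ClusterKeyTest.exe-build: ClusterKeyTest.exe \
	ClusterKeyTest-exe-embedd-manifest-for-exe

ClusterKeyTest-exe-embedd-manifest-for-exe:
	$(MT) -manifest ClusterKeyTest.exe.manifest -outputresource:ClusterKeyTest.exe;1

ClusterKeyTest.exe: ClusterKeyTest.obj
	$(LINK32) $(LDFLAGS_EXE) /OUT:$@ ClusterKeyTest.obj

ClusterKeyTest.obj: ClusterKeyTest.c
	$(CC) /c $(CFLAGS) ClusterKeyTest.c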

/***********************End Makefile*************************/
