dacl

问题 While debugging a particularly troublesome error involving SQLite and IIS, we encountered a permissions problem when accessing the App_Data properties The permissions on App_Data are incorrectly ordered, which may cause some entries to be ineffective. Here's a screenshot as well: My question isn't what incorrect ordering is, I think How do you programmatically fix a non-canonical ACL? already gives a good intro into the problem. What I want to know is what types of ordering are incorrect? For

问题 I have legacy C++ code that changes a process DACL and am trying to use the managed code classes in .NET 3.5. I found code on the web where someone created a SetAclOnServices class that extends the NativeObjectSecurity class for services. I thought that I could implement this and just change the ResourceType.Service to ResourceType.KernelObject but when I call GetAccessControl it fails with File Not Found error. 回答1: Merry Christmas. public class ProcessSecurity : NativeObjectSecurity {

问题 I have legacy C++ code that changes a process DACL and am trying to use the managed code classes in .NET 3.5. I found code on the web where someone created a SetAclOnServices class that extends the NativeObjectSecurity class for services. I thought that I could implement this and just change the ResourceType.Service to ResourceType.KernelObject but when I call GetAccessControl it fails with File Not Found error. 回答1: Merry Christmas. public class ProcessSecurity : NativeObjectSecurity {

问题 Goal: Add a local user account share-level Read/Write permissions to an existing file share. I'm hitting a roadblock in developing this. Apparently Microsoft wants you to add your user's ACE to the DACL and then back into the security descriptor of the share. (1). (No, NET SHARE /ADD is not available for existing shares, I was surprised.) In theory that should be simple enough, but my main fear is doing it wrong and losing the existing share permissions (lots of network users, specific groups

问题 I am testing the following code in C using Win32 API, which is intended to create a new file that is accessible for the current user but private (not accessible) for everyone else. For this this a deny all permissions for everyone SID, then for current's user SID I set up the permissions. The file is created successfully and the permissions are apparently set up successfully (see screenshots below), however when I try to open the file with notepad, it says "access is denied" (My file explorer

问题 My Windows service creates 2 Events with CreateEvent for communication with a user app. The service and the user app are not running under the same user account. The user app opens the event and set it to signaled without error. But the event is never received by the service. The other event works in the opposite direction. So I think the events miss the syncronization right. Service: SECURITY_ATTRIBUTES security; ZeroMemory(&security, sizeof(security)); security.nLength = sizeof(security);

问题 I'm attempting to apply custom rights to a folder as part of a WiX 3.0.4318.0 installer. In terms of the Security properties UI in explorer, I want to add Modify to the rights for BUILTIN\Users. Obviously it needs to be resilient against localisation of the user name. So based on my research to date, I want at least: <CreateFolder Directory="XYZ" > <PermissionEx User="[WIX_ACCOUNT_USERS]" GenericRead="yes" GenericWrite="yes" Delete="Yes" /> </CreateFolder> Questions: I'm doing this in a

问题 (Note: IMO the question is mainly about WinAPI and DACL and not about CNG, so please read on!) I'm currently trying to modify the sample CNG key storage provider of Microsoft's Cryptographic Provider Development Kit in such a way that it does not store the keys in single files. However, I'm in trouble with the security descriptors that can be assigned to the private keys. In the Certificates Snap-in of the Windows Server Management Console, private keys of certificates can be managed, i.e.

问题 Anyone have any idea how to get the SACL's on a remote service using C#? I've tried numerous different methods, and basically nothing works. I can get the DACL's and SACL's on the local machine, but getting either on a remote machine doesn't appear to be possible. What I've done is create a class called ServiceSecurity that inherits from NativeObjectSecurity and acts a lot like the RegistrySecurity class. Below are two of the constructors that I have: public ServiceSecurity(string serviceName

问题 I need to grant access to everyone for a named pipe I'm creating. I understand the way to do it is to create a NULL/empty DACL and pass it to CreateNamedPipe . How do I create a NULL DACL? I was told that it is not the same as passing a NULL pointer for LPSECURITY_ATTRIBUTES . 回答1: Like this: SECURITY_DESCRIPTOR SD; InitializeSecurityDescriptor(&SD, SECURITY_DESCRIPTOR_REVISION); SetSecurityDescriptorDacl(&SD, TRUE, NULL, FALSE); I omitted error checking for the sake of brevity. You would not