Menu
I need to grant access to everyone for a named pipe I'm creating. I understand the way to do it is to create a NULL/empty DACL and pass it to CreateNamedPipe.
How do I create a NULL DACL? I was told that it is not the same as passing a NULL pointer for LPSECURITY_ATTRIBUTES.
562
Thank you. Creating a proper discretionary access control list (DACL) is a necessary and important part of application development. Because a NULL DACL permits all types of access to all users, do not use NULL DACLs. The following example shows how to properly create a DACL.
An empty DACL is a properly allocated and initialized DACL that contains no access control entries (ACEs). An empty DACL grants no access to the object it is assigned to. For an example of how to create a DACL, see Creating a DACL.
However, it is possible to create a security descriptor without the memory location of the DACL. The security descriptor is valid; however, the memory location of the DACL does not exist; it is null. This means that Windows did not create a DACL.
Windows uses system access control lists to audit actions performed against an object by a specific user or group. The DACL controls that type of access to a resource and who is taking that action. Windows allocates memory when creating a DACL. The security descriptor stores the memory location of the DACL.
Like this:
SECURITY_DESCRIPTOR SD;
InitializeSecurityDescriptor(&SD, SECURITY_DESCRIPTOR_REVISION);
SetSecurityDescriptorDacl(&SD, TRUE, NULL, FALSE);
I omitted error checking for the sake of brevity. You would not do that.
Then when you call CreateNamedPipe you can set up the security attributes record like this:
SA.nLength = sizeof(SA);
SA.lpSecurityDescriptor = &SD;
SA.bInheritHandle = TRUE;
The documentation for SetSecurityDescriptorDacl states:
When the pDacl parameter does not point to a DACL and the bDaclPresent flag is TRUE, a NULL DACL is specified. All access is allowed. You should not use a NULL DACL with an object because any user can change the DACL and owner of the security descriptor. This will interfere with use of the object.
So, the above is how to do it, but the documentation does stress that you should not do so.
180
Here's the code we use in one of our projects:
SECURITY_DESCRIPTOR pSD;
SECURITY_ATTRIBUTES SA;
if(!InitializeSecurityDescriptor(&pSD, SECURITY_DESCRIPTOR_REVISION))
throw error;
if(!SetSecurityDescriptorDacl(&pSD, true, NULL, false))
throw error;
SA.nLength = sizeof(SA);
SA.lpSecurityDescriptor = &pSD;
SA.bInheritHandle = true;
pSA = &SA;
...
FMapping = CreateFileMapping(INVALID_HANDLE_VALUE, pSA, PAGE_READWRITE, 0, 4096, p);
This code creates a mapping with access for all
34
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
