Re: SetEntriesInAcl failures?
From: Slava M. Usov (stripit.slough_at_gmx.net)
Date: 04/04/04
- Next message: Ara Avanesyan: "Re: What is an invalid HKEY?"
- Previous message: Gary Chanson: "Re: FindFirstFile"
- In reply to: Tom Horsley: "SetEntriesInAcl failures?"
- Next in thread: Tom Horsley: "Re: SetEntriesInAcl failures?"
- Reply: Tom Horsley: "Re: SetEntriesInAcl failures?"
- Messages sorted by: [ date ] [ thread ]
Date: Sun, 4 Apr 2004 15:16:42 +0200
"Tom Horsley" <tom.horsley@att.net> wrote in message
news:OzV5DJRGEHA.3472@TK2MSFTNGP11.phx.gbl...
[...]
> Some users (all using German Windows I think) have reported that
> the service reports SetEntriesInAcl fails with error code 1332
> (ERROR_NONE_MAPPED).
>
> I used BuildExplicitAccessWithName and the "well known" names
> "EVERYONE" and "CURRENT_USER" to get up to the point of calling
> SetEntriesInAcl.
The names are not well-known. The SIDs are. In a localized version of
Windows, "everyone", "Administrators" and so on are replaced with their
local equivalents.
[...]
> Should I just give up on the "simplified" security APIs and
> delve into the low level APIs where I might be able to get
> the access list I want without involving symbolic names?
By all means do so. The high-level security API has been broken ever since
its début.
[...]
> <editorial>
>
> I wonder if the root cause of the bad security on Windows is that
> programmers all run screaming when they try to understand the
> security APIs? :-).
>
> </editorial>
Sigh. It is not all that difficult. A "user" is known by its token, which is
a collection of SIDs. A securable object is protected by its ACL, which is
an ordered collection of SIDs with access rights attached to them [an
SID-access pair is known as an ACE]. Whenever a "user" tries to access a
securable object, the ACL is searched for all the SIDs in the user's token,
until the desired access level is fully granted or partly denied. Then there
are a number of privileges, which are really exceptions to the normal access
check sequence: "if the user has priv. X, then he will receive access Y no
matter what".
The only real complication is related to inheritance of ACLs, but when the
above is grasped, inheritance readily gives in. Incidentally, the high-level
security API breaks when it tries to deal with inheritance, so there is no
escape.
S
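The two points of the reply above, that a token and an ACL are collections of SIDs rather than names, and that the ACL is walked in order until the desired access is fully granted or partly denied, as an added example that is not code from the original post or from Windows: a small model in plain C, with SIDs written as strings ("S-1-1-0" is the real well-known SID for Everyone; the S-1-5-21-... user SIDs, the ACL and the tokens are constructed for the example).

```c
/* Model of the access check described in the reply (added example, not the post's or
 * Windows' own code).  SIDs are strings; the real check runs on binary SIDs. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

enum { READ = 0x1u, WRITE = 0x2u, DELETE = 0x4u };     /* access rights in a mask */

typedef struct { bool deny; const char *sid; unsigned mask; } ace; /* SID + rights */
typedef struct { const char *const *sids; size_t n; } token;       /* a user's SIDs */

/* Constructed sample ACL.  S-1-1-0 (Everyone) and S-1-5-32-544 (Administrators)
 * are well-known SIDs, stable on localized Windows unlike their display names.
 * Order matters: the deny ACE comes first, so it is seen before any allow. */
const ace sample_acl[] = {
    { true,  "S-1-5-21-1-2-3-1002", WRITE | DELETE },      /* constructed user SID */
    { false, "S-1-1-0",             READ },
    { false, "S-1-5-32-544",        READ | WRITE | DELETE },
};
const size_t sample_acl_len = sizeof sample_acl / sizeof sample_acl[0];

/* Tokens for two constructed users; every token carries Everyone (S-1-1-0). */
static const char *const plain_sids[] = { "S-1-5-21-1-2-3-1002", "S-1-1-0" };
static const char *const admin_sids[] = { "S-1-5-21-1-2-3-1001", "S-1-1-0", "S-1-5-32-544" };
const token plain_user = { plain_sids, 2 };
const token admin_user = { admin_sids, 3 };

static bool token_has_sid(const token *t, const char *sid)
{
    for (size_t i = 0; i < t->n; i++)
        if (strcmp(t->sids[i], sid) == 0) return true;
    return false;
}

/* Walk the ACL in order until the desired access is fully granted (true) or a
 * deny ACE hits a desired bit not yet granted (false); running off the end
 * without a full grant is also a denial. */
bool access_check(const token *t, const ace *acl, size_t n, unsigned desired)
{
    unsigned granted = 0;
    for (size_t i = 0; i < n; i++) {
        if (!token_has_sid(t, acl[i].sid)) continue;
        if (acl[i].deny) {
            if (acl[i].mask & desired & ~granted) return false;
        } else if ((granted |= acl[i].mask & desired) == desired) {
            return true;
        }
    }
    return false;
}
```

Swapping the deny ACE behind the Everyone allow in `sample_acl` shows why ACL order is part of the security decision: the plain user's WRITE request would then fail on the deny ACE only because READ alone never fully satisfies it, while a READ request is unaffected either way.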