Re: Effective User Rights on Key under System Service?
From: Gil Hamilton (gil_hamilton_at_hotmail.com)
Date: 04/22/04
- Next message: Tom Stewart: "Re: ICDBurn from console application"
- Previous message: Slava M. Usov: "Re: Win32 app before winlogon?"
- In reply to: Stefan Goerres: "Re: Effective User Rights on Key under System Service?"
- Next in thread: Stefan Kuhr: "Re: Effective User Rights on Key under System Service?"
- Messages sorted by: [ date ] [ thread ]
Date: 22 Apr 2004 04:52:56 -0700
"Stefan Goerres" <lists@gsysteme.de> wrote in message news:<c659vn$830jr$1@ID-8437.news.uni-berlin.de>...
> Stefan Kuhr wrote:
> > Stefan Goerres wrote:
> >> how can I check the effective right a user has to a Reg Key from
> >> inside a system service?? Any ideas? Or to I have to code the
> >> effective right stuff on my own and iterate through all ACL's?`
> > What exactly are you trying to perform? If you want to write to a
> > registry key then try to open it for writing and if you get
> > ERROR_ACCESS_DENIED simply quit gracefully.
> as seen in the other thread about the logged on user I'm messing with "who
> is on the console" and is he/she allowed to use my devices. The service is
> thought is a regularly checking instance that keeps an eye on who is on the
> console and then check if the user can access the config in the registry. If
> so a give access to the device or in the other case disable the device.
How is your device accessed? If there is some kernel object such as a
device or file object through which processes gain access to the
device (which there usually is), it seems to me that a relatively easy
way to implement this would be to periodically check the ACL on the
registry and simply copy it to the device if it has changed. That is,
take the same ACL that exists on the registry key and simply copy it
to the device object's security descriptor. (There is some mapping
required here as there may be object type-specific bits in the access
mask, but you'd have to do that mapping somehow anyway. Probably the
"Generic" and "Standard" access rights bits would be sufficient for
most purposes.)
This gets you out of the business of looking up SIDs, doing detailed
ACL checks, etc. and also avoids the need to have a separate program
running in the user's context.
- GH
- Next message: Tom Stewart: "Re: ICDBurn from console application"
- Previous message: Slava M. Usov: "Re: Win32 app before winlogon?"
- In reply to: Stefan Goerres: "Re: Effective User Rights on Key under System Service?"
- Next in thread: Stefan Kuhr: "Re: Effective User Rights on Key under System Service?"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
