Re: StartService() API and encrypted file systems.

But users have full freedom to encrypt folders. A product that is to be or can be run as an NT Service needs to take it into account - at least be in its KB or FAQ.


Alexander Grigoriev wrote:
I'd say this is an unreasonable requirement for a product.

"Jayasimha Ananth" <jayasimha.a@xxxxxxxxx> wrote in message news:24295bc7-d92f-415d-9abf-3b8014b0fe43@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi All,
Thank you all for the responses. As for the question, why am I
encrypting the folder? There is no specific reason for that or a
specific functionality that is expected to be achieved. It is a
scenario that is required to be handled by the product that we are
working on.

Yes, it is the problem with the user rights. When I change
the user to the owner of the folder (via services.msc), I am having no
problems whatsoever. But programmatically when I try to use
OWNER_SECURITY_INFORMATION with SetServiceObjectSecurity() API, I am
getting an error of -

"Unable to set OWNER_SECURITY_INFORMATION - This security ID may not
be assigned as the owner of this object."

(from the FormatMessage() call).

Thanks for all the pointers,
--Jayasimha

On Dec 20, 7:20 pm, Tommy <b...@xxxxxxxxxxxxx> wrote:
Tim Roberts wrote:
Tommy <b...@xxxxxxxxxxxxx> wrote:
It is the reason because that's the error he got - Access Denied.
That error covers a surprisingly wide range of access problems (including,
for example, having the file opened in another program).
Alexander is right, the issue here is not access rights, it's that
the service account isn't the owner, and thus cannot decrypt
the file, even if it has the rights to read it.
Sure, but I fail to see the difference. The end result is still an
ERROR_ACCESS_DENIED. Are you saying there should be a different
error, like some

ERROR_DECRYPTION_FAILED
ERROR_NO_ACCESS_TO_DECRYPT
ERROR_INCORRECT_CERTIFICATE_THUMBPRINT

Again, it's all using the same software so it's a matter of just who
has access to open the file. Obviously the file I/O drivers are
returning a simple ERROR_ACCESS_DENIED and no other clue, and in the
security arena, the fewer clues the better.

Apparently, this is not an isolated issue (Google shows many issues
related to this) and it occurs in many service applications where the
user has the full unrestricted option and ability to encrypt his file
system. Once he does that, he must know that the 'transparent' and
automated backend loader services (NT services) must have the same
'transparent' privilege to access it, load/decrypt.

The key word is 'transparent'.

The user should explore the encrypted folder, see the properties
for the encrypted exe and look at Advanced | Details; it will show who
has "transparent" encryption/decryption access to this file,
with the certificate thumbprint.

I don't see why the calling process cannot inherit ownership just
like the interactive owner would (via impersonating the right account
for the calling process).
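The check Tommy describes above (open the encrypted exe's Advanced | Details and compare the listed certificates with the account the service logs on as) can be done for every installed service at once. This is an added diagnostic script, not code from the thread; it assumes cipher.exe with its /c switch (Windows Vista and later) and an elevated PowerShell session.

```powershell
# Added diagnostic, not code from the thread. Lists services whose executable
# (or the folder holding it) carries the EFS 'Encrypted' attribute and shows
# which certificates can decrypt it next to the service's logon account, so
# the mismatch that makes StartService() fail with ERROR_ACCESS_DENIED is
# visible before the service is started. Assumes cipher.exe /c is available.
function Get-EfsEncryptedServiceBinary {
    [CmdletBinding()]
    param()

    $encrypted = [System.IO.FileAttributes]::Encrypted
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        # PathName may be quoted and may carry arguments; keep only the .exe path.
        if (-not ($svc.PathName -match '^\s*"?(?<exe>[^"]+?\.exe)"?')) { continue }
        $exe = $Matches['exe']
        if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }

        $fileEnc = [System.IO.File]::GetAttributes($exe).HasFlag($encrypted)
        $dirEnc  = [System.IO.File]::GetAttributes((Split-Path -Parent $exe)).HasFlag($encrypted)
        if (-not ($fileEnc -or $dirEnc)) { continue }

        # 'cipher /c' prints the users (with certificate thumbprints) able to
        # decrypt the file: the same list the Advanced | Details dialog shows.
        $decryptors = @()
        if ($fileEnc) {
            $inList = $false
            foreach ($line in (& cipher.exe /c $exe 2>$null)) {
                if ($line -match 'Users who can decrypt') { $inList = $true; continue }
                if ($inList) {
                    if ($line.Trim() -eq '') { break }
                    $decryptors += $line.Trim()
                }
            }
        }

        [PSCustomObject]@{
            Service         = $svc.Name
            LogonAccount    = $svc.StartName
            Executable      = $exe
            FileEncrypted   = $fileEnc
            FolderEncrypted = $dirEnc
            CanDecrypt      = ($decryptors -join '; ')
        }
    }
}

# A service whose LogonAccount does not appear in CanDecrypt is the case
# discussed in the thread: readable by ACL, but not decryptable by that account.
Get-EfsEncryptedServiceBinary | Format-Table -AutoSize
```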

