Permissions issues for accessing shared memory across processes

Source: Internet
Author: User
Tags mutex

Q: I created a piece of shared memory on the server with CreateFileMapping. This EXE always runs on the server. At the same time, other users access the server from the client with IE; the data is queried through a web page produced with C#. When the page is submitted, the server gets the page parameters and creates a COM object that accesses the shared memory of the EXE above, and the query results in the shared memory are then returned to the customer. The problem is that this COM object cannot use openmapping to access the EXE's shared memory; it reports access denied. Yet when I casually compile a project into an EXE on the server, it can access this section of shared memory!! Why not from the web page? Does COM have any permission settings? What is the right integration method between two processes? How do I use a DACL?

I wrote a service in ATL, in which I created a shared memory (memory mapping) and a mutex, and then I accessed the shared memory and the mutex in another normal program, but I failed to open the mutex with CreateMutex; GetLastError() returned 5, meaning that access was denied. Similarly, when I use MapViewOfFile, I get the same error ...

I already know the reason: when creating the shared memory and the mutex, I set SECURITY_ATTRIBUTES to NULL!!!

But I do not have a solution; I hope the experts here can help.

A: Check the permissions of the user who is running the service. Typically, for security purposes, the owner of the service process has very low permissions. In order for the service process to access objects, you need to specify a broader security descriptor when creating the shared memory, adding a new access control entry (ACE) for the owner of your ASP process. The default access control list (ACL) contains only the creator and the Administrators group.

The following code creates a security descriptor that is accessible to all users. You can use this security descriptor when creating shared memory.

    CShareRestrictedSD ShareRestrictedSD;
    hMapFile = CreateFileMapping(
        INVALID_HANDLE_VALUE,        // No file handle: backed by the paging file.
        ShareRestrictedSD.GetSA(),   // Security attributes built below.
        PAGE_READWRITE,              // Read/write permission.
        0,                           // Max. object size (high-order DWORD).
        FileSize,                    // Max. object size (low-order DWORD).
        MapName);                    // Name of mapping object.

The class and its helper functions:

    #include <afx.h>     // MFC: provides TRACE and pulls in <windows.h>
    #include <stdio.h>   // printf

    class CShareRestrictedSD
    {
    public:
        CShareRestrictedSD();
        virtual ~CShareRestrictedSD();
        SECURITY_ATTRIBUTES* GetSA();
    protected:
        PVOID ptr;                 // DACL memory returned by BuildRestrictedSD()
        SECURITY_ATTRIBUTES sa;
        SECURITY_DESCRIPTOR sd;
    };

    // If this thing works, then its author is Jiangsheng;
    // if this thing doesn't work, I don't know its author.
    PVOID BuildRestrictedSD(PSECURITY_DESCRIPTOR pSD)
    {
        DWORD dwAclLength;
        PSID psidEveryone = NULL;
        PACL pDACL = NULL;
        BOOL bResult = FALSE;
        PACCESS_ALLOWED_ACE pACE = NULL;
        SID_IDENTIFIER_AUTHORITY siaWorld = SECURITY_WORLD_SID_AUTHORITY;
        SECURITY_INFORMATION si = DACL_SECURITY_INFORMATION;

        __try {

            // Initialize the security descriptor
            if (!InitializeSecurityDescriptor(pSD,
                    SECURITY_DESCRIPTOR_REVISION)) {
                printf("InitializeSecurityDescriptor() failed with error %lu\n",
                       GetLastError());
                __leave;
            }

            // Obtain a SID for the Everyone (World) group
            if (!AllocateAndInitializeSid(&siaWorld, 1,
                    SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0,
                    &psidEveryone)) {
                printf("AllocateAndInitializeSid() failed with error %lu\n",
                       GetLastError());
                __leave;
            }

            // NOTE:
            //
            // The Everyone group includes all user accounts. If access
            // must be restricted to a specific user or group other than
            // Everyone, the SID can be constructed using the
            // LookupAccountName() API based on a user or group name.

            // Calculate the DACL length
            dwAclLength = sizeof(ACL)
                // Add space for the Everyone group ACE
                + sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD)
                + GetLengthSid(psidEveryone);

            // Allocate memory for the DACL
            pDACL = (PACL) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY,
                                     dwAclLength);
            if (!pDACL) {
                printf("HeapAlloc() failed with error %lu\n", GetLastError());
                __leave;
            }

            // Initialize the DACL
            if (!InitializeAcl(pDACL, dwAclLength, ACL_REVISION)) {
                printf("InitializeAcl() failed with error %lu\n",
                       GetLastError());
                __leave;
            }

            // Add the Everyone group ACE to the DACL with
            // GENERIC_ALL access
            if (!AddAccessAllowedAce(pDACL, ACL_REVISION,
                    GENERIC_ALL,
                    psidEveryone)) {
                printf("AddAccessAllowedAce() failed with error %lu\n",
                       GetLastError());
                __leave;
            }

            // Set the DACL in the security descriptor
            if (!SetSecurityDescriptorDacl(pSD, TRUE, pDACL, FALSE)) {
                printf("SetSecurityDescriptorDacl() failed with error %lu\n",
                       GetLastError());
                __leave;
            }

            bResult = TRUE;

        } __finally {

            if (psidEveryone) FreeSid(psidEveryone);
        }

        if (bResult == FALSE) {
            if (pDACL) HeapFree(GetProcessHeap(), 0, pDACL);
            pDACL = NULL;
        }

        return (PVOID) pDACL;
    }

    // The following function frees memory allocated in the
    // BuildRestrictedSD() function
    VOID FreeRestrictedSD(PVOID ptr)
    {
        if (ptr) HeapFree(GetProcessHeap(), 0, ptr);

        return;
    }

    CShareRestrictedSD::CShareRestrictedSD()
    {
        ptr = NULL;
        sa.nLength = sizeof(sa);
        sa.lpSecurityDescriptor = &sd;
        sa.bInheritHandle = FALSE;
        // Build a restricted security descriptor
        ptr = BuildRestrictedSD(&sd);
        if (!ptr) {
            TRACE("BuildRestrictedSD() failed\n");
        }
    }

    CShareRestrictedSD::~CShareRestrictedSD()
    {
        if (ptr) {
            FreeRestrictedSD(ptr);
        }
    }

    SECURITY_ATTRIBUTES* CShareRestrictedSD::GetSA()
    {
        if (ptr) {
            return &sa;
        }
        else return NULL;
    }

More information can be consulted
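
An added example, not part of the original answer: in SDDL text form the DACL built above is `D:(A;;GA;;;WD)`, and on a section object GENERIC_ALL maps to SECTION_ALL_ACCESS, which includes WRITE_DAC and WRITE_OWNER. The Python check below flags allow-ACEs that give such control to broad groups; the sample strings, the narrower variant and the function names are assumptions made for illustration.

```python
import re

# Constructed SDDL samples (not from the page). "WD" as trustee = Everyone.
EVERYONE_ALL = "D:(A;;GA;;;WD)"   # equivalent of the DACL built above
# Assumed narrower variant: 0x0006 = FILE_MAP_WRITE | FILE_MAP_READ.
NARROWER = "D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;0x0006;;;AU)"

BROAD = {"WD": "Everyone", "S-1-1-0": "Everyone",
         "AN": "Anonymous", "AU": "Authenticated Users"}
WRITE_DAC, WRITE_OWNER, GENERIC_ALL = 0x00040000, 0x00080000, 0x10000000
# SDDL two-letter rights codes for generic and standard rights only.
RIGHT_BITS = {"GA": GENERIC_ALL, "GR": 0x80000000, "GW": 0x40000000,
              "GX": 0x20000000, "SD": 0x00010000, "RC": 0x00020000,
              "WD": WRITE_DAC, "WO": WRITE_OWNER}


def parse_mask(rights):
    """Convert an SDDL rights field (hex number or two-letter codes) to a mask."""
    if rights[:2].lower() == "0x":
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        code = rights[i:i + 2]
        if code not in RIGHT_BITS:          # fail closed on codes we cannot judge
            raise ValueError(f"unsupported rights code {code!r}")
        mask |= RIGHT_BITS[code]
    return mask


def risky_aces(sddl):
    """List (trustee, reason) for allow-ACEs that give broad groups control."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not dacl:
        raise ValueError("no DACL ACEs found in SDDL string")
    findings = []
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1)):
        fields = ace.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({ace})")
        ace_type, rights, trustee = fields[0], fields[2], fields[5]
        if ace_type != "A" or trustee not in BROAD:
            continue
        mask = parse_mask(rights)
        if mask & GENERIC_ALL:
            findings.append((BROAD[trustee], "GENERIC_ALL"))
        elif mask & (WRITE_DAC | WRITE_OWNER):
            findings.append((BROAD[trustee], "WRITE_DAC/WRITE_OWNER"))
    return findings


if __name__ == "__main__":
    for name, sddl in (("everyone-all", EVERYONE_ALL), ("narrower", NARROWER)):
        print(name, risky_aces(sddl) or "ok")
```
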
