Permissions issues for accessing shared memory across processes

Source: Internet
Author: User
Tags mutex

Q: I created a block of shared memory on the server with CreateFileMapping, and the EXE that owns it runs on the server all the time.
Meanwhile, users on client machines access the server with IE. They submit queries through a web page written in C#; the server receives the page parameters, creates a COM object that accesses the EXE's shared memory, and returns the query results from the shared memory to the client.
The problem is that this COM object cannot open the EXE's shared memory with OpenFileMapping; it reports access denied. Yet if I build any ordinary project into an EXE on the server, it can access this shared memory without trouble! Why does it not work from the web page? Does COM have some permission setting? What is the right way to share between the two processes? How do I use a DACL?

I wrote a service in ATL, and in this service I created a shared memory section (memory mapping) and a mutex.
Then I tried to open the shared memory and the mutex from another ordinary program, but opening the mutex with CreateMutex failed; GetLastError() returned 5, meaning access was denied.
Similarly, when I use MapViewOfFile, I get the same error...

I already know the reason: when creating the shared memory and the mutex, I set the SECURITY_ATTRIBUTES to NULL!

But I do not have a solution; I hope the experts here can help.

A: Check the permissions of the user who is running the service. Typically, for security purposes, the owner of the service process has very low permissions. In order for the service process to access objects, you need to specify a broader security descriptor when creating the shared memory, adding a new access control entry (ACE) for the owner of your ASP process. The default access control list (ACL) contains only the creator and the Administrators group.

The following code creates a security descriptor that is accessible to all users. You can use this security descriptor when creating shared memory.
CShareRestrictedSD ShareRestrictedSD;
hMapFile = CreateFileMapping(INVALID_HANDLE_VALUE,  // No disk file: backed by the paging file.
        ShareRestrictedSD.GetSA(),   // Security attributes from the class below (was NULL, the default security).
        PAGE_READWRITE,              // Read/write permission.
        0,                           // Max. object size (high DWORD).
        FileSize,                    // Max. object size (low DWORD).
        MapName);                    // Name of mapping object.

// Requires <windows.h> and <stdio.h>; TRACE is the MFC debug-output macro.
class CShareRestrictedSD
{
public:
    CShareRestrictedSD();
    virtual ~CShareRestrictedSD();
    SECURITY_ATTRIBUTES* GetSA();
protected:
    PVOID ptr;                 // DACL memory returned by BuildRestrictedSD()
    SECURITY_ATTRIBUTES sa;
    SECURITY_DESCRIPTOR sd;
};
// If this code works, then its author is Jiangsheng;
// if this code is of no use, then I don't know its author.
PVOID BuildRestrictedSD(PSECURITY_DESCRIPTOR pSD) {

   DWORD  dwAclLength;

   PSID   psidEveryone = NULL;

   PACL   pDACL   = NULL;
   BOOL   bResult = FALSE;

   PACCESS_ALLOWED_ACE pACE = NULL;

   SID_IDENTIFIER_AUTHORITY siaWorld = SECURITY_WORLD_SID_AUTHORITY;

   SECURITY_INFORMATION si = DACL_SECURITY_INFORMATION;

   __try {

      // Initialize the security descriptor
      if (!InitializeSecurityDescriptor(pSD,
            SECURITY_DESCRIPTOR_REVISION)) {
         printf("InitializeSecurityDescriptor() failed with error %lu\n",
               GetLastError());
         __leave;
      }

      // Obtain a SID for the Everyone (World) group
      if (!AllocateAndInitializeSid(&siaWorld, 1,
            SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0,
            &psidEveryone)) {
         printf("AllocateAndInitializeSid() failed with error %lu\n",
               GetLastError());
         __leave;
      }

      // NOTE:
      //
      // The Everyone group includes all users. If access must be
      // restricted to a specific user or group instead, the SID can
      // be obtained with the LookupAccountName() API from a user or
      // group name.

      // Calculate the DACL length
      dwAclLength = sizeof(ACL)
            // Add space for the Everyone group ACE
            + sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD)
            + GetLengthSid(psidEveryone);

      // Allocate memory for the DACL
      pDACL = (PACL) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY,
            dwAclLength);
      if (!pDACL) {
         printf("HeapAlloc() failed with error %lu\n", GetLastError());
         __leave;
      }

      // Initialize the DACL
      if (!InitializeAcl(pDACL, dwAclLength, ACL_REVISION)) {
         printf("InitializeAcl() failed with error %lu\n",
               GetLastError());
         __leave;
      }

      // Add the Everyone group ACE to the DACL with
      // GENERIC_ALL access
      if (!AddAccessAllowedAce(pDACL, ACL_REVISION,
            GENERIC_ALL,
            psidEveryone)) {
         printf("AddAccessAllowedAce() failed with error %lu\n",
               GetLastError());
         __leave;
      }

      // Set the DACL in the security descriptor
      if (!SetSecurityDescriptorDacl(pSD, TRUE, pDACL, FALSE)) {
         printf("SetSecurityDescriptorDacl() failed with error %lu\n",
               GetLastError());
         __leave;
      }

      bResult = TRUE;

   } __finally {

      // The ACE holds its own copy of the SID, so the SID can be freed here
      if (psidEveryone) FreeSid(psidEveryone);
   }

   if (bResult == FALSE) {
      if (pDACL) HeapFree(GetProcessHeap(), 0, pDACL);
      pDACL = NULL;
   }

   return (PVOID) pDACL;
}

// The following function frees memory allocated in the
// BuildRestrictedSD() function
VOID FreeRestrictedSD(PVOID ptr) {

   if (ptr) HeapFree(GetProcessHeap(), 0, ptr);

   return;
}


CShareRestrictedSD::CShareRestrictedSD()
{
    ptr = NULL;
    sa.nLength = sizeof(sa);
    sa.lpSecurityDescriptor = &sd;
    sa.bInheritHandle = FALSE;
    // Build a restricted security descriptor
    ptr = BuildRestrictedSD(&sd);
    if (!ptr) {
        TRACE("BuildRestrictedSD() failed\n");
    }
}

CShareRestrictedSD::~CShareRestrictedSD()
{
    if (ptr) {
        FreeRestrictedSD(ptr);
    }
}

// Returns NULL if the descriptor could not be built, in which case
// the object would be created with the default security.
SECURITY_ATTRIBUTES* CShareRestrictedSD::GetSA()
{
    if (ptr) {
        return &sa;
    }
    else
        return NULL;
}

For more information, see:

http://www.cnblogs.com/flier/archive/2004/07/15/24299.aspx
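Added example (not part of the original answer): the byte layout of the one-ACE DACL that the code above builds, written with portable stand-ins for the Win32 structures so it compiles without windows.h. It shows why the length calculation subtracts sizeof(DWORD), and it includes a small audit that flags an allow ACE granting GENERIC_ALL to Everyone. The helper names and SECTION_RW_MASK are this example's own.

```c
/* Added example: one-ACE DACL byte layout, portable stand-ins for the Win32 structs. */
#include <stdint.h>
#include <string.h>
#define GENERIC_ALL_MASK 0x10000000u /* numeric value of GENERIC_ALL */
#define SECTION_RW_MASK  0x00000006u /* SECTION_MAP_WRITE | SECTION_MAP_READ */
/* Everyone (World) SID S-1-1-0: revision, count, 6-byte authority, one sub-authority. */
static const uint8_t SID_EVERYONE[12] = {1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0};

static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get32(const uint8_t *p) { return get16(p) | ((uint32_t)get16(p + 2) << 16); }
static void put16(uint8_t *p, size_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
/* Same value GetLengthSid() returns: 8 fixed bytes + 4 per sub-authority. */
size_t sid_length(const uint8_t *sid) { return 8 + 4 * (size_t)sid[1]; }
/* sizeof(ACL) is 8 and sizeof(ACCESS_ALLOWED_ACE) is 12, but the ACE's last DWORD
   (SidStart) is the first 4 bytes of the SID itself, hence "- sizeof(DWORD)". */
size_t dacl_length(const uint8_t *sid) { return 8 + 12 - 4 + sid_length(sid); }

/* Write an ACL header plus one access-allowed ACE; returns 0 if buf is too small. */
size_t build_dacl(uint8_t *buf, size_t cap, uint32_t mask, const uint8_t *sid) {
    size_t total = dacl_length(sid);
    if (cap < total) return 0;
    memset(buf, 0, total);                 /* AceType 0 = ACCESS_ALLOWED_ACE_TYPE */
    buf[0] = 2;                            /* AclRevision = ACL_REVISION */
    put16(buf + 2, total);                 /* AclSize */
    put16(buf + 4, 1);                     /* AceCount */
    put16(buf + 10, 8 + sid_length(sid));  /* AceSize: ACE header + mask + SID */
    put16(buf + 12, mask & 0xffff); put16(buf + 14, mask >> 16); /* Mask */
    memcpy(buf + 16, sid, sid_length(sid));
    return total;
}

/* Audit: number of allow ACEs granting GENERIC_ALL to Everyone; -1 if malformed. */
int count_world_full_access(const uint8_t *acl, size_t len) {
    if (len < 8 || get16(acl + 2) > len) return -1;
    size_t off = 8;
    int hits = 0;
    for (unsigned i = 0; i < get16(acl + 4); i++) {
        size_t ace = (off + 8 <= len) ? get16(acl + off + 2) : 0;
        if (ace < 8 || off + ace > len) return -1;
        if (acl[off] == 0 && (get32(acl + off + 4) & GENERIC_ALL_MASK) && ace - 8 == 12 &&
            memcmp(acl + off + 8, SID_EVERYONE, 12) == 0) hits++;
        off += ace;
    }
    return hits;
}
int main(void) {
    uint8_t acl[64];
    size_t n = build_dacl(acl, sizeof acl, GENERIC_ALL_MASK, SID_EVERYONE);
    return !(n == 28 && count_world_full_access(acl, n) == 1);
}
```

Generic rights are mapped to object-specific rights when the object is created, so this audit applies to an ACL as built in memory, before it is passed to CreateFileMapping.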
