CODEWITHSUNDEEP
c++securitywinapidacl
sashoalm
sashoalm

Reputation: 79467

How do I create a NULL/empty DACL?

I need to grant access to everyone for a named pipe I'm creating. I understand the way to do it is to create a NULL/empty DACL and pass it to CreateNamedPipe.

How do I create a NULL DACL? I was told that it is not the same as passing a NULL pointer for LPSECURITY_ATTRIBUTES.

Upvotes: 6

Views: 3865

Answers (3)

jrbe228
jrbe228

Reputation: 578

My case was somewhat different with Docker container development. I have an existing COM application installed and wanted to create a null DACL via PowerShell. First look up your AppID in Component Services: enter image description here

Then run the following:

$appid = "{00020906-0000-0000-C000-000000000046}"  
$app = get-wmiobject -query ('SELECT * FROM Win32_DCOMApplicationSetting WHERE AppId = "' + $appid + '"') -enableallprivileges  
$sdRes = $app.GetLaunchSecurityDescriptor()  
$sd = $sdRes.Descriptor  
[System.Management.ManagementBaseObject[]] $newDACL = $null  
$sd.DACL = $newDACL  
$app.SetLaunchSecurityDescriptor($sd)

Now the app (MS Word 97-2003 in this example) is accessible to Everyone, with all the security risks mentioned by other answers and MS documentation.

Side note - use a null DACL in your case rather than empty. Empty DACL blocks permissions for all users: https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/null-and-empty-dacls/ba-p/396323.

Upvotes: 1

David Heffernan
David Heffernan

Reputation: 612954

Like this:

SECURITY_DESCRIPTOR SD;
InitializeSecurityDescriptor(&SD, SECURITY_DESCRIPTOR_REVISION);
SetSecurityDescriptorDacl(&SD, TRUE, NULL, FALSE);

I omitted error checking for the sake of brevity. You would not do that.

Then when you call CreateNamedPipe you can set up the security attributes record like this:

SA.nLength = sizeof(SA);
SA.lpSecurityDescriptor = &SD;
SA.bInheritHandle = TRUE;

The documentation for SetSecurityDescriptorDacl states:

When the pDacl parameter does not point to a DACL and the bDaclPresent flag is TRUE, a NULL DACL is specified. All access is allowed. You should not use a NULL DACL with an object because any user can change the DACL and owner of the security descriptor. This will interfere with use of the object.

So, the above is how to do it, but the documentation does stress that you should not do so.

Upvotes: 12

Eugene Mayevski 'Callback
Eugene Mayevski 'Callback

Reputation: 46050

Here's the code we use in one of our projects:

SECURITY_DESCRIPTOR  pSD;
SECURITY_ATTRIBUTES  SA;

if(!InitializeSecurityDescriptor(&pSD, SECURITY_DESCRIPTOR_REVISION))
    throw error;
if(!SetSecurityDescriptorDacl(&pSD, true, NULL, false))
    throw error;
SA.nLength = sizeof(SA);
SA.lpSecurityDescriptor = &pSD;
SA.bInheritHandle = true;
pSA = &SA;
...
FMapping = CreateFileMapping(INVALID_HANDLE_VALUE, pSA, PAGE_READWRITE, 0, 4096, p);

This code creates a mapping with access for all

Upvotes: 4

Related Questions