John Hynes
Hi,
I have a system service which monitors a network and stores some information
in shared memory, and I want to be able to view this information from a web
page.
I first tried this with 1.1 using P/invoke to the appropriate security APIs
as described in Q106387 in the MS knowledgebase. I then ported to 2.0 and
the new security routines. In both cases I have the same problem: the only
way I can share the data is if the ASP web page impersonates an
Administrative user. This is not what I want; ideally I'd like it to work
with anonymous users, but if that's not possible then with a guest user.
Here's what I'm doing in 2.0:
In the system service (which runs as the local system account):
    // Mutex DACL: full control for the creator/owner and for Authenticated Users.
    SecurityIdentifier sidOwner = new SecurityIdentifier(
        WellKnownSidType.CreatorOwnerSid, null );
    SecurityIdentifier sidAuthUsers = new SecurityIdentifier(
        WellKnownSidType.AuthenticatedUserSid, null );
    MutexSecurity mSec = new MutexSecurity();
    MutexAccessRule rule = new MutexAccessRule( sidOwner,
        MutexRights.FullControl, AccessControlType.Allow );
    mSec.AddAccessRule( rule );
    rule = new MutexAccessRule( sidAuthUsers, MutexRights.FullControl,
        AccessControlType.Allow );
    mSec.AddAccessRule( rule );
    m_Mutex = new Mutex( false, strName + "M", out bCreateNew, mSec );

    // Section DACL as SDDL: creator/owner gets generic read+write,
    // Authenticated Users get generic read (plus FR).
    CommonSecurityDescriptor csd = new CommonSecurityDescriptor( false, false,
        "D:(A;;GRGW;;;CO)(A;;GRFR;;;AU)" );
    byte[] binarySecurityDescriptor = new byte[ csd.BinaryLength ];
    csd.GetBinaryForm( binarySecurityDescriptor, 0 );
    // -1 is INVALID_HANDLE_VALUE: the mapping is backed by the paging file.
    m_hFile = Win32.CreateFileMapping( -1, binarySecurityDescriptor,
        Win32.MappedFileProtection.PAGE_READWRITE, 0, nMaxLength, strName );
Then in the web page:
    m_Mutex = Mutex.OpenExisting( strName + "M" );
    // Ask only for read access on the section.
    m_hFile = Win32.OpenFileMapping( Win32.FileMapAccess.FILE_MAP_READ, false,
        strName );
The Mutex is opened successfully, but if the impersonating user is a Power
User (or less) rather than an Administrator then the OpenFileMapping call
fails with Access Denied.
If the ACL allows all authenticated users read access then why can only
Administrators access it, when the Mutex works OK? Why won't it work if I
change the ACL to allow anonymous users read access?
Thanks
John
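The question above turns on what the section's DACL actually grants once generic rights are translated into section-specific rights. The following is an added example, not code from the original post: it parses the same SDDL shape the post uses, maps each ACE's generic bits onto section rights, and reports whether Authenticated Users end up with SECTION_MAP_READ (the right FILE_MAP_READ needs). The section right values and the generic mapping (GenericRead = STANDARD_RIGHTS_READ | SECTION_QUERY | SECTION_MAP_READ, and so on) are taken from winnt.h and the documented section generic mapping and should be treated as this example's assumption; the AU ACE is written with GR alone, since FR is a file-object right and does not describe a section.

```csharp
using System;
using System.Security.AccessControl;
using System.Security.Principal;

// Added example (not from the original post): dump a section DACL and check
// which trustees are actually granted SECTION_MAP_READ after generic mapping.
static class SectionDaclCheck
{
    // Section-object access bits (winnt.h).
    const uint SECTION_QUERY       = 0x0001;
    const uint SECTION_MAP_WRITE   = 0x0002;
    const uint SECTION_MAP_READ    = 0x0004;
    const uint SECTION_MAP_EXECUTE = 0x0008;
    const uint SECTION_ALL_ACCESS  = 0x000F001F;
    const uint STANDARD_RIGHTS_READ    = 0x00020000;
    const uint STANDARD_RIGHTS_WRITE   = 0x00020000;
    const uint STANDARD_RIGHTS_EXECUTE = 0x00020000;

    const uint GENERIC_READ    = 0x80000000;
    const uint GENERIC_WRITE   = 0x40000000;
    const uint GENERIC_EXECUTE = 0x20000000;
    const uint GENERIC_ALL     = 0x10000000;

    // Assumed generic-to-specific mapping for section objects.
    static uint MapGenericToSection(uint mask)
    {
        uint specific = mask & 0x0FFFFFFF;
        if ((mask & GENERIC_READ) != 0)
            specific |= STANDARD_RIGHTS_READ | SECTION_QUERY | SECTION_MAP_READ;
        if ((mask & GENERIC_WRITE) != 0)
            specific |= STANDARD_RIGHTS_WRITE | SECTION_MAP_WRITE;
        if ((mask & GENERIC_EXECUTE) != 0)
            specific |= STANDARD_RIGHTS_EXECUTE | SECTION_MAP_EXECUTE;
        if ((mask & GENERIC_ALL) != 0)
            specific |= SECTION_ALL_ACCESS;
        return specific;
    }

    // True when an Allow ACE for `trustee` grants SECTION_MAP_READ and no
    // Deny ACE for the same trustee removes it (a sanity check, not a full
    // token-based access check).
    static bool GrantsMapRead(CommonSecurityDescriptor sd, SecurityIdentifier trustee)
    {
        bool allowed = false;
        foreach (GenericAce ace in sd.DiscretionaryAcl)
        {
            CommonAce ca = ace as CommonAce;
            if (ca == null) continue;
            uint rights = MapGenericToSection((uint)ca.AccessMask);
            Console.WriteLine("{0,-14} {1,-14} mask 0x{2:X8} -> section 0x{3:X8}",
                ca.AceType, ca.SecurityIdentifier, (uint)ca.AccessMask, rights);
            if (!ca.SecurityIdentifier.Equals(trustee)) continue;
            if (ca.AceType == AceType.AccessDenied && (rights & SECTION_MAP_READ) != 0)
                return false;
            if (ca.AceType == AceType.AccessAllowed && (rights & SECTION_MAP_READ) != 0)
                allowed = true;
        }
        return allowed;
    }

    static void Main()
    {
        // Same DACL shape as the post: creator/owner read+write, Authenticated Users read.
        string sddl = "D:(A;;GRGW;;;CO)(A;;GR;;;AU)";
        CommonSecurityDescriptor sd = new CommonSecurityDescriptor(false, false, sddl);
        SecurityIdentifier authUsers =
            new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null);
        Console.WriteLine("Authenticated Users granted SECTION_MAP_READ: "
            + GrantsMapRead(sd, authUsers));
    }
}
```

Two things the dump makes visible. First, the CREATOR OWNER SID is a placeholder that the system substitutes only when an inheritable ACE is inherited; in a DACL applied directly to a new object it names no real principal, so the creating process relies on its other group memberships (or the owner's implicit rights) rather than on that ACE. Second, the check above only reads the descriptor; whether the impersonating token is actually a member of Authenticated Users, and which object namespace the name resolves in, are separate questions that the descriptor alone cannot answer.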