
Basically I want to create my shared memory with the equivalent of UNIX 600 permissions. How would I do this in Windows?

I think when I call CreateFileMapping I would need to pass an LPSECURITY_ATTRIBUTES object that I set using SetSecurityDescriptorDacl, but I'm not sure of the proper values to pass to SetSecurityDescriptorDacl. The documentation is a bit confusing for me since I don't really work with Windows, so any help is appreciated.

TreeWater
  • You can't expect to secure an object without doing the ground work. – David Heffernan Apr 04 '20 at 13:32
  • In general you need to determine the *Sids / Access* which you want in the *DACL*. Use `InitializeAcl` + `AddAccessAllowedAce` here, and build the *SD* with this *DACL* via `InitializeSecurityDescriptor` + `SetSecurityDescriptorDacl`. The current user *Sid* you can get from the process token with *TokenUser*. Or instead of the user sid you can use *TokenLogonSid* to restrict access to the current logon session. But anyway - what does this give you? – RbMm Apr 04 '20 at 14:06
  • @DavidHeffernan I'm not sure what you are trying to say. – TreeWater Apr 04 '20 at 20:13
  • @RbMm Ok, so basically I need to find the sid for the current user and then build the ACL with that info, and eventually get a LPSECURITY_ATTRIBUTES object which will secure my shared data, correct? – TreeWater Apr 04 '20 at 20:19
  • Yes, exactly. Only I would not say "find": simply `OpenProcessToken` + `GetTokenInformation` for `TokenUser`. Also, instead of the user sid it usually makes more sense to use the logon session sid, so use `TokenLogonSid`. – RbMm Apr 04 '20 at 22:58
  • @TreeWater It will be helpful for others if you can share your solution as an answer. – Rita Han Apr 06 '20 at 07:42
  • @RitaHan-MSFT I haven't written or tested anything yet and I'm not 100% sure how to accomplish this. I just have a general idea which is what I outlined in my comments above. When I figure it out and get it tested I can update – TreeWater Apr 07 '20 at 12:40
  • The equivalent of Unix `0600` restricts access to the owner. Windows Vista added an "OWNER RIGHTS" (OW) SID for this. When using this SID, you have to explicitly grant standard read-control and write-DAC access, which otherwise are granted to the owner implicitly. Generally you'd want to grant the owner generic-all access, but if you don't want to allow execute or size-extension access to the Section object, assign all standard access rights (WO,WD,RC,SD) and generic-read (GR) and generic-write (GW) access, e.g. via SDDL `"D:P(A;;GRGWWOWDRCSD;;;OW)"`. – Eryk Sun May 16 '20 at 08:12
  • You can convert SDDL to a security descriptor via `ConvertStringSecurityDescriptorToSecurityDescriptor`. – Eryk Sun May 16 '20 at 08:16
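
The SDDL approach from the last two comments, as an added example that is not part of the original thread. `sddl_rights_to_mask` and `create_owner_only_mapping` are hypothetical names: the first decodes the rights field to show the access mask the ACE grants, the second (Windows only, link with advapi32) creates the section with that DACL and refuses a name that already exists, because an existing object keeps whatever security descriptor its creator gave it.

```c
#include <stdint.h>
#include <string.h>

/* SDDL quoted in the thread: protected DACL, one allow ACE for OWNER RIGHTS. */
const char OWNER_ONLY_SDDL[] = "D:P(A;;GRGWWOWDRCSD;;;OW)";

/* Decode a run of two-letter SDDL rights codes into an access mask.
   Handles only the codes used on this page; returns 0 on anything else. */
uint32_t sddl_rights_to_mask(const char *rights)
{
    static const struct { const char *code; uint32_t bit; } map[] = {
        { "GR", 0x80000000u }, /* GENERIC_READ  */
        { "GW", 0x40000000u }, /* GENERIC_WRITE */
        { "WO", 0x00080000u }, /* WRITE_OWNER   */
        { "WD", 0x00040000u }, /* WRITE_DAC     */
        { "RC", 0x00020000u }, /* READ_CONTROL  */
        { "SD", 0x00010000u }, /* DELETE        */
    };
    const size_t n = sizeof map / sizeof map[0];
    size_t len = strlen(rights);
    uint32_t mask = 0;
    if (len % 2 != 0) return 0;
    for (size_t i = 0; i < len; i += 2) {
        size_t k = 0;
        while (k < n && strncmp(rights + i, map[k].code, 2) != 0) k++;
        if (k == n) return 0;          /* unknown rights code */
        mask |= map[k].bit;
    }
    return mask;
}

#ifdef _WIN32
#include <windows.h>
#include <sddl.h>
/* Create a pagefile-backed section protected by OWNER_ONLY_SDDL.
   Returns NULL on failure; GetLastError() gives the reason. */
HANDLE create_owner_only_mapping(const char *name, DWORD size)
{
    PSECURITY_DESCRIPTOR sd = NULL;
    if (!ConvertStringSecurityDescriptorToSecurityDescriptorA(
            OWNER_ONLY_SDDL, SDDL_REVISION_1, &sd, NULL))
        return NULL;
    SECURITY_ATTRIBUTES sa = { sizeof sa, sd, FALSE }; /* handle not inheritable */
    HANDLE h = CreateFileMappingA(INVALID_HANDLE_VALUE, &sa, PAGE_READWRITE, 0, size, name);
    DWORD err = GetLastError();
    LocalFree(sd);
    /* Name already taken: our DACL was not applied, so do not trust the object. */
    if (h != NULL && err == ERROR_ALREADY_EXISTS) { CloseHandle(h); h = NULL; }
    SetLastError(err);
    return h;
}
#endif
```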

0 Answers