PB173 - Systémové programování Windows Ukol 11 registry event log service client Rozšiřte projekt Service tak: • aby mohl komunikovat s klientem běžícím s oprávněními standardního uživatele. Nutné úpravy: • Aby stejnou konfiguraci viděl klient i služba, je nutné ji přesunout z HKCU do HKLM (v registrech i v kódu) Tipy: File Mapping Security and Access Rights http://msdn.microsoft.com/en-us/librarv/windows/desktop/aa366559(v=vs.85').aspx Synchronization Object Security and Access Rights http://msdn.microsoft.com/en- us/librarv/windows/desktop/ms686670(v=vs.85').aspx Služba zdroje vytváří, klient zdroje otevírá. Příloha 1 - Creating a Security Descriptor for a New Object in C+ + Zdroj: http://msdn.microsoft.com/en-us/library/windows/desktop/aa446595rv=vs.85').aspx #pragma comment(lib, "advapi32.lib") #include #include #include #include void main() { DWORD dwRes, dwDisposition; PSID pEveryoneSID = NULL, pAdminSID = NULL; PACL pACL = NULL; PSECURITY_DESCRIPTOR pSD = NULL; EXPLICIT_ACCESS ea[2]; SID_IDENTIFIER_AUTHORITY SIDAuthWorld = SECURITY_WORLD_SID_AUTHORITY; SID_IDENTIFIER_AUTHORITY SIDAuthNT = SECURITY_NT_AUTHORITY; SECURITY_ATTRIBUTES sa; LONG IRes; HKEY hkSub = NULL; // Create a well-known SID for the Everyone group, if(!AllocateAndlnitializeSid(SSIDAuthWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &pEveryoneSID)) { _tprintf(_T("AllocateAndlnitializeSid Error %u\n"), GetLastError()); goto Cleanup; } // Initialize an EXPLICIT_ACCESS structure for an ACE. // The ACE will allow Everyone read access to the key. ZeroMemory(Sea, 2 * sizeof(EXPLICIT_ACCESS)); ea[0].grfAccessPermissions = KEY READ; ea[0].grfAccessMode = SET_ACCESS; ea[0].grfInheritance= NO_INHERITANCE; ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID; ea[0].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP; ea[0].Trustee.ptstrName = (LPTSTR) pEveryoneSID; // Create a SID for the BUILTIN\Administrators group. if(! AllocateAndlnitializeSid(SSIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RI D_ADMINS , 0, 0, 0, 0, 0, 0, SpAdminSID) ) { _tprintf(_T("AllocateAndlnitializeSid Error %u\n"), GetLastError()); goto Cleanup; } // Initialize an EXPLICIT_ACCESS structure for an ACE. // The ACE will allow the Administrators group full access to // the key. ea[1].grfAccessPermissions = KEY_ALL_ACCESS; ea[1].grfAccessMode = SET_ACCESS; ea[l].grfInheritance= NO_INHERITANCE; ea[l].Trustee.TrusteeForm = TRUSTEE_IS_SID; ea[l].Trustee.TrusteeType = TRUSTEE_IS_GROUP; ea[l].Trustee.ptstrName = (LPTSTR) pAdminSID; // Create a new ACL that contains the new ACEs. dwRes = SetEntriesInAcl(2, ea, NULL, SpACL); if (ERROR_SUCCESS != dwRes) { _tprintf(_T("SetEntriesInAcl Error %u\n"), GetLastError()); goto Cleanup; } // Initialize a security descriptor. pSD = (PSECURITY_DESCRIPTOR) LocalAlloc(LPTR, SECURITY_DESCRIPTOR_MIN_LENGTH); if (NULL == pSD) { _tprintf(_T("LocalAlloc Error %u\n"), GetLastError()); goto Cleanup; } if (!InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION)) { tprintf( T("InitializeSecurityDescriptor Error %u\n"), GetLastError ( ) ) ; goto Cleanup; } // Add the ACL to the security descriptor, if (!SetSecurityDescriptorDacl(pSD, TRUE, // bDaclPresent flag pACL, FALSE)) // not a default DACL { tprintf( T("SetSecurityDescriptorDacl Error %u\n"), GetLastError ( ) ) ; goto Cleanup; } // Initialize a security attributes structure. sa.nLength = sizeof (SECURITY_ATTRIBUTES); sa.IpSecurityDescriptor = pSD; sa.blnheritHandle = FALSE; // Use the security attributes to set the security descriptor // when you create a key. IRes = RegCreateKeyEx(HKEY_CURRENT_USER, _T("mykey"), 0, _T(""), 0, KEY_READ | KEY_WRITE, Ssa, ShkSub, SdwDisposition); _tprintf(_T("RegCreateKeyEx result %u\n"), IRes ); Cleanup: if (pEveryoneSID) FreeSid(pEveryoneSID); if (pAdminSID) FreeSid(pAdminSID); if (pACL) LocalFree(pACL); if (pSD) LocalFree(pSD); if (hkSub) RegCloseKey(hkSub); return; } Příloha 2 - Creating a D AC L Zdroj: http://msdn.microsoft.com/en-us/librarv/windows/desktop/ms717798(,v=vs.85').aspx #define _WIN32_WINNT 0x0500 #include #include #include #pragma comment(lib, "advapi32.lib") BOOL CreateMyDACL(SECURITY_ATTRIBUTES *); void main() { SECURITY_ATTRIBUTES sa; sa.nLength = sizeof(SECURITY_ATTRIBUTES); sa.blnheritHandle = FALSE; // Call function to set the DACL. The DACL is set in the SECURITY_ATTRIBUTES // IpSecurityDescriptor member, if (!CreateMyDACL(Ssa)) { // Error encountered; generate message and exit, printf("Failed CreateMyDACL\n"); exit(1); } // Use the updated SECURITY_ATTRIBUTES to specify security attributes for // securable objects. This example uses security attributes during // creation of a new directory. if (0 == CreateDirectory (TEXT ( "C: WMyFolder" ) , Ssa)) { // Error encountered; generate message and exit. printf("Failed CreateDirectory\n"); exit(1); } // Free the memory allocated for the SECURITY_DESCRIPTOR. if (NULL != LocalFree(sa.IpSecurityDescriptor)) { // Error encountered; generate message and exit. printf("Failed LocalFree\n"); exit(1); } } // CreateMyDACL. // Create a security descriptor that contains the DACL you want. // This function uses SDDL to make Deny and Allow ACEs. // // Parameter: // SECURITY_ATTRIBUTES * pSA // Pointer to a SECURITY_ATTRIBUTES structure. It is your responsibility // to properly initialize the structure and to free the structure's // IpSecurityDescriptor member when you have finished using it. To free the structure's // IpSecurityDescriptor member, call the LocalFree function. // // Return value: // FALSE if the address to the structure is NULL. Otherwise, this function // returns the value from the ConvertStringSecurityDescriptorToSecurityDescriptor // function. BOOL CreateMyDACL(SECURITY_ATTRIBUTES * pSA) { // Define the SDDL for the DACL. This example sets the following access: // Built-in guests are denied all access. // Anonymous logon is denied all access. // Authenticated users are allowed // read/write/execute access. // Administrators are allowed full control. // Modify these values as needed to generate the proper DACL for your application. TCHAR * szSD = TEXT("D:") // Discretionary ACL TEXT("(D;OICI;GA;;;BG)") // Deny access to built-in guests TEXT("(D;OICI;GA;;;AN) ") // Deny access to anonymous logon TEXT("(A;OICI;GRGWGX;;;AU)") // Allow read/write/execute to authenticated users TEXT("(A;OICI;GA;;;BA) ") ; // Allow full control to administrators if (NULL == pSA) return FALSE; return ConvertStringSecurityDescriptorToSecurityDescriptor( szSD, SDDL_REVISI0N_1, &(pSA->lpSecurityDescriptor), NULL);