\nA customer wanted some help deciding what security attributes to place\non an event object intended to be used by multiple security contexts.\n<\/p>\n
\nWe have two processes, call them A and B, running in different\nsecurity contexts.\nI have an event that process A creates and shares with process B.\nThe only thing process A does with the event is signal it,\nand the only thing process B does with the event is wait on it.\nOur question is what ACLs you recommend for the event.\nFor now, we’re using O:BAD:(A;;GR;;;WD)(A;;GA;;;LS)(A;;GA;;;BA).\n(In case it matters, process A is usually running as a service\nwith Local System privileges,\nthough for testing purposes it may be running as local administrator.\nProcess B runs as a service with Local Service privileges.)\n<\/p><\/blockquote>\n
\nFor those who don’t speak\n\nSDDL<\/a>, that weird line noise is shorthand for\n<\/p>\n
\n
- O<\/u>wner:\n B<\/u>uiltin\n A<\/u>dministrators<\/p>\n
- D<\/u>ACL:\n
\n
- A<\/u>llow\n G<\/u>eneric R<\/u>ead\n to\n Everyone (aka W<\/u>orld<\/u>).<\/p>\n
- A<\/u>llow\n G<\/u>eneric A<\/u>ll\n to\n L<\/u>ocal S<\/u>ervice.<\/p>\n
- A<\/u>llow\n G<\/u>eneric A<\/u>ll\n to\n B<\/u>uiltin A<\/u>dministrators.\n <\/ul>\n<\/ul>\n
\nGiven the requirements, there is no need to grant Everyone\nany access at all, so we can delete the (A;;GR;;;WD) ACE.\n<\/p>\n
\nSince process B needs only to wait on the object,\ngranting it Generic All access is far too broad.\nThat would allow process B to signal the event or even change its ACL!\nTo wait on an object, all you need is Synchronize,\nso the second ACE can be tightened to\n(A;;0x00100000;;;LS).\n(There is no shorthand for Synchronize, so we use its hex value.)\n<\/p>\n
\nThe intention of the third ACE is to allow process A to\nsignal the event,\nbut for that all it needs is
EVENT_MODIFY_STATE<\/code>,\nnot Generic All.\nBut we can do better:\nWe can delete the ACE entirely.\n<\/p>\n\n“But Mister Wizard,\nif you delete the third ACE,\nthen process A won’t be able to signal the event!”\n<\/p>\n
\nAh yes it can, thanks to a special feature of\n\nthe
CreateEvent<\/code> function<\/a>:\n<\/p>\n\nThe handle returned by CreateEvent<\/b>\nhas the EVENT_ALL_ACCESS<\/b> access right.\n<\/p><\/blockquote>\n
\nIf you created the event, you get full access to the event\nregardless of what the ACLs on the event would normally say.\n<\/p>\n
\nTherefore, the event can be ACL’d with simply\nO:BAD:(A;;0x00100000;;;LS).\nWhen process A creates the event, it needs to hold on tight\nto that event handle, since that is the process’s only way of\nsetting the event!\n(If it loses the handle, it won’t be able to get it back because\nthe attempt to reacquire the handle will be blocked by the ACL.)\n<\/p>\n
\nHere’s a quick program that demonstrates the behavior.\n<\/p>\n
\n#include <windows.h>\n#include <sddl.h>\n#include <tchar.h>\n\/\/ This is a demonstration, so there is no error checking\n\/\/ and we leak memory.\nint __cdecl _tmain(int, TCHAR **)\n{\n ULONG cb;\n SECURITY_ATTRIBUTES sa = { sizeof(sa), NULL, FALSE };\n \/\/ Create a security descriptor that grants access to no one.\n ConvertStringSecurityDescriptorToSecurityDescriptor(TEXT(\"D:\"),\n SDDL_REVISION_1, &sa.lpSecurityDescriptor, &cb);\n \/\/ Create a handle with that security descriptor\n HANDLE h = CreateEvent(&sa, TRUE, TRUE,\n TEXT(\"NobodyCanAccessMeButMe<\/a>\"));\n \/\/ Even though nobody has access to the object, we can still\n \/\/ signal it using the handle returned by CreateEvent.\n SetEvent(h); \/\/ succeeds\n \/\/ But nobody else can obtain the handle via the object name.\n HANDLE h2 = OpenEvent(EVENT_MODIFY_STATE, FALSE,\n TEXT(\"NobodyCanAccessMeButMe\")); \/\/ fails\n return 0;\n}\n<\/pre>\n\nThe customer wrote back,\n“This worked perfectly. Thanks!”\n<\/p>\n