{"id":23303,"date":"2008-02-27T10:00:00","date_gmt":"2008-02-27T10:00:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/oldnewthing\/2008\/02\/27\/if-you-ask-for-standard_rights_required-you-may-as-well-ask-for-the-moon\/"},"modified":"2008-02-27T10:00:00","modified_gmt":"2008-02-27T10:00:00","slug":"if-you-ask-for-standard_rights_required-you-may-as-well-ask-for-the-moon","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20080227-00\/?p=23303","title":{"rendered":"If you ask for STANDARD_RIGHTS_REQUIRED, you may as well ask for the moon"},"content":{"rendered":"<p>\nOne of the predefined security access masks is\n<code>STANDARD_RIGHTS_REQUIRED<\/code>.\nYou see it used in defining the <code>_ALL_ACCESS<\/code> masks for\nvarious objects.\nHere are just a few examples:\n<\/p>\n<pre>\n#define PROCESS_ALL_ACCESS        (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \\\n                                   0xFFF)\n#define EVENT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|0x3)\n#define FILE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1FF)\n<\/pre>\n<p>\nThe <code>STANDARD_RIGHTS_REQUIRED<\/code> mask is meant to be used\nwhen defining access masks for object types.\nI&#8217;m guessing it&#8217;s called <code>STANDARD_RIGHTS_REQUIRED<\/code> because\nit&#8217;s the set of access masks that all securable objects must support.\n<a HREF=\"http:\/\/msdn2.microsoft.com\/en-us\/library\/aa379607.aspx\">\nLook at the documentation<\/a>\nor just at the definition:\n<\/p>\n<pre>\n#define DELETE                           (0x00010000L)\n#define READ_CONTROL                     (0x00020000L)\n#define WRITE_DAC                        (0x00040000L)\n#define WRITE_OWNER                      (0x00080000L)\n#define STANDARD_RIGHTS_REQUIRED         (0x000F0000L)\n<\/pre>\n<p>\nNotice that <code>STANDARD_RIGHTS_REQUIRED<\/code> is just\nan abbreviation for the union of the four access bits\n<code>DELETE | READ_CONTROL | WRITE_DAC | WRITE_OWNER<\/code>.\n<\/p>\n<p>\nNow that you see what it&#8217;s for,\nyou can also see what it&#8217;s <strong>not<\/strong> for:\nYou&#8217;re not expected to pass it as the mask of <strong>requested<\/strong>\naccess bits when you attempt to open an object.\nIn other words, the following is wrong:\n<\/p>\n<pre>\n<i>\/\/ wrong!\nHANDLE hProcess =\n    OpenProcess(dwProcessId, FALSE,\n                STANDARD_RIGHTS_REQUIRED | PROCESS_QUERY_INFORMATION);<\/i>\n<\/pre>\n<p>\nThe person writing this code probably thought,\n&#8220;Well, I just want to be able to query information, so I need to\npass <code>PROCESS_QUERY_INFORMATION<\/code>.\nThere&#8217;s this other thing here called <code>STANDARD_RIGHTS_REQUIRED<\/code>;\nsince it&#8217;s required, I&#8217;ll pass that too.&#8221;\n<\/p>\n<p>\nThe &#8220;required&#8221;ness of <code>STANDARD_RIGHTS_REQUIRED<\/code> doesn&#8217;t\napply to you, the program opening the object.\nIt applies to the person who is designing the object.\n<\/p>\n<p>\nYour attempt to be a &#8220;good security citizen&#8221; and ask only for the\naccess you need (namely, <code>PROCESS_QUERY_INFORMATION<\/code>)\nhas backfired due to the addition of <code>STANDARD_RIGHTS_REQUIRED<\/code>.\nIf you ask for\n<code>STANDARD_RIGHTS_REQUIRED<\/code>,\nyou are asking for <strong>everything<\/strong>.\n<\/p>\n<p>\nWhy is that?\nNotice that <code>STANDARD_RIGHTS_REQUIRED<\/code> includes\n<code>WRITE_DAC<\/code>.\nIf you have <code>WRITE_DAC<\/code> permission, that means that you\nhave permission to\nchange the security descriptor on the object,\nat which point you totally 0wnz0r it.\nYou want <code>PROCESS_VM_WRITE<\/code> access but the security\ndescriptor doesn&#8217;t let you?\nNo problem.\nJust set a new security descriptor that grants you\n<code>PROCESS_ALL_ACCESS<\/code> to the process object.\nTada! You now have all the access in the world.\n<\/p>\n<p>\nMoral of the story:\nDon&#8217;t ask for <code>STANDARD_RIGHTS_REQUIRED<\/code>,\nbecause only somebody with full control will be able to get it.\nAsk for what you actually want.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>One of the predefined security access masks is STANDARD_RIGHTS_REQUIRED. You see it used in defining the _ALL_ACCESS masks for various objects. Here are just a few examples: #define PROCESS_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \\ 0xFFF) #define EVENT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|0x3) #define FILE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1FF) The STANDARD_RIGHTS_REQUIRED mask is meant to be used when defining [&hellip;]<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[25],"class_list":["post-23303","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-code"],"acf":[],"blog_post_summary":"<p>One of the predefined security access masks is STANDARD_RIGHTS_REQUIRED. You see it used in defining the _ALL_ACCESS masks for various objects. Here are just a few examples: #define PROCESS_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \\ 0xFFF) #define EVENT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|0x3) #define FILE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1FF) The STANDARD_RIGHTS_REQUIRED mask is meant to be used when defining [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/23303","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=23303"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/23303\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=23303"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=23303"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=23303"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}