Is anyone aware of an easy (easier) way to obtain or create some 'mainstream' SECURITY_DESCRIPTOR ?
In my case i just need something like an "Everyone can do anything to this" for a CreateMutex call (if I pass NULL(meaning default) a non-elevated user cannot obtain the mutex created by an elevated one). This is sort of the same thing you see when you look at the security tab of a file - and it can be quite verbose.
MSDN has an example of how to create one from scratch:
https://learn.microsoft.com/da-dk/windows/desktop/SecAuthZ/creating-a-security-descriptor-for-a-new-object-in-c--
As you can see, it is very verbose (4-5 steps needed). I guess Im hoping for a higher level function that makes this trivial or something like query the system for the "Everyone" group and copy from that, etc.
Related
I would like, if possible, to have some control on the job description and name. I tried to add the JobDisplayName to the Controller that is activating the job, also to the method that is being called to run in background but no luck.
Also the job description page is very polluted with unnecessary information that i would like to remove, or to format to a readable information.
In the A case, i would like to remove this, or to format it to a more readable format.
In the B case what can i do to output it to a human readable object?
Issue A: there are quite a few bugs that have been opened but most of them suggest there is no way to update the information displayed there, but, you should follow the Best Practices and keep the method and arguments small.
Fix B
Change the return statement of your method that's enqeued to fix the data displayed.
There is setgroups(size_t size, const gid_t *list) method in C which would allow me to set the supplementary group ids of the calling process.
Question 1:
But in order run this we need to have proper rights so the only way I got to run this program without getting Operation not permitted error is to run it using root. But does that mean using this method we could only set the groups of root??
Question 2:
On the other hand what I intend to do is given a particular user and a list of gid's I want to set the given gid's as the supplementary groups to given user. Is there a method defined for this in C/C++?
Thanks in advance
Technically under Linux you need the CAP_SETGID capability, which need not be root (but normally is).
Note that this works with the effective gid, not the actual gid. Note also the actual / effective gid of the calling process is not necessarily the same as the actual / effective uid. You should have a look at the manpages for setuid, seteuid, setgid and setegid for more details, but one scenario would be for a SUID program to setegid back to an unprivileged group then use setgroups.
I'm helping develop a new API for an existing database.
I'm using Python 2.7.3, Django 1.5 and the django-rest-framework 2.2.4 with PostgreSQL 9.1
I need/want good documentation for the API, but I'm shorthanded and I hate writing/maintaining documentation (one of my many flaws).
I need to allow consumers of the API to add new "POS" (points of sale) locations. In the Postgres database, there is a foreign key from pos to pos_location_type. So, here is a simplified table structure.
pos_location_type(
id serial,
description text not null
);
pos(
id serial,
pos_name text not null,
pos_location_type_id int not null references pos_location_type(id)
);
So, to allow them to POST a new pos, they will need to give me a "pos_name" an a valid pos_location_type. So, I've been reading about this stuff all weekend. Lots of debates out there.
How is my API consumers going to know what a pos_location_type is? Or what value to pass here?
It seems like I need to tell them where to get a valid list of pos_locations. Something like:
GET /pos_location/
As a quick note, examples of pos_location_type descriptions might be: ('school', 'park', 'office').
I really like the "Browseability" of of the Django REST Framework, but, it doesn't seem to address this type of thing, and I actually had a very nice chat on IRC with Tom Christie earlier today, and he didn't really have an answer on what to do here (or maybe I never made my question clear).
I've looked at Swagger, and that's a very cool/interesting project, but take a look at their "pet" resource on their demo here. Notice it is pretty similar to what I need to do. To add a new pet, you need to pass a category, which they define as class Category(id: long, name: string). How is the consumer suppose to know what to pass here? What's a valid id? or name?
In Django rest framework, I can define/override what is returned in the OPTION call. I guess I could come up with my own little "system" here and return some information like:
pos-location-url: '/pos_location/'
in the generic form, it would be: {resource}-url: '/path/to/resource_list'
and that would sort of work for the documentation side, but I'm not sure if that's really a nice solution programmatically. What if I change the resources location. That would mean that my consumers would need to programmatically make and OPTIONS call for the resource to figure out all of the relations. Maybe not a bad thing, but feels like a little weird.
So, how do people handle this kind of thing?
Final notes: I get the fact that I don't really want a "leaking" abstaction here and have my database peaking thru the API layer, but the fact remains that there is a foreign_key constraint on this existing database and any insert that doesn't have a valid pos_location_type_id is raising an error.
Also, I'm not trying to open up the URI vs. ID debate. Whether the user has to use the pos_location_type_id int value or a URI doesn't matter for this discussion. In either case, they have no idea what to send me.
I've worked with this kind of stuff in the past. I think there is two ways of approaching this problem, the first you already said it, allow an endpoint for users of the API to know what is the id-like value of the pos_location_type. Many API's do this because a person developing from your API is gonna have to read your documentation and will know where to get the pos_location_type values from. End-users should not worry about this, because they will have an interface showing probably a dropdown list of text values.
On the other hand, the way I've also worked this, not very RESTful-like. Let's suppose you have a location in New York, and the POST could be something like:
POST /pos/new_york/
You can handle /pos/(location_name)/ by normalizing the text, then just search on the database for the value or some similarity, if place does not exist then you just create a new one. That in case users can add new places, if not, then the user would have to know what fixed places exist, which again is the first situation we are in.
that way you can avoid pos_location_type in the request data, you could programatically map it to a valid ID.
I have a BHO which on the first run is gathering activation information and storing this in the registry.
(I think) due to IE's permission's I am only able to store this in the registry branch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-0-0-00-000000000-000000000-000000000-0000\Software\MyBHO\MyKey
Where S-0-0-00-000000000-000000000-000000000-0000 is a unique key for each user.
Which is fine using RegCreateKey() with "Software\MyBHO\MyKey". It's all created and running lovely. It determines where in space to store the Key with no problems.
The Problem:
When I carry out an uninstall I want to remove this key and as this is run outside of IE I have no way to determine where that key is / what the user string is.
Options I have in mind:
Option 1 (Ideal)
Find out this user string first to then build a new path for the key I wish to remove and remove it. How?
Option 2
At the point of activation store the path to the key in another registry value that can be accessed. Then read, and delete both (Which seems a bit backwards and probably wont work due to the access restrictions of the BHO on the registry (Thus it being written there in the first place))
Do you know if there is any way to find this User key or even how to find the parent dir.
Edit Upon continued research I've found that the thing I'm referring to as "user key" is the current Users "SID". Maybe this will yield me better results.
Call GetUserName to get the user name, and LookupAccountName to get his SID.
ConvertSidToStringSid is a useful utility function to format a SID as a S-1-5-32-00000000-00000000-00000000-00000000-0000 string
If you really want to write per-user data to the registry, use IEGetWriteableHKCU().
In general there is no good way to remove per-user data at uninstall. For example, what if you install as user A and the uninstall as user B? Are you going to go find all of them and delete them? Just leave the turds behind.
Alternatively you could consider using a different data store. Do you really need the registry? Can you store this data in a file? What about Web Storage?
I am writing some C++ code for the Windows(XP/7) platform to check the permission associated to a file. I want to verify that the file I am reading cannot be written by accounts with non elevated privileges. This is what I am currently doing:
I get the DACL associated with the file calling GetNamedSecurityInfo
I call CreateWellKnownSid with well known Sids, such as WinAuthenticatedUserSid (the Users group)
I call BuildTrusteeWithSid to build a TRUSTEE with the previous SID
I call GetEffectiveRightsFromAcl with the previously created trustee to get the effective acl
I check that the ACL does not contain the Write Flag set.
This code is working perfectly for the Users group. What about the other groups such as Everyone, Guests, or other specific users which may have specific write access on the file? I would like to find a solution where I don't need to enumerate all possible SID and check against all of them. Is there a SID I could use such as "anything but not admin"?
Regards,
Ant
I'd take a slightly different approach:
Get all ACE's via GetExplicitEntriesFromAcl, for the file and all its parents
Select the GRANT_ACCESS and SET_ACCESS ACE's
Get the list of trustees from the selected ACE's
For each of the trustees, perform an access check. GetEffectiveRightsFromAcl is probably the easiest solution here.
You'll want to think specifically what you want to do with the OWNER. He can alter the rights at any time.