Richard M. Hartman
Trying to set permissions on a directory tree to cut off write access to
everyone except a designated privileged account. We are having a problem with
the Power Users group. Even though the top-level key blocks write access for
the Power Users group, the sub-keys can still be written to by that group. The
top-level key is cutting off inheritance from above, and it has the proper
permissions. Keys below it inherit from it ... but also show write access
by the Power Users group (apparently inherited from thin air) when you look
at the security permissions. The code we are using is below. I am hoping
somebody can tell me what we are doing wrong. The key we are setting is
HKLM/Software/YourCompanyNameHere.
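/**
 * Replace the DACL on HKEY_LOCAL_MACHINE\<szKeyName>.
 *
 * The new DACL grants KEY_READ to Everyone, local Users and Power Users, and
 * KEY_ALL_ACCESS to Administrators, LocalSystem, CREATOR OWNER and (when
 * given) one extra account. Every entry is marked
 * SUB_CONTAINERS_AND_OBJECTS_INHERIT.
 *
 * @param szKeyName   Key path relative to HKEY_LOCAL_MACHINE.
 * @param pszAccount  Account that receives full access, or NULL for none.
 *
 * The function reports progress and failures with printf and returns nothing.
 *
 * NOTE(review): only the named key is rewritten. Subkeys that already exist
 * keep the DACL they had before the call (see the comment at
 * RegSetKeySecurity), which is the likely reason a Power Users write entry is
 * still visible below a correctly locked top-level key.
 */
void SecureRegistry(LPCTSTR szKeyName, LPCTSTR pszAccount)
{
    // printf("special account=%s\n", (pszAccount==NULL?"none":pszAccount));

    // These groups will have READ access
    CSid sidEveryone(CSid::WST_EVERYONE);
    CSid sidLocalUsers(CSid::WST_LOCALUSERS);
    CSid sidPowerUsers(CSid::WST_LOCALPOWERUSERS);

    // These groups will have FULL access
    CSid sidAdmins(CSid::WST_LOCALADMINS);
    CSid sidLocalSystem(CSid::WST_LOCALSYSTEM);
    CSid sidCreatorOwner(CSid::WST_CREATOROWNER);

    CTrustee trEveryone(TRUSTEE_IS_GROUP, sidEveryone);
    CTrustee trLocalUsers(TRUSTEE_IS_GROUP, sidLocalUsers);
    CTrustee trPowerUsers(TRUSTEE_IS_GROUP, sidPowerUsers);
    CTrustee trAdmins(TRUSTEE_IS_GROUP, sidAdmins);
    CTrustee trLocalSystem(TRUSTEE_IS_GROUP, sidLocalSystem);
    CTrustee trCreatorOwner(TRUSTEE_IS_GROUP, sidCreatorOwner);
    // NOTE(review): constructed even when pszAccount is NULL; it is only
    // added to the list below when pszAccount is non-NULL. Confirm that
    // CTrustee tolerates a NULL name.
    CTrustee trSpecialAccount(TRUSTEE_IS_USER, pszAccount);

    // NOTE(review): up to seven entries are written; assumes
    // MAX_DACL_LEN >= 7 -- confirm against its definition.
    EXPLICIT_ACCESS ea[MAX_DACL_LEN];
    DWORD dwInherit = SUB_CONTAINERS_AND_OBJECTS_INHERIT;
    int iCount = 0;

    ea[iCount++] = CExplicitAccess(KEY_READ, SET_ACCESS, dwInherit, trEveryone);
    ea[iCount++] = CExplicitAccess(KEY_READ, SET_ACCESS, dwInherit, trLocalUsers);
    ea[iCount++] = CExplicitAccess(KEY_READ, SET_ACCESS, dwInherit, trPowerUsers);
    ea[iCount++] = CExplicitAccess(KEY_ALL_ACCESS, SET_ACCESS, dwInherit, trAdmins);
    ea[iCount++] = CExplicitAccess(KEY_ALL_ACCESS, SET_ACCESS, dwInherit, trLocalSystem);
    // An inheritable CREATOR OWNER entry gives whoever creates a subkey full
    // control over that subkey.
    ea[iCount++] = CExplicitAccess(KEY_ALL_ACCESS, SET_ACCESS, dwInherit, trCreatorOwner);
    if (pszAccount) {
        ea[iCount++] = CExplicitAccess(KEY_ALL_ACCESS, SET_ACCESS, dwInherit, trSpecialAccount);
    }

    int ii;
    printf("the EA we created\n");
    printf("oea has %d entries\n", iCount);
    for (ii = 0; ii < iCount; ii++) {
        if (VERBOSE) printf("\nea[%d]:", ii);
        PrintEA(ea[ii], VERBOSE);
    }

    // Create a new ACL and set the EA entries in it
    CAcl acl;
    if (acl.SetEntriesInAcl(iCount, ea) != ERROR_SUCCESS) {
        printf("SetEntriesInAcl failed\n");
        return;
    }

    // Initialize a security descriptor and add our ACL to it
    CSecurityDescriptor sd;
    BOOL bIsPresent = FALSE;
    BOOL bIsDefaulted = FALSE;
    PACL oldDacl = NULL;

#if DIAG
    printf("the ACL we created\n");
    PrintPACL(acl, VERBOSE); // test by printing the one we created first
#endif

    bIsPresent = FALSE;
    sd.GetSecurityDescriptorDacl(&bIsPresent, &oldDacl, &bIsDefaulted);
#if DIAG
    if (bIsPresent) {
        printf("\nthe ACL initialized by the sd");
        printf("initial descriptor defaulted? %s\n",
               bIsDefaulted ? "true" : "false");
        PrintPACL(oldDacl, VERBOSE);
    }
#endif

    if (!sd.SetSecurityDescriptorDacl(TRUE, acl, FALSE)) {
        printf("SetSecurityDescriptorDacl failed\n");
        return;
    }

    bIsPresent = FALSE;
    sd.GetSecurityDescriptorDacl(&bIsPresent, &oldDacl, &bIsDefaulted);
#if DIAG
    if (bIsPresent) {
        printf("\nthe sd ACL modified by our ACL");
        printf("initial descriptor defaulted? %s\n",
               bIsDefaulted ? "true" : "false");
        PrintPACL(oldDacl, VERBOSE);
    }
#endif

    printf("open key %s\n", szKeyName);

    // Reading and replacing a DACL needs READ_CONTROL and WRITE_DAC only, so
    // the handle is not opened with KEY_ALL_ACCESS.
    HKEY hkey;
    const LONG lOpen = RegOpenKeyEx(HKEY_LOCAL_MACHINE, szKeyName, 0,
                                    READ_CONTROL | WRITE_DAC, &hkey);
    if (lOpen != ERROR_SUCCESS) {
        printf("RegOpenKeyEx failed, error %ld\n", lOpen);
        return;
    }

    unsigned long buf[1024];
    DWORD bufsize = sizeof(buf);

    // Dump the DACL the key has before the change.
    if (::RegGetKeySecurity(hkey, DACL_SECURITY_INFORMATION, &buf[0],
                            &bufsize) == ERROR_SUCCESS) {
        PSECURITY_DESCRIPTOR psd = (PSECURITY_DESCRIPTOR) buf;
        bIsPresent = FALSE;
        GetSecurityDescriptorDacl(psd, &bIsPresent, &oldDacl, &bIsDefaulted);
#if DIAG
        if (bIsPresent) {
            printf("\nthe original key sd ACL\n");
            printf("initial descriptor defaulted? %s\n",
                   bIsDefaulted ? "true" : "false");
            PrintPACL(oldDacl, VERBOSE);
        }
#endif
    }

    // NOTE(review): RegSetKeySecurity stores the descriptor on this key only.
    // It does not push the inheritable entries down to subkeys that already
    // exist, so their DACLs (and any Power Users write entry in them) are
    // left as they were. To lock down an existing tree, either apply the
    // DACL to every subkey (RegEnumKeyEx walk) or set it with
    // SetSecurityInfo / SetNamedSecurityInfo and
    // PROTECTED_DACL_SECURITY_INFORMATION, which propagates inheritable
    // entries to existing children. Explicit entries already on a subkey are
    // not removed by propagation and have to be cleared separately.
    const LONG lSet = RegSetKeySecurity(hkey, DACL_SECURITY_INFORMATION, sd);
    if (lSet != ERROR_SUCCESS) {
        // Without this check a denied or failed update looks like success.
        printf("RegSetKeySecurity failed, error %ld\n", lSet);
    }

    // Read the DACL back so the result can be compared with what was asked.
    bufsize = sizeof(buf);
    if (::RegGetKeySecurity(hkey, DACL_SECURITY_INFORMATION, &buf[0],
                            &bufsize) == ERROR_SUCCESS) {
        PSECURITY_DESCRIPTOR psd = (PSECURITY_DESCRIPTOR) buf;
        bIsPresent = FALSE;
        GetSecurityDescriptorDacl(psd, &bIsPresent, &oldDacl, &bIsDefaulted);
#if DIAG
        if (bIsPresent) {
            printf("\nthe key sd ACL modified by our ACL\n");
            printf("initial descriptor defaulted? %s\n",
                   bIsDefaulted ? "true" : "false");
            PrintPACL(oldDacl, VERBOSE);
        }
#endif
    }

    RegCloseKey(hkey);
}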
everyone except a designated privileged account. We are having a problem with
the Power Users group. Even though the top-level key blocks write access for
the Power Users group, the sub-keys can still be written to by that group. The
top-level key is cutting off inheritance from above, and it has the proper
permissions. Keys below it inherit from it ... but also show write access
by the Power Users group (apparently inherited from thin air) when you look
at the security permissions. The code we are using is below. I am hoping
somebody can tell me what we are doing wrong. The key we are setting is
HKLM/Software/YourCompanyNameHere.
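/**
 * Replace the DACL on HKEY_LOCAL_MACHINE\<szKeyName>.
 *
 * The new DACL grants KEY_READ to Everyone, local Users and Power Users, and
 * KEY_ALL_ACCESS to Administrators, LocalSystem, CREATOR OWNER and (when
 * given) one extra account. Every entry is marked
 * SUB_CONTAINERS_AND_OBJECTS_INHERIT.
 *
 * @param szKeyName   Key path relative to HKEY_LOCAL_MACHINE.
 * @param pszAccount  Account that receives full access, or NULL for none.
 *
 * The function reports progress and failures with printf and returns nothing.
 *
 * NOTE(review): only the named key is rewritten. Subkeys that already exist
 * keep the DACL they had before the call (see the comment at
 * RegSetKeySecurity), which is the likely reason a Power Users write entry is
 * still visible below a correctly locked top-level key.
 */
void SecureRegistry(LPCTSTR szKeyName, LPCTSTR pszAccount)
{
    // printf("special account=%s\n", (pszAccount==NULL?"none":pszAccount));

    // These groups will have READ access
    CSid sidEveryone(CSid::WST_EVERYONE);
    CSid sidLocalUsers(CSid::WST_LOCALUSERS);
    CSid sidPowerUsers(CSid::WST_LOCALPOWERUSERS);

    // These groups will have FULL access
    CSid sidAdmins(CSid::WST_LOCALADMINS);
    CSid sidLocalSystem(CSid::WST_LOCALSYSTEM);
    CSid sidCreatorOwner(CSid::WST_CREATOROWNER);

    CTrustee trEveryone(TRUSTEE_IS_GROUP, sidEveryone);
    CTrustee trLocalUsers(TRUSTEE_IS_GROUP, sidLocalUsers);
    CTrustee trPowerUsers(TRUSTEE_IS_GROUP, sidPowerUsers);
    CTrustee trAdmins(TRUSTEE_IS_GROUP, sidAdmins);
    CTrustee trLocalSystem(TRUSTEE_IS_GROUP, sidLocalSystem);
    CTrustee trCreatorOwner(TRUSTEE_IS_GROUP, sidCreatorOwner);
    // NOTE(review): constructed even when pszAccount is NULL; it is only
    // added to the list below when pszAccount is non-NULL. Confirm that
    // CTrustee tolerates a NULL name.
    CTrustee trSpecialAccount(TRUSTEE_IS_USER, pszAccount);

    // NOTE(review): up to seven entries are written; assumes
    // MAX_DACL_LEN >= 7 -- confirm against its definition.
    EXPLICIT_ACCESS ea[MAX_DACL_LEN];
    DWORD dwInherit = SUB_CONTAINERS_AND_OBJECTS_INHERIT;
    int iCount = 0;

    ea[iCount++] = CExplicitAccess(KEY_READ, SET_ACCESS, dwInherit, trEveryone);
    ea[iCount++] = CExplicitAccess(KEY_READ, SET_ACCESS, dwInherit, trLocalUsers);
    ea[iCount++] = CExplicitAccess(KEY_READ, SET_ACCESS, dwInherit, trPowerUsers);
    ea[iCount++] = CExplicitAccess(KEY_ALL_ACCESS, SET_ACCESS, dwInherit, trAdmins);
    ea[iCount++] = CExplicitAccess(KEY_ALL_ACCESS, SET_ACCESS, dwInherit, trLocalSystem);
    // An inheritable CREATOR OWNER entry gives whoever creates a subkey full
    // control over that subkey.
    ea[iCount++] = CExplicitAccess(KEY_ALL_ACCESS, SET_ACCESS, dwInherit, trCreatorOwner);
    if (pszAccount) {
        ea[iCount++] = CExplicitAccess(KEY_ALL_ACCESS, SET_ACCESS, dwInherit, trSpecialAccount);
    }

    int ii;
    printf("the EA we created\n");
    printf("oea has %d entries\n", iCount);
    for (ii = 0; ii < iCount; ii++) {
        if (VERBOSE) printf("\nea[%d]:", ii);
        PrintEA(ea[ii], VERBOSE);
    }

    // Create a new ACL and set the EA entries in it
    CAcl acl;
    if (acl.SetEntriesInAcl(iCount, ea) != ERROR_SUCCESS) {
        printf("SetEntriesInAcl failed\n");
        return;
    }

    // Initialize a security descriptor and add our ACL to it
    CSecurityDescriptor sd;
    BOOL bIsPresent = FALSE;
    BOOL bIsDefaulted = FALSE;
    PACL oldDacl = NULL;

#if DIAG
    printf("the ACL we created\n");
    PrintPACL(acl, VERBOSE); // test by printing the one we created first
#endif

    bIsPresent = FALSE;
    sd.GetSecurityDescriptorDacl(&bIsPresent, &oldDacl, &bIsDefaulted);
#if DIAG
    if (bIsPresent) {
        printf("\nthe ACL initialized by the sd");
        printf("initial descriptor defaulted? %s\n",
               bIsDefaulted ? "true" : "false");
        PrintPACL(oldDacl, VERBOSE);
    }
#endif

    if (!sd.SetSecurityDescriptorDacl(TRUE, acl, FALSE)) {
        printf("SetSecurityDescriptorDacl failed\n");
        return;
    }

    bIsPresent = FALSE;
    sd.GetSecurityDescriptorDacl(&bIsPresent, &oldDacl, &bIsDefaulted);
#if DIAG
    if (bIsPresent) {
        printf("\nthe sd ACL modified by our ACL");
        printf("initial descriptor defaulted? %s\n",
               bIsDefaulted ? "true" : "false");
        PrintPACL(oldDacl, VERBOSE);
    }
#endif

    printf("open key %s\n", szKeyName);

    // Reading and replacing a DACL needs READ_CONTROL and WRITE_DAC only, so
    // the handle is not opened with KEY_ALL_ACCESS.
    HKEY hkey;
    const LONG lOpen = RegOpenKeyEx(HKEY_LOCAL_MACHINE, szKeyName, 0,
                                    READ_CONTROL | WRITE_DAC, &hkey);
    if (lOpen != ERROR_SUCCESS) {
        printf("RegOpenKeyEx failed, error %ld\n", lOpen);
        return;
    }

    unsigned long buf[1024];
    DWORD bufsize = sizeof(buf);

    // Dump the DACL the key has before the change.
    if (::RegGetKeySecurity(hkey, DACL_SECURITY_INFORMATION, &buf[0],
                            &bufsize) == ERROR_SUCCESS) {
        PSECURITY_DESCRIPTOR psd = (PSECURITY_DESCRIPTOR) buf;
        bIsPresent = FALSE;
        GetSecurityDescriptorDacl(psd, &bIsPresent, &oldDacl, &bIsDefaulted);
#if DIAG
        if (bIsPresent) {
            printf("\nthe original key sd ACL\n");
            printf("initial descriptor defaulted? %s\n",
                   bIsDefaulted ? "true" : "false");
            PrintPACL(oldDacl, VERBOSE);
        }
#endif
    }

    // NOTE(review): RegSetKeySecurity stores the descriptor on this key only.
    // It does not push the inheritable entries down to subkeys that already
    // exist, so their DACLs (and any Power Users write entry in them) are
    // left as they were. To lock down an existing tree, either apply the
    // DACL to every subkey (RegEnumKeyEx walk) or set it with
    // SetSecurityInfo / SetNamedSecurityInfo and
    // PROTECTED_DACL_SECURITY_INFORMATION, which propagates inheritable
    // entries to existing children. Explicit entries already on a subkey are
    // not removed by propagation and have to be cleared separately.
    const LONG lSet = RegSetKeySecurity(hkey, DACL_SECURITY_INFORMATION, sd);
    if (lSet != ERROR_SUCCESS) {
        // Without this check a denied or failed update looks like success.
        printf("RegSetKeySecurity failed, error %ld\n", lSet);
    }

    // Read the DACL back so the result can be compared with what was asked.
    bufsize = sizeof(buf);
    if (::RegGetKeySecurity(hkey, DACL_SECURITY_INFORMATION, &buf[0],
                            &bufsize) == ERROR_SUCCESS) {
        PSECURITY_DESCRIPTOR psd = (PSECURITY_DESCRIPTOR) buf;
        bIsPresent = FALSE;
        GetSecurityDescriptorDacl(psd, &bIsPresent, &oldDacl, &bIsDefaulted);
#if DIAG
        if (bIsPresent) {
            printf("\nthe key sd ACL modified by our ACL\n");
            printf("initial descriptor defaulted? %s\n",
                   bIsDefaulted ? "true" : "false");
            PrintPACL(oldDacl, VERBOSE);
        }
#endif
    }

    RegCloseKey(hkey);
}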