Win32 |
delovski
Joined: 14 Jun 2006 Posts: 3524 Location: Zagreb
|
Posted: Sat Jun 17, 2006 2:21 pm Post subject: Permissions in Windows |
|
|
At Joel: Permissions in Windows
"Every process in Windows runs as a user. What the process can do is by
and large what the user can do."
"There are two kinds of permissions in Windows: resource permissions and
policies. Resource permissions are associated with resources such as files,
directories, printers etc. There are typically several levels of resource
permissions, for example Modify, Write and Read on files and directories.
Policies are simple rules saying "X can(not) be done" or "X can(not) be
done by Y". There are no levels involved in policies." |
|
delovski
Joined: 14 Jun 2006 Posts: 3524 Location: Zagreb
|
Posted: Wed Jul 05, 2006 1:22 am Post subject: Security |
|
|
Old New Thing: Security: Don't forget to initialize the stuff you don't care about
"Everybody should by now be familiar with the use of the
SecureZeroMemory function to ensure that buffers that used to contain
sensitive information are erased, but you also have to zero out buffers
before you write their contents to another location." |
|
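The point quoted above about zeroing a buffer before its contents are written elsewhere, as an added example that is not part of the thread or of the linked article. The `record` layout, the function names and the `'S'` fill that stands in for old memory contents are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical record that gets written to a file or sent to a peer. */
typedef struct { char name[16]; uint32_t id; } record;

#define STALE 'S'   /* constructed marker for whatever the memory held before */

/* Simulates reusing memory that earlier held sensitive data. */
static void simulate_reuse(record *r) { memset(r, STALE, sizeof *r); }

/* Sets only the fields the caller cares about. The bytes after the
   name's terminating NUL keep their old contents. */
void build_record_leaky(record *r, const char *name, uint32_t id) {
    size_t n = strlen(name);
    if (n >= sizeof r->name) n = sizeof r->name - 1;   /* truncate, keep room for NUL */
    memcpy(r->name, name, n);
    r->name[n] = '\0';
    r->id = id;
}

/* Zeroes the whole object first, so unused bytes carry nothing.
   Plain memset is enough here because the buffer is read afterwards. */
void build_record_zeroed(record *r, const char *name, uint32_t id) {
    memset(r, 0, sizeof *r);
    build_record_leaky(r, name, id);
}

/* Counts stale bytes in the exact byte image that would be written out. */
size_t stale_bytes(const record *r) {
    const unsigned char *p = (const unsigned char *)r;
    size_t n = 0;
    for (size_t i = 0; i < sizeof *r; i++)
        if (p[i] == STALE) n++;
    return n;
}

/* Same constructed input ("bob", 7) through both variants. */
size_t demo_leaky(void)  { record r; simulate_reuse(&r); build_record_leaky(&r, "bob", 7);  return stale_bytes(&r); }
size_t demo_zeroed(void) { record r; simulate_reuse(&r); build_record_zeroed(&r, "bob", 7); return stale_bytes(&r); }

int main(void) {
    printf("leaky:  %zu stale bytes\n", demo_leaky());
    printf("zeroed: %zu stale bytes\n", demo_zeroed());
    return 0;
}
```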
XNote Kapetan
Joined: 16 Jun 2006 Posts: 532
|
Posted: Thu Jul 06, 2006 12:32 am Post subject: Run As |
|
|
CodeGuru: GUI-Based RunAsEx
Environment: Win2K+ ONLY, VC6+, MS SDK (Platform SDK), DDK for Win2K+, Process Explorer, Local Administrator Identity
Prerequisite Knowledge: Win2K Security stuff (SID, Token, ACL, Privilege, WinStation/Desktop, and so on), NT Service, SEH |
|
Ike Kapetan
Joined: 17 Jun 2006 Posts: 3146 Location: Europe
|
|
XNote Kapetan
Joined: 16 Jun 2006 Posts: 532
|
Posted: Sat Jul 22, 2006 12:03 am Post subject: |
|
|
Same place, The Code Project, a bit older article, but much shorter:
Using Access Control Lists to secure access to your objects,
by Rob Manderson
"However, Windows NT and descendant operating systems do
provide a pretty good level of security if we're prepared to use it."
|
delovski
Joined: 14 Jun 2006 Posts: 3524 Location: Zagreb
|
Posted: Sat Jul 22, 2006 11:47 am Post subject: |
|
|
Larry Osterman: Security Terms
"I’ve got a bunch of security-related articles that I’d like to write up, but
I’ve realized that doing this requires that I define some terms up front to
give a common framework for the articles. I’ll be using this post as a
reference for these posts in the future." |
|
Marko Guest
|
|
delovski
Joined: 14 Jun 2006 Posts: 3524 Location: Zagreb
|
Posted: Mon Aug 28, 2006 8:52 pm Post subject: |
|
|
RC: Moving a file does not recalculate inherited permissions
"When you move a file across volumes with the MOVEFILE_COPY_ALLOWED
flag, you're saying that "move the file if possible; if not, then convert it to a
copy/delete operation". The copy operation creates a new file, which
means that inheritable properties on the destination folder do take effect.
But only if the file motion crosses volumes. If you're moving the file within
the same volume, then the ACL remains unchanged. How confusing. When
you pass the MOVEFILE_COPY_ALLOWED flag, you lose control of the ACL.
(You actually lose control of much more than just the ACL. Since the file is
being copied, none of the attributes from the original file are kept on the
copy. The copy inherits its encryption and compression status from the new
parent directory. The copy also gets a new owner, which has follow-on
consequences for things like disk quota.)" |
|
Igor Guest
|
Posted: Mon Oct 02, 2006 8:34 pm Post subject: NetUserGetInfo |
|
|
msdn: NetUserGetInfo, NetUserSetInfo and NetUserEnum!
struct USER_INFO_1:
Code:
    /* Declared in <lmaccess.h> (pulled in by <lm.h>) */
    typedef struct _USER_INFO_1 {
        LPWSTR usri1_name;
        LPWSTR usri1_password;
        DWORD  usri1_password_age;
        DWORD  usri1_priv;          /* USER_PRIV_GUEST, USER_PRIV_USER or USER_PRIV_ADMIN */
        LPWSTR usri1_home_dir;
        LPWSTR usri1_comment;
        DWORD  usri1_flags;
        LPWSTR usri1_script_path;
    } USER_INFO_1, *PUSER_INFO_1, *LPUSER_INFO_1;
usri1_priv - Specifies a DWORD value that indicates the level of
privilege assigned to the usri1_name member: USER_PRIV_GUEST,
USER_PRIV_USER, USER_PRIV_ADMIN.
|
delovski
Joined: 14 Jun 2006 Posts: 3524 Location: Zagreb
|
Posted: Mon Oct 09, 2006 1:03 pm Post subject: |
|
|
Mark Russinovich: The Case of the Notepad that Wouldn't Run
"UAC allows for users, even administrators, to run as standard users
most of the time, while giving them the ability to run executables with
administrator rights when necessary. There are several mechanisms by
which executables can trigger a request for administrator rights:
* If the executable image includes a Vista manifest file that specifies a
desire or need for administrator rights (this would be added by the
developer who creates the image).
* If the executable is in Vista’s application compatibility database as a
legacy application that Microsoft has identified as requiring administrator
rights to run correctly.
* If the user explicitly requests an elevation using Explorer’s “Run as
administrator” menu item in the context menu for executables (also can
be set as an advanced shortcut property). Note that this does not run the
executable under the Administrator account, but rather under the account
of the logged in user, but with the Administrator group enabled in the
process security token.
* If the executable is determined to be a setup or installer program (for
example, if the word “setup” or “update” is in the image’s name)." |
|
delovski
Joined: 14 Jun 2006 Posts: 3524 Location: Zagreb
|
Posted: Wed Feb 07, 2007 10:20 am Post subject: |
|
|
Ask Vista for system privileges
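Uwe: "Self restart your application by means of ShellExecute and the "runas" parameter:"
Code:
    /* Fragment from WinMain (uses its lpCmdLine and nCmdShow).
       IsUserAnAdmin is declared in <shlobj.h>, ShellExecute in <shellapi.h>. */
    if ( ! IsUserAnAdmin() ) {
        char szAppPath[MAX_PATH];
        /* Full path of the running executable */
        GetModuleFileName(NULL, szAppPath, MAX_PATH);
        /* The "runas" verb relaunches it with a request for elevation */
        ShellExecute(NULL, "runas", szAppPath, lpCmdLine, NULL, nCmdShow);
        return 1;   /* exit the non-elevated instance */
    }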
|
|
Ike Kapetan
Joined: 17 Jun 2006 Posts: 3146 Location: Europe
|
Posted: Thu Mar 15, 2007 4:39 pm Post subject: |
|
|
Digg: Gain control of those "Access Denied" Folders in Windows
"This is a short guide to help gain ownership of a folder that gives you those
annoying "Access denied" messages on your own Windows system. This
will reassign the ownership of the blocked folder giving you complete access
to whatever you want, giving control back to you!" |
|
delovski
Joined: 14 Jun 2006 Posts: 3524 Location: Zagreb
|
Posted: Tue May 08, 2007 8:42 pm Post subject: |
|
|
OldNewThing: The administrator is an idiot
"Pre-3.7 versions of WinRAR weren't Vista compatible; upgrade. Vista-compatible
programs will tell the OS if and when they really need admin
privs, and extracting files should not be among these times (exception: if
it's extracting to Program Files or a system folder, then yes, it will need
admin privs, for obvious reasons)."
|
delovski
Joined: 14 Jun 2006 Posts: 3524 Location: Zagreb
|
|
Ike Kapetan
Joined: 17 Jun 2006 Posts: 3146 Location: Europe
|
Posted: Sun May 20, 2007 7:21 pm Post subject: |
|
|
JoS: Permissions & Vista
"Is there an API that I can run to elevate privileges mid-way through my app?" |
|
Ike Kapetan
Joined: 17 Jun 2006 Posts: 3146 Location: Europe
|
Posted: Fri Jun 08, 2007 5:50 pm Post subject: |
|
|
RC: Why does canonical order for ACEs put deny ACEs ahead of allow ACEs?
"In words, we go through the ACEs in the ACL in the order they appear, paying
attention only to the ones that apply to the user, i.e. the ones whose SIDs are
present in the user's token. If a permission is being denied, and the user is still
looking for that permission, then access is denied. If a permission is being
granted, then those permissions are subtracted from the permissions the user
is still looking for. If, at the end of the day, all the permissions the user requests
have been granted, then access is granted." |
|
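The ACE walk quoted above, as an added example that is not part of the thread or of the linked post: a toy access check in portable C, run over the same two ACEs in canonical and non-canonical order. The types, SID numbers and right bits are assumptions made for the illustration, not Win32 definitions.

```c
#include <stdio.h>
#include <stddef.h>

/* Toy model with assumed names (not Win32 types): SIDs are ints, rights are bit flags. */
enum { R_READ = 1, R_WRITE = 2 };
enum { SID_ALICE = 100, SID_USERS = 200, SID_CONTRACTORS = 300 };  /* constructed */
typedef enum { ACE_ALLOW, ACE_DENY } ace_type;
typedef struct { ace_type type; int sid; unsigned mask; } ace;

static int token_has_sid(const int *sids, size_t n, int sid) {
    for (size_t i = 0; i < n; i++)
        if (sids[i] == sid) return 1;
    return 0;
}

/* Walk the ACEs in stored order, as the quoted description does.
   Returns 1 only if every requested right is granted before an
   applicable deny ACE hits a right that is still outstanding. */
int access_check(const ace *acl, size_t n_aces,
                 const int *sids, size_t n_sids, unsigned desired) {
    unsigned remaining = desired;
    for (size_t i = 0; i < n_aces && remaining != 0; i++) {
        if (!token_has_sid(sids, n_sids, acl[i].sid))
            continue;                          /* ACE does not apply to this token */
        if (acl[i].type == ACE_DENY) {
            if (acl[i].mask & remaining)
                return 0;                      /* denied while still looking for it */
        } else {
            remaining &= ~acl[i].mask;         /* granted, stop looking for these */
        }
    }
    return remaining == 0;
}

/* Constructed sample data: the same two ACEs in both orders. */
const int alice_token[] = { SID_ALICE, SID_USERS, SID_CONTRACTORS };
const ace canonical[]     = { { ACE_DENY,  SID_CONTRACTORS, R_WRITE },
                              { ACE_ALLOW, SID_USERS, R_READ | R_WRITE } };
const ace non_canonical[] = { { ACE_ALLOW, SID_USERS, R_READ | R_WRITE },
                              { ACE_DENY,  SID_CONTRACTORS, R_WRITE } };

int main(void) {
    printf("canonical, write:     %d\n", access_check(canonical, 2, alice_token, 3, R_WRITE));
    printf("canonical, read:      %d\n", access_check(canonical, 2, alice_token, 3, R_READ));
    printf("non-canonical, write: %d\n", access_check(non_canonical, 2, alice_token, 3, R_WRITE));
    return 0;
}
```

With the allow ACE stored first, the write request is satisfied before the deny ACE is ever examined, which is why the deny entry only takes effect in the canonical order.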
Ike Kapetan
Joined: 17 Jun 2006 Posts: 3146 Location: Europe
|
Posted: Thu Jul 26, 2007 6:11 pm Post subject: |
|
|
RC: How do the names in the file security dialog map to access control masks?
"When you call up the file security dialog, you'll see options like "Full Control"
and "Read and Execute". That's really nice as friendly names go, but when
you're digging into the security descriptor, you may need to know what those
permissions really map to when it comes down to bits." |
|
XNote Kapetan
Joined: 16 Jun 2006 Posts: 532
|
|
delovski
Joined: 14 Jun 2006 Posts: 3524 Location: Zagreb
|
Posted: Wed Jan 30, 2008 9:00 pm Post subject: |
|
|
JoS: Program Installation on Vista with UAC
"The first time I noticed this was after installing a game (Rise of Legends). I
played the campaign for a bit, then quit. The next time I went to play, the
game acted like I had just started it for the first time, and I couldn't find my
saved game." |
|
Ike Kapetan
Joined: 17 Jun 2006 Posts: 3146 Location: Europe
|
Posted: Mon Sep 29, 2008 6:35 pm Post subject: |
|
|
RC: Anybody can make up a generic mapping
"Each component that uses ACLs to control access has its own idea of what
GENERIC_READ, GENERIC_WRITE, and GENERIC_EXECUTE mean. It's not
like there's a master list that somebody can make that lists them all, because
I can make up a new one right here." |
|
delovski
Joined: 14 Jun 2006 Posts: 3524 Location: Zagreb
|
|
Ike Kapetan
Joined: 17 Jun 2006 Posts: 3146 Location: Europe
|