Try adding this line after you initialize the security descriptor:
SetSecurityDescriptorDacl(&sd, TRUE, (PACL) NULL, FALSE);
Regards,
Will
The only (apparent) effect of the SetSecurityDescriptorDacl call is to set
the Control field on the SD to SE_DACL_PRESENT. The documentation for this
flag says "Indicates a security descriptor that has a DACL. If this flag is
not set, or if this flag is set and the DACL is NULL, the security
descriptor allows full access to everyone." Previously the flag was not
set, and now it is set but the DACL is NULL. It looks a bit like the first
clause quoted from the docs is incorrect, and that "if this flag is not set"
is not sufficient to grant access to everyone.
Thanks very much for the help.
"William DePalo [MVP VC++ ]" <depalow...@compuserve.com> wrote in
message news:#67vNnS2...@TK2MSFTNGP11.phx.gbl...
You are welcome.
> The only (apparent) effect of the SetSecurityDescriptorDacl call is to set
> the Control field on the SD to SE_DACL_PRESENT. The documentation for this
> flag says "Indicates a security descriptor that has a DACL. If this flag is
> not set, or if this flag is set and the DACL is NULL, the security
> descriptor allows full access to everyone." Previously the flag was not
> set, and now it is set but the DACL is NULL. It looks a bit like the first
> clause quoted from the docs is incorrect, and that "if this flag is not set"
> is not sufficient to grant access to everyone.
To those of us (me included) who don't "major in security" it is confusing.
As I understand it, the issue is that there is a difference between a NULL
DACL present and an empty DACL. I took this from an article in the MSDN on security
by Ruediger Asche:
"The semantics of ACLs leave wide room for variation, so this behavior can
be implemented in several ways. By convention, an SD that has a NULL DACL is
unprotected (that is, every attempt to access the object that is associated
with the SD will succeed), whereas an SD with a DACL that is empty (it has
no ACEs) is fully protected (that is, access to the object associated with
the SD will fail)."
Regards,
Will
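
The NULL-versus-empty DACL convention quoted from the Asche article, as an added example that is not part of any post in this thread: a simplified, portable C model of the access check, not the Win32 structures or API. The types, the integer stand-ins for SIDs and the rights bits are constructed for illustration, and the model only covers a descriptor whose DACL is marked present.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model for illustration; these are not the Win32 ACL/ACE types. */
typedef enum { ACE_ALLOW, ACE_DENY } ace_type;
typedef struct { ace_type type; int sid; uint32_t mask; } ace;
typedef struct { size_t count; const ace *aces; } dacl;

enum { RIGHT_READ = 0x1, RIGHT_WRITE = 0x2 };  /* constructed rights bits */
enum { SID_ALICE = 1, SID_BOB = 2 };           /* constructed SID stand-ins */

/* Constructed sample data: a DACL with ACEs, and a DACL with none. */
static const ace sample_aces[] = {
    { ACE_DENY,  SID_BOB,   RIGHT_WRITE },
    { ACE_ALLOW, SID_ALICE, RIGHT_READ | RIGHT_WRITE },
    { ACE_ALLOW, SID_BOB,   RIGHT_READ },
};
static const dacl empty_dacl  = { 0, NULL };
static const dacl sample_dacl = { 3, sample_aces };

/* Returns 1 if every bit in `desired` is granted to `sid`, else 0.
 * `d` is the DACL pointer of a descriptor with the DACL-present flag set. */
int access_check(const dacl *d, int sid, uint32_t desired)
{
    if (d == NULL)                 /* NULL DACL: object is unprotected */
        return 1;
    uint32_t granted = 0;
    for (size_t i = 0; i < d->count; i++) {   /* ACEs are checked in order */
        const ace *a = &d->aces[i];
        if (a->sid != sid)
            continue;
        if (a->type == ACE_DENY && (a->mask & desired & ~granted))
            return 0;              /* a requested right is explicitly denied */
        if (a->type == ACE_ALLOW)
            granted |= a->mask;
        if ((granted & desired) == desired)
            return 1;
    }
    return 0;  /* end of list: an empty DACL always ends here, so it denies */
}

int main(void)
{
    printf("NULL DACL:  %d\n", access_check(NULL, SID_BOB, RIGHT_WRITE));
    printf("empty DACL: %d\n", access_check(&empty_dacl, SID_ALICE, RIGHT_READ));
    printf("with ACEs:  %d\n", access_check(&sample_dacl, SID_BOB, RIGHT_READ));
    return 0;
}
```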