diff --git a/checkin_notes b/checkin_notes index 4d5d0d853c..ed3724dd7f 100644 --- a/checkin_notes +++ b/checkin_notes @@ -2257,3 +2257,12 @@ Charlie Mar 11 2008 (HEAD) / configure.ac version.h + +Rom Mar 11 2008 + - CLI: Adjust the shared memory ACLs so that everybody can read/write to + them, the default ACL limits read/write access to SYSTEM and boinc_master + when run in secure mode. + + lib/ + boinc_win.h + shmem.C diff --git a/lib/boinc_win.h b/lib/boinc_win.h index 08dbd76cbf..d3f9d05e8e 100644 --- a/lib/boinc_win.h +++ b/lib/boinc_win.h @@ -73,6 +73,7 @@ #include #include #include +#include #if !defined(__CYGWIN32__) || defined(USE_WINSOCK) diff --git a/lib/shmem.C b/lib/shmem.C index 9a337ceedb..97a41feedd 100644 --- a/lib/shmem.C +++ b/lib/shmem.C @@ -65,15 +65,76 @@ extern "C" int debug_printf(const char *fmt, ...); #ifdef _WIN32 HANDLE create_shmem(LPCTSTR seg_name, int size, void** pp, bool disable_mapview) { - SECURITY_ATTRIBUTES security; - HANDLE hMap; + HANDLE hMap = NULL; DWORD dwError = 0; + DWORD dwRes; + PSID pEveryoneSID = NULL; + PACL pACL = NULL; + PSECURITY_DESCRIPTOR pSD = NULL; + EXPLICIT_ACCESS ea; + SID_IDENTIFIER_AUTHORITY SIDAuthWorld = SECURITY_WORLD_SID_AUTHORITY; + SECURITY_ATTRIBUTES sa; - security.nLength = sizeof(security); - security.lpSecurityDescriptor = NULL; - security.bInheritHandle = TRUE; + // Create a well-known SID for the Everyone group. + if(!AllocateAndInitializeSid(&SIDAuthWorld, 1, + SECURITY_WORLD_RID, + 0, 0, 0, 0, 0, 0, 0, + &pEveryoneSID)) + { + fprintf(stderr, "AllocateAndInitializeSid Error %u\n", GetLastError()); + goto Cleanup; + } - hMap = CreateFileMapping(INVALID_HANDLE_VALUE, &security, PAGE_READWRITE, 0, size, seg_name); + // Initialize an EXPLICIT_ACCESS structure for an ACE. + // The ACE will allow Everyone all access to the shared memory object. + ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS)); + ea.grfAccessPermissions = FILE_MAP_ALL_ACCESS; + ea.grfAccessMode = SET_ACCESS; + ea.grfInheritance= NO_INHERITANCE; + ea.Trustee.TrusteeForm = TRUSTEE_IS_SID; + ea.Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP; + ea.Trustee.ptstrName = (LPTSTR) pEveryoneSID; + + // Create a new ACL that contains the new ACEs. + dwRes = SetEntriesInAcl(1, &ea, NULL, &pACL); + if (ERROR_SUCCESS != dwRes) + { + fprintf(stderr, "SetEntriesInAcl Error %u\n", GetLastError()); + goto Cleanup; + } + + // Initialize a security descriptor. + pSD = (PSECURITY_DESCRIPTOR) LocalAlloc(LPTR, SECURITY_DESCRIPTOR_MIN_LENGTH); + if (NULL == pSD) + { + fprintf(stderr, "LocalAlloc Error %u\n", GetLastError()); + goto Cleanup; + } + + if (!InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION)) + { + fprintf(stderr, "InitializeSecurityDescriptor Error %u\n", GetLastError()); + goto Cleanup; + } + + // Add the ACL to the security descriptor. + if (!SetSecurityDescriptorDacl(pSD, + TRUE, // bDaclPresent flag + pACL, + FALSE)) // not a default DACL + { + fprintf(stderr, "SetSecurityDescriptorDacl Error %u\n", GetLastError()); + goto Cleanup; + } + + // Initialize a security attributes structure. + sa.nLength = sizeof (SECURITY_ATTRIBUTES); + sa.lpSecurityDescriptor = pSD; + sa.bInheritHandle = FALSE; + + // Use the security attributes to set the security descriptor + // when you create a shared file mapping. + hMap = CreateFileMapping(INVALID_HANDLE_VALUE, &sa, PAGE_READWRITE, 0, size, seg_name); dwError = GetLastError(); if (disable_mapview && (NULL != hMap) && (ERROR_ALREADY_EXISTS == dwError)) { CloseHandle(hMap); @@ -84,6 +145,15 @@ HANDLE create_shmem(LPCTSTR seg_name, int size, void** pp, bool disable_mapview) *pp = MapViewOfFile( hMap, FILE_MAP_ALL_ACCESS, 0, 0, 0 ); } +Cleanup: + + if (pEveryoneSID) + FreeSid(pEveryoneSID); + if (pACL) + LocalFree(pACL); + if (pSD) + LocalFree(pSD); + return hMap; }