HOWTO: Share Objects with a Service

ID: Q106387


The information in this article applies to:
  • Microsoft Win32 Application Programming Interface (API), used with:
    • Microsoft Windows NT versions 3.1, 3.5
    • Microsoft Windows 2000


SUMMARY

To share objects (file mapping, synchronization, and so forth) created by a service, you must place a null DACL (discretionary access-control list) in the security descriptor field when the object is created. This grants everyone access to the object.


MORE INFORMATION

A null DACL is not the same as passing NULL in place of the security descriptor, which specifies the default security descriptor. For example, the following code can be used to create a mutex with a null DACL:


   #include <windows.h>

   // Error(...) stands for the application's own error handling.

   PSECURITY_DESCRIPTOR    pSD;
   SECURITY_ATTRIBUTES     sa;
   HANDLE                  mutex;

   // Allocate zero-initialized storage for the security descriptor.
   pSD = (PSECURITY_DESCRIPTOR) LocalAlloc( LPTR,
                  SECURITY_DESCRIPTOR_MIN_LENGTH);

   if (pSD == NULL)
   {
      Error(...);
   }

   if (!InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION))
   {
      Error(...);
   }

   // Add a null DACL to the security descriptor: the DACL is marked
   // present (TRUE) but the ACL pointer itself is NULL.

   if (!SetSecurityDescriptorDacl(pSD, TRUE, (PACL) NULL, FALSE))
   {
      Error(...);
   }

   sa.nLength = sizeof(sa);
   sa.lpSecurityDescriptor = pSD;
   sa.bInheritHandle = TRUE;

   // Pass &sa rather than NULL so the mutex gets the null DACL
   // instead of the default security descriptor.
   mutex = CreateMutex( &sa, FALSE, "SOMENAME" );

If you are creating one of these objects in an application and the object will be shared with a service, you could also use a null DACL to grant everyone access. As an alternative, you could add an access-control entry (ACE) to the DACL that grants access to the user account that the service is running under. This would restrict access to the object to the service.

For a more detailed example, please see the SERVICES sample.
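
The following is an added example, not code from this article or from the SERVICES sample. It is portable C that reads a self-relative security descriptor (for instance one saved while auditing an object) and reports whether its DACL is absent, null, empty, or populated, which makes the difference between a null DACL and the other cases checkable. The function name, the enum and the sample byte arrays are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Field layout of a self-relative SECURITY_DESCRIPTOR and an ACL header. */
#define SE_DACL_PRESENT  0x0004u
#define SE_SELF_RELATIVE 0x8000u
#define SD_HEADER_LEN    20u   /* Revision, Sbz1, Control, 4 x 32-bit offsets */
#define ACL_HEADER_LEN   8u    /* AclRevision, Sbz1, AclSize, AceCount, Sbz2 */

/* Names below are hypothetical, chosen for this example. */
enum dacl_state { SD_INVALID, DACL_ABSENT, DACL_NULL, DACL_EMPTY, DACL_HAS_ACES };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

enum dacl_state classify_dacl(const uint8_t *sd, size_t len)
{
    if (sd == NULL || len < SD_HEADER_LEN || sd[0] != 1)   /* Revision is 1 */
        return SD_INVALID;
    uint16_t control = rd16(sd + 2);
    uint32_t dacl_off = rd32(sd + 16);                     /* OffsetDacl */
    if (!(control & SE_SELF_RELATIVE)) return SD_INVALID;  /* absolute form holds pointers */
    if (!(control & SE_DACL_PRESENT))  return DACL_ABSENT; /* descriptor carries no DACL */
    if (dacl_off == 0)                 return DACL_NULL;   /* present but NULL: everyone gets access */
    if (dacl_off < SD_HEADER_LEN || dacl_off > len || len - dacl_off < ACL_HEADER_LEN)
        return SD_INVALID;                                 /* ACL header falls outside the buffer */
    return rd16(sd + dacl_off + 4) == 0 ? DACL_EMPTY       /* zero ACEs: nobody gets access */
                                        : DACL_HAS_ACES;
}

/* Constructed sample descriptors (little-endian), not captured from a real system. */
const uint8_t SD_NULL_DACL[20]  = { 1,0, 0x04,0x80 };      /* DACL present, OffsetDacl = 0 */
const uint8_t SD_NO_DACL[20]    = { 1,0, 0x00,0x80 };      /* SE_DACL_PRESENT clear */
const uint8_t SD_EMPTY_DACL[28] = { 1,0, 0x04,0x80, 0,0,0,0, 0,0,0,0, 0,0,0,0, 20,0,0,0,
                                    2,0, 8,0, 0,0, 0,0 };  /* ACL with AceCount = 0 */
const uint8_t SD_ONE_ACE[48]    = { 1,0, 0x04,0x80, 0,0,0,0, 0,0,0,0, 0,0,0,0, 20,0,0,0,
                                    2,0, 28,0, 1,0, 0,0,          /* ACL header, AceCount = 1 */
                                    0,0, 20,0, 0x01,0,0x1F,0,     /* allow ACE, constructed mask */
                                    1,1, 0,0,0,0,0,5, 18,0,0,0 }; /* SID S-1-5-18 (LocalSystem) */

int main(void)
{
    /* Exit 0 only if the null-DACL sample is recognised as such. */
    return classify_dacl(SD_NULL_DACL, sizeof SD_NULL_DACL) == DACL_NULL ? 0 : 1;
}
```

An audit that finds DACL_NULL on a shared object has found the configuration the first listing creates; DACL_HAS_ACES is what the ACE-based alternative produces.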

Additional query words: 3.10 3.50

Keywords : kbAccCtrl kbAPI kbKernBase kbWinOS2000 kbSecurity kbService kbDSupport kbGrpKernBase
Version : winnt:3.1,3.5
Platform : winnt
Issue type : kbhowto


Last Reviewed: December 30, 1999
© 2000 Microsoft Corporation. All rights reserved.