Hi,

I need to create pipe between “Service” that runs as a Local System (Session 0) and process that runs in User’s Session.

I’m using Poco::SharedMemory class and I have Access Denied error code when try to access shared memory from process in User’s Session.

According to Microsoft the pointer to appropriate Security Attribute should be passed as a second parameter to “CreateFileMapping” method to
allow process from User’s session access Shared Memory created in Session 0.

The following code in Poco::SharedMemoryImpl explains the limitation of the current implementation.

 

#if defined (POCO_WIN32_UTF8)

                std::wstring utf16name;

                UnicodeConverter::toUTF16(_name, utf16name);

                _memHandle = CreateFileMappingW(INVALID_HANDLE_VALUE, NULL, _mode, 0, _size, utf16name.c_str());

#else

                _memHandle = CreateFileMappingA(INVALID_HANDLE_VALUE, NULL, _mode, 0, _size, _name.c_str());

#endif

 

Is someone tries to address this issue?

 

This is the way how I deal with this.

Added one more constructor to pass Security Descriptor as a string(this parameter could be ignored on other platforms) .

 

SharedMemoryImpl::SharedMemoryImpl(const std::string& name,const std::string& sd, std::size_t size, SharedMemory::AccessMode mode, const void* addrHint, bool server):

                _name(name),

                _memHandle(INVALID_HANDLE_VALUE),

                _fileHandle(INVALID_HANDLE_VALUE),

                _size(static_cast<DWORD>(size)),

                _mode(PAGE_READONLY),

                _address(0)

{

                if (mode == SharedMemory::AM_WRITE)

                                _mode = PAGE_READWRITE;

 

                PSECURITY_DESCRIPTOR securityDesc = NULL;

                BOOL bSucceded = false;

 

#if defined (POCO_WIN32_UTF8)

                std::wstring utf16sd;

                UnicodeConverter::toUTF16(sd, utf16sd);

                bSucceded = ConvertStringSecurityDescriptorToSecurityDescriptorW(utf16sd.c_str(), SDDL_REVISION_1, &securityDesc, NULL);

#else

                bSucceded = ConvertStringSecurityDescriptorToSecurityDescriptorA(sd.c_str(), SDDL_REVISION_1, &securityDesc, NULL);

#endif

 

                if (bSucceded == FALSE)

                {

                                throw SystemException("Cannot create shared memory object. Failed to get security descriptor", _name);

                }

 

                SECURITY_ATTRIBUTES sa;

                sa.bInheritHandle = FALSE;

                sa.lpSecurityDescriptor = securityDesc;

                sa.nLength = sizeof(sa);

               

#if defined (POCO_WIN32_UTF8)

                std::wstring utf16name;

                UnicodeConverter::toUTF16(_name, utf16name);

                _memHandle = CreateFileMappingW(INVALID_HANDLE_VALUE, &sa, _mode, 0, _size, utf16name.c_str());

#else

                _memHandle = CreateFileMappingA(INVALID_HANDLE_VALUE, &sa, _mode, 0, _size, _name.c_str());

#endif

 

                if (!_memHandle)

                                throw SystemException("Cannot create shared memory object", _name);

 

                map();

 

}

 

The same security issue applicable to Poco:: NamedEvent and Poco::NamedMutex classes.

I followed the same approach (pass string representation of security descriptor ).

 

Please advise.

 

Thank you.

 

Gurami Palagashvili

 



The information contained in this email message and its attachments is intended only for the private and confidential use of the recipient(s) named above, unless the sender expressly agrees otherwise. Transmission of email over the Internet is not a secure communications medium. If you are requesting or have requested the transmittal of personal data, as defined in applicable privacy laws by means of email or in an attachment to email, you must select a more secure alternate means of transmittal that supports your obligations to protect such personal data. If the reader of this message is not the intended recipient and/or you have received this email in error, you must take no action based on the information in this email and you are hereby notified that any dissemination, misuse or copying or disclosure of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by email and delete the original message.