How do I create a NULL/empty DACL?

Asked 24/1, 2013 at 13:26 Answered 19/2, 2022 at 20:51

I need to grant access to everyone for a named pipe I'm creating. I understand the way to do it is to create a NULL/empty DACL and pass it to CreateNamedPipe.

How do I create a NULL DACL? I was told that it is not the same as passing a NULL pointer for LPSECURITY_ATTRIBUTES.

Melanymelaphyre answered 24/1, 2013 at 13:26 Comment(0)

Like this:

SECURITY_DESCRIPTOR SD;
InitializeSecurityDescriptor(&SD, SECURITY_DESCRIPTOR_REVISION);
SetSecurityDescriptorDacl(&SD, TRUE, NULL, FALSE);

I omitted error checking for the sake of brevity. You would not do that.

Then when you call CreateNamedPipe you can set up the security attributes record like this:

SA.nLength = sizeof(SA);
SA.lpSecurityDescriptor = &SD;
SA.bInheritHandle = TRUE;

The documentation for SetSecurityDescriptorDacl states:

When the pDacl parameter does not point to a DACL and the bDaclPresent flag is TRUE, a NULL DACL is specified. All access is allowed. You should not use a NULL DACL with an object because any user can change the DACL and owner of the security descriptor. This will interfere with use of the object.

So, the above is how to do it, but the documentation does stress that you should not do so.

Flynn answered 24/1, 2013 at 13:34 Comment(2)

Hm, the part about changing the ownership was a surprise. But in my case it is not a problem, I just need to be able to connect from my exe regardless of the user that runs it, and connecting to the pipe won't let them hack my windows service or anything. But it's still interesting - is possible to grant access to everyone to connect, without allowing them to change ownership? – Melanymelaphyre 24/1, 2013 at 13:55

Yes, then you'd need to use a real DACL. The code in my comment at your previous question explains how I do that. – Flynn 24/1, 2013 at 13:57

Here's the code we use in one of our projects:

SECURITY_DESCRIPTOR  pSD;
SECURITY_ATTRIBUTES  SA;

if(!InitializeSecurityDescriptor(&pSD, SECURITY_DESCRIPTOR_REVISION))
    throw error;
if(!SetSecurityDescriptorDacl(&pSD, true, NULL, false))
    throw error;
SA.nLength = sizeof(SA);
SA.lpSecurityDescriptor = &pSD;
SA.bInheritHandle = true;
pSA = &SA;
...
FMapping = CreateFileMapping(INVALID_HANDLE_VALUE, pSA, PAGE_READWRITE, 0, 4096, p);

This code creates a mapping with access for all

Pothouse answered 24/1, 2013 at 13:36 Comment(1)

Why use a pointer variable (pSA), and not just use address of SA ? – Parmenides 28/4, 2017 at 8:51

My case was somewhat different with Docker container development. I have an existing COM application installed and wanted to create a null DACL via PowerShell. First look up your AppID in Component Services:

Then run the following:

$appid = "{00020906-0000-0000-C000-000000000046}"  
$app = get-wmiobject -query ('SELECT * FROM Win32_DCOMApplicationSetting WHERE AppId = "' + $appid + '"') -enableallprivileges  
$sdRes = $app.GetLaunchSecurityDescriptor()  
$sd = $sdRes.Descriptor  
[System.Management.ManagementBaseObject[]] $newDACL = $null  
$sd.DACL = $newDACL  
$app.SetLaunchSecurityDescriptor($sd)

Now the app (MS Word 97-2003 in this example) is accessible to Everyone, with all the security risks mentioned by other answers and MS documentation.

Side note - use a null DACL in your case rather than empty. Empty DACL blocks permissions for all users: https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/null-and-empty-dacls/ba-p/396323.

Uzia answered 19/2, 2022 at 20:51 Comment(0)

Recommended topics

Hot tags