Incorrect Registry Read Permissions Being Set

delphi package - easy access to security apis

Postby mimar » Sun Mar 26, 2006 12:38 am

It seems setting read permissions on a registry key assigns an incorrect attribute. The KEY_CREATE_LINK is assigned instead of the correct KEY_NOTIFY value.

Is there a possible fix/workaround for this? Can an API be called to resolve the issue, or do we wait for the next madSec update?
mimar
 
Posts: 13
Joined: Sat Jul 16, 2005 2:57 pm

Postby madshi » Mon Mar 27, 2006 9:04 am

Which code are you using to set read permission?
madshi
Site Admin
 
Posts: 9543
Joined: Sun Mar 21, 2004 5:25 pm

Postby mimar » Mon Apr 03, 2006 10:10 pm

I am using the following code:

Code:
var
  acc: IAccount;
  sec: ISecurityObject;

sec := RegistrySecurity(...);
AccountCache_Clear;
acc := Account(...);
sec.DAcl.SetFileAccess(acc, false);
sec.DAcl.Flush;

Postby madshi » Tue Apr 04, 2006 7:31 am

SetFileAccess is meant for file accesses, not for registry key accesses. You should do "DeleteItems(acc)" plus "NewItem(...)" instead. This will remove all old ACEs in the ACL for the specified account and then add one new one with exactly the right combination you want.

Postby mimar » Tue Apr 04, 2006 8:06 am

I just want to be able to set Read and Write access.
Might it be possible for you to post a code snippet for those tasks?

Postby mimar » Tue Apr 04, 2006 8:09 am

I mean, how can I grant a named user Read or Write access to a specified key without damaging existing permissions? (Just like the way the file version works.)

Postby madshi » Tue Apr 04, 2006 8:12 am

I'd suggest this:

Use regedit to set the access rights you want to have. Then use madSecurity to enumerate the ACEs to find out which access rights are needed. Afterwards you can use IACL.AddItem to realize exactly this combination of rights.

I'm sorry, but I'm at work now. I can't do all the work for you! :)

Postby mimar » Tue Apr 04, 2006 9:26 pm

Please, I can find out the required settings myself, but can you show a code snippet so I know what madAPI functions I need to call in which order?

Please :crazy:

Postby madshi » Wed Apr 05, 2006 6:50 am

I already told you. You can use the same code as before, just replace SetFileAccess with "DeleteItems" plus "NewItem".

Postby mimar » Wed Apr 05, 2006 8:12 am

So like this?
Code:
var
  acc: IAccount;
  sec: ISecurityObject;

sec := RegistrySecurity(...);
AccountCache_Clear;
acc := Account(...);
sec.DAcl.DeleteItems(acc);
sec.DAcl.NewItem(...);
sec.DAcl.Flush;


Also, is it the same way then for all other types of permissions? Do we only have pre-built functions for files and printers, and have to use the above method for registry, shares, and services? :crazy:

Postby madshi » Wed Apr 05, 2006 8:50 am

Shares have the same access rights as files/printers. Services and registry have different rights. And yes, the code looks alright to me.
madshi
Site Admin
 
Posts: 9543
Joined: Sun Mar 21, 2004 5:25 pm
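
Added example (not part of the thread and not madSecurity code): a small Delphi console program that decodes an access mask using the registry-key rights from winnt.h, to show why a file-style mask on a key can display KEY_CREATE_LINK and lack KEY_NOTIFY. It assumes, for illustration only, that a file "read" helper writes the standard file read-and-execute mask; the thread does not show what SetFileAccess actually writes. DescribeAsKeyRights and the *_MASK names are introduced here.

```delphi
program DecodeKeyMask;
{$APPTYPE CONSOLE}

uses
  SysUtils;

const
  // Registry-key specific rights (winnt.h), bit 0 to bit 5
  KeyRightNames: array[0..5] of string = (
    'KEY_QUERY_VALUE', 'KEY_SET_VALUE', 'KEY_CREATE_SUB_KEY',
    'KEY_ENUMERATE_SUB_KEYS', 'KEY_NOTIFY', 'KEY_CREATE_LINK');
  // Composite masks (winnt.h); the *_MASK names are local to this example
  KEY_READ_MASK             = $00020019;
  FILE_GENERIC_READ_MASK    = $00120089;
  FILE_GENERIC_EXECUTE_MASK = $001200A0;

// Names the object-specific bits (low 16) of Mask as registry-key rights.
function DescribeAsKeyRights(Mask: Cardinal): string;
var
  i: Integer;
  Rest: Cardinal;
begin
  Result := '';
  Rest := Mask and $FFFF;
  for i := Low(KeyRightNames) to High(KeyRightNames) do
    if (Rest and (Cardinal(1) shl i)) <> 0 then
    begin
      Result := Result + KeyRightNames[i] + ' ';
      Rest := Rest and not (Cardinal(1) shl i);
    end;
  // Bits left over have no name among the six key rights above
  if Rest <> 0 then
    Result := Result + 'other($' + IntToHex(Rest, 4) + ')';
  Result := Trim(Result);
end;

var
  KeyMask, FileMask: Cardinal;
begin
  KeyMask := KEY_READ_MASK;
  // Assumption: a file "read" helper grants file read + execute
  FileMask := FILE_GENERIC_READ_MASK or FILE_GENERIC_EXECUTE_MASK;
  Writeln('KEY_READ          : ', DescribeAsKeyRights(KeyMask));
  Writeln('file read+execute : ', DescribeAsKeyRights(FileMask));
  Writeln('missing from KEY_READ: ', DescribeAsKeyRights(KeyMask and not FileMask));
  Writeln('extra beyond KEY_READ: ', DescribeAsKeyRights(FileMask and not KeyMask));
end.
```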
