
Incorrect Registry Read Permissions Being Set

Posted: Sun Mar 26, 2006 12:38 am
by mimar
It seems setting read permissions on a registry key assigns an incorrect attribute. The KEY_CREATE_LINK is assigned instead of the correct KEY_NOTIFY value.

Is there a possible fix/workaround for this? Can an API be called to resolve the issue, or do we wait for the next madSec update?

Posted: Mon Mar 27, 2006 9:04 am
by madshi
Which code are you using to set read permission?

Posted: Mon Apr 03, 2006 10:10 pm
by mimar
I am using the following code:


var
  acc: IAccount;
  sec: ISecurityObject;

sec := RegistrySecurity(...);
AccountCache_Clear;
acc := Account(...);
sec.DAcl.SetFileAccess(acc, false);  // file-access helper applied to a registry key
sec.DAcl.Flush;

Posted: Tue Apr 04, 2006 7:31 am
by madshi
SetFileAccess is meant for file accesses, not for registry key accesses. You should do "DeleteItems(acc)" plus "NewItem(...)" instead. This will remove all old ACEs in the ACL for the specified account and then add one new one with exactly the right combination you want.

Posted: Tue Apr 04, 2006 8:06 am
by mimar
I just want to be able to set Read and Write access.
Might it be possible for you to post a code snippet for those tasks?

Posted: Tue Apr 04, 2006 8:09 am
by mimar
I mean, how can I grant a named user Read or Write access to a specified key without damaging existing permissions? (Just like the way the file version works.)

Posted: Tue Apr 04, 2006 8:12 am
by madshi
I'd suggest this:

Use regedit to set the access rights you want to have. Then use madSecurity to enumerate the ACEs to find out which access rights are needed. Afterwards you can use IACL.AddItem to realize exactly this combination of rights.

I'm sorry, but I'm at work now. I can't do all the work for you! :)

Posted: Tue Apr 04, 2006 9:26 pm
by mimar
Please, I can find out the required settings myself, but can you show a code snippet so I know what madAPI functions I need to call in which order?

Please :crazy:

Posted: Wed Apr 05, 2006 6:50 am
by madshi
I already told you. You can use the same code as before, just replace SetFileAccess with "DeleteItems" plus "NewItem".

Posted: Wed Apr 05, 2006 8:12 am
by mimar
So like this?


var
  acc: IAccount;
  sec: ISecurityObject;

sec := RegistrySecurity(...);
AccountCache_Clear;
acc := Account(...);
sec.DAcl.DeleteItems(acc);  // remove the account's existing ACEs
sec.DAcl.NewItem(...);      // add one new ACE with the wanted rights
sec.DAcl.Flush;

Also, is it the same way then for all other types of permissions? Do we have pre-built functions only for files and printers, and have to use the above method for registry, shares, and services? :crazy:

Posted: Wed Apr 05, 2006 8:50 am
by madshi
Shares have identical access rights as files/printers have. Services and registry have different rights. And yes, the code looks alright to me.
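
The symptom in the first post fits how Windows stores an ACE: one 32-bit access mask whose low bits mean different things for files and for registry keys. The following is an added example, not code from the thread or from madSecurity, that decodes the same mask both ways and compares it with KEY_READ. The thread does not state which mask SetFileAccess writes, so the standard file read-and-execute mask is used here as an assumption.

```python
# Added example: one ACE access mask decoded as file rights and as key rights.
# Bit values are the standard Windows SDK (winnt.h) definitions.
FILE_RIGHTS = {0x01: "FILE_READ_DATA", 0x02: "FILE_WRITE_DATA",
               0x04: "FILE_APPEND_DATA", 0x08: "FILE_READ_EA",
               0x10: "FILE_WRITE_EA", 0x20: "FILE_EXECUTE",
               0x40: "FILE_DELETE_CHILD", 0x80: "FILE_READ_ATTRIBUTES",
               0x100: "FILE_WRITE_ATTRIBUTES"}
KEY_RIGHTS = {0x01: "KEY_QUERY_VALUE", 0x02: "KEY_SET_VALUE",
              0x04: "KEY_CREATE_SUB_KEY", 0x08: "KEY_ENUMERATE_SUB_KEYS",
              0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK"}
STANDARD_RIGHTS = {0x010000: "DELETE", 0x020000: "READ_CONTROL",
                   0x040000: "WRITE_DAC", 0x080000: "WRITE_OWNER",
                   0x100000: "SYNCHRONIZE"}

FILE_GENERIC_READ = 0x120089
FILE_GENERIC_EXECUTE = 0x1200A0
KEY_READ = 0x020019

# Assumption: the file helper grants read-and-execute; the thread does not
# state the mask madSecurity actually writes.
ASSUMED_FILE_MASK = FILE_GENERIC_READ | FILE_GENERIC_EXECUTE


def decode(mask, table):
    """Name every bit set in mask using table plus the standard rights."""
    names, rest = [], mask
    for bit, name in {**table, **STANDARD_RIGHTS}.items():
        if mask & bit:
            names.append(name)
            rest &= ~bit
    if rest:  # bits with no meaning for this object type
        names.append(f"unnamed:0x{rest:X}")
    return names


def diff_against(mask, wanted, table):
    """Return (rights missing from mask, rights in mask beyond wanted)."""
    return decode(wanted & ~mask, table), decode(mask & ~wanted, table)


if __name__ == "__main__":
    print("as file:", decode(ASSUMED_FILE_MASK, FILE_RIGHTS))
    print("as key: ", decode(ASSUMED_FILE_MASK, KEY_RIGHTS))
    missing, extra = diff_against(ASSUMED_FILE_MASK, KEY_READ, KEY_RIGHTS)
    print("missing for KEY_READ:", missing)
    print("beyond KEY_READ:     ", extra)
```

Under that assumption the key ACE carries KEY_CREATE_LINK and lacks KEY_NOTIFY, which matches what the first post reports.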