ID: Q106387
3.10 3.50 WINDOWS NT kbprg
The information in this article applies to:
- Microsoft Windows NT versions 3.1 and 3.5
To share objects (file mapping, synchronization, and so forth) created by a service, you must place a null DACL (discretionary access-control list) in the security descriptor when the object is created. This grants everyone access to the object. Because no DACL is present, nothing restricts the access a caller can request, including the right to change the object's DACL or owner.
A null DACL is not the same as passing NULL in place of the security descriptor, which specifies the default security descriptor. For example, the following code can be used to create a mutex with a null DACL:
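    #include <windows.h>

    // Creates the named mutex with a null DACL (everyone is granted access).
    // Returns NULL on failure.
    HANDLE CreateMutexWithNullDacl(void)
    {
        PSECURITY_DESCRIPTOR pSD;
        SECURITY_ATTRIBUTES  sa;
        HANDLE               mutex;

        pSD = (PSECURITY_DESCRIPTOR) LocalAlloc(LPTR,
                                                SECURITY_DESCRIPTOR_MIN_LENGTH);
        if (pSD == NULL)
        {
            return NULL;
        }

        if (!InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION))
        {
            LocalFree(pSD);
            return NULL;
        }

        // Add a null DACL to the security descriptor: the DACL is marked
        // present (TRUE), but the ACL pointer itself is NULL.
        if (!SetSecurityDescriptorDacl(pSD, TRUE, (PACL) NULL, FALSE))
        {
            LocalFree(pSD);
            return NULL;
        }

        sa.nLength = sizeof(sa);
        sa.lpSecurityDescriptor = pSD;
        sa.bInheritHandle = TRUE;

        mutex = CreateMutex(&sa, FALSE, "SOMENAME");

        // The descriptor is copied into the new object, so free our copy.
        LocalFree(pSD);
        return mutex;
    }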
If you are creating one of these objects in an application and the object will be shared with a service, you could also use a null DACL to grant everyone access. As an alternative, you could add an access-control entry (ACE) to the DACL that grants access to the user account that the service is running under. This would restrict access to the object to the service.
For a more detailed example, please see the SERVICES sample.
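The difference between the null DACL and the alternative described above (a DACL holding one ACE for the service's account), as an added example that is not from the original article or the SERVICES sample. It is a simplified, portable C model of the DACL access check, not Win32 API code; the account names and the struct and function names are hypothetical, and the model ignores group membership, owner rights and privileges.

```c
/* Added example: simplified model of the DACL access check, not Win32 code.
   Assumptions: SIDs are plain strings; group membership, owner rights and
   privileges are ignored. */
#include <stdio.h>
#include <string.h>
/* Bit values mirror SYNCHRONIZE, WRITE_DAC and MUTEX_MODIFY_STATE. */
#define SYNCHRONIZE_BIT  0x00100000u
#define WRITE_DAC_BIT    0x00040000u
#define MODIFY_STATE_BIT 0x00000001u

enum ace_type { ACE_ALLOW, ACE_DENY };
struct ace  { enum ace_type type; const char *sid; unsigned mask; };
struct dacl { size_t count; const struct ace *aces; };

/* Returns 1 if sid is granted every bit in desired, else 0.
   dacl == NULL models the null DACL; count == 0 models an empty DACL. */
int access_check(const struct dacl *dacl, const char *sid, unsigned desired)
{
    unsigned remaining = desired;
    size_t i;
    if (dacl == NULL)
        return 1;                      /* no DACL: nothing is restricted */
    for (i = 0; i < dacl->count && remaining != 0; i++) {
        const struct ace *a = &dacl->aces[i];
        if (strcmp(a->sid, sid) != 0)
            continue;                  /* ACE names another account */
        if (a->type == ACE_DENY && (a->mask & remaining) != 0)
            return 0;                  /* a right still needed is denied */
        if (a->type == ACE_ALLOW)
            remaining &= ~a->mask;     /* these rights are now granted */
    }
    return remaining == 0;             /* leftover bits were never granted */
}

/* Constructed sample: one allow ACE for a hypothetical service account. */
static const struct ace service_only[] = {
    { ACE_ALLOW, "SERVICE_ACCOUNT", SYNCHRONIZE_BIT | MODIFY_STATE_BIT }
};
const struct dacl restricted_dacl = { 1, service_only };
const struct dacl empty_dacl = { 0, NULL };

int main(void)
{
    printf("null DACL, other user, WRITE_DAC: %d\n",
           access_check(NULL, "OTHER_USER", WRITE_DAC_BIT));
    printf("service ACE, other user, SYNCHRONIZE: %d\n",
           access_check(&restricted_dacl, "OTHER_USER", SYNCHRONIZE_BIT));
    return 0;
}
```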
Version : 3.10 3.50
Platform : NT WINDOWS
Issue type : kbhowto
Last Reviewed: July 10, 1998