How to make a raw PDO device accessible from user mode code in control panel?
-
Hi, I have a raw PDO device whose sample code needs administrative rights in order to work, otherwise fails with an access denied error. Which SDDL should I use to have it working under user mode code? I have tried SDDL_DEVOBJ_SYS_ALL but this specifies that the code must run as system. I'm trying to put the sample code that right now runs on the console, into a control panel applet. Should the applet run as system? Some help would be really appreciated. Thanks, Nuno
-
Hi Nuno,
What type of raw PDO device are we talking about here? SDDL_DEVOBJ_SYS_ALL_ADM_RWX_WORLD_R_RES_R will allow untrusted code to access the device.
Some documentation to assist you making your decision: Windows Security Model: What Every Driver Writer Needs to Know
Best Wishes, -David Delaune
-
Hi, I made it! I have read the document you passed me and decided to create a more open SDDL which I defined as:
DECLARE_CONST_UNICODE_STRING( MY_SDDL, L"D:P(A;;GA;;;SY)(A;;GRGWGX;;;BA)(A;;GA;;;WD)" );
And gave to the world GA permissions. My question now is.. what are the implications of having a not so restrictive security options? What are usually the SDDL for custom devices? Thanks, Nuno
-
sinosoidal wrote:
And gave to the world GA permissions. My question now is.. what are the implications of having a not so restrictive security options?
What part about World (Everyone) having ALL access do you not understand? Did you read the articles I gave you in this previous response? More specifically the "How safe is your device namespace?" article which outlines a possible security hole scenario.
sinosoidal wrote:
What are usually the SDDL for custom devices?
Have you tried SDDL_DEVOBJ_SYS_ALL_ADM_RWX_WORLD_R_RES_R?
"D:P(A;;GA;;;SY)(A;;GRGWGX;;;BA)(A;;GR;;;WD)(A;;GR;;;RC)"
Best Wishes, -David Delaune
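Added example, not part of the thread and not code from either poster: a small user-mode checker that walks the allow ACEs of an SDDL DACL and counts those granting GA, GW, WRITE_DAC or WRITE_OWNER to a broad trustee, run over the two strings quoted above. The function name count_risky_aces and the choice of which trustees and rights count as risky are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed "untrusted" trustees: Everyone, Restricted Code,
   Authenticated Users, Builtin Users, Anonymous. */
static const char *UNTRUSTED[] = { "WD", "RC", "AU", "BU", "AN" };
/* Rights that allow modifying or taking over the device object:
   GENERIC_ALL, GENERIC_WRITE, WRITE_DAC, WRITE_OWNER. */
static const char *RISKY[] = { "GA", "GW", "WD", "WO" };

static int in_set(const char *tok, size_t len, const char **set, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (strlen(set[i]) == len && strncmp(tok, set[i], len) == 0) return 1;
    return 0;
}

/* Returns the number of allow ACEs in the DACL that grant a risky right to
   an untrusted trustee, or -1 if the string has no DACL. Only two-letter
   abbreviations are handled; hex masks and S-1-... SIDs are not decoded. */
int count_risky_aces(const char *sddl) {
    const char *p = strstr(sddl, "D:");
    int hits = 0;
    if (!p) return -1;
    while ((p = strchr(p, '(')) != NULL) {
        const char *end = strchr(p, ')');
        const char *f[6];           /* start of each ';'-separated field */
        int n = 0;
        if (!end) break;
        f[n++] = p + 1;
        for (const char *c = p + 1; c < end && n < 6; c++)
            if (*c == ';') f[n++] = c + 1;
        /* field 0 = ACE type, field 2 = rights, field 5 = trustee */
        if (n == 6 && f[0][0] == 'A' && f[0][1] == ';' &&
            in_set(f[5], (size_t)(end - f[5]), UNTRUSTED, 5)) {
            for (const char *r = f[2]; r + 2 <= f[3] - 1; r += 2)
                if (in_set(r, 2, RISKY, 4)) { hits++; break; }
        }
        p = end + 1;
    }
    return hits;
}

int main(void) {
    /* The two SDDL strings quoted in the thread. */
    printf("MY_SDDL: %d risky ACE(s)\n",
           count_risky_aces("D:P(A;;GA;;;SY)(A;;GRGWGX;;;BA)(A;;GA;;;WD)"));
    printf("SYS_ALL_ADM_RWX_WORLD_R_RES_R: %d risky ACE(s)\n",
           count_risky_aces("D:P(A;;GA;;;SY)(A;;GRGWGX;;;BA)(A;;GR;;;WD)(A;;GR;;;RC)"));
    return 0;
}
```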