Set the ACL specifying the worker processes that are allowed to receive I/O on the request queue
I am playing with the WinHTTP Server API 2.0 and am trying to follow these steps (https://msdn.microsoft.com/en-us/library/windows/desktop/aa364672(v=vs.85).aspx):
- Create the request queue and specify a name.
- Configure the request queue with the HttpSetRequestQueueProperty function.
- Query the request queue configuration parameters with the HttpQueryRequestQueueProperty function.
- Create URL groups and associate them with the request queue.
- Set the ACL specifying the worker processes that are allowed to receive I/O on the request queue.
- Call HttpWaitForDemandStart to delay the instantiation of worker processes until the first request arrives in the request queue.
Can anyone help with the step:
Set the ACL specifying the worker processes that are allowed to receive I/O on the request queue
I am not sure what exactly this means (I have never used the ACL APIs), but I think I need to call ::GetNamedSecurityInfo() at some point to modify it:
    if (NO_ERROR == ::HttpCreateRequestQueue(HTTPAPI_VERSION_2,
                                             requestQueueName,
                                             0,
                                             HTTP_CREATE_REQUEST_QUEUE_FLAG_CONTROLLER,
                                             &m_requestQueue))
    {
        // setup queue
        if (NO_ERROR == ::HttpCreateUrlGroup(m_sessionId, &m_groupId, 0))
        {
            HTTP_BINDING_INFO bindingInfo{ 1, m_requestQueue };
            if (NO_ERROR == ::HttpSetUrlGroupProperty(m_groupId,
                                                      HttpServerBindingProperty,
                                                      &bindingInfo,
                                                      sizeof(bindingInfo)))
            {
                m_localUrl = (NO_ERROR == (::HttpAddUrlToUrlGroup(m_groupId, localUrl.c_str(), 0, 0)));
                m_globalUrl = (NO_ERROR == (::HttpAddUrlToUrlGroup(m_groupId, globalUrl.c_str(), 0, 0)));

                PACL pacl = NULL;
                PSECURITY_DESCRIPTOR securityDescriptor = NULL;
                DWORD result = ::GetNamedSecurityInfo(requestQueueName,
                                                      SE_KERNEL_OBJECT,
                                                      SACL_SECURITY_INFORMATION,
                                                      NULL,
                                                      NULL,
                                                      NULL,
                                                      &pacl,
                                                      &securityDescriptor);
                // it fails (result != 0) when passing various SE_OBJECT_TYPEs
            }
        }
    }
Set the ACL specifying the worker processes that are allowed to receive I/O on the request queue
Look at another note:
The named request queue is created with the HttpCreateRequestQueue function. When the request queue is created, the application specifies the ACL in the pSecurityAttribute parameter. The ACL, which can only be set when the request queue is created, allows worker processes to open the request queue, receive requests, and send responses. By default, processes are not allowed to open a request queue unless they have been granted permission in the ACL. Applications do not require administrative privileges to create the request queue.
So you really can (but do not have to, this is optional) create and initialize some security descriptor and pass it to the HttpCreateRequestQueue function via _In_opt_ PSECURITY_ATTRIBUTES pSecurityAttributes. There is absolutely nothing special here: SECURITY_ATTRIBUTES is the same as in any kernel object creation API, say CreateEvent (where it is the first parameter).
How to initialize it and to whom to grant access is already an open question. A boundary case: allow everyone to do this:
    ULONG cb = MAX_SID_SIZE;
    PSID UntrustedLabelSid = (PSID)alloca(MAX_SID_SIZE);
    if (CreateWellKnownSid(WinUntrustedLabelSid, 0, UntrustedLabelSid, &cb))
    {
        PACL Sacl = (PACL)alloca(cb += sizeof(ACL) + sizeof(ACE_HEADER) + sizeof(ACCESS_MASK));
        InitializeAcl(Sacl, cb, ACL_REVISION);
        if (AddMandatoryAce(Sacl, ACL_REVISION, 0, 0, UntrustedLabelSid))
        {
            SECURITY_DESCRIPTOR sd;
            InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION);
            SetSecurityDescriptorDacl(&sd, TRUE, NULL, FALSE);
            SetSecurityDescriptorSacl(&sd, TRUE, Sacl, FALSE);
            SECURITY_ATTRIBUTES sa = { sizeof(sa), &sd, FALSE };
            if (NO_ERROR == HttpCreateRequestQueue(HTTPAPI_VERSION_2,
                                                   requestQueueName,
                                                   &sa,
                                                   HTTP_CREATE_REQUEST_QUEUE_FLAG_CONTROLLER,
                                                   &m_requestQueue))
            {
            }
        }
    }
As an alternative, we can use a string-format security descriptor and then convert it with ConvertStringSecurityDescriptorToSecurityDescriptor, for example:
    SECURITY_ATTRIBUTES sa = { sizeof(sa), 0, FALSE };
    ULONG dwError;
    if (ConvertStringSecurityDescriptorToSecurityDescriptorW(
            L"D:NO_ACCESS_CONTROLS:(ML;;;;;LW)",
            SDDL_REVISION_1, &sa.lpSecurityDescriptor, 0))
    {
        dwError = HttpCreateRequestQueue(HTTPAPI_VERSION_2,
                                         requestQueueName,
                                         &sa,
                                         HTTP_CREATE_REQUEST_QUEUE_FLAG_CONTROLLER,
                                         &m_requestQueue);
        LocalFree(sa.lpSecurityDescriptor);
    }
    else
    {
        dwError = GetLastError();
    }
Here "D:NO_ACCESS_CONTROLS:(ML;;;;;LW)" allows all access to all (NO_ACCESS_CONTROL) and LW is the Low label (not Untrusted as in the first example).
Another variant (just as an example) uses, say, the following string:
"D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGX;;;BU)(A;;GRGX;;;AC)S:(ML;;;;;LW)"
Here we allow GENERIC_ALL (GA) to System (SY) and Administrators (BA), and GENERIC_READ|GENERIC_EXECUTE for Users (BU) and ALL APPLICATION PACKAGES (AC).
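As an added check, not part of the answer above: a small self-contained SDDL parser that decodes the two descriptor strings from the answer into their DACL and SACL entries and lists which trustees are granted GENERIC_ALL, so you can confirm that "D:NO_ACCESS_CONTROLS:(ML;;;;;LW)" is really "D:NO_ACCESS_CONTROL" followed by an "S:" label section. It handles only the D: and S: sections and two-letter right tokens; the SID abbreviations (SY, BA, BU, AC, WD, LW) are the standard SDDL ones.

```cpp
#include <stdexcept>
#include <string>
#include <vector>

struct SddlAce { std::string type, rights, sid; };  // from "(type;flags;rights;obj_guid;inh_guid;sid)"
struct SddlDescriptor {
    bool dacl_no_access_control = false;  // "D:NO_ACCESS_CONTROL": NULL DACL, everyone gets full access
    std::vector<SddlAce> dacl, sacl;      // D:(...) and S:(...) entries, in order
};

// Parse the run of "(...)" ACEs starting at pos; pos stops at the next section or end of string.
static std::vector<SddlAce> parse_aces(const std::string& s, size_t& pos) {
    std::vector<SddlAce> aces;
    while (pos < s.size() && s[pos] == '(') {
        size_t end = s.find(')', pos);
        if (end == std::string::npos) throw std::runtime_error("unterminated ACE");
        std::vector<std::string> f(1);
        for (size_t i = pos + 1; i < end; ++i)       // split the six ';'-separated fields
            if (s[i] == ';') f.emplace_back(); else f.back() += s[i];
        if (f.size() != 6) throw std::runtime_error("ACE needs 6 fields");
        aces.push_back({f[0], f[2], f[5]}); pos = end + 1;
    }
    return aces;
}

// Parse the D: (DACL) and S: (SACL) sections; O:/G: owner and group sections are not needed here.
SddlDescriptor parse_sddl(const std::string& s) {
    SddlDescriptor d;
    for (size_t pos = 0; pos < s.size();) {
        if (s.compare(pos, 2, "D:") == 0) {
            pos += 2;
            if (s.compare(pos, 17, "NO_ACCESS_CONTROL") == 0) { d.dacl_no_access_control = true; pos += 17; }
            else d.dacl = parse_aces(s, pos);
        } else if (s.compare(pos, 2, "S:") == 0) {
            pos += 2; d.sacl = parse_aces(s, pos);
        } else throw std::runtime_error("unsupported SDDL section at offset " + std::to_string(pos));
    }
    return d;
}

// Rights are a run of two-letter tokens ("GRGX" = GENERIC_READ|GENERIC_EXECUTE); hex masks are not expanded.
static bool has_right(const std::string& rights, const std::string& tok) {
    for (size_t i = 0; i + 1 < rights.size(); i += 2) if (rights.compare(i, 2, tok) == 0) return true;
    return false;
}

// SIDs the DACL grants GENERIC_ALL to (enough to open the queue for any I/O); a NULL DACL means everyone ("WD").
std::vector<std::string> full_access_trustees(const SddlDescriptor& d) {
    std::vector<std::string> out;
    if (d.dacl_no_access_control) out.push_back("WD");
    for (const auto& a : d.dacl) if (a.type == "A" && has_right(a.rights, "GA")) out.push_back(a.sid);
    return out;
}
```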