Sharing memory between System Service and ASPNET web page

Discussion in 'ASP .Net Security' started by John Hynes, Dec 2, 2005.

  1. John Hynes

    John Hynes Guest

    Hi,

    I have a system service which monitors a network and stores some information
    in shared memory, and I want to be able to view this information from a web
    page.

    I first tried this with 1.1 using P/Invoke to the appropriate security APIs
    as described in Q106387 in the MS knowledgebase. I then ported to 2.0 and
    the new security routines. In both cases I have the same problem: the only
    way I can share the data is if the ASP web page impersonates an
    Administrative user. This is not what I want; ideally I'd like it to work
    with anonymous users, but if that's not possible then with a guest user.

    Here's what I'm doing in 2.0:

    In the system service (which runs as the local system account):

    // Mutex DACL: creator/owner and Authenticated Users both get full control
    SecurityIdentifier sidOwner = new SecurityIdentifier( WellKnownSidType.CreatorOwnerSid, null );
    SecurityIdentifier sidAuthUsers = new SecurityIdentifier( WellKnownSidType.AuthenticatedUserSid, null );
    MutexSecurity mSec = new MutexSecurity();
    MutexAccessRule rule = new MutexAccessRule( sidOwner, MutexRights.FullControl, AccessControlType.Allow );
    mSec.AddAccessRule( rule );
    rule = new MutexAccessRule( sidAuthUsers, MutexRights.FullControl, AccessControlType.Allow );
    mSec.AddAccessRule( rule );
    m_Mutex = new Mutex( false, strName + "M", out bCreateNew, mSec );

    // Section DACL, built from SDDL: CO read/write, AU read
    CommonSecurityDescriptor csd = new CommonSecurityDescriptor( false, false, "D:(A;;GRGW;;;CO)(A;;GRFR;;;AU)" );
    byte[] binarySecurityDescriptor = new byte[ csd.BinaryLength ];
    csd.GetBinaryForm( binarySecurityDescriptor, 0 );
    m_hFile = Win32.CreateFileMapping( -1, binarySecurityDescriptor, Win32.MappedFileProtection.PAGE_READWRITE, 0, nMaxLength, strName );

    Then in the web page:

    m_Mutex = Mutex.OpenExisting( strName + "M" );
    m_hFile = Win32.OpenFileMapping( Win32.FileMapAccess.FILE_MAP_READ, false, strName );

    The Mutex is opened successfully, but if the impersonating user is a Power
    User (or less) rather than an Administrator then the OpenFileMapping call
    fails with Access Denied.

    If the ACL allows all authenticated users read access then why can only
    Administrators access it, when the Mutex works ok? Why won't it work if I
    change the ACL to allow anonymous users read access?

    Thanks
    John
     
    John Hynes, Dec 2, 2005
    #1
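The SECURITY_ATTRIBUTES plumbing that CreateFileMapping expects, written out as an added example that is not the poster's code: the native parameter is a pointer to a SECURITY_ATTRIBUTES structure whose lpSecurityDescriptor points at the descriptor bytes, not the bytes themselves, so the descriptor has to be pinned and referenced from that structure. The SecureSection class, the P/Invoke declarations and the SDDL string (SY full control, AU read only) are assumptions of this example, not the poster's Win32 wrapper; the mutex is left as in the post.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.AccessControl;
// Hypothetical helper, not the poster's Win32 wrapper class.
static class SecureSection
{
    // CreateFileMapping takes a SECURITY_ATTRIBUTES struct whose lpSecurityDescriptor
    // points at the descriptor bytes; it does not take the bytes themselves.
    [StructLayout(LayoutKind.Sequential)]
    struct SECURITY_ATTRIBUTES { public int nLength; public IntPtr lpSecurityDescriptor; public bool bInheritHandle; }
    const uint PAGE_READWRITE = 0x04;
    const uint FILE_MAP_READ = 0x04;                               // == SECTION_MAP_READ
    static readonly IntPtr INVALID_HANDLE_VALUE = new IntPtr(-1);  // pagefile-backed section
    // LocalSystem (SY) keeps full control; Authenticated Users (AU) get read only. CREATOR_OWNER
    // (CO) is a placeholder that only has meaning in inheritable ACEs, so it is not used here.
    const string Sddl = "D:(A;;GA;;;SY)(A;;GR;;;AU)";
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)]
    static extern IntPtr CreateFileMapping(IntPtr hFile, ref SECURITY_ATTRIBUTES lpAttributes,
        uint flProtect, uint dwMaximumSizeHigh, uint dwMaximumSizeLow, string lpName);
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)]
    static extern IntPtr OpenFileMapping(uint dwDesiredAccess, bool bInheritHandle, string lpName);

    // Service side (runs as LocalSystem): create the section with an explicit DACL.
    public static IntPtr CreateSharedSection(string name, uint maxLength)
    {
        CommonSecurityDescriptor csd = new CommonSecurityDescriptor(false, false, Sddl);
        byte[] sd = new byte[csd.BinaryLength];
        csd.GetBinaryForm(sd, 0);
        GCHandle pinned = GCHandle.Alloc(sd, GCHandleType.Pinned);  // bytes must not move during the call
        try
        {
            SECURITY_ATTRIBUTES sa = new SECURITY_ATTRIBUTES();
            sa.nLength = Marshal.SizeOf(typeof(SECURITY_ATTRIBUTES));
            sa.lpSecurityDescriptor = pinned.AddrOfPinnedObject();
            IntPtr h = CreateFileMapping(INVALID_HANDLE_VALUE, ref sa, PAGE_READWRITE, 0, maxLength, name);
            if (h == IntPtr.Zero) throw new Win32Exception(Marshal.GetLastWin32Error());
            return h;
        }
        finally { pinned.Free(); }
    }

    // Web side: ask only for the right the AU ACE grants, so a non-admin identity succeeds.
    public static IntPtr OpenSharedSection(string name)
    {
        IntPtr h = OpenFileMapping(FILE_MAP_READ, false, name);
        if (h == IntPtr.Zero) throw new Win32Exception(Marshal.GetLastWin32Error());
        return h;
    }
}
```

A check worth making first: if a wrapper declares that parameter as byte[], kernel32 reads the leading bytes of the self-relative descriptor as the structure, the zero owner offset lands in lpSecurityDescriptor, and the section silently gets the creator's default DACL, which for LocalSystem admits only SYSTEM and Administrators.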