
DACL for event preventing users from setting it


I would like to do the following: create an event registered with the global namespace and modify its DACL so that:

  • Regular users can read the event state (Using WaitForSingleObject with a 0 timeout value)
  • Administrators can change the event status (SetEvent or ResetEvent)

In addition, the event will, most of the time, be initially created by a non-admin user during application initialization.

The idea is to allow system administrators on a terminal service server to send a signal to all processes belonging to my application (there are many) that they should terminate as soon as possible and keep them locked. This must work across all user sessions but also provide some layer of security.

I'm struggling to find the right DACLs for the event object during creation: I cannot seem to limit the ability to change the object state to administrators only.

I'm using ConvertStringSecurityDescriptorToSecurityDescriptor to create a DACL from an SDDL string. Here is the closest I came to a working sample:

Format('D:(A;OICI;GA;;;BA)(A;OICI;0x%.8xF;;;WD)',[(SYNCHRONIZE)])

This should give ALL_ACCESS to members of the built-in Administrators group and SYNCHRONIZE to EVERYONE.

Unfortunately, the resulting ACL doesn't work at all the way I want: if I check the resulting object state with ProcessExplorer, I see that Administrators have all the rights (as wanted) but EVERYONE still has the "Modify state" right set.

In case this matters, I'm using Delphi 6. The resulting application must be compatible with Windows 2003 Server/XP and up.

Thanks in advance


Solution

  • In the second ACE you set the access rights using a format string containing 0x%.8xF (note the trailing 'F') so the value is set to (SYNCHRONIZE<<4) | 0xF.

    EVENT_MODIFY_STATE is 0x0002 so this permission is being included.

    Lose the trailing 'F' and it should work.
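
The effect of the trailing 'F' described in the answer, as an added example in portable C (not code from the original post): it formats the SDDL string the way the question's Format call does, with and without the 'F', and reads back the access mask of the Everyone (WD) ACE. The helper names and the EV_ constants are assumptions of this example; their values are those of SYNCHRONIZE and EVENT_MODIFY_STATE in the Windows SDK.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Values from the Windows SDK headers, repeated so this builds on any platform. */
#define EV_SYNCHRONIZE        0x00100000UL
#define EV_EVENT_MODIFY_STATE 0x00000002UL

/* Format the SDDL as the question does; suffix is "F" (as posted) or "" (fixed). */
static void build_sddl(char *out, size_t n, const char *suffix) {
    snprintf(out, n, "D:(A;OICI;GA;;;BA)(A;OICI;0x%.8lx%s;;;WD)", EV_SYNCHRONIZE, suffix);
}

/* Hex access mask of the first ACE whose trustee equals sid (fields are
   type;flags;rights;;;sid). Returns 0 if absent or rights are symbolic ("GA"). */
static unsigned long ace_mask_for(const char *sddl, const char *sid) {
    const char *p = sddl;
    while ((p = strchr(p, '(')) != NULL) {
        const char *end = strchr(p, ')'), *rights = NULL, *trustee = NULL;
        int field = 0;
        if (end == NULL) break;
        for (const char *q = p + 1; q < end; q++) {
            if (*q != ';') continue;
            if (++field == 2) rights = q + 1;   /* third field: access rights */
            if (field == 5) trustee = q + 1;    /* sixth field: trustee SID */
        }
        if (rights && trustee && (size_t)(end - trustee) == strlen(sid)
            && strncmp(trustee, sid, strlen(sid)) == 0)
            return strtoul(rights, NULL, 16);
        p = end + 1;
    }
    return 0;
}

/* Mask the Everyone (WD) ACE ends up with for a given suffix. */
static unsigned long everyone_mask(const char *suffix) {
    char sddl[128];
    build_sddl(sddl, sizeof sddl, suffix);
    return ace_mask_for(sddl, "WD");
}

int main(void) {
    const char *variants[] = { "F", "" };
    for (int i = 0; i < 2; i++)
        printf("suffix \"%s\": WD mask 0x%08lx\n", variants[i], everyone_mask(variants[i]));
    return 0;
}
```

With the 'F' the low four bits of the mask are set, which covers EVENT_MODIFY_STATE; without it only the SYNCHRONIZE bit remains.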