BorlandTalk.com (Borland discussion newsgroups)
 
Assistance with AccessCheck() requested

 
Forum: C++ Builder (Native API)
Andrue Cope (Guest), posted Wed Apr 11, 2007 5:22 pm
Subject: Assistance with AccessCheck() requested

Hiya,

I'm trying to determine what Exchange permissions are available for an
account and I've used LDAP to obtain the DACL for an account. My
problem is that when I call AccessCheck() it always indicates that I
have no permission to do anything. More oddly it indicates that it
determined this without reference to any privilege
(PRIVILEGE_SET.PrivilegeCount is zero).

I have now implemented code to follow the ACL myself and on our system
it always consists of a single entry granting permissions to
NT_AUTHORITY/Self. (ACE SID=WinSelfSid).

This means that I can write code to traverse the ACL myself but that
seems rather silly given that it's what AccessCheck() is supposed to be
doing :-/

Is there anyone here who has experience of DACLs and other security-related
matters? Looks like no-one on the MS newsgroups has.
--
Andrue Cope
[Bicester, Uk]
http://info.borland.com/newsgroups/guide.html

Bob Gonder (Guest), posted Wed Apr 11, 2007 6:25 pm
Subject: Re: Assistance with AccessCheck() requested

Andrue Cope wrote:

Quote:
Hiya,

Hey m8.

Quote:
problem is that when I call AccessCheck() it always indicates that I
have no permission to do anything. More oddly it indicates that it
determined this without reference to any privilege
(PRIVILEGE_SET.PrivilegeCount is zero).

I'm sorry I have no experience in this, but reading the doc on
AccessCheck, it looks like it would be extremely easy to not get the
parameters right.

From this:
"...receives the privileges used to perform the access validation. If
no privileges were used... "
It sounds like it didn't need to *use* any privilege sets to answer
the query. Maybe because the question didn't actually ask anything?

Perhaps some actual code would help others rule that out?

Andrue Cope (Guest), posted Wed Apr 11, 2007 7:06 pm
Subject: Re: Assistance with AccessCheck() requested

Bob Gonder wrote:

Quote:
I'm sorry I have no experience in this, but reading the doc on
AccessCheck, it looks like it would be extremely easy to not get the
parameters right.

From this:
"...receives the privileges used to perform the access validation. If
no privileges were used... "
It sounds like it didn't need to use any privilege sets to answer
the query. Maybe because the question didn't actually ask anything?

Perhaps some actual code would help others rule that out?

Yeah that's possible I suppose. It's certainly not obvious what I
should be asking for and what GENERIC_MAPPING should be.

From my manual traversal of the ACL I can see that the single ACE has
permissions of 0x20003 and so I've tried asking for that, for 0x3 and
for 0x20000 but with no luck. I think that if I don't create the
correct GENERIC_MAPPING structure it could go wrong there as well.

Unfortunately it's not entirely clear how one goes about populating
that structure. I can see why something like it is needed but that's
not the same as knowing how to populate it :-/

Unfortunately for our application we can't just try to open the
mailbox. We are effectively doing that ourselves and are just trying to
provide the same level of security that Outlook does.

I seem to have wandered into an area of Windows that no-one knows
anything much about which is always fun :)
--
Andrue Cope
[Bicester, Uk]
http://info.borland.com/newsgroups/guide.html

Bob Gonder (Guest), posted Thu Apr 12, 2007 8:10 am
Subject: Re: Assistance with AccessCheck() requested

Andrue Cope wrote:

Quote:
Perhaps some actual code would help others rule that out?

Yeah that's possible I suppose. It's certainly not obvious what I
should be asking for and what GENERIC_MAPPING should be.

From my manual traversal of the ACL I can see that the single ACE has
permissions of 0x20003 and so I've tried asking for that, for 0x3 and

0x00 02 00 03
Specific Rights == 3
Standard rights == READ_CONTROL
GenericRights == 0

So perhaps

GENERIC_MAPPING gm = { 0x20003, 0, 0, 0x20003 };
DWORD AccessMask = GENERIC_READ;
MapGenericMask( &AccessMask, &gm );

As I read this, GENERIC_READ causes MapGenericMask to copy GenericRead
from gm, so we should be able to skip that part and just use
DWORD AccessMask = 0x20003;
Unless we are supposed to be getting GENERIC_MAPPING from the system?

AccessCheck( something, something, AccessMask, &gm, etc.

One wonders why you need to call MapGenericMask if you are going to be
passing gm anyway.


Are you doing this for some files at driver level? If so, look at
http://msdn2.microsoft.com/en-us/library/aa490870.aspx
GENERIC_MAPPING* IoGetFileObjectGenericMapping(void);

Here's an example of using AccessCheck

Date: Tue, 23 May 2006 18:16:05 -0400
From: Colin B Maharaj
Newsgroups: borland.public.cppbuilder.nativeapi
Subject: Re: WHat is my account type
References: <lko372tv8d3pmfa8aljurjaqc4st3e5g9n@4ax.com>
Message-ID: <447389a3@newsgroups.borland.com>

An older message that looks similar

From: "Stephane Baillargeon"
Newsgroups: borland.public.cppbuilder.winapi
Subject: RE:Administrator priviliges
Date: Fri, 18 Jan 2002 17:17:10 -0500
Message-ID: <3c489efd_2@dnews>

Go to Google/More/Groups and search on the Message-ID

http://groups.google.com/group/borland.public.cppbuilder.nativeapi/browse_thread/thread/283096f94514b8ce

http://groups.google.com/group/borland.public.cppbuilder.winapi/browse_thread/thread/c3cf04a2b1ba722c
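The mask arithmetic in the post above (splitting 0x20003 into its fields, and what MapGenericMask() does with a GENERIC_MAPPING) can be run for real. The block below is an added example written for this page, not code from either poster; it is portable C with no Windows headers, the constant values are copied from winnt.h, the mapping { 0x20003, 0, 0, 0x20003 } is the one guessed above, and the function names (effective_mask, ace_grants_all, describe_mask) are this example's own. It shows the point that matters for the "no access to anything" symptom: a raw GENERIC_READ request is compared bit-for-bit against the ACE mask, and this ACE holds no generic bits, so nothing matches until the generic bit is mapped to 0x20003.

```c
/* Added example, not code from the thread. Portable C that models the
 * ACCESS_MASK bit layout and the MapGenericMask() rule from winnt.h so the
 * reasoning above can be run without Windows. Constant values are the real
 * winnt.h ones; the function names are this example's own. */
#include <stdint.h>
#include <stdio.h>

typedef uint32_t ACCESS_MASK;

/* ACCESS_MASK layout: bits 0-15 object-specific, 16-20 standard,
 * 24-25 special (SACL access / MAXIMUM_ALLOWED), 28-31 generic. */
#define SPECIFIC_RIGHTS_ALL    0x0000FFFFu
#define STANDARD_RIGHTS_ALL    0x001F0000u
#define READ_CONTROL           0x00020000u
#define GENERIC_ALL            0x10000000u
#define GENERIC_EXECUTE        0x20000000u
#define GENERIC_WRITE          0x40000000u
#define GENERIC_READ           0x80000000u

typedef struct {
    ACCESS_MASK GenericRead, GenericWrite, GenericExecute, GenericAll;
} GENERIC_MAPPING;

/* The mapping guessed in the post above: 0x20003 is the whole of "read". */
const GENERIC_MAPPING kMailboxMapping = { 0x20003, 0, 0, 0x20003 };

/* Same rule as MapGenericMask(): for each generic bit set, OR in the bits the
 * mapping assigns to it, then clear all four generic bits. */
ACCESS_MASK effective_mask(ACCESS_MASK desired, const GENERIC_MAPPING *gm)
{
    ACCESS_MASK m = desired;
    if (m & GENERIC_READ)    m |= gm->GenericRead;
    if (m & GENERIC_WRITE)   m |= gm->GenericWrite;
    if (m & GENERIC_EXECUTE) m |= gm->GenericExecute;
    if (m & GENERIC_ALL)     m |= gm->GenericAll;
    return m & ~(GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL);
}

/* Does one allow ACE cover every bit that was asked for? */
int ace_grants_all(ACCESS_MASK ace_mask, ACCESS_MASK desired)
{
    return (desired & ~ace_mask) == 0;
}

/* Field breakdown in the style of the post. */
void describe_mask(ACCESS_MASK m)
{
    printf("0x%08X: specific=0x%04X standard=0x%02X generic=0x%X%s\n",
           (unsigned)m, (unsigned)(m & SPECIFIC_RIGHTS_ALL),
           (unsigned)((m & STANDARD_RIGHTS_ALL) >> 16), (unsigned)(m >> 28),
           (m & READ_CONTROL) ? " [READ_CONTROL]" : "");
}

int main(void)
{
    const ACCESS_MASK ace = 0x20003;       /* the single ACE seen in the thread */
    describe_mask(ace);

    /* Raw GENERIC_READ: bit 31 is compared as-is, and this ACE has no generic bits. */
    printf("GENERIC_READ raw    -> grants all? %d\n", ace_grants_all(ace, GENERIC_READ));
    /* After mapping it becomes 0x20003 and the ACE satisfies it. */
    ACCESS_MASK want = effective_mask(GENERIC_READ, &kMailboxMapping);
    printf("GENERIC_READ mapped -> 0x%08X grants all? %d\n", (unsigned)want, ace_grants_all(ace, want));
    /* A specific bit the ACE does not hold (bit 2) is refused even after mapping. */
    printf("0x20004             -> grants all? %d\n", ace_grants_all(ace, 0x20004));
    return 0;
}
```

In the real API the GENERIC_MAPPING you pass to AccessCheck() is what it uses to map generic bits in the ACEs, while MapGenericMask() on the desired access maps the caller's side; passing 0x20003 directly, as suggested above, sidesteps the desired-access half but still needs a sane mapping for the ACE half.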

Andrue Cope (Guest), posted Thu Apr 12, 2007 1:19 pm
Subject: Re: Assistance with AccessCheck() requested

Bob Gonder wrote:

Quote:
As I read this, GENERIC_READ causes MapGenericMask to copy GenericRead
from gm, so we should be able to skip that part and just use
DWORD AccessMask = 0x20003;
Unless we are supposed to be getting GENERIC_MAPPING from the system?

AccessCheck( something, something, AccessMask, &gm, etc.

One wonders why you need to call MapGenericMask if you are going to be
passing gm anyway.

I think I've tried it with and without.

If you want to play around with it (and I suppose it has educational
value concerning LDAP <g>) I've uploaded a BCB6 project
'AccessCheck.zip'. You'll need to change main() to use your login and
domain details and you'll need to be running MS Exchange though unless
you want to try for some other permission.
--
Andrue Cope
[Bicester, Uk]
http://info.borland.com/newsgroups/guide.html

Bob Gonder (Guest), posted Thu Apr 12, 2007 8:49 pm
Subject: Re: Assistance with AccessCheck() requested

Andrue Cope wrote:

Quote:
I think I've tried it with and without.

First thing I've noticed is that as soon as you hit

while(pAttribute != NULL)

All returns leave the Connection Bound, and values allocated.

TOKEN_READ|TOKEN_QUERY,

Note that TOKEN_READ includes TOKEN_QUERY

You call it clientToken, but it is a process token (TRUE == process)

if(!ConvertSidToStringSidW(ownerInfo->Owner, &ourSid))
{
delete[] ourSid;

Doesn't look right, should be LocalFree, or better yet, nothing
Also, you never use it nor LocalFree( ourSid ) it.

The links I gave last night mention (among other things)

// AccessCheck is sensitive about what is in the SD; set
// the group and owner.
SetSecurityDescriptorGroup(psdAdmin, psidAdmin, FALSE);
SetSecurityDescriptorOwner(psdAdmin, psidAdmin, FALSE);

dwAccessDesired = FM_ACCESS_READ;
// Initialize GenericMapping structure even though we
// won't be using generic rights.
GenericMapping.GenericRead = FM_ACCESS_READ;
GenericMapping.GenericWrite = FM_ACCESS_WRITE;
GenericMapping.GenericExecute = 0;
GenericMapping.GenericAll = FM_ACCESS_READ |
FM_ACCESS_WRITE;

if (!AccessCheck(psdAdmin, hToken, dwAccessDesired,

Quote:
If you want to play around with it (and I suppose it has educational
value concerning LDAP <g>) I've uploaded a BCB6 project
'AccessCheck.zip'. You'll need to change main() to use your login and
domain details and you'll need to be running MS Exchange though unless
you want to try for some other permission.

I don't think I have login and domain details, nor MS Exchange
(XPHome). No idea what to change to be meaningful on my system.

Andrue Cope (Guest), posted Fri Apr 13, 2007 1:08 pm
Subject: Re: Assistance with AccessCheck() requested

Bob Gonder wrote:

Quote:
First thing I've noticed is that as soon as you hit

while(pAttribute != NULL)

All returns leave the Connection Bound, and values allocated.

Doesn't surprise me. This is proof of concept code mostly grabbed from
the Web and hacked around a lot. That's the trouble with example code
from the web - it is nearly all ugly, poorly written stuff frequently
using hungarian notation.

So fear not - I already have plans to convert it to a nice RAII class
based solution but I first want to get it working :)

Quote:
// AccessCheck is sensitive about what is in the SD; set
// the group and owner.
SetSecurityDescriptorGroup(psdAdmin, psidAdmin, FALSE);
SetSecurityDescriptorOwner(psdAdmin, psidAdmin, FALSE);

Aye but that example is /creating/ a DACL. I got my DACL from Active
Directory so I shouldn't be modifying it.

Quote:
I don't think I have login and domain details, nor MS Exchange
(XPHome). No idea what to change to be meaningfull on my system.

Ah. You'd need to find another DACL attribute within the Active
Directory that you could query.
--
Andrue Cope
[Bicester, Uk]
http://info.borland.com/newsgroups/guide.html

Andrue Cope (Guest), posted Fri Apr 13, 2007 5:21 pm
Subject: Re: Assistance with AccessCheck() requested

Actually I just had a thought. The ACL contains an entry with
NT_AUTHORITY/SELF which seems to be a reference meaning 'the SID to
which this ACL belongs'. AccessCheck() has no way of resolving that and
therefore probably just compares it to the user SID which will fail.

It looks like I might have to fix up the DACL before I can query it.

--
Andrue Cope
[Bicester, Uk]
http://info.borland.com/newsgroups/guide.html

Andrue Cope (Guest), posted Fri Apr 13, 2007 7:28 pm
Subject: Re: Assistance with AccessCheck() requested

Success!

The answer /was/ to fix up that SID and now everything seems good.
Apart from the source code, lol.

Thanks for all your help :)

--
Andrue Cope
[Bicester, Uk]
http://info.borland.com/newsgroups/guide.html
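The fix that ended the thread, replacing the NT AUTHORITY\SELF entry before calling AccessCheck(), is worth seeing as an algorithm. The block below is an added example written for this page, not Andrue's project code; it is portable C that models the ordered DACL walk AccessCheck() performs (deny ACEs stop the walk, allow ACEs accumulate bits, an empty DACL grants nothing), with SIDs as strings and ACEs as structs. S-1-5-10 is the real well-known SID for SELF; every other SID is constructed for the example, and the names replace_self_sid, access_check and check_self_ace are the example's own. Two facts about the real API that the model assumes: the token handed to AccessCheck() must be an impersonation token (duplicate a primary token with DuplicateToken first, or it fails with ERROR_NO_IMPERSONATION_TOKEN), and AccessCheckByType() takes a PrincipalSelfSid parameter that performs this SELF substitution for you, so the manual rewrite is only needed with plain AccessCheck().

```c
/* Added example, not code from the thread. A portable model of the DACL walk
 * inside AccessCheck(), used to show why an ACE granted to NT AUTHORITY\SELF
 * (S-1-5-10) never matches a caller's token until SELF is replaced by the SID
 * of the principal the descriptor belongs to. SIDs are strings, ACEs are structs;
 * every SID below except S-1-5-10 is constructed for the example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t ACCESS_MASK;
#define PRINCIPAL_SELF_SID "S-1-5-10"   /* well-known SID: NT AUTHORITY\SELF */
#define MAX_ACES 8
#define MAX_SIDS 8
#define SID_LEN  64

enum ace_type { ACE_ALLOW, ACE_DENY };
typedef struct { enum ace_type type; char sid[SID_LEN]; ACCESS_MASK mask; } ACE;
typedef struct { int count; ACE ace[MAX_ACES]; } DACL;
typedef struct { int count; char sid[MAX_SIDS][SID_LEN]; } TOKEN;   /* user SID + group SIDs */

static int token_has_sid(const TOKEN *t, const char *sid)
{
    for (int i = 0; i < t->count; i++)
        if (strcmp(t->sid[i], sid) == 0) return 1;
    return 0;
}

/* The fix-up the thread ends with: rewrite every SELF ACE to name the principal
 * (the mailbox owner) the descriptor was read for. Returns ACEs changed. In real
 * code this means swapping the SID blob inside the ACE and fixing AceSize. */
int replace_self_sid(DACL *dacl, const char *principal_sid)
{
    int changed = 0;
    for (int i = 0; i < dacl->count; i++)
        if (strcmp(dacl->ace[i].sid, PRINCIPAL_SELF_SID) == 0) {
            snprintf(dacl->ace[i].sid, SID_LEN, "%s", principal_sid);
            changed++;
        }
    return changed;
}

/* Ordered DACL walk as AccessCheck() performs it for a present, non-NULL DACL:
 * a matching deny ACE that covers any still-wanted bit ends the walk with a
 * denial; matching allow ACEs accumulate bits; success once nothing is left.
 * An empty DACL grants nothing. `desired` must already be free of generic bits
 * (MapGenericMask first). MAXIMUM_ALLOWED and object ACEs are not modelled.
 * Returns 1 granted / 0 denied; *granted receives the bits collected. */
int access_check(const DACL *dacl, const TOKEN *token, ACCESS_MASK desired, ACCESS_MASK *granted)
{
    ACCESS_MASK remaining = desired, got = 0;
    for (int i = 0; i < dacl->count && remaining != 0; i++) {
        const ACE *a = &dacl->ace[i];
        if (!token_has_sid(token, a->sid)) continue;
        if (a->type == ACE_DENY) {
            if (a->mask & remaining) { *granted = got; return 0; }
        } else {
            got |= a->mask & desired;
            remaining &= ~a->mask;
        }
    }
    *granted = got;
    return remaining == 0;
}

/* The thread's situation: a DACL whose only ACE allows `ace_mask` to SELF,
 * checked for `caller` on behalf of `principal`, with or without the fix-up. */
int check_self_ace(const char *principal, const char *caller,
                   ACCESS_MASK ace_mask, ACCESS_MASK desired, int fixup)
{
    DACL dacl = { 1, { { ACE_ALLOW, PRINCIPAL_SELF_SID, ace_mask } } };
    TOKEN token = { 1 };
    snprintf(token.sid[0], SID_LEN, "%s", caller);
    if (fixup) replace_self_sid(&dacl, principal);
    ACCESS_MASK granted;
    return access_check(&dacl, &token, desired, &granted);
}

int main(void)
{
    const char *owner = "S-1-5-21-1-2-3-1001", *other = "S-1-5-21-1-2-3-1002";
    printf("owner, SELF left as-is : %d\n", check_self_ace(owner, owner, 0x20003, 0x20003, 0)); /* 0 */
    printf("owner, SELF fixed up   : %d\n", check_self_ace(owner, owner, 0x20003, 0x20003, 1)); /* 1 */
    printf("other user, fixed up   : %d\n", check_self_ace(owner, other, 0x20003, 0x20003, 1)); /* 0 */
    printf("owner asks for 0x20004 : %d\n", check_self_ace(owner, owner, 0x20003, 0x20004, 1)); /* 0 */
    return 0;
}
```

The substitution must use the SID of the object the descriptor was fetched for (the mailbox owner), not the SID of whoever is running the check; otherwise every caller would be treated as SELF and the "same level of security that Outlook does" goal is lost.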

Bob Gonder (Guest), posted Fri Apr 13, 2007 9:42 pm
Subject: Re: Assistance with AccessCheck() requested

Andrue Cope wrote:

Quote:
Thanks for all your help :)

np. Beats mining Veldspar

Alan Bellingham (Guest), posted Sat Apr 14, 2007 3:01 pm
Subject: Re: Assistance with AccessCheck() requested

Bob Gonder <notbg@notmindspring.invalid> wrote:

Quote:
np. Beats mining Veldspar

Is that beyond the Dark Portal?

Alan Bellingham
--
ACCU Conference 2006 - 19-22 April, Randolph Hotel, Oxford, UK

Alan Bellingham (Guest), posted Sat Apr 14, 2007 4:09 pm
Subject: Re: Assistance with AccessCheck() requested

Alan Bellingham <alanb@episys.com> wrote:

Quote:
--
ACCU Conference 2006 - 19-22 April, Randolph Hotel, Oxford, UK

Oh my, that signature is really out of date, since I'm sitting in a
panel on concepts a year later, at a different hotel.

Bob Gonder (Guest), posted Sun Apr 15, 2007 3:35 am
Subject: Re: Assistance with AccessCheck() requested

Alan Bellingham wrote:

Quote:
Is that beyond the Dark Portal?

Eve.
Andrue turned me onto it back in '05

Andrue Cope (Guest), posted Mon Apr 16, 2007 3:03 pm
Subject: Re: Assistance with AccessCheck() requested

Bob Gonder wrote:

Quote:
Thanks for all your help :)

np. Beats mining Veldspar

So do a lot of things :)

L4 missions for me right now.

--
Andrue Cope
[Bicester, Uk]
http://info.borland.com/newsgroups/guide.html