CreateFileMapping and SeCreateGlobalPrivilege Issue

  • Question

  • So I'm slowly realizing that some of my favorite tricks with global shared memory and CreateFileMapping are fading into the sunset, no longer viable due to security concerns. 

    But from direct experimentation on Win2K3 and from some posts and blogs, it sounds like if I can live with creating a file mapping object in the Local\ instead of Global\ namespace that there is hope - that any process can create a file mapping object in the Local namespace.

    Reading the following from the MSDN article "Kernel Object Namespaces" though, it says:

    Starting with Windows Server 2003, Windows XP SP2 and Windows 2000 Server SP4, the creation of a file-mapping object (using CreateFileMapping) from a session other than session zero is a privileged operation. Because of this, an application running in an arbitrary Terminal Server session must have SeCreateGlobalPrivilege enabled in order to create a file-mapping object successfully. Note that the privilege check is limited to the creation of file-mapping objects, and does not apply to opening existing ones. For example, if a service or the system creates a file-mapping object, any process running in any session can access that file-mapping object provided that the user has the necessary access.

    Notice that this quote makes no direct distinction between creating file mappings in the Global or Local namespaces - it doesn't directly mention that.  So is the fact that any process right now can create a file mapping object in the Local namespace merely an oversight on Microsoft's part?  That once I code some programs to create file mappings in the Local namespace I'll suddenly, without warning, find that won't even work anymore?

    Call me paranoid and a little flame charred on this topic.... sigh.... :-)

    Thanks!

    Scott

    Saturday, March 10, 2007 2:40 AM

Answers

  • Scott, the privilege is only required to create Global\ named sections from sessions other than 0.

    Hence the name of the privilege.

    Ian, the reply depends on the session id of the caller.

    If the caller is in session 0, they're all equivalent.

    Otherwise, 1 triggers the creation of the section \BaseNamedObjects\foo.txt (the priv is then required), 2 to 4 target \Sessions\<sessionid>\BaseNamedObjects\foo.txt

    I'd recommend syntax 4.

    Wednesday, April 4, 2007 2:51 AM

All replies

  • I too am interested in this, especially with respect to UAC and Vista. But since this is my first post I'll keep it short, and ask a simple question. Can anyone point me to a clear explanation of the difference (*on Vista*) between:

    CreateFileMapping(INVALID_HANDLE_VALUE, NULL, PAGE_READWRITE, 0, 2048, m_memory_name);

    when
      1. m_memory_name = "Global\foo.txt"
      2. m_memory_name = "Local\foo.txt"
      3. m_memory_name = "Session\foo.txt"
      4. m_memory_name = "foo.txt"

    (I have read: http://msdn2.microsoft.com/en-us/library/aa382954.aspx so am prepared to believe that 3. and 4. are equivalent).

    When my vista machine arrives, I will do some experiments, but I already know I can create memory like 4. above, without elevation, but only use it to communicate between (my) processes of the same integrity level.

    Tuesday, March 27, 2007 7:18 PM
  • Thanks Eric for clearing that up for me and calming my paranoid fears!

    -- Scott

    Wednesday, April 4, 2007 3:01 AM
  • Eric,

    Thank you for resolving my initial question, it is kind of you to share your wisdom. Let me see if I can try your patience with a follow up question. Is there, perchance, a detailed API that explains this and related issues anywhere on the web? (that I'm missing). Or even in a text reference? If, for example, I wanted to lower the integrity level of (the security tokens of) the so created file mapping, would syntax 4 still be the preferred route? I would like to use the shared memory to communicate between different processes (in the same session) with different integrity levels. The memory would initially be created by a medium level process, and be read/written by it and another low level process. The medium process would attempt to do the lowering.

    Cheers, Ian.
    Wednesday, April 4, 2007 4:10 AM
  • The article about kernel namespace referenced in the first post is the best source of information about this that I know of.

    With regards to what you're trying to do, 2 cases arise:

    * the low integrity process only needs to read the section, and you shouldn't need to do anything special

    * it needs to write too, and in this case you need to specify a label for the section

    In the latter case, I'd recommend the use of SDDL.

        "S:(ML;;NW;;;LW)"

    is the label syntax.

    You can convert that into a security descriptor, and specify it at object creation time.

    You may not need to specify a DACL (I believe it will still be inherited), but if you need one, I suggest you use the LogonSID in the one ACE you'll have to specify.

    Wednesday, April 4, 2007 5:48 PM
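    An added example (not code from the thread) that puts both of Eric's points into practice in Windows PowerShell 5.1 on .NET Framework: Test-SectionNamespaces probes which name prefixes the current session can create without SeCreateGlobalPrivilege, and New-LowWritableSection creates a Local\ section with the "S:(ML;;NW;;;LW)" label and a single logon-SID DACL entry, as the post recommends. The function names, section names and sizes are assumptions.

    ```powershell
    # Added example, not code from the thread. Assumes Windows PowerShell 5.1 on
    # .NET Framework; section names and sizes are constructed values.
    Add-Type -AssemblyName System.Core   # home of System.IO.MemoryMappedFiles

    # Privilege rule from the accepted answer: from a session other than 0,
    # Global\ creation needs SeCreateGlobalPrivilege; Local\ and an unprefixed
    # name go to \Sessions\<id>\BaseNamedObjects and need nothing special.
    function Test-SectionNamespaces {
        $result = [ordered]@{ SessionId = [System.Diagnostics.Process]::GetCurrentProcess().SessionId }
        foreach ($name in 'Global\DemoProbe', 'Local\DemoProbe', 'DemoProbe') {
            try {
                $m = [System.IO.MemoryMappedFiles.MemoryMappedFile]::CreateNew($name, 4096)
                $m.Dispose()
                $result[$name] = 'created'
            } catch {
                $result[$name] = $_.Exception.GetBaseException().Message   # e.g. Access is denied
            }
        }
        [pscustomobject]$result
    }

    # Session-local section that a Low-IL process in the same session may write.
    function New-LowWritableSection {
        param([string]$Name = 'Local\DemoSection', [long]$Capacity = 2048)

        # Logon SID (S-1-5-5-X-Y) covers every process of this interactive logon,
        # whatever its integrity level, so it makes a good single DACL entry.
        $logonSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
            Where-Object { $_.Value -like 'S-1-5-5-*' } | Select-Object -First 1
        if (-not $logonSid) { throw 'No logon SID in the current token' }

        # D: one Allow/GenericAll ACE for the logon SID.
        # S: the label from the thread. LW = Low integrity, NW = no-write-up; an
        #    object without a label is treated as Medium, so Low callers could only read.
        $sddl = "D:(A;;GA;;;$($logonSid.Value))S:(ML;;NW;;;LW)"
        $security = New-Object System.IO.MemoryMappedFiles.MemoryMappedFileSecurity
        $sections = [System.Security.AccessControl.AccessControlSections]::Access -bor
                    [System.Security.AccessControl.AccessControlSections]::Audit
        $security.SetSecurityDescriptorSddlForm($sddl, $sections)

        # CreateNew hands the descriptor to CreateFileMapping, so the label is
        # applied at creation time as the post recommends.
        [System.IO.MemoryMappedFiles.MemoryMappedFile]::CreateNew(
            $Name, $Capacity,
            [System.IO.MemoryMappedFiles.MemoryMappedFileAccess]::ReadWrite,
            [System.IO.MemoryMappedFiles.MemoryMappedFileOptions]::None,
            $security,
            [System.IO.HandleInheritability]::None)
    }

    Test-SectionNamespaces | Format-List
    $section = New-LowWritableSection
    $section.Dispose()
    ```

    Run it once unelevated from an interactive session to see Global\ refused and Local\ accepted, then confirm the label with a Low-IL reader/writer of your own.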
  • Thanks Eric, I'll post my progress. I have actually tried that once, but it was rushed (the Vista machine was on my CTO's desk) and I wasn't sure it was supposed to work. Better put those SDDL's in quotes next time, hey :-)

    Wednesday, April 4, 2007 6:03 PM
  • I edited the post so that the SDDL doesn't include the emoticon anymore...
    Friday, April 6, 2007 1:07 AM
  • Thanks Eric,

     

    Indeed following your advice yielded smoothly functioning IPC between my low and medium processes, in the same session. However, it didn't let me communicate between my medium and "virtualized low" process, again in the same session.

    I gather this is what is meant in:

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/IETechCol/dnwebgen/ProtectedMode.asp

    when they say:

    "Note Even low integrity files will get redirected by Protected mode's compatibility shim except for known locations mentioned in the frequently-asked questions."

    My question is: "What is Microsoft's recommended form of IPC between, say, a toolbar running inside IE, and a medium level process within the same session?"

    Since I think I have convinced myself that shared memory IPC is not supported.

    Any suggestions?

    Wednesday, April 18, 2007 8:07 PM
  • Hmm, what fails and which error code?

    The comment in question is mostly (if not entirely) meant for files.

    By the way, are you mapping an actual file or just memory backed by the paging file?

    The former may be affected by virtualization, but the latter shouldn't be.

    Monday, April 23, 2007 1:04 AM
  • I'm just mapping memory backed by the OS, not an actual file. I'll prepare a more detailed message, detailing the problem, and get back to this thread with it. I

    Monday, April 23, 2007 4:25 PM
  • Eric,

    Indeed you are correct. Further investigation revealed a comedy of errors, on my part, and once eliminated, happy IPC resulted.

    Cheers, Ian.

    Wednesday, April 25, 2007 4:25 PM
  • Not directly in response to Scott's question, but on the topic of creating globally accessible shared memory under Vista UAC -- you can create the shared memory under the \Local object namespace and then access it from other sessions using the "\Session\[Session ID]\..." path.  If you set world access this will allow IPC across sessions.

    I've written a blog entry on this at (http://www.celceo.com/blogs/windows-insight/2007/09/global-createfilemapping-under.html) if you want details.

    Monday, September 24, 2007 4:28 PM
  • Not directly in response to Scott's question, but on the topic of creating globally accessible shared memory under Vista UAC -- you can create the shared memory under the \Local object namespace and then access it from other sessions using the "\Session\[Session ID]\..." path.  If you set world access this will allow IPC across sessions.

     

    I've written a blog entry on this at (http://www.celceo.com/blogs/windows-insight/2007/09/global-createfilemapping-under.html) if you want details.

     

    Link dead. Do you have your article somewhere else now?
    Tuesday, November 14, 2017 12:38 PM