ACCESS_DENIED on CreateSemaphore

OSR_Community_User · January 19, 2001, 12:32pm

Hi,

I have some hardware which currently has an API in the form of a DLL and
Kernel Mode Driver. The DLL has uses a named Semaphore to prevent multiple
processes accessing the hardware at the same time.
The semaphore is created with the following code:
{
SECURITY_ATTRIBUTES saSecurity;
saSecurity.nLength = sizeof( SECURITY_ATTRIBUTES );
saSecurity.lpSecurityDescriptor = NULL;
saSecurity.bInheritHandle = TRUE;
hSemaphore = CreateSemaphore( &saSecurity, 1, 1,
“DK2DriverAccessSemaphore” );
if( hSemaphore == NULL )
{
return FALSE;
}
}

I have created a service to expose the hardware API across the network, the
service runs in the LocalSystem account. The service also loads the API
creating the semaphore as above to prevent multiple processes accessing the
hardware.

Problem:
If the service is started and an application is then run, the call to
CreateSemaphore fails, GetLastError returns 5 (ACCESS_DENIED). I changed the
service account to the same one I am logged into Win2K as, it still fails in
the same way.

Does anyone know how I can have a Named Semaphore available to both
application and service at the same time.

Alun Carp
Driver Development Team Leader
Data Encryption Systems Limited
Email: xxxxx@des.co.uk
Phone: 01823 352357
Fax: 01823 352358
Please email support queries to: xxxxx@des.co.uk
Visit our website at: http://www.des.co.uk

You are currently subscribed to ntdev as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com

Paul_Bunn · January 19, 2001, 2:08pm

This creates access for no-one. You need to create to do something like the
following to create an ACL for everyone:

SECURITY_ATTRIBUTES saAnyone;
CHAR aszpSDBuffer[SECURITY_DESCRIPTOR_MIN_LENGTH];
pSD = (PSECURITY_DESCRIPTOR) aszpSDBuffer;

if(!InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION))
return FALSE;

// add a NULL disc. ACL to the security descriptor.
//
if(!SetSecurityDescriptorDacl(pSD, TRUE, (PACL) NULL, FALSE))
return FALSE;

saAnyone.nLength = sizeof(saAnyone);
saAnyone.lpSecurityDescriptor = pSD;
saAnyone.bInheritHandle = TRUE;

Regards,

Paul Bunn, UltraBac.com, 425-644-6000
Microsoft MVP - WindowsNT/2000
http://www.ultrabac.com

-----Original Message-----
From: Alun Carp [mailto:xxxxx@des.co.uk]
Sent: Friday, January 19, 2001 9:32 AM
To: NT Developers Interest List
Subject: [ntdev] ACCESS_DENIED on CreateSemaphore

Hi,

I have some hardware which currently has an API in the form of a DLL and
Kernel Mode Driver. The DLL has uses a named Semaphore to prevent multiple
processes accessing the hardware at the same time.
The semaphore is created with the following code:
{
SECURITY_ATTRIBUTES saSecurity;
saSecurity.nLength = sizeof( SECURITY_ATTRIBUTES );
saSecurity.lpSecurityDescriptor = NULL;
saSecurity.bInheritHandle = TRUE;
hSemaphore = CreateSemaphore( &saSecurity, 1, 1,
“DK2DriverAccessSemaphore” );
if( hSemaphore == NULL )
{
return FALSE;
}
}

I have created a service to expose the hardware API across the network, the
service runs in the LocalSystem account. The service also loads the API
creating the semaphore as above to prevent multiple processes accessing the
hardware.

Problem:
If the service is started and an application is then run, the call to
CreateSemaphore fails, GetLastError returns 5 (ACCESS_DENIED). I changed the
service account to the same one I am logged into Win2K as, it still fails in
the same way.

Does anyone know how I can have a Named Semaphore available to both
application and service at the same time.

You are currently subscribed to ntdev as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com

OSR_Community_User · January 22, 2001, 5:33am

Hi Paul,

Thanks for the tip, it did the trick.

Alun

This creates access for no-one. You need to create to do something like the
following to create an ACL for everyone:

SECURITY_ATTRIBUTES saAnyone;
CHAR aszpSDBuffer[SECURITY_DESCRIPTOR_MIN_LENGTH];
pSD = (PSECURITY_DESCRIPTOR) aszpSDBuffer;

if(!InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION))
return FALSE;

// add a NULL disc. ACL to the security descriptor.
//
if(!SetSecurityDescriptorDacl(pSD, TRUE, (PACL) NULL, FALSE))
return FALSE;

saAnyone.nLength = sizeof(saAnyone);
saAnyone.lpSecurityDescriptor = pSD;
saAnyone.bInheritHandle = TRUE;

Regards,

Paul Bunn, UltraBac.com, 425-644-6000
Microsoft MVP - WindowsNT/2000
http://www.ultrabac.com

-----Original Message-----
From: Alun Carp [mailto:xxxxx@des.co.uk]
Sent: Friday, January 19, 2001 9:32 AM
To: NT Developers Interest List
Subject: [ntdev] ACCESS_DENIED on CreateSemaphore

Hi,

I have some hardware which currently has an API in the form of a DLL and
Kernel Mode Driver. The DLL has uses a named Semaphore to prevent multiple
processes accessing the hardware at the same time.
The semaphore is created with the following code:
{
SECURITY_ATTRIBUTES saSecurity;
saSecurity.nLength = sizeof( SECURITY_ATTRIBUTES );
saSecurity.lpSecurityDescriptor = NULL;
saSecurity.bInheritHandle = TRUE;
hSemaphore = CreateSemaphore( &saSecurity, 1, 1,
“DK2DriverAccessSemaphore” );
if( hSemaphore == NULL )
{
return FALSE;
}
}

I have created a service to expose the hardware API across the network, the
service runs in the LocalSystem account. The service also loads the API
creating the semaphore as above to prevent multiple processes accessing the
hardware.

Problem:
If the service is started and an application is then run, the call to
CreateSemaphore fails, GetLastError returns 5 (ACCESS_DENIED). I changed the
service account to the same one I am logged into Win2K as, it still fails in
the same way.

Does anyone know how I can have a Named Semaphore available to both
application and service at the same time.

You are currently subscribed to ntdev as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com