From: Richard Hartman [rhartman@realresume.com]
Sent: Wednesday, August 18, 1999 6:01 PM
To: ntdev@atria.com
Subject: [ntdev] smoking gun! (NT Services and USER32.DLL)

At 12:48 PM 08/18/1999 -0700, Richard Hartman wrote:
>Research suggests that the system replaces the winstation/desktop DACL's
>when an interactive user logs on or logs off. Note that I didn't say
>"updates the DACL's"... it appears to outright _replace_ them, because the
>ACE's we're adding are either vanishing or being altered in some way.

...and then I found this in KB article Q98890 (note the last sentence):

"The following sample code applies a NULL dacl to the interactive
windowstation and desktop objects. This application should be executed
before debugging the service. Once the debugging session has been
completed, the DACLs for the interactive windowstation and desktop
objects can be reset by logging off and then logging on again."

What do you suppose they mean by "reset"? I think - and the evidence
suggests - they mean they outright _replace_ the DACL's rather than
intelligently edit them. This leaves the following question in the air:

>This raises an interesting question. What happens if the service is busy
>when a user is logging in or out? There will always be a finite amount of
>time between our DACL updates and CreateProcessAsUser. If an interactive
>user happens to log in or out after DACL update, but before the end of
>the child process, the child process may have its access suddenly
>disappear out from under it.

Any ideas on how to avoid this?