diff --git a/src/launcher/launcher.c b/src/launcher/launcher.c
index a2cfb58a..fd9194db 100644
--- a/src/launcher/launcher.c
+++ b/src/launcher/launcher.c
@@ -232,6 +232,8 @@ NTSTATUS SvcInstanceCreate(HANDLE ClientToken,
 goto exit;
 }
 
+FspDebugLogSD(__FUNCTION__ ": SDDL = %s", SecurityDescriptor);
+
 Result = SvcInstanceAccessCheck(ClientToken, SERVICE_START, SecurityDescriptor);
 if (!NT_SUCCESS(Result))
 goto exit;
@@ -460,6 +462,8 @@ static NTSTATUS SvcStart(FSP_SERVICE *Service, ULONG argc, PWSTR *argv)
 &SecurityAttributes.lpSecurityDescriptor, 0))
 goto fail;
 
+FspDebugLogSD(__FUNCTION__ ": SDDL = %s", SecurityAttributes.lpSecurityDescriptor);
+
 SvcEvent = CreateEventW(0, TRUE, FALSE, 0);
 if (0 == SvcEvent)
 goto fail;
diff --git a/src/launcher/launcher.h b/src/launcher/launcher.h
index 919da6ad..f62a903b 100644
--- a/src/launcher/launcher.h
+++ b/src/launcher/launcher.h
@@ -27,22 +27,22 @@
 /*
  * The launcher named pipe SDDL gives full access to LocalSystem and Administrators.
- * It also gives generic read access and FILE_WRITE_DATA (SC) to Everyone. Note that
+ * It also gives generic read access and FILE_WRITE_DATA (DC) to Everyone. Note that
  * we cannot give generic write access or equivalently FILE_GENERIC_WRITE (FW) because
  * we would also grant the FILE_CREATE_PIPE_INSTANCE right.
  */
-#define PIPE_SDDL "D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRSC;;;WD)"
+#define PIPE_SDDL "D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRDC;;;WD)"
 
 /*
  * The default service instance SDDL gives full access to LocalSystem and Administrators.
  * The only possible service instance rights are as follows:
  * RP SERVICE_START
  * WP SERVICE_STOP
- * SC SERVICE_QUERY_STATUS
+ * LC SERVICE_QUERY_STATUS
  *
  * To create a service that can be started, stopped or queried by Everyone, you can set
  * the following SDDL:
- * D:P(A;;RPWPSC;;;WD)
+ * D:P(A;;RPWPLC;;;WD)
  */
 #define SVC_INSTANCE_DEFAULT_SDDL "O:SYG:SYD:P(A;;RPWPSC;;;SY)(A;;RPWPSC;;;BA)"
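Review bot: The new FspDebugLogSD call in SvcInstanceCreate hands the binary SecurityDescriptor to a `%s` conversion, so it is only correct if FspDebugLogSD itself renders the descriptor to SDDL text before formatting; the helper is not part of this diff, so that contract is worth confirming, and a one-line comment above the call would record it for the next reader: `/* FspDebugLogSD renders the descriptor as SDDL; logged before the access check so SERVICE_START denials can be matched to the effective policy */`. The SvcStart hunk below uses the same pattern on the pipe descriptor (apparently the one built from PIPE_SDDL), so the same comment applies there. `__FUNCTION__ ": SDDL = %s"` concatenates the predefined name with a literal, which MSVC accepts as an extension but standard C does not; acceptable for this Windows-only source if the rest of the file already relies on it. Separately, the launcher.h hunk changes the documented SERVICE_QUERY_STATUS right from SC to LC, yet the unchanged SVC_INSTANCE_DEFAULT_SDDL context line still spells `RPWPSC`, so the default descriptor and its comment now disagree unless that is intentional; the SDDL this new call logs is exactly what would show how that string is actually parsed. SvcInstanceCreate's body begins and ends outside the hunk.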