设置NULL DACL权限描述符解决ASP.NET通过FileMapping与其他进程..

来源：http://it.hywxfashion.cn/p/c/2008/05/15/c230bdbb-42d0-4c36-9bd6-bb8ee6606e87.shtml

最近做了一个采用filemapping进行进程间通信的程序，目的是希望通过这个程序实webservice和我写的其他服务之间通信，实现安全隔离以及一些状态的跟踪、保持和管理。做好后，先用两个普通的windows 进程测试了一下，在1.8g双核笔记本电脑上，每秒钟可以发送3万个1000字节大小的消息，效率基本达到我的要求（我没有把效率优化到极致，效率瓶颈和优化方法我基本知道，就是人懒，现在的方案已经可以达到系统要求，就暂时不想弄了，等以后有时间再优化吧）立即将客户端移植到asp.net中，结果打开 filemapping失败，立即意识到是权限问题。到网上搜了一遍，有网友说强制让asp.net扮演系统管理员权限来解决，觉得不妥，一听就觉得不是一个安全的解决方案。第二种是采用null dacl 权限描述符，赋予系统内核对象对任何用户都开放的完全的访问权限，这种方法比第一种好一些，不过攻击者依然可以用很低的权限录系统后对系统内核对象进行操作，破坏系统。第三种方法是只把服务自生和asp.net的权限描述符赋予系统内核对象，这种方法安全性最高。

网上代码大多是c++写的，我用c#先写了一个null dacl 的代码，用了一下，果然和预期的结果一样，webservice可以和服务进程通讯了。把这个代码给大家共享一下。第三种方法的代码以后再补充。

null dacl 的c#写法：

 

[structlayoutattribute(layoutkind.sequential)]
public struct security_descriptor
{
public byte revision;
public byte size;
public short control;
public intptr owner;
public intptr group;
public intptr sacl;
public intptr dacl;
}

[structlayout(layoutkind.sequential)]
public class securityattributes : idisposable
{
[dllimport("advapi32.dll", setlasterror = true)]
static extern bool setsecuritydescriptordacl(intptr sd, bool daclpresent,
intptr dacl, bool dacldefaulted);

[dllimport("advapi32.dll", setlasterror = true)]
static extern bool initializesecuritydescriptor(intptr psecuritydescriptor,
uint dwrevision);
private int nlength;

private intptr lpsecuritydescriptor;
private int binherithandle;
public securityattributes()
{
//get securityattributes size
nlength = marshal.sizeof(typeof(securityattributes));

//inherit handle
binherithandle = 1;
//create a null dacl 
security_descriptor sd = new security_descriptor();
//alloc memory for security descriptor
lpsecuritydescriptor = marshal.alloccotaskmem(marshal.sizeof(sd));
//struct to ptr
marshal.structuretoptr(sd, lpsecuritydescriptor, false);

initializesecuritydescriptor(lpsecuritydescriptor, 1);
setsecuritydescriptordacl(lpsecuritydescriptor, true, intptr.zero, false);
}
public void dispose()
{
lock (this)
{
if (lpsecuritydescriptor != intptr.zero)
{
marshal.freehglobal(lpsecuritydescriptor);
lpsecuritydescriptor = intptr.zero;
}
}
}
~securityattributes()
{
dispose();
}
}

和filemapping内核对象相关的api函数申明：

 

[dllimport("kernel32.dll", entrypoint = "createfilemapping", setlasterror = true, 
charset = charset.unicode)]
internal static extern intptr createfilemapping(uint hfile, securityattributes
lpattributes, uint flprotect, uint dwmaximumsizehigh, uint dwmaximumsizelow, string lpname);
[dllimport("kernel32.dll", entrypoint = "openfilemapping", setlasterror = true,
charset = charset.unicode)]
internal static extern intptr openfilemapping(uint dwdesiredaccess, bool binherithandle,
string lpname);
[dllimport("kernel32.dll", entrypoint = "mapviewoffile", setlasterror = true, charset = 
charset.unicode)]
internal static extern intptr mapviewoffile(intptr hfilemappingobject,
uint dwdesiredaccess, uint dwfileoffsethigh, uint dwfileoffsetlow, uint dwnumberofbytestomap);
 
[dllimport("kernel32.dll", entrypoint = "unmapviewoffile", setlasterror = 
true, charset = charset.unicode)]
[return: marshalas(unmanagedtype.variantbool)]
internal static extern bool unmapviewoffile(intptr lpbaseaddress);
[dllimport("kernel32.dll", entrypoint = "flushviewoffile", setlasterror = 
true, charset = charset.unicode)]
[return: marshalas(unmanagedtype.variantbool)]
internal static extern bool flushviewoffile(intptr lpbaseaddress, uint 
dwnumberofbytestoflush);