SECURITY_ATTRIBUTES 实现最低权限总结



SetSecurityDescriptorDacl函数可以用来设置DACL中的信息。如果一个DACL已经在security descriptor中存在，那么此DACL将被替换。
值得注意的是MSDN中的Remarks中有这样的描述:
There is an important difference between an empty and a nonexistent DACL.
1.When a DACL is empty, it contains no access control entries (ACEs); therefore, no access rights are explicitly granted.As a result, access to the object is implicitly denied.

2.When an object has no DACL (when the pDacl parameter is NULL), no protection is assigned to the object, and all access requests are granted. To help maintain security, restrict access by using a DACL.

根据上面的描述，为了在多进程间实现最低权限访问安全对象，只需把参数三设置为NULL，其实相当于将object的安全级别降到了最低，
所有的访问请求都将成功。(要想使用第三、四两个参数，那么参数二需要设置为TRUE；如果参数二设置为FALSE，那么参数三、四被忽略).下面的代码将创建一个比everyone更开放(域用户和everyone都可以访问----everyone权限只包含本地所有用户，不包含域用户)的访问列表：

        SECURITY_ATTRIBUTES sa;
	SECURITY_DESCRIPTOR sd;
	InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION);
	SetSecurityDescriptorDacl(&sd, TRUE, NULL, FALSE);
	sa.nLength = sizeof(SECURITY_ATTRIBUTES);
	sa.bInheritHandle = TRUE;
	sa.lpSecurityDescriptor = &sd;
	utilStartedEvt = CreateEvent(&sa,FALSE,FALSE,L"Global\\utilStarted");
	drvInstalledEvt = CreateEvent(&sa,FALSE,FALSE,L"Global\\drvInstalled");