c++ - CreateSemaphoreEx Security Attribute vs Access Mask
The CreateSemaphoreEx API on the Windows platform has the following parameters:
LPSECURITY_ATTRIBUTES lpSemaphoreAttributes, and DWORD dwDesiredAccess
I understand that both serve to control access; however, I am not sure about the relationships and differences between them. For example, if I set dwDesiredAccess to SYNCHRONIZE, but create the security attribute with an empty DACL (i.e. no access at all), how do they work together? If you can share information on the purposes of these parameters and how they interact together, that would be great.
Thanks.

If the object already exists:
The lpSemaphoreAttributes.lpSecurityDescriptor parameter is ignored. The dwDesiredAccess parameter determines the access rights given to the new handle returned by the function. If these access rights are incompatible with the security permissions on the object, the call will fail with ERROR_ACCESS_DENIED.
If the object does not already exist:
The lpSemaphoreAttributes.lpSecurityDescriptor parameter determines the security permissions assigned to the newly created object. If a security descriptor is not provided, default permissions are used. The dwDesiredAccess parameter determines the access rights given to the new handle returned by the function. These rights are not restricted by the security permissions on the newly created object. Conceptually, the handle to the object is opened before the new permissions are applied.
So if you specify a DACL that is an empty ACL (thus implicitly denying access to everybody), the only way to access the object is via the handle that created the object, or a duplicate of that handle. It is not possible to open the object again, even from the same process, unless you first change the permissions to allow you to do so.
Note that other security rules still apply when creating an object. For example, you can't obtain the ACCESS_SYSTEM_SECURITY access right, even to a newly created object, unless you have the SE_SECURITY_NAME privilege.
It should be emphasized that when you access an object using an existing open handle, only the handle's access rights are checked, not the current security permissions on the object. If you obtained a particular access right when you opened the handle, it does not matter if the security permissions on the object have since been changed to deny you that right.
Conversely, if the handle was not opened with the access permission you need to perform a given operation, you cannot perform that operation using that handle, even if the security permissions on the object give you the right to do so.
That is why the dwDesiredAccess parameter is important; if you leave out a right that a particular operation needs, the operation will fail, but if you ask for too broad a set of rights, you might be denied access. Luckily, in most cases, the documentation is straightforward, though it takes a bit of attention to detail.
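
The rules in the answer above, as an added example that is not part of the original answer and is not Win32 code: a small portable C++ model in which the DACL is reduced to a single mask of rights allowed to the caller. Kernel, create_or_open, use and set_dacl are hypothetical names; only the two access-right values match the Windows SDK constants.

```cpp
// Simplified model of the rules in the answer above. NOT the Win32 API:
// Kernel, create_or_open, use and set_dacl are hypothetical names.
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

constexpr uint32_t SYNC   = 0x00100000;  // value of SYNCHRONIZE
constexpr uint32_t MODIFY = 0x00000002;  // value of SEMAPHORE_MODIFY_STATE
enum class Status { Ok, AccessDenied, InvalidHandle };

struct Kernel {
    std::map<std::string, uint32_t> dacl;  // name -> rights the DACL allows the caller (0 = empty DACL)
    std::vector<uint32_t> handles;         // handle index -> rights granted when it was opened

    // Models CreateSemaphoreEx; returns a handle index, or -1 for ERROR_ACCESS_DENIED.
    int create_or_open(const std::string& name, uint32_t sd_allowed, uint32_t desired) {
        auto it = dacl.find(name);
        if (it == dacl.end())
            dacl[name] = sd_allowed;       // new object: descriptor applied, new handle not checked against it
        else if (desired & ~it->second)
            return -1;                     // existing object: descriptor argument ignored, DACL enforced
        handles.push_back(desired);
        return static_cast<int>(handles.size()) - 1;
    }

    // An operation checks only the handle's granted rights, never the object's current DACL.
    Status use(int h, uint32_t needed) const {
        if (h < 0 || h >= static_cast<int>(handles.size())) return Status::InvalidHandle;
        return (handles[h] & needed) == needed ? Status::Ok : Status::AccessDenied;
    }

    void set_dacl(const std::string& name, uint32_t allowed) { dacl[name] = allowed; }
};

int main() {
    Kernel k;
    int creator = k.create_or_open("sem", 0, SYNC | MODIFY);  // empty DACL at creation
    int second = k.create_or_open("sem", SYNC, SYNC);         // reopen is refused
    std::printf("creator=%d second=%d release_ok=%d\n", creator, second,
                k.use(creator, MODIFY) == Status::Ok);
    return 0;
}
```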