Set default permissions when creating a new message queue (MSMQ) in C#

I am trying to programmatically create multiple Message Queues on a Windows 2003x64 / 2008R2 server. When a queue is created, Windows automatically applies the default permissions to the queue.

For MSMQ 4, the following users are added by default:

  • All
  • Queue creator
  • ANONYMOUS LOGIN

When I set the permissions for the queue using MessageQueue.SetPermissions(), the specified AccessControlList is only added to the default security permissions.

Can I delete or overwrite default permissions? In this MSDN article below, it states that

However, you cannot configure the default values because they are hard-coded.

I know that queue settings are saved in a file located in C:\Windows\System32\msmq\storage\lqs. This file has a Security property that represents the permissions for the queue. Is it possible to change this key? However, it seems strange to me.

I am looking for a suitable way to specify my own AccessControlList that overwrites the default security permissions for the queue. Either when it is created, or later.

Any help is appreciated.

Thanks.

+6
3 answers

If you cannot remove or revoke permissions for these groups by default, you can always try to deny them rights. The ban takes precedence over allow. This code works:

    MessageQueue queue = new MessageQueue(".\\Private$\\QueueName");
    queue.SetPermissions("Everyone", MessageQueueAccessRights.ReceiveMessage, AccessControlEntryType.Deny);

Revoking the permission (AccessControlEntryType.Revoke) should also work. There may be an error in your code. It works on my machine.

The article says:

However, you cannot configure the default values because they are hard-coded.

and this means that you cannot change what rights are specified when creating the queue, but you can change them later.

Edit: get "everyone" regardless of OS language: How to get an IdentityReference for "Everyone" create a MutexAccessRule for localized systems?

+12

I had the same problem with ACLs. When I switched to the SetPermissions() method, things got much better.

The code below works for me:

    queue.SetPermissions("Everyone", MessageQueueAccessRights.FullControl, AccessControlEntryType.Allow);
    queue.SetPermissions("ANONYMOUS LOGON", MessageQueueAccessRights.FullControl, AccessControlEntryType.Allow);

+6

Although Mike's answer is correct, he assumes that the server has English. If you use this code on a server that uses a different language (in this case, Dutch) ...

    queue.SetPermissions("Everyone", MessageQueueAccessRights.FullControl, AccessControlEntryType.Allow);

... you get the following exception:

    Kan de naam Everyone niet omzetten (fout = 1332).
    System.Messaging.AccessControlList.MakeAcl (IntPtr oldAcl)
    bij System.Messaging.MessageQueue.SetPermissions (AccessControlList dacl)
    bij System.Messaging.MessageQueue.SetPermissions (String User, MessageQueueAccessRights, AccessControlEntryType

which roughly translates to "Cannot convert the name Everyone." Instead, if you use this code, you will get a localized version of "Everyone":

    using System.Security.Principal;

    // ** code omitted **

    string everyone = new SecurityIdentifier(WellKnownSidType.WorldSid, null)
        .Translate(typeof(NTAccount)).Value;
    queue.SetPermissions(everyone, MessageQueueAccessRights.FullControl, AccessControlEntryType.Allow);

0
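
The techniques from the answers combined, as an added example that is not code from any of the posters: after the queue is created with its hard-coded defaults, grant one specific account the rights it needs and revoke the default entries, resolving the broad principals from well-known SIDs so the names match the OS language. The queue path, the service account name and the chosen set of rights are assumptions made for this example.

```csharp
using System;
using System.Messaging;            // .NET Framework, System.Messaging.dll
using System.Security.Principal;

static class QueueAclExample
{
    // Translate a well-known SID into the account name used by the local OS language.
    static string LocalizedName(WellKnownSidType sid)
    {
        return new SecurityIdentifier(sid, null).Translate(typeof(NTAccount)).Value;
    }

    static MessageQueue CreateRestrictedQueue(string path, string serviceAccount)
    {
        // MSMQ applies its default ACL at creation; it can only be changed afterwards.
        MessageQueue queue = MessageQueue.Exists(path)
            ? new MessageQueue(path)
            : MessageQueue.Create(path);

        // Grant the intended account before removing anything.
        queue.SetPermissions(
            serviceAccount,
            MessageQueueAccessRights.ReceiveMessage | MessageQueueAccessRights.PeekMessage |
            MessageQueueAccessRights.WriteMessage | MessageQueueAccessRights.GetQueueProperties,
            AccessControlEntryType.Allow);

        // Revoke the entries added by default for the broad principals.
        // The queue creator's entry is left alone so the ACL can still be managed.
        foreach (WellKnownSidType sid in new[] { WellKnownSidType.WorldSid, WellKnownSidType.AnonymousSid })
        {
            queue.SetPermissions(LocalizedName(sid),
                MessageQueueAccessRights.FullControl, AccessControlEntryType.Revoke);
        }
        return queue;
    }

    static void Main()
    {
        // Placeholder values for this example; replace with a real queue path and account.
        using (MessageQueue q = CreateRestrictedQueue(@".\Private$\ExampleQueue", @"EXAMPLE\svc-orders"))
        {
            Console.WriteLine("ACL updated on " + q.Path);
        }
    }
}
```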

Source: https://habr.com/ru/post/914782/

