Setting a DACL to NULL in a SECURITY_DESCRIPTOR
ID: cpp/unsafe-dacl-security-descriptor
Kind: problem
Security severity: 7.8
Severity: error
Precision: high
Tags:
- security
- external/cwe/cwe-732
Query suites:
- cpp-code-scanning.qls
- cpp-security-extended.qls
- cpp-security-and-quality.qls
This query indicates that a call is setting the DACL field in a SECURITY_DESCRIPTOR to null.

When using SetSecurityDescriptorDacl to set a discretionary access control list (DACL), setting the bDaclPresent argument to TRUE indicates the presence of a DACL in the security descriptor, passed in the argument pDacl. When the pDacl parameter does not point to a DACL (i.e. it is NULL) and the bDaclPresent flag is TRUE, a NULL DACL is specified. A NULL DACL grants full access to any user who requests it; normal security checking is not performed with respect to the object.
Recommendation
You should not use a NULL DACL with an object, because any user can change the DACL and owner of the security descriptor.
Example
In the following example, the call to SetSecurityDescriptorDacl sets an unsafe DACL (a NULL DACL) on the security descriptor.
```cpp
#include <windows.h>

SECURITY_DESCRIPTOR pSD;
SECURITY_ATTRIBUTES SA;

if (!InitializeSecurityDescriptor(&pSD, SECURITY_DESCRIPTOR_REVISION))
{
    // error handling
}

if (!SetSecurityDescriptorDacl(&pSD,
                               TRUE,  // bDaclPresent - this value indicates the presence of a DACL in the security descriptor
                               NULL,  // pDacl - the pDacl parameter does not point to a DACL. All access will be allowed
                               FALSE))
{
    // error handling
}
```
To fix this issue, the pDacl argument should be a pointer to an ACL structure that specifies the DACL for the security descriptor.
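As an added illustration, not code from the original page or from the CodeQL repository, the following portable C++ model reproduces the access decision the page describes: a NULL DACL grants any requested right, including the right to rewrite the DACL itself, to any caller, while an explicit ACL is evaluated ACE by ACE and an empty ACL (present but with no ACEs) denies everything. The struct names, right masks and account SIDs are constructed for the model and are not the Win32 types or constants; only the well-known Everyone SID S-1-1-0, the ordering rules and the NULL-DACL outcome mirror Windows.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// Access-mask bits for this model; constructed, not the Win32 constants.
constexpr uint32_t RIGHT_READ      = 0x1;
constexpr uint32_t RIGHT_WRITE     = 0x2;
constexpr uint32_t RIGHT_WRITE_DAC = 0x4;  // right to rewrite the object's DACL
constexpr uint32_t RIGHT_ALL       = RIGHT_READ | RIGHT_WRITE | RIGHT_WRITE_DAC;

// S-1-1-0 is the real well-known SID for Everyone; account SIDs below are constructed.
const std::string EVERYONE_SID = "S-1-1-0";

enum class AceType { Allow, Deny };

struct Ace {
    AceType type;
    std::string sid;   // principal the ACE applies to
    uint32_t mask;     // rights granted or denied
};

// An ACL is an ordered list of ACEs; order matters in the check below.
struct Acl {
    std::vector<Ace> aces;
};

// Models the (bDaclPresent == TRUE, pDacl) pair: a null pointer is a NULL DACL.
struct SecurityDescriptor {
    const Acl* dacl;
};

// A token is the set of SIDs the caller holds (user SID plus group SIDs).
using Token = std::vector<std::string>;

static bool tokenHolds(const Token& token, const std::string& sid) {
    for (const std::string& s : token) {
        if (s == sid) return true;
    }
    return false;
}

// Simplified DACL walk in the spirit of the Windows access check:
//  * NULL DACL: grant whatever is asked, to anyone (the condition the query flags);
//  * otherwise scan ACEs in order: a deny ACE overlapping the rights not yet
//    granted fails the request, allow ACEs remove rights from the needed set;
//  * anything still needed after the scan means denial, so an empty DACL
//    (present but without ACEs) denies everything.
bool accessCheck(const SecurityDescriptor& sd, const Token& token, uint32_t desired) {
    if (sd.dacl == nullptr) {
        return true;
    }
    uint32_t remaining = desired;
    for (const Ace& ace : sd.dacl->aces) {
        if (!tokenHolds(token, ace.sid)) continue;
        if (ace.type == AceType::Deny) {
            if ((ace.mask & remaining) != 0) return false;
        } else {
            remaining &= ~ace.mask;
            if (remaining == 0) return true;
        }
    }
    return remaining == 0;
}

// The corrected shape of the page's example: an explicit DACL that grants
// full control to one owner SID and nothing to anyone else.
Acl ownerOnlyDacl(const std::string& ownerSid) {
    return Acl{{ Ace{AceType::Allow, ownerSid, RIGHT_ALL} }};
}

// Shows why the NULL DACL is unsafe: with it, an unrelated account obtains
// RIGHT_WRITE_DAC and can rewrite the object's protection; with the explicit
// DACL the same request is refused. Returns true when both outcomes hold.
bool nullDaclIsWeakerThanExplicitDacl() {
    const std::string owner    = "S-1-5-21-1000-2000-3000-1001";  // constructed
    const std::string stranger = "S-1-5-21-1000-2000-3000-1002";  // constructed
    const Token strangerToken  = {stranger, EVERYONE_SID};

    const SecurityDescriptor unsafeSd{nullptr};   // NULL DACL, as in the page's example
    const Acl safeAcl = ownerOnlyDacl(owner);
    const SecurityDescriptor safeSd{&safeAcl};    // explicit DACL, the recommended fix

    const bool strangerRewritesDaclWhenNull = accessCheck(unsafeSd, strangerToken, RIGHT_WRITE_DAC);
    const bool strangerBlockedWhenExplicit  = !accessCheck(safeSd, strangerToken, RIGHT_WRITE_DAC);
    return strangerRewritesDaclWhenNull && strangerBlockedWhenExplicit;
}
```

On Windows itself, the equivalent of ownerOnlyDacl is an ACL built with InitializeAcl and AddAccessAllowedAce (or SetEntriesInAcl) and then passed as pDacl to SetSecurityDescriptorDacl with bDaclPresent set to TRUE. The model also makes the distinction the Recommendation relies on visible: a NULL DACL is not an empty DACL; the former grants everything, the latter grants nothing.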