Q: On the server I created a block of shared memory with CreateFileMapping and keep that exe running on the server all the time. Meanwhile other users access the server from a client with IE and submit the data to be queried through a web page written in C#; once the server has the page parameters it creates a COM object that accesses the shared memory of the first exe and returns the query result held in that shared memory to the client. The problem is that this COM object cannot open the exe's shared memory with OpenFileMapping; it reports "access denied". Yet if I build any project on the server and compile it into an exe, that program can access this shared memory!! Why does it not work from the web page? Does the COM object need some kind of permission setting? How do you reconcile permissions between the two processes? How do I use a DACL?
I wrote a Service with ATL. In this Service I created a block of shared memory (a memory mapping) and a Mutex. Then, from another ordinary program, I tried to access this shared memory and Mutex, but opening the Mutex with CreateMutex fails: GetLastError() returns 5, which means access denied!!
Likewise, when I call MapViewOfFile I get the same error!!!!!!
I already know the cause: when creating the shared memory and the Mutex I set SECURITY_ATTRIBUTES to NULL!!!
But I have no fix for it, so I hope you experts can help!
A: Check the privileges of the account the service runs as. Usually, for safety, the owner of a service process has very low privileges. To let the service process access the object, you need to specify a broader security descriptor when creating the shared memory, adding a new access control entry (ACE) for the owner of your ASP process. The default access control list (ACL) contains only the creator and the Administrators group.
The following code creates a security descriptor that every user can access. You can use this security descriptor when creating the shared memory (hMapFile, FileSize and MapName are the caller's own variables):

```cpp
CShareRestrictedSD ShareRestrictedSD;
hMapFile = CreateFileMapping(INVALID_HANDLE_VALUE,      // No backing file: pagefile-backed mapping.
                             ShareRestrictedSD.GetSA(), // Security attributes (was NULL = default security).
                             PAGE_READWRITE,            // Read/write permission.
                             0,                         // Max. object size (high DWORD).
                             FileSize,                  // Size of the mapping (low DWORD).
                             MapName);                  // Name of mapping object.
```

```cpp
#include <windows.h>
#include <stdio.h>

class CShareRestrictedSD
{
public:
    CShareRestrictedSD();
    virtual ~CShareRestrictedSD();
    SECURITY_ATTRIBUTES* GetSA();
protected:
    PVOID ptr;                  // DACL buffer returned by BuildRestrictedSD()
    SECURITY_ATTRIBUTES sa;
    SECURITY_DESCRIPTOR sd;     // absolute SD; its DACL pointer refers to ptr
};

// If this thing works, its author is jiangsheng;
// if it is no use at all, then I have no idea who wrote it.
PVOID BuildRestrictedSD(PSECURITY_DESCRIPTOR pSD)
{
    DWORD dwAclLength;
    PSID  psidEveryone = NULL;
    PACL  pDACL = NULL;
    BOOL  bResult = FALSE;
    SID_IDENTIFIER_AUTHORITY siaWorld = SECURITY_WORLD_SID_AUTHORITY;

    __try
    {
        // initialize the security descriptor
        if (!InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION))
        {
            printf("InitializeSecurityDescriptor() failed with error %d\n", GetLastError());
            __leave;
        }

        // obtain a SID for the Everyone (World) group, S-1-1-0
        if (!AllocateAndInitializeSid(&siaWorld, 1, SECURITY_WORLD_RID,
                                      0, 0, 0, 0, 0, 0, 0, &psidEveryone))
        {
            printf("AllocateAndInitializeSid() failed with error %d\n", GetLastError());
            __leave;
        }

        // NOTE:
        // Everyone covers every security principal, not only accounts the
        // system has authenticated. If access must be restricted to a
        // specific user or group, construct that SID instead, for example
        // with LookupAccountName() from a user or group name.

        // calculate the DACL length: the ACL header plus one ACE, whose
        // SidStart placeholder DWORD is replaced by the full SID
        dwAclLength = sizeof(ACL)
                    + sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD)
                    + GetLengthSid(psidEveryone);

        // allocate memory for the DACL
        pDACL = (PACL) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwAclLength);
        if (!pDACL)
        {
            printf("HeapAlloc() failed with error %d\n", GetLastError());
            __leave;
        }

        // initialize the DACL
        if (!InitializeAcl(pDACL, dwAclLength, ACL_REVISION))
        {
            printf("InitializeAcl() failed with error %d\n", GetLastError());
            __leave;
        }

        // add the Everyone ACE to the DACL with GENERIC_ALL access
        if (!AddAccessAllowedAce(pDACL, ACL_REVISION, GENERIC_ALL, psidEveryone))
        {
            printf("AddAccessAllowedAce() failed with error %d\n", GetLastError());
            __leave;
        }

        // set the DACL in the security descriptor (present, not defaulted)
        if (!SetSecurityDescriptorDacl(pSD, TRUE, pDACL, FALSE))
        {
            printf("SetSecurityDescriptorDacl() failed with error %d\n", GetLastError());
            __leave;
        }

        bResult = TRUE;
    }
    __finally
    {
        if (psidEveryone) FreeSid(psidEveryone);
    }

    if (bResult == FALSE)
    {
        if (pDACL) HeapFree(GetProcessHeap(), 0, pDACL);
        pDACL = NULL;
    }

    return (PVOID) pDACL;
}

// The following function frees memory allocated in the
// BuildRestrictedSD() function
VOID FreeRestrictedSD(PVOID ptr)
{
    if (ptr) HeapFree(GetProcessHeap(), 0, ptr);
}

CShareRestrictedSD::CShareRestrictedSD()
{
    ptr = NULL;
    sa.nLength = sizeof(sa);
    sa.lpSecurityDescriptor = &sd;
    sa.bInheritHandle = FALSE;

    // build a restricted security descriptor
    ptr = BuildRestrictedSD(&sd);
    if (!ptr)
    {
        printf("BuildRestrictedSD() failed\n");
    }
}

CShareRestrictedSD::~CShareRestrictedSD()
{
    if (ptr) FreeRestrictedSD(ptr);
}

// Returns NULL when the DACL could not be built; CreateFileMapping then
// falls back to default security, which is the original problem.
SECURITY_ATTRIBUTES* CShareRestrictedSD::GetSA()
{
    if (ptr) return &sa;
    return NULL;
}
```
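As an added example (not part of the answer above), the same CreateFileMapping call with a narrower DACL than Everyone/GENERIC_ALL: an SDDL string grants LocalSystem and Administrators full control and gives only the account the ASP/COM process runs under the rights it needs, and the COM side opens the mapping requesting exactly those rights. The web account SID, the Global\ mapping name and the read/write split are assumptions; the Win32 functions compile only on Windows, while BuildMappingSddl is portable.

```cpp
#include <string>
#ifdef _WIN32
#include <windows.h>
#include <sddl.h>
#pragma comment(lib, "advapi32.lib")
#endif

// SDDL for the mapping's DACL: LocalSystem (SY) and Administrators (BA) keep
// full control; the account the ASP/COM process runs under (a placeholder SID
// supplied by the caller) gets read only, or read+write when the web side must
// also write its queries into the mapping.
std::string BuildMappingSddl(const std::string& webAccountSid, bool webMayWrite) {
    const std::string webRights = webMayWrite ? "GRGW" : "GR";   // GENERIC_READ [| GENERIC_WRITE]
    return "D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;" + webRights + ";;;" + webAccountSid + ")";
}

#ifdef _WIN32
// Service side. The SDDL becomes a self-relative descriptor passed through
// SECURITY_ATTRIBUTES; the kernel copies it into the section object, so the
// buffer is released right after CreateFileMapping. The name carries the
// Global\ prefix so a service in session 0 and the web server see the same object.
HANDLE CreateSharedMapping(const char* globalName, DWORD bytes, const std::string& sddl) {
    PSECURITY_DESCRIPTOR sd = nullptr;
    if (!ConvertStringSecurityDescriptorToSecurityDescriptorA(sddl.c_str(), SDDL_REVISION_1, &sd, nullptr))
        return nullptr;                        // malformed SDDL or unknown SID
    SECURITY_ATTRIBUTES sa = { sizeof(sa), sd, FALSE };
    HANDLE h = CreateFileMappingA(INVALID_HANDLE_VALUE, &sa, PAGE_READWRITE, 0, bytes, globalName);
    LocalFree(sd);
    return h;                                  // nullptr: check GetLastError()
}

// Web/COM side. Request only the rights the DACL grants: opening with
// FILE_MAP_ALL_ACCESS against a read-only ACE fails with ERROR_ACCESS_DENIED (5)
// just like the NULL-security case described in the question.
void* OpenSharedView(const char* globalName, bool write, SIZE_T bytes) {
    const DWORD access = write ? (FILE_MAP_READ | FILE_MAP_WRITE) : FILE_MAP_READ;
    HANDLE h = OpenFileMappingA(access, FALSE, globalName);
    if (!h) return nullptr;
    void* view = MapViewOfFile(h, access, 0, 0, bytes);
    CloseHandle(h);                            // the view keeps the section alive
    return view;                               // release with UnmapViewOfFile
}
#endif
```

The service would call CreateSharedMapping("Global\\MyQueryMap", size, BuildMappingSddl("<web account SID>", true)) and the COM object OpenSharedView("Global\\MyQueryMap", true, size); a client opening read-only passes false to both.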