Export (0) Print
Expand All
This topic has not yet been rated - Rate this topic

C6248

warning C6248: setting a SECURITY_DESCRIPTOR’s DACL to NULL will result in an unprotected object

This warning identifies a call that sets a SECURITY_DESCRIPTOR's DACL field to null. If the DACL that belongs to the security descriptor of an object is set to NULL, a null DACL is created. A null DACL grants full access to any user who requests it; normal security checking is not performed with respect to the object. A null DACL should not be confused with an empty DACL. An empty DACL is a properly allocated and initialized DACL that contains no ACEs. An empty DACL grants no access to the object it is assigned to.

Objects that have null DACLs can have their security descriptors altered by malicious users so that no one has access to the object.

Even if everyone needs access to an object, the object should be secured so that only administrators can alter its security. If only the creator needs access to an object, a DACL should not be set on the object; the system will choose an appropriate default.

The following code generates this warning because a null DACL is passed to the SetSecurityDescriptorDacl function:

#include <windows.h>

void f( PSECURITY_DESCRIPTOR pSecurityDescriptor )
{
  if (SetSecurityDescriptorDacl(pSecurityDescriptor,
                                TRUE,     // Dacl Present
                                NULL,     // NULL pointer to DACL    
                                FALSE))   // Defaulted

    {
      // Dacl is now applied to an object
    }
}

To see a complete example on how to create security descriptor, see Creating a Security Descriptor for a New Object in C++. For more information, see Creating a DACL.

Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft. All rights reserved.