Job Object Security and Access Rights
The Microsoft Windows security model enables you to control access to job objects. For more information about security, see Access-Control Model.
You can specify a security descriptor for a job object when you call the CreateJobObject function. If you specify NULL, the job object gets a default security descriptor. The ACLs in the default security descriptor for a job object come from the primary or impersonation token of the creator.
The valid access rights for job objects include the standard access rights and some job-specific access rights. The following table lists the standard access rights used by all objects.
|Value|Meaning|
|---|---|
|DELETE (0x00010000L)|Required to delete the object.|
|READ_CONTROL (0x00020000L)|Required to read information in the security descriptor for the object, not including the information in the SACL. To read or write the SACL, you must request the ACCESS_SYSTEM_SECURITY access right. For more information, see SACL Access Right.|
|SYNCHRONIZE (0x00100000L)|The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state.|
|WRITE_DAC (0x00040000L)|Required to modify the DACL in the security descriptor for the object.|
|WRITE_OWNER (0x00080000L)|Required to change the owner in the security descriptor for the object.|
The following table lists the job-specific access rights.
|Value|Meaning|
|---|---|
|JOB_OBJECT_ALL_ACCESS (0x1F001F)|Combines all valid job object access rights.|
|JOB_OBJECT_ASSIGN_PROCESS (0x0001)|Required to call the AssignProcessToJobObject function to assign processes to the job object.|
|JOB_OBJECT_QUERY (0x0004)|Required to retrieve certain information about a job object, such as attributes and accounting information (see QueryInformationJobObject and IsProcessInJob).|
|JOB_OBJECT_SET_ATTRIBUTES (0x0002)|Required to call the SetInformationJobObject function to set the attributes of the job object.|
|JOB_OBJECT_SET_SECURITY_ATTRIBUTES (0x0010)|This flag is not supported. You must set security limitations individually for each process associated with a job object.|
|JOB_OBJECT_TERMINATE (0x0008)|Required to call the TerminateJobObject function to terminate all processes in the job object.|
The handle returned by CreateJobObject has JOB_OBJECT_ALL_ACCESS access to the job object. When you call the OpenJobObject function, the system checks the requested access rights against the object's security descriptor. If a job object is in a hierarchy of nested jobs, a caller with access to the job object implicitly has access to all of its child jobs in the hierarchy.
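The following is an added example, not code from the original page: a portable C audit of an access mask granted on a job object (for instance the mask on a handle or in a DACL entry), checked against the rights in the two tables above. The function names and the `sensitive` labelling are assumptions of this example; the right values are the ones listed on this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Values from this page's tables; "sensitive" is this example's own labelling. */
static const struct { uint32_t bit; const char *name; int sensitive; } RIGHTS[] = {
    {0x00010000u, "DELETE", 1},
    {0x00020000u, "READ_CONTROL", 0},
    {0x00040000u, "WRITE_DAC", 1},
    {0x00080000u, "WRITE_OWNER", 1},
    {0x00100000u, "SYNCHRONIZE", 0},
    {0x0001u, "JOB_OBJECT_ASSIGN_PROCESS", 1},
    {0x0002u, "JOB_OBJECT_SET_ATTRIBUTES", 1},
    {0x0004u, "JOB_OBJECT_QUERY", 0},
    {0x0008u, "JOB_OBJECT_TERMINATE", 1},
    {0x0010u, "JOB_OBJECT_SET_SECURITY_ATTRIBUTES", 0}, /* not supported */
};
#define N_RIGHTS (sizeof RIGHTS / sizeof RIGHTS[0])
/* Union of every listed right; this equals JOB_OBJECT_ALL_ACCESS (0x1F001F). */
uint32_t job_valid_mask(void) {
    uint32_t m = 0;
    for (size_t i = 0; i < N_RIGHTS; i++) m |= RIGHTS[i].bit;
    return m;
}
/* Listed rights that a handle or ACE grants beyond what the caller needs. */
uint32_t job_excess(uint32_t have, uint32_t need) { return have & job_valid_mask() & ~need; }
/* Bits found in neither table (generic rights are not mapped by this example). */
uint32_t job_unlisted(uint32_t mask) { return mask & ~job_valid_mask(); }
/* Write the names of sensitive rights in mask to out; return how many are set. */
int job_sensitive(uint32_t mask, char *out, size_t cap) {
    int n = 0;
    if (!out || cap == 0) return -1;
    out[0] = '\0';
    for (size_t i = 0; i < N_RIGHTS; i++) {
        if (!(mask & RIGHTS[i].bit) || !RIGHTS[i].sensitive) continue;
        if (strlen(out) + strlen(RIGHTS[i].name) + 2 <= cap) {
            if (out[0]) strcat(out, " ");
            strcat(out, RIGHTS[i].name);
        }
        n++;
    }
    return n;
}
int main(void) {
    char names[160];
    /* Constructed sample: an ALL_ACCESS handle held by code that only queries and waits. */
    uint32_t extra = job_excess(0x1F001Fu, 0x00100004u);
    int n = job_sensitive(extra, names, sizeof names);
    printf("excess=0x%06X sensitive(%d): %s\n", (unsigned)extra, n, names);
    return 0;
}
```

A component that only monitors a job needs JOB_OBJECT_QUERY and SYNCHRONIZE; requesting exactly those from OpenJobObject, rather than reusing the JOB_OBJECT_ALL_ACCESS handle from CreateJobObject, leaves none of the excess rights reported here.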
You must set security limitations individually for each process associated with a job object, rather than setting them for the job object itself. For information, see Process Security and Access Rights.
Windows Server 2003 and Windows XP: You can use the SetInformationJobObject function to set security limitations for the job object. This capability was removed in Windows Vista and Windows Server 2008.
Build date: 11/21/2012