I am using a named pipe for communications between two processes and want to restrict access to any user on the local system in Windows.

I am building up an ACL for use in the SECURITY_ATTRIBUTES passed to CreateNamedPipe.

I am basing this code on that from Microsoft.

SID_IDENTIFIER_AUTHORITY siaLocal = SECURITY_LOCAL_SID_AUTHORITY;
if( !AllocateAndInitializeSid( &siaLocal, SECURITY_LOCAL_RID,
    0, 0, 0, 0, 0, 0, 0, 0,
    &pSidLocal ) )
{
    break;
}

I then use that sid with AddAccessAllowedAce.

All of this completes successfully and I can create the named pipe; however, when a client process then tries to connect using CreateFile, it fails with access denied.

How do I create an ACL with a SID that allows any user of the local machine to access it?

+3  A: 

You don't need an ACL for that. When calling CreateNamedPipe, one of the parameters takes flag values of PIPE_ACCEPT_REMOTE_CLIENTS (the default) or PIPE_REJECT_REMOTE_CLIENTS.

MSDN

Edit: This is a fairly new feature, so if you're developing for anything but new WS2008 servers it won't work. The same page has the alternate answer in this case, however: deny access to the pipe to the NETWORK ACE using AddAccessDeniedAce.

Tim Sylvester
Yes, that flag would be useful, but unfortunately this is for a service that needs to run on Windows 2000 and above.
JProgrammer
Too bad, it's always a pain to have to use the security API, in my experience.
Tim Sylvester
A: 

I am afraid this is a cross between RTFM and C's complete lack of strict typing.

The second parameter for AllocateAndInitializeSid is actually a count of the sub authorities, not the first sub authority.

So by changing the code to:

SID_IDENTIFIER_AUTHORITY siaLocal = SECURITY_LOCAL_SID_AUTHORITY;
if( !AllocateAndInitializeSid( &siaLocal, 1,
    SECURITY_LOCAL_RID,
    0, 0, 0, 0, 0, 0, 0, 
    &pSidLocal ) )
{
    break;
}

I get the desired results.

I have tested this with different accounts and they can connect. By changing the authority to SECURITY_NT_AUTHORITY and the sub authority to SECURITY_AUTHENTICATED_USER_RID, I was able to connect from another computer to test that this ACL will actually allow and disallow different users.

JProgrammer
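
Added example, not part of the original question or answers: a portable C model (no Windows headers) of the SIDs that the two AllocateAndInitializeSid calls above describe. `ModelSid`, `model_init_sid`, `sid_to_string` and `sid_equal` are hypothetical names; with SECURITY_LOCAL_RID (value 0) in the count position the SID carries no sub-authorities, so it is not the Local SID S-1-2-0 that the ACE was meant to name.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Portable model of a SID; constant values as defined in winnt.h. */
#define LOCAL_RID              0u   /* SECURITY_LOCAL_RID */
#define AUTHENTICATED_USER_RID 11u  /* SECURITY_AUTHENTICATED_USER_RID */
static const uint8_t LOCAL_AUTH[6] = {0, 0, 0, 0, 0, 2}; /* SECURITY_LOCAL_SID_AUTHORITY */
static const uint8_t NT_AUTH[6]    = {0, 0, 0, 0, 0, 5}; /* SECURITY_NT_AUTHORITY */
typedef struct { uint8_t revision, sub_count, authority[6]; uint32_t sub[8]; } ModelSid;

/* Hypothetical stand-in with AllocateAndInitializeSid's order: authority, COUNT, values. */
static ModelSid model_init_sid(const uint8_t auth[6], uint8_t count, uint32_t s0, uint32_t s1)
{
    ModelSid sid = { .revision = 1, .sub_count = count, .sub = { s0, s1 } };
    memcpy(sid.authority, auth, 6);
    return sid;
}

/* Render the SID in its string form: S-<revision>-<authority>[-<sub-authority>...]. */
static const char *sid_to_string(const ModelSid *sid, char *buf, size_t len)
{
    uint64_t auth = 0;
    for (int i = 0; i < 6; i++) auth = (auth << 8) | sid->authority[i];
    int n = snprintf(buf, len, "S-%u-%llu", (unsigned)sid->revision, (unsigned long long)auth);
    for (int i = 0; i < sid->sub_count && n > 0 && (size_t)n < len; i++)
        n += snprintf(buf + n, len - (size_t)n, "-%u", (unsigned)sid->sub[i]);
    return buf;
}

/* Two SIDs match only if revision, authority, count and every counted value agree. */
static int sid_equal(const ModelSid *a, const ModelSid *b)
{
    return a->revision == b->revision && a->sub_count == b->sub_count &&
           memcmp(a->authority, b->authority, 6) == 0 &&
           memcmp(a->sub, b->sub, a->sub_count * sizeof a->sub[0]) == 0;
}

int main(void)
{
    char a[32], b[32], c[32];
    ModelSid asked = model_init_sid(LOCAL_AUTH, LOCAL_RID, 0, 0); /* question: RID in the count slot */
    ModelSid fixed = model_init_sid(LOCAL_AUTH, 1, LOCAL_RID, 0); /* answer: count, then RID */
    ModelSid users = model_init_sid(NT_AUTH, 1, AUTHENTICATED_USER_RID, 0);
    printf("question %s, answer %s (equal: %d), authenticated users %s\n",
           sid_to_string(&asked, a, sizeof a), sid_to_string(&fixed, b, sizeof b),
           sid_equal(&asked, &fixed), sid_to_string(&users, c, sizeof c));
    return 0;
}
```

On Windows, ConvertSidToStringSid applied to the SID returned by AllocateAndInitializeSid gives the same kind of string, which makes this mistake visible before the ACL is built.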