I'm trying to create a named pipe between two Windows processes. The server process runs under a normal account, in a UI session. The client process runs in an unknown security context, apparently rather restricted.
Initially I called
pipe = CreateNamedPipeA(MY_PIPE_NAME, PIPE_ACCESS_DUPLEX,
PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE, maxClients,
pipeChunkSize, pipeChunkSize, 0, nullptr);
I.e. leave pass no SECURITY_ATTRIBUTES
. Usually, this works - no security means no security. Apparently, this is no longer the case for named pips. The caller tried
CreateFileA(MY_PIPE_NAME, GENERIC_READ | GENERIC_WRITE, 0, 0, OPEN_EXISTING, 0, 0);
and got back a GetLastError=5
, access denied. Testing showed that this was due to a security failure; the exact same line would succeed if the client executable was run from a test environment in the same UI session as the server.
The logical solution would be to set the DACL to SECURITY_WORLD_SID_AUTHORITY, KEY_ALL_ACCESS
(S-1-1-0) in the SECURITY_ATTRIBUTES
used for CreateNamedPipeA
. This didn't fix the problem.
The only security downgrade left from "everybody can do everything" would be "no security whatsoever". What do I have to do in CreateNamedPipe
so that CreateFileA
never fails with an Access Denied?
Security is pretty irrelevant here. PIPE_TYPE_MESSAGE
and pipeChunkSize
already mean that the server is safe against buffer overflows by rogue clients.
When I want a pipe accessible by anyone (e.g. it's hosted in a service and I can't predict what account will need it), I add a NULL-DACL SD:
static SECURITY_ATTRIBUTES g_sa = {0};
g_sa.nLength = sizeof(g_sa);
g_hsa = GlobalAlloc (GHND,SECURITY_DESCRIPTOR_MIN_LENGTH);
g_sa.lpSecurityDescriptor = GlobalLock(g_hsa);
g_sa.bInheritHandle = TRUE;
if (InitializeSecurityDescriptor (g_sa.lpSecurityDescriptor, 1))
{
if (SetSecurityDescriptorDacl (g_sa.lpSecurityDescriptor, TRUE,NULL,FALSE))
{
DebugMessage ("security descriptor DACL set OK\n");
where &g_sa is added as the param for CreateNamedPipe. Granted, this is blowing-the-bloody-doors-off territory, but if you want anyone to be able to access it, you don't have a lot of choice.