named <file>.
On Windows, listens on a local named pipe, creating a named pipe
- <file> to mimic the behavior of a Unix domain socket.
+ <file> to mimic the behavior of a Unix domain socket. The ACLs of the named
+ pipe include LocalSystem, Administrators, and Creator Owner.
All IP-based connection methods accept IPv4 and IPv6 addresses. To specify an
IPv6 address, wrap it in square brackets, e.g. ``ssl:[::1]:6640``. Passive
#define LOCAL_PREFIX "\\\\.\\pipe\\"
/* Size of the allowed PSIDs for securing Named Pipe. */
-#define ALLOWED_PSIDS_SIZE 2
+#define ALLOWED_PSIDS_SIZE 3
/* This function has the purpose to remove all the slashes received in s. */
static char *
PACL acl = NULL;
PSECURITY_DESCRIPTOR psd = NULL;
HANDLE npipe;
+ HANDLE hToken = NULL;
+ DWORD dwBufSize = 0;
+ PTOKEN_USER pTokenUsr = NULL;
/* Disable access over network. */
if (!AllocateAndInitializeSid(&sia, 1, SECURITY_NETWORK_RID,
goto handle_error;
}
+ /* Open the access token of calling process */
+ if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) {
+ VLOG_ERR_RL(&rl, "Error opening access token of calling process.");
+ goto handle_error;
+ }
+
+ /* get the buffer size buffer needed for SID */
+ GetTokenInformation(hToken, TokenUser, NULL, 0, &dwBufSize);
+
+ pTokenUsr = xmalloc(dwBufSize);
+ memset(pTokenUsr, 0, dwBufSize);
+
+ /* Retrieve the token information in a TOKEN_USER structure. */
+ if (!GetTokenInformation(hToken, TokenUser, pTokenUsr, dwBufSize,
+ &dwBufSize)) {
+ VLOG_ERR_RL(&rl, "Error retrieving token information.");
+ goto handle_error;
+ }
+ CloseHandle(hToken);
+
+ if (!IsValidSid(pTokenUsr->User.Sid)) {
+ VLOG_ERR_RL(&rl, "Invalid SID.");
+ goto handle_error;
+ }
+ allowedPsid[2] = pTokenUsr->User.Sid;
+
for (int i = 0; i < ALLOWED_PSIDS_SIZE; i++) {
aclSize += sizeof(ACCESS_ALLOWED_ACE) +
GetLengthSid(allowedPsid[i]) -
npipe = CreateNamedPipe(name, PIPE_ACCESS_DUPLEX | FILE_FLAG_OVERLAPPED,
PIPE_TYPE_MESSAGE | PIPE_READMODE_BYTE | PIPE_WAIT,
64, BUFSIZE, BUFSIZE, 0, &sa);
+ free(pTokenUsr);
free(acl);
free(psd);
return npipe;
handle_error:
+ free(pTokenUsr);
free(acl);
free(psd);
return INVALID_HANDLE_VALUE;