lib/stream-windows.c: Grant Access Privilege of Named Pipe to Creator

Current implementation of ovs on windows only allows LocalSystem and
Administrators to access the named pipe created with API of ovs.
Thus any service that needs to invoke the API to create named pipe
has to run as System account to interactive with ovs. It causes the
system more vulnerable if one of those services was break into.
The patch adds the creator owner account to allowed ACLs.

Signed-off-by: Ning Wu <nwu@vmware.com>
Acked-by: Alin Gabriel Serdean <aserdean@ovn.org>
Acked-by: Anand Kumar <kumaranand@vmware.com>
Signed-off-by: Alin Gabriel Serdean <aserdean@ovn.org>

diff --git a/Documentation/ref/ovsdb.7.rst b/Documentation/ref/ovsdb.7.rst
index b1f3f5d494c321c46a58b19bfca034aabdc1f06b..da4dbedd22c15d13b1b26910914c4f714234de51 100644 (file)
--- a/Documentation/ref/ovsdb.7.rst
+++ b/Documentation/ref/ovsdb.7.rst
@@ -422,7 +422,8 @@ punix:<file>
     named <file>.
 
     On Windows, listens on a local named pipe, creating a named pipe
-    <file> to mimic the behavior of a Unix domain socket.
+    <file> to mimic the behavior of a Unix domain socket. The ACLs of the named
+    pipe include LocalSystem, Administrators, and Creator Owner.
 
 All IP-based connection methods accept IPv4 and IPv6 addresses.  To specify an
 IPv6 address, wrap it in square brackets, e.g.  ``ssl:[::1]:6640``.  Passive

diff --git a/lib/stream-windows.c b/lib/stream-windows.c
index 34bc610b6f499b8e4ab6dc1df260e0628d389f5e..5c4c55e5d4aa1f7a8699d8906d69b78b6225529f 100644 (file)
--- a/lib/stream-windows.c
+++ b/lib/stream-windows.c
@@ -41,7 +41,7 @@ static void maybe_unlink_and_free(char *path);
 #define LOCAL_PREFIX "\\\\.\\pipe\\"
 
 /* Size of the allowed PSIDs for securing Named Pipe. */
-#define ALLOWED_PSIDS_SIZE 2
+#define ALLOWED_PSIDS_SIZE 3
 
 /* This function has the purpose to remove all the slashes received in s. */
 static char *
@@ -412,6 +412,9 @@ create_pnpipe(char *name)
     PACL acl = NULL;
     PSECURITY_DESCRIPTOR psd = NULL;
     HANDLE npipe;
+    HANDLE hToken = NULL;
+    DWORD dwBufSize = 0;
+    PTOKEN_USER pTokenUsr = NULL;
 
     /* Disable access over network. */
     if (!AllocateAndInitializeSid(&sia, 1, SECURITY_NETWORK_RID,
@@ -438,6 +441,32 @@ create_pnpipe(char *name)
         goto handle_error;
     }
 
+    /* Open the access token of calling process */
+    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) {
+        VLOG_ERR_RL(&rl, "Error opening access token of calling process.");
+        goto handle_error;
+    }
+
+    /* get the buffer size buffer needed for SID */
+    GetTokenInformation(hToken, TokenUser, NULL, 0, &dwBufSize);
+
+    pTokenUsr = xmalloc(dwBufSize);
+    memset(pTokenUsr, 0, dwBufSize);
+
+    /* Retrieve the token information in a TOKEN_USER structure. */
+    if (!GetTokenInformation(hToken, TokenUser, pTokenUsr, dwBufSize,
+        &dwBufSize)) {
+        VLOG_ERR_RL(&rl, "Error retrieving token information.");
+        goto handle_error;
+    }
+    CloseHandle(hToken);
+
+    if (!IsValidSid(pTokenUsr->User.Sid)) {
+        VLOG_ERR_RL(&rl, "Invalid SID.");
+        goto handle_error;
+    }
+    allowedPsid[2] = pTokenUsr->User.Sid;
+
     for (int i = 0; i < ALLOWED_PSIDS_SIZE; i++) {
         aclSize += sizeof(ACCESS_ALLOWED_ACE) +
                    GetLengthSid(allowedPsid[i]) -
@@ -490,11 +519,13 @@ create_pnpipe(char *name)
     npipe = CreateNamedPipe(name, PIPE_ACCESS_DUPLEX | FILE_FLAG_OVERLAPPED,
                             PIPE_TYPE_MESSAGE | PIPE_READMODE_BYTE | PIPE_WAIT,
                             64, BUFSIZE, BUFSIZE, 0, &sa);
+    free(pTokenUsr);
     free(acl);
     free(psd);
     return npipe;
 
 handle_error:
+    free(pTokenUsr);
     free(acl);
     free(psd);
     return INVALID_HANDLE_VALUE;