Solved

Named Pipe Security for Domain Users only...

Posted on 2004-04-29
5
985 Views
Last Modified: 2008-02-01
I am creating a named pipe that I want to allow only domain users to access.  I have posted the code below that I am using.  When I run the application there are no exceptions, everything appears to run normally.  However, when I try to create a client for the named pipe, I always get and ERROR_ACCESS_DENIED Win32 error code.  If I create the security descriptor with a NULL ACL the application works properly.

Hopefully someone can help.

SID_IDENTIFIER_AUTHORITY      SIDDomainAuth = SECURITY_NT_AUTHORITY;            // The domain users authority
int            nSize;                                                // The size of the ACL

// Allocate memory for the security descriptor
m_pSD = (PSECURITY_DESCRIPTOR)LocalAlloc(LPTR,SECURITY_DESCRIPTOR_MIN_LENGTH);

// Check for allocation failure
if (m_pSD == NULL)
      ThrowPipeException("Failed to allocate memory for the security descriptor.",false);

// Initialize the security descriptor
if (!InitializeSecurityDescriptor(m_pSD, SECURITY_DESCRIPTOR_REVISION))
      ThrowPipeException("Failed to initialize the security descriptor.");

//      m_pACL = NULL;

// Allocate memory for the ACL
m_pACL = (PACL)LocalAlloc(LPTR,sizeof(ACL));

// Allocate and initialize a domain SID
if (!AllocateAndInitializeSid(&SIDDomainAuth,1,DOMAIN_GROUP_RID_USERS,0,0,0,0,0,0,0,&m_pSIDDomain))
      ThrowPipeException("Failed to allocate a domain user SID.");

// Calculate the size of the ACL
nSize = sizeof(ACL);
nSize += (sizeof(ACCESS_ALLOWED_ACE) - sizeof (DWORD) + GetLengthSid(m_pSIDDomain));

// Initialize the ACL
if (!InitializeAcl(m_pACL,nSize,ACL_REVISION))
      ThrowPipeException("Failed to initialize the ACL.");

// Add the appropriate access for the domain users
if (!AddAccessAllowedAce(m_pACL,ACL_REVISION,FILE_ALL_ACCESS,m_pSIDDomain))
      ThrowPipeException("Failed to grant access to domain users.");

// Check to make sure the ACL is valid
if (!IsValidAcl(m_pACL))
      ThrowPipeException("Invalid ACL.");

// Set the security descriptor's SACL
if (!SetSecurityDescriptorDacl(m_pSD,TRUE,m_pACL,FALSE))
      ThrowPipeException("Failed to set the security descriptor DACL.");

// Check to make sure the security descriptor is valid
if (!IsValidSecurityDescriptor(m_pSD))
      ThrowPipeException("Invalid security descriptor.");

// Initialize the security attributes
m_SA.nLength = sizeof(m_SA);
m_SA.lpSecurityDescriptor = m_pSD;
m_SA.bInheritHandle = FALSE;
0
Comment
Question by:stu_pb
  • 2
5 Comments
 
LVL 86

Expert Comment

by:jkr
ID: 10952692
Shouldn't that be

// Allocate and initialize a domain SID
if (!AllocateAndInitializeSid(&SIDDomainAuth,2,SECURITY_BUILTIN_DOMAIN_RID,DOMAIN_GROUP_RID_USERS,0,0,0,0,0,0,&m_pSIDDomain))

?
0
 
LVL 3

Author Comment

by:stu_pb
ID: 10952803
I gave this a try and still no luck, is this method documented anywhere that I can look?
0
 
LVL 86

Accepted Solution

by:
jkr earned 250 total points
ID: 10952918
Hm, I'd recommend http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/msdn_seccpp.asp ("Windows NT Security in Theory and Practice") and http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/msdn_secguts.asp ("The Guts of Security") in particular as starting points (both come with source code).
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Written by John Humphreys C++ Threading and the POSIX Library This article will cover the basic information that you need to know in order to make use of the POSIX threading library available for C and C++ on UNIX and most Linux systems.   [s…
Basic understanding on "OO- Object Orientation" is needed for designing a logical solution to solve a problem. Basic OOAD is a prerequisite for a coder to ensure that they follow the basic design of OO. This would help developers to understand the b…
The viewer will learn additional member functions of the vector class. Specifically, the capacity and swap member functions will be introduced.
The viewer will learn how to clear a vector as well as how to detect empty vectors in C++.

679 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question