[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

Named Pipe Security for Domain Users only...

Posted on 2004-04-29
5
Medium Priority
?
996 Views
Last Modified: 2008-02-01
I am creating a named pipe that I want to allow only domain users to access.  I have posted the code below that I am using.  When I run the application there are no exceptions, everything appears to run normally.  However, when I try to create a client for the named pipe, I always get and ERROR_ACCESS_DENIED Win32 error code.  If I create the security descriptor with a NULL ACL the application works properly.

Hopefully someone can help.

SID_IDENTIFIER_AUTHORITY      SIDDomainAuth = SECURITY_NT_AUTHORITY;            // The domain users authority
int            nSize;                                                // The size of the ACL

// Allocate memory for the security descriptor
m_pSD = (PSECURITY_DESCRIPTOR)LocalAlloc(LPTR,SECURITY_DESCRIPTOR_MIN_LENGTH);

// Check for allocation failure
if (m_pSD == NULL)
      ThrowPipeException("Failed to allocate memory for the security descriptor.",false);

// Initialize the security descriptor
if (!InitializeSecurityDescriptor(m_pSD, SECURITY_DESCRIPTOR_REVISION))
      ThrowPipeException("Failed to initialize the security descriptor.");

//      m_pACL = NULL;

// Allocate memory for the ACL
m_pACL = (PACL)LocalAlloc(LPTR,sizeof(ACL));

// Allocate and initialize a domain SID
if (!AllocateAndInitializeSid(&SIDDomainAuth,1,DOMAIN_GROUP_RID_USERS,0,0,0,0,0,0,0,&m_pSIDDomain))
      ThrowPipeException("Failed to allocate a domain user SID.");

// Calculate the size of the ACL
nSize = sizeof(ACL);
nSize += (sizeof(ACCESS_ALLOWED_ACE) - sizeof (DWORD) + GetLengthSid(m_pSIDDomain));

// Initialize the ACL
if (!InitializeAcl(m_pACL,nSize,ACL_REVISION))
      ThrowPipeException("Failed to initialize the ACL.");

// Add the appropriate access for the domain users
if (!AddAccessAllowedAce(m_pACL,ACL_REVISION,FILE_ALL_ACCESS,m_pSIDDomain))
      ThrowPipeException("Failed to grant access to domain users.");

// Check to make sure the ACL is valid
if (!IsValidAcl(m_pACL))
      ThrowPipeException("Invalid ACL.");

// Set the security descriptor's SACL
if (!SetSecurityDescriptorDacl(m_pSD,TRUE,m_pACL,FALSE))
      ThrowPipeException("Failed to set the security descriptor DACL.");

// Check to make sure the security descriptor is valid
if (!IsValidSecurityDescriptor(m_pSD))
      ThrowPipeException("Invalid security descriptor.");

// Initialize the security attributes
m_SA.nLength = sizeof(m_SA);
m_SA.lpSecurityDescriptor = m_pSD;
m_SA.bInheritHandle = FALSE;
0
Comment
Question by:stu_pb
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
5 Comments
 
LVL 86

Expert Comment

by:jkr
ID: 10952692
Shouldn't that be

// Allocate and initialize a domain SID
if (!AllocateAndInitializeSid(&SIDDomainAuth,2,SECURITY_BUILTIN_DOMAIN_RID,DOMAIN_GROUP_RID_USERS,0,0,0,0,0,0,&m_pSIDDomain))

?
0
 
LVL 3

Author Comment

by:stu_pb
ID: 10952803
I gave this a try and still no luck, is this method documented anywhere that I can look?
0
 
LVL 86

Accepted Solution

by:
jkr earned 1000 total points
ID: 10952918
Hm, I'd recommend http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/msdn_seccpp.asp ("Windows NT Security in Theory and Practice") and http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/msdn_secguts.asp ("The Guts of Security") in particular as starting points (both come with source code).
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In days of old, returning something by value from a function in C++ was necessarily avoided because it would, invariably, involve one or even two copies of the object being created and potentially costly calls to a copy-constructor and destructor. A…
Introduction This article is the first in a series of articles about the C/C++ Visual Studio Express debugger.  It provides a quick start guide in using the debugger. Part 2 focuses on additional topics in breakpoints.  Lastly, Part 3 focuses on th…
The goal of the video will be to teach the user the concept of local variables and scope. An example of a locally defined variable will be given as well as an explanation of what scope is in C++. The local variable and concept of scope will be relat…
The viewer will learn how to clear a vector as well as how to detect empty vectors in C++.

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question