Improve company productivity with a Business Account.Sign Up

x
?
Solved

Named Pipe Security for Domain Users only...

Posted on 2004-04-29
5
Medium Priority
?
1,007 Views
Last Modified: 2008-02-01
I am creating a named pipe that I want to allow only domain users to access.  I have posted the code below that I am using.  When I run the application there are no exceptions, everything appears to run normally.  However, when I try to create a client for the named pipe, I always get and ERROR_ACCESS_DENIED Win32 error code.  If I create the security descriptor with a NULL ACL the application works properly.

Hopefully someone can help.

SID_IDENTIFIER_AUTHORITY      SIDDomainAuth = SECURITY_NT_AUTHORITY;            // The domain users authority
int            nSize;                                                // The size of the ACL

// Allocate memory for the security descriptor
m_pSD = (PSECURITY_DESCRIPTOR)LocalAlloc(LPTR,SECURITY_DESCRIPTOR_MIN_LENGTH);

// Check for allocation failure
if (m_pSD == NULL)
      ThrowPipeException("Failed to allocate memory for the security descriptor.",false);

// Initialize the security descriptor
if (!InitializeSecurityDescriptor(m_pSD, SECURITY_DESCRIPTOR_REVISION))
      ThrowPipeException("Failed to initialize the security descriptor.");

//      m_pACL = NULL;

// Allocate memory for the ACL
m_pACL = (PACL)LocalAlloc(LPTR,sizeof(ACL));

// Allocate and initialize a domain SID
if (!AllocateAndInitializeSid(&SIDDomainAuth,1,DOMAIN_GROUP_RID_USERS,0,0,0,0,0,0,0,&m_pSIDDomain))
      ThrowPipeException("Failed to allocate a domain user SID.");

// Calculate the size of the ACL
nSize = sizeof(ACL);
nSize += (sizeof(ACCESS_ALLOWED_ACE) - sizeof (DWORD) + GetLengthSid(m_pSIDDomain));

// Initialize the ACL
if (!InitializeAcl(m_pACL,nSize,ACL_REVISION))
      ThrowPipeException("Failed to initialize the ACL.");

// Add the appropriate access for the domain users
if (!AddAccessAllowedAce(m_pACL,ACL_REVISION,FILE_ALL_ACCESS,m_pSIDDomain))
      ThrowPipeException("Failed to grant access to domain users.");

// Check to make sure the ACL is valid
if (!IsValidAcl(m_pACL))
      ThrowPipeException("Invalid ACL.");

// Set the security descriptor's SACL
if (!SetSecurityDescriptorDacl(m_pSD,TRUE,m_pACL,FALSE))
      ThrowPipeException("Failed to set the security descriptor DACL.");

// Check to make sure the security descriptor is valid
if (!IsValidSecurityDescriptor(m_pSD))
      ThrowPipeException("Invalid security descriptor.");

// Initialize the security attributes
m_SA.nLength = sizeof(m_SA);
m_SA.lpSecurityDescriptor = m_pSD;
m_SA.bInheritHandle = FALSE;
0
Comment
Question by:stu_pb
  • 2
3 Comments
 
LVL 86

Expert Comment

by:jkr
ID: 10952692
Shouldn't that be

// Allocate and initialize a domain SID
if (!AllocateAndInitializeSid(&SIDDomainAuth,2,SECURITY_BUILTIN_DOMAIN_RID,DOMAIN_GROUP_RID_USERS,0,0,0,0,0,0,&m_pSIDDomain))

?
0
 
LVL 3

Author Comment

by:stu_pb
ID: 10952803
I gave this a try and still no luck, is this method documented anywhere that I can look?
0
 
LVL 86

Accepted Solution

by:
jkr earned 1000 total points
ID: 10952918
Hm, I'd recommend http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/msdn_seccpp.asp ("Windows NT Security in Theory and Practice") and http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/msdn_secguts.asp ("The Guts of Security") in particular as starting points (both come with source code).
0

Featured Post

The 14th Annual Expert Award Winners

The results are in! Meet the top members of our 2017 Expert Awards. Congratulations to all who qualified!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Article by: SunnyDark
This article's goal is to present you with an easy to use XML wrapper for C++ and also present some interesting techniques that you might use with MS C++. The reason I built this class is to ease the pain of using XML files with C++, since there is…
This article will show you some of the more useful Standard Template Library (STL) algorithms through the use of working examples.  You will learn about how these algorithms fit into the STL architecture, how they work with STL containers, and why t…
The viewer will learn how to pass data into a function in C++. This is one step further in using functions. Instead of only printing text onto the console, the function will be able to perform calculations with argumentents given by the user.
The viewer will learn additional member functions of the vector class. Specifically, the capacity and swap member functions will be introduced.

580 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question