Specifying an ACE string for the current user
I'm trying to set up the permissions on a named pipe the 'correct' way.
It seems that the easiest correct way to set access permissions is through an ACE string, like this:
    sa.nLength = sizeof(sa);
    sa.bInheritHandle = FALSE;
    if (ConvertStringSecurityDescriptorToSecurityDescriptor(aceStr,
                                                            SDDL_REVISION_1,
                                                            &(sa.lpSecurityDescriptor),
                                                            NULL))
    {
        pipe = CreateNamedPipe(..., &sa);
    }
I want the pipe owner to have full control, and everyone else to have read and write access only. I also want the pipe to have a low integrity level so that low integrity level clients can connect.
In the past I've always just used a NULL DACL because it is easy, but Microsoft clearly state this is not a good idea because it allows any client to take full ownership of the pipe.
I know the SACL part of the string needs to be
S:(ML;;NW;;;LW)
which gives the pipe an integrity level of low.
The DACL part needs to include
D:(A;;FRFW;;;WD)
which gives 'Everyone' read and write access. I need to append another ACE string onto the end of this to set full control for the owner. But I can't find a code that goes in the final position for Windows to replace it with the SID of the current process.
S:(ML;;NW;;;LW)D:(A;;FRFW;;;WD)(A;;FA;;;<current process?>)
I found some code that gets the SID of the current process, but it involves a succession of about 4 or 5 API calls. This ought to be a trivial task, so I'm certain that is not the right way to do what I want.
Finally, am I even remotely on the right track? Why is this so complicated?
Two supplementary questions: Must the security attributes structure passed to CreateNamedPipe() have the same lifetime as the pipe or can you delete it as soon as the call returns? Can you use the same structure for more than one pipe instance, or does CreateNamedPipe() modify it?
Comments (2)
Seems like CO (creator owner) is the closest match.

It seems my question was based on my confusion and misunderstanding.
The owner of a file always has permission to change the file's permissions.
So I do not need explicitly to set permissions for the owner. The ACE string I needed was:
(The reason I wanted to set permissions explicitly for the owner was that I thought if I didn't do this then the owner would effectively lose ownership.)
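
An added example, not part of the original thread: a small Python decoder for the subset of SDDL used in the question, run over the question's string with CO (from the first comment) placed in the open trustee slot, and checked against the two goals the question states. The token tables, function names and the weak counter-example string are constructed for illustration.

```python
import re

# Subset of SDDL tokens: only the ones that appear on this page.
ACE_TYPES = {"A": "ACCESS_ALLOWED", "ML": "MANDATORY_LABEL"}
RIGHTS = {"FA": "FILE_ALL_ACCESS", "FR": "FILE_GENERIC_READ",
          "FW": "FILE_GENERIC_WRITE", "NW": "NO_WRITE_UP"}
TRUSTEES = {"WD": "Everyone", "CO": "Creator Owner",
            "LW": "Low Mandatory Level"}

def _lookup(table, token, kind):
    if token not in table:
        raise ValueError(f"unsupported {kind} token: {token!r}")
    return table[token]

def parse_sddl(sddl):
    """Return [(section, ace_type, [rights], trustee), ...] for D: and S: ACEs."""
    aces = []
    for section, body in re.findall(r"([DS]):((?:\([^()]*\))+)", sddl):
        for ace in re.findall(r"\(([^()]*)\)", body):
            fields = ace.split(";")
            if len(fields) != 6:
                raise ValueError(f"expected 6 ';'-separated fields in ({ace})")
            ace_type, _flags, rights, _obj, _inherit_obj, sid = fields
            # Rights are concatenated two-letter codes, e.g. "FRFW".
            codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
            aces.append(("DACL" if section == "D" else "SACL",
                         _lookup(ACE_TYPES, ace_type, "ACE type"),
                         [_lookup(RIGHTS, c, "rights") for c in codes],
                         _lookup(TRUSTEES, sid, "trustee")))
    return aces

def audit(sddl):
    """Check a pipe descriptor against the goals stated in the question."""
    aces = parse_sddl(sddl)
    findings = []
    for section, _type, rights, trustee in aces:
        if section == "DACL" and trustee == "Everyone" and "FILE_ALL_ACCESS" in rights:
            findings.append("Everyone is granted FILE_ALL_ACCESS")
    if ("SACL", "MANDATORY_LABEL", ["NO_WRITE_UP"], "Low Mandatory Level") not in aces:
        findings.append("no low-integrity mandatory label")
    return findings

# The question's string, with CO from the first comment in the open slot.
PAGE_SDDL = "S:(ML;;NW;;;LW)D:(A;;FRFW;;;WD)(A;;FA;;;CO)"
# Constructed counter-example: full control for Everyone, no label.
WEAK_SDDL = "D:(A;;FA;;;WD)"

if __name__ == "__main__":
    for s in (PAGE_SDDL, WEAK_SDDL):
        print(s, parse_sddl(s), audit(s), sep="\n  ")
```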