涉及不受信任完整性级别的进程时,CreateNamedPipe 失败并返回 ERROR_ACCESS_DENIED
我正在使用命名管道实现进程间通信,当涉及到不受信任的完整性级别进程(例如chrome的一些子进程)时,CreateNamedPipe(https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createnamedpipea)失败并出现 ERROR_ACCESS_DENIED。我想知道安全描述符是否有问题?
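/*
 * Build a DACL with a single ACE granting FILE_ALL_ACCESS to the Everyone
 * (World) SID and attach it to pDescriptor.
 *
 * pDescriptor must already be initialised as an absolute security descriptor.
 * SetSecurityDescriptorDacl stores the ACL pointer rather than a copy, so on
 * success the ACL allocated here belongs to the descriptor and must outlive
 * it (release it with LocalFree once the descriptor is no longer used).
 *
 * Failures are only reported on stdout; the descriptor is then left without
 * the DACL built here.
 *
 * NOTE(review): FILE_ALL_ACCESS for Everyone also grants WRITE_DAC,
 * WRITE_OWNER, DELETE and FILE_CREATE_PIPE_INSTANCE, so any local client may
 * rewrite the pipe's security or create further server instances under the
 * same name. If clients only exchange messages, grant just the read/write
 * rights they need.
 */
static VOID BuildDACL(PSECURITY_DESCRIPTOR pDescriptor)
{
    PSID pSid = NULL;
    PACL pAcl = NULL;
    EXPLICIT_ACCESS ea;
    SID_IDENTIFIER_AUTHORITY sia = SECURITY_WORLD_SID_AUTHORITY;
    DWORD dwStatus;

    /* Without a valid SID the trustee below would point at garbage. */
    if (!AllocateAndInitializeSid(&sia, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0,
                                  &pSid))
    {
        _tprintf(_T("[*] Failed to allocate SID (%u)\n"), GetLastError());
        return;
    }

    ZeroMemory(&ea, sizeof(ea));
    ea.grfAccessPermissions = FILE_ALL_ACCESS;
    ea.grfAccessMode = SET_ACCESS;
    ea.grfInheritance = NO_INHERITANCE;
    ea.Trustee.TrusteeForm = TRUSTEE_IS_SID;
    ea.Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
    ea.Trustee.ptstrName = (LPTSTR)pSid;

    /*
     * SetEntriesInAcl returns its status code directly and does not set the
     * thread's last-error value, so report the return value itself.
     */
    dwStatus = SetEntriesInAcl(1, &ea, NULL, &pAcl);

    /* The new ACL carries its own copy of the SID. */
    FreeSid(pSid);

    if (dwStatus != ERROR_SUCCESS)
    {
        _tprintf(_T("[*] Failed to add ACE in DACL (%u)\n"), dwStatus);
        return;
    }

    if (!SetSecurityDescriptorDacl(pDescriptor, TRUE, pAcl, FALSE))
    {
        _tprintf(_T("[*] Failed to set DACL (%u)\n"), GetLastError());
        /* Not attached to the descriptor, so nobody else will free it. */
        LocalFree(pAcl);
    }
}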
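/*
 * Build a SACL holding one mandatory integrity label (Low integrity,
 * NO_WRITE_UP policy) and attach it to pDescriptor, so that clients running
 * at Low integrity are not blocked by mandatory integrity control when they
 * open the pipe for writing.
 *
 * On success the ACL allocated here belongs to the descriptor, which stores
 * the pointer; release it with LocalFree once the descriptor is no longer
 * used. Failures are only reported on stdout.
 *
 * NOTE(review): the label is Low, not Untrusted. A client at Untrusted
 * integrity is below Low and is still subject to NO_WRITE_UP;
 * SECURITY_MANDATORY_UNTRUSTED_RID is the label that admits such clients.
 * Lowering the label widens who can write to the pipe, so treat every
 * message received as untrusted input.
 * NOTE(review): if this code itself runs inside an Untrusted-integrity
 * process, it asks for a label above the caller's own level, which is
 * presumably refused -- confirm against the failing process.
 */
static VOID BuildSACL(PSECURITY_DESCRIPTOR pDescriptor)
{
    PSID pSid = NULL;
    PACL pAcl;
    SID_IDENTIFIER_AUTHORITY sia = SECURITY_MANDATORY_LABEL_AUTHORITY;
    /* Room for the ACL header, one label ACE and a SID with one sub-authority. */
    DWORD dwACLSize = sizeof(ACL) + sizeof(SYSTEM_MANDATORY_LABEL_ACE) +
                      GetSidLengthRequired(1);

    pAcl = (PACL)LocalAlloc(LPTR, dwACLSize);
    if (pAcl == NULL)
    {
        _tprintf(_T("[*] Failed to allocate SACL (%u)\n"), GetLastError());
        return;
    }

    if (!InitializeAcl(pAcl, dwACLSize, ACL_REVISION))
    {
        _tprintf(_T("[*] Failed to initialize SACL (%u)\n"), GetLastError());
        LocalFree(pAcl);
        return;
    }

    if (!AllocateAndInitializeSid(&sia, 1, SECURITY_MANDATORY_LOW_RID, 0, 0, 0, 0,
                                  0, 0, 0, &pSid))
    {
        _tprintf(_T("[*] Failed to allocate SID (%u)\n"), GetLastError());
        LocalFree(pAcl);
        return;
    }

    /* Test for non-zero rather than == TRUE: BOOL success is any non-zero value. */
    if (!AddMandatoryAce(pAcl, ACL_REVISION, 0, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP,
                         pSid))
    {
        _tprintf(_T("[*] Failed to add ACE in SACL (%u)\n"), GetLastError());
        LocalFree(pAcl);
    }
    else if (!SetSecurityDescriptorSacl(pDescriptor, TRUE, pAcl, FALSE))
    {
        _tprintf(_T("[*] Failed to set SACL (%u)\n"), GetLastError());
        /* Not attached to the descriptor, so nobody else will free it. */
        LocalFree(pAcl);
    }

    /* The ACE stores the SID inline, so the standalone SID is no longer needed. */
    FreeSid(pSid);
}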
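/*
 * Fill *pAttributes with a freshly allocated absolute security descriptor
 * whose DACL and SACL come from BuildDACL and BuildSACL.
 *
 * The descriptor is allocated with LocalAlloc and handed to the caller via
 * pAttributes->lpSecurityDescriptor; the caller releases it (and the ACLs it
 * points to) once the object has been created.
 *
 * If the descriptor cannot be allocated or initialised, lpSecurityDescriptor
 * is left NULL, which makes the created object fall back to its default
 * security descriptor instead of using a half-built one.
 *
 * NOTE(review): bInheritHandle = TRUE makes the resulting handle inheritable
 * by child processes started with handle inheritance enabled; confirm the
 * server really needs that, otherwise FALSE keeps the pipe handle private.
 */
static VOID InitSecurityAttributes(PSECURITY_ATTRIBUTES pAttributes)
{
    PSECURITY_DESCRIPTOR pDescriptor;

    pAttributes->nLength = sizeof(SECURITY_ATTRIBUTES);
    pAttributes->lpSecurityDescriptor = NULL;
    pAttributes->bInheritHandle = TRUE;

    pDescriptor = (PSECURITY_DESCRIPTOR)LocalAlloc(LPTR,
                                                   SECURITY_DESCRIPTOR_MIN_LENGTH);
    if (pDescriptor == NULL)
    {
        _tprintf(_T("[*] Failed to allocate security descriptor (%u)\n"),
                 GetLastError());
        return;
    }

    if (!InitializeSecurityDescriptor(pDescriptor, SECURITY_DESCRIPTOR_REVISION))
    {
        _tprintf(_T("[*] Failed to initialize security descriptor (%u)\n"),
                 GetLastError());
        LocalFree(pDescriptor);
        return;
    }

    BuildDACL(pDescriptor);
    BuildSACL(pDescriptor);

    pAttributes->lpSecurityDescriptor = pDescriptor;
}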
/*
 * Create the server end of the _MYIPC_NAME_ named pipe, using the security
 * attributes produced by InitSecurityAttributes.
 *
 * Returns 0 when CreateNamedPipe fails. The remainder of the body is elided
 * in this listing.
 */
DWORD initIpc()
{
SECURITY_ATTRIBUTES sa;
InitSecurityAttributes(&sa);
/*
 * PIPE_ACCESS_INBOUND | PIPE_ACCESS_OUTBOUND has the same value as
 * PIPE_ACCESS_DUPLEX. The pipe is blocking (PIPE_WAIT), limited to one
 * instance, uses sizeof(IPC_MESSAGE) for both buffers and a 60 s default
 * timeout.
 * NOTE(review): FILE_FLAG_FIRST_PIPE_INSTANCE is not set, so if a pipe with
 * this name already exists the call asks for another instance of that pipe
 * instead of failing because the name is taken; setting the flag lets the
 * server insist on owning the first instance.
 */
HANDLE pipe = CreateNamedPipe(_MYIPC_NAME_, PIPE_ACCESS_INBOUND | PIPE_ACCESS_OUTBOUND, PIPE_WAIT, 1, sizeof(IPC_MESSAGE), sizeof(IPC_MESSAGE), 60 * 1000, &sa);
if (pipe == INVALID_HANDLE_VALUE)
{
// Observed failure: GetLastError() is ERROR_ACCESS_DENIED in the untrusted-integrity process.
// NOTE(review): the error code is not read or returned here, and the descriptor and
// ACLs allocated through InitSecurityAttributes are not released on this path in the
// visible code.
return 0;
}
...
}
I am implementing inter-process communication with a named pipe. When it comes to untrusted-integrity-level processes (e.g. some child processes of Chrome), CreateNamedPipe (https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createnamedpipea) fails with ERROR_ACCESS_DENIED. I wonder if there is anything wrong with the security descriptor?
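/*
 * Build a DACL with a single ACE granting FILE_ALL_ACCESS to the Everyone
 * (World) SID and attach it to pDescriptor.
 *
 * pDescriptor must already be initialised as an absolute security descriptor.
 * SetSecurityDescriptorDacl stores the ACL pointer rather than a copy, so on
 * success the ACL allocated here belongs to the descriptor and must outlive
 * it (release it with LocalFree once the descriptor is no longer used).
 *
 * Failures are only reported on stdout; the descriptor is then left without
 * the DACL built here.
 *
 * NOTE(review): FILE_ALL_ACCESS for Everyone also grants WRITE_DAC,
 * WRITE_OWNER, DELETE and FILE_CREATE_PIPE_INSTANCE, so any local client may
 * rewrite the pipe's security or create further server instances under the
 * same name. If clients only exchange messages, grant just the read/write
 * rights they need.
 */
static VOID BuildDACL(PSECURITY_DESCRIPTOR pDescriptor)
{
    PSID pSid = NULL;
    PACL pAcl = NULL;
    EXPLICIT_ACCESS ea;
    SID_IDENTIFIER_AUTHORITY sia = SECURITY_WORLD_SID_AUTHORITY;
    DWORD dwStatus;

    /* Without a valid SID the trustee below would point at garbage. */
    if (!AllocateAndInitializeSid(&sia, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0,
                                  &pSid))
    {
        _tprintf(_T("[*] Failed to allocate SID (%u)\n"), GetLastError());
        return;
    }

    ZeroMemory(&ea, sizeof(ea));
    ea.grfAccessPermissions = FILE_ALL_ACCESS;
    ea.grfAccessMode = SET_ACCESS;
    ea.grfInheritance = NO_INHERITANCE;
    ea.Trustee.TrusteeForm = TRUSTEE_IS_SID;
    ea.Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
    ea.Trustee.ptstrName = (LPTSTR)pSid;

    /*
     * SetEntriesInAcl returns its status code directly and does not set the
     * thread's last-error value, so report the return value itself.
     */
    dwStatus = SetEntriesInAcl(1, &ea, NULL, &pAcl);

    /* The new ACL carries its own copy of the SID. */
    FreeSid(pSid);

    if (dwStatus != ERROR_SUCCESS)
    {
        _tprintf(_T("[*] Failed to add ACE in DACL (%u)\n"), dwStatus);
        return;
    }

    if (!SetSecurityDescriptorDacl(pDescriptor, TRUE, pAcl, FALSE))
    {
        _tprintf(_T("[*] Failed to set DACL (%u)\n"), GetLastError());
        /* Not attached to the descriptor, so nobody else will free it. */
        LocalFree(pAcl);
    }
}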
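/*
 * Build a SACL holding one mandatory integrity label (Low integrity,
 * NO_WRITE_UP policy) and attach it to pDescriptor, so that clients running
 * at Low integrity are not blocked by mandatory integrity control when they
 * open the pipe for writing.
 *
 * On success the ACL allocated here belongs to the descriptor, which stores
 * the pointer; release it with LocalFree once the descriptor is no longer
 * used. Failures are only reported on stdout.
 *
 * NOTE(review): the label is Low, not Untrusted. A client at Untrusted
 * integrity is below Low and is still subject to NO_WRITE_UP;
 * SECURITY_MANDATORY_UNTRUSTED_RID is the label that admits such clients.
 * Lowering the label widens who can write to the pipe, so treat every
 * message received as untrusted input.
 * NOTE(review): if this code itself runs inside an Untrusted-integrity
 * process, it asks for a label above the caller's own level, which is
 * presumably refused -- confirm against the failing process.
 */
static VOID BuildSACL(PSECURITY_DESCRIPTOR pDescriptor)
{
    PSID pSid = NULL;
    PACL pAcl;
    SID_IDENTIFIER_AUTHORITY sia = SECURITY_MANDATORY_LABEL_AUTHORITY;
    /* Room for the ACL header, one label ACE and a SID with one sub-authority. */
    DWORD dwACLSize = sizeof(ACL) + sizeof(SYSTEM_MANDATORY_LABEL_ACE) +
                      GetSidLengthRequired(1);

    pAcl = (PACL)LocalAlloc(LPTR, dwACLSize);
    if (pAcl == NULL)
    {
        _tprintf(_T("[*] Failed to allocate SACL (%u)\n"), GetLastError());
        return;
    }

    if (!InitializeAcl(pAcl, dwACLSize, ACL_REVISION))
    {
        _tprintf(_T("[*] Failed to initialize SACL (%u)\n"), GetLastError());
        LocalFree(pAcl);
        return;
    }

    if (!AllocateAndInitializeSid(&sia, 1, SECURITY_MANDATORY_LOW_RID, 0, 0, 0, 0,
                                  0, 0, 0, &pSid))
    {
        _tprintf(_T("[*] Failed to allocate SID (%u)\n"), GetLastError());
        LocalFree(pAcl);
        return;
    }

    /* Test for non-zero rather than == TRUE: BOOL success is any non-zero value. */
    if (!AddMandatoryAce(pAcl, ACL_REVISION, 0, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP,
                         pSid))
    {
        _tprintf(_T("[*] Failed to add ACE in SACL (%u)\n"), GetLastError());
        LocalFree(pAcl);
    }
    else if (!SetSecurityDescriptorSacl(pDescriptor, TRUE, pAcl, FALSE))
    {
        _tprintf(_T("[*] Failed to set SACL (%u)\n"), GetLastError());
        /* Not attached to the descriptor, so nobody else will free it. */
        LocalFree(pAcl);
    }

    /* The ACE stores the SID inline, so the standalone SID is no longer needed. */
    FreeSid(pSid);
}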
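/*
 * Fill *pAttributes with a freshly allocated absolute security descriptor
 * whose DACL and SACL come from BuildDACL and BuildSACL.
 *
 * The descriptor is allocated with LocalAlloc and handed to the caller via
 * pAttributes->lpSecurityDescriptor; the caller releases it (and the ACLs it
 * points to) once the object has been created.
 *
 * If the descriptor cannot be allocated or initialised, lpSecurityDescriptor
 * is left NULL, which makes the created object fall back to its default
 * security descriptor instead of using a half-built one.
 *
 * NOTE(review): bInheritHandle = TRUE makes the resulting handle inheritable
 * by child processes started with handle inheritance enabled; confirm the
 * server really needs that, otherwise FALSE keeps the pipe handle private.
 */
static VOID InitSecurityAttributes(PSECURITY_ATTRIBUTES pAttributes)
{
    PSECURITY_DESCRIPTOR pDescriptor;

    pAttributes->nLength = sizeof(SECURITY_ATTRIBUTES);
    pAttributes->lpSecurityDescriptor = NULL;
    pAttributes->bInheritHandle = TRUE;

    pDescriptor = (PSECURITY_DESCRIPTOR)LocalAlloc(LPTR,
                                                   SECURITY_DESCRIPTOR_MIN_LENGTH);
    if (pDescriptor == NULL)
    {
        _tprintf(_T("[*] Failed to allocate security descriptor (%u)\n"),
                 GetLastError());
        return;
    }

    if (!InitializeSecurityDescriptor(pDescriptor, SECURITY_DESCRIPTOR_REVISION))
    {
        _tprintf(_T("[*] Failed to initialize security descriptor (%u)\n"),
                 GetLastError());
        LocalFree(pDescriptor);
        return;
    }

    BuildDACL(pDescriptor);
    BuildSACL(pDescriptor);

    pAttributes->lpSecurityDescriptor = pDescriptor;
}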
/*
 * Create the server end of the _MYIPC_NAME_ named pipe, using the security
 * attributes produced by InitSecurityAttributes.
 *
 * Returns 0 when CreateNamedPipe fails. The remainder of the body is elided
 * in this listing.
 */
DWORD initIpc()
{
SECURITY_ATTRIBUTES sa;
InitSecurityAttributes(&sa);
/*
 * PIPE_ACCESS_INBOUND | PIPE_ACCESS_OUTBOUND has the same value as
 * PIPE_ACCESS_DUPLEX. The pipe is blocking (PIPE_WAIT), limited to one
 * instance, uses sizeof(IPC_MESSAGE) for both buffers and a 60 s default
 * timeout.
 * NOTE(review): FILE_FLAG_FIRST_PIPE_INSTANCE is not set, so if a pipe with
 * this name already exists the call asks for another instance of that pipe
 * instead of failing because the name is taken; setting the flag lets the
 * server insist on owning the first instance.
 */
HANDLE pipe = CreateNamedPipe(_MYIPC_NAME_, PIPE_ACCESS_INBOUND | PIPE_ACCESS_OUTBOUND, PIPE_WAIT, 1, sizeof(IPC_MESSAGE), sizeof(IPC_MESSAGE), 60 * 1000, &sa);
if (pipe == INVALID_HANDLE_VALUE)
{
// Observed failure: GetLastError() is ERROR_ACCESS_DENIED in the untrusted-integrity process.
// NOTE(review): the error code is not read or returned here, and the descriptor and
// ACLs allocated through InitSecurityAttributes are not released on this path in the
// visible code.
return 0;
}
...
}