7

In Windows, is it possible for a program running under a limited user account to connect to a named pipe created by a program running under Administrator account or running as a Windows Service?

Or will I get access denied?

sashoalm

1 Answer

4

It depends on the security attributes used to create the pipe. The pipe creator has to use security attributes that are permissive enough to let the limited user gain access to the pipe.

David Heffernan
  • 1
    Does this mean setting the `LPSECURITY_ATTRIBUTES` in `CreateNamedPipe`? I have no idea what to put in them, though, I usually set that to `NULL`. I'll try to find out what to put in it. – sashoalm Jan 24 '13 at 11:23
  • No, you are going to need to specify the security attributes. You need to apply more permissive security than the default since you are wanting a less privileged user to be able to use the other end of the pipe. – David Heffernan Jan 24 '13 at 11:25
  • 1
    An empty SA structure is not the same as a null SA structure. Passing null defaults to block everything. – Deanna Jan 24 '13 at 12:45
  • 2
    In my app I use `ConvertStringSecurityDescriptorToSecurityDescriptor` and pass this string descriptor: `D:(A;OICI;GRGW;;;AU)`. That grants read/write access for authenticated users, `AU`. You'll obviously need to work out what's right for you. – David Heffernan Jan 24 '13 at 13:23
  • *"That grants read/write access for authenticated users, AU"* - What does authenticated users mean? Is it like a whitelist of user accounts I must specify? – sashoalm Jan 24 '13 at 14:10
  • That's what works for me. You need to decide which security principal you want to use. More about AU here: http://superuser.com/questions/96948/what-is-authenticated-users-group-in-windows-7 But we are veering away from the question that you asked. I think I answered that. – David Heffernan Jan 24 '13 at 14:14
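
Added example (not part of the original thread or any poster's code): a small Python decoder for the DACL part of an SDDL string, applied to the `D:(A;OICI;GRGW;;;AU)` descriptor quoted in the comments, so you can see who is granted what before passing the string to `ConvertStringSecurityDescriptorToSecurityDescriptor`. The token tables cover only a subset of SDDL, and the `BROAD` set of trustees flagged for review is an assumption of this example.

```python
import re

THREAD_SDDL = "D:(A;OICI;GRGW;;;AU)"  # descriptor string quoted in the thread

# Subset of SDDL tokens; not exhaustive.
ACE_TYPES = {"A": "allow", "D": "deny"}
ACE_FLAGS = {"OI": "object-inherit", "CI": "container-inherit",
             "IO": "inherit-only", "NP": "no-propagate", "ID": "inherited"}
RIGHTS = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ",
          "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE"}
TRUSTEES = {"AU": "Authenticated Users", "WD": "Everyone",
            "AN": "Anonymous Logon", "NU": "Network logon users",
            "IU": "Interactive logon users", "BU": "Builtin Users",
            "BA": "Builtin Administrators", "SY": "Local System"}
# Assumption of this example: allow-ACEs for these trustees deserve a review.
BROAD = {"WD", "AN", "AU", "NU", "BU"}


def _tokens(field, table):
    """Split a run of two-letter SDDL tokens and translate each one."""
    if field.lower().startswith("0x"):
        return [field]  # raw hex access mask, passed through unchanged
    if len(field) % 2:
        raise ValueError(f"odd-length token run: {field!r}")
    pairs = [field[i:i + 2] for i in range(0, len(field), 2)]
    unknown = [p for p in pairs if p not in table]
    if unknown:
        raise ValueError(f"tokens outside this example's table: {unknown}")
    return [table[p] for p in pairs]


def parse_dacl(sddl):
    """Decode the D: component of an SDDL string into one dict per ACE."""
    m = re.search(r"D:([A-Z]*)((?:\([^()]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL (D:) component")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(2)):
        parts = body.split(";")
        if len(parts) != 6:
            raise ValueError(f"ACE needs 6 fields: {body!r}")
        ace_type, flags, rights, _obj, _inherit_obj, sid = parts
        aces.append({
            "type": ACE_TYPES[ace_type],
            "flags": _tokens(flags, ACE_FLAGS),
            "rights": _tokens(rights, RIGHTS),
            "trustee": TRUSTEES.get(sid, sid),  # literal SIDs pass through
            "broad": ace_type == "A" and sid in BROAD,
        })
    return aces
```
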