The Pipe DACL
When a named pipe channel listener creates a new named pipe, it has to supply a discretionary ACL that describes who can connect to the pipe. Here is how that DACL is constructed:
1. An access control entry is added to deny GENERIC_ALL access to the well-known network SID (S-1-5-2). Every token produced by a remote (network) logon carries this SID, so this is the entry that keeps the pipe reachable only from the local machine rather than over SMB.
2. Access control entries are added to allow GENERIC_READ and GENERIC_WRITE access to a list of SIDs that is defined on the binding element. The default is to allow the well-known world SID (S-1-1-0), which means any local user can connect. Since this list is an internal setting, you will almost always be using the default.
3. An access control entry is added to allow GENERIC_READ and GENERIC_WRITE access to the well-known creator owner SID (S-1-3-0).
And that's how the DACL gets built.
A few other settings are also required to create the pipe, if you're interested in their values. The pipe is bidirectional (PIPE_ACCESS_DUPLEX), data is written to the pipe as messages (PIPE_TYPE_MESSAGE), data is read from the pipe as messages (PIPE_READMODE_MESSAGE), we use overlapped I/O (FILE_FLAG_OVERLAPPED), and if this is the first pipe instance created by the listener, FILE_FLAG_FIRST_PIPE_INSTANCE is set. That last flag makes CreateNamedPipe fail with ERROR_ACCESS_DENIED when an instance of that name already exists, so the listener finds out immediately if another process has already claimed the pipe name instead of quietly becoming a second server on it. Later instances are created without the flag, since the listener keeps creating more pipes for additional clients.
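Here is the whole procedure, the three DACL steps plus the creation flags, as an added example. This is not WCF's own code: it is C# for .NET Framework on Windows, builds the DACL with PipeSecurity and hands it to CreateNamedPipe through P/Invoke. The pipe name "PipeDaclDemo", the buffer sizes, and the two-instance sequence in Main are assumptions made for the demonstration.

```csharp
using System;
using System.ComponentModel;
using System.IO.Pipes;
using System.Runtime.InteropServices;
using System.Security.AccessControl;
using System.Security.Principal;

// Added example, not WCF's code: builds the three-step DACL from the post and
// passes it to CreateNamedPipe with the flags the post lists.
// Targets .NET Framework on Windows; the pipe name "PipeDaclDemo" is made up.
static class PipeDaclDemo
{
    // Open-mode and pipe-mode flags, as listed in the post.
    const uint PIPE_ACCESS_DUPLEX            = 0x00000003;
    const uint FILE_FLAG_OVERLAPPED          = 0x40000000;
    const uint FILE_FLAG_FIRST_PIPE_INSTANCE = 0x00080000;
    const uint PIPE_TYPE_MESSAGE             = 0x00000004;
    const uint PIPE_READMODE_MESSAGE         = 0x00000002;
    const uint PIPE_UNLIMITED_INSTANCES      = 255;
    const int  ERROR_ACCESS_DENIED           = 5;
    static readonly IntPtr INVALID_HANDLE_VALUE = new IntPtr(-1);

    [StructLayout(LayoutKind.Sequential)]
    struct SECURITY_ATTRIBUTES
    {
        public int nLength;
        public IntPtr lpSecurityDescriptor;
        public int bInheritHandle;
    }

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr CreateNamedPipe(string lpName, uint dwOpenMode, uint dwPipeMode,
        uint nMaxInstances, uint nOutBufferSize, uint nInBufferSize, uint nDefaultTimeOut,
        ref SECURITY_ATTRIBUTES lpSecurityAttributes);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    // Steps 1-3 from the post. PipeAccessRights expresses the rights as specific
    // access bits rather than the GENERIC_* bits the native code uses; the
    // resulting permissions are the same. .NET orders deny ACEs before allow ACEs.
    static PipeSecurity BuildPipeDacl(SecurityIdentifier[] allowedSids)
    {
        var dacl = new PipeSecurity();

        // 1. Deny everything to NETWORK (S-1-5-2): tokens from remote (SMB)
        //    logons carry this SID, so this keeps the pipe local-only.
        dacl.AddAccessRule(new PipeAccessRule(
            new SecurityIdentifier(WellKnownSidType.NetworkSid, null),
            PipeAccessRights.FullControl, AccessControlType.Deny));

        // 2. Allow read/write to each configured SID (the default is Everyone).
        foreach (SecurityIdentifier sid in allowedSids)
            dacl.AddAccessRule(new PipeAccessRule(sid, PipeAccessRights.ReadWrite, AccessControlType.Allow));

        // 3. Allow read/write to CREATOR OWNER (S-1-3-0).
        dacl.AddAccessRule(new PipeAccessRule(
            new SecurityIdentifier(WellKnownSidType.CreatorOwnerSid, null),
            PipeAccessRights.ReadWrite, AccessControlType.Allow));

        return dacl;
    }

    // Creates one instance of the pipe. For the first instance,
    // FILE_FLAG_FIRST_PIPE_INSTANCE turns an already-claimed name into an
    // immediate ERROR_ACCESS_DENIED instead of a silent second server.
    static IntPtr CreatePipeInstance(string pipeName, PipeSecurity dacl, bool firstInstance)
    {
        byte[] sd = dacl.GetSecurityDescriptorBinaryForm();
        GCHandle pinned = GCHandle.Alloc(sd, GCHandleType.Pinned);
        try
        {
            var sa = new SECURITY_ATTRIBUTES
            {
                nLength = Marshal.SizeOf(typeof(SECURITY_ATTRIBUTES)),
                lpSecurityDescriptor = pinned.AddrOfPinnedObject(),
                bInheritHandle = 0
            };
            uint openMode = PIPE_ACCESS_DUPLEX | FILE_FLAG_OVERLAPPED
                          | (firstInstance ? FILE_FLAG_FIRST_PIPE_INSTANCE : 0u);

            IntPtr handle = CreateNamedPipe(@"\\.\pipe\" + pipeName, openMode,
                PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE, PIPE_UNLIMITED_INSTANCES,
                64 * 1024, 64 * 1024, 0, ref sa);

            if (handle == INVALID_HANDLE_VALUE)
            {
                int err = Marshal.GetLastWin32Error();
                if (firstInstance && err == ERROR_ACCESS_DENIED)
                    throw new InvalidOperationException(
                        "Pipe name '" + pipeName + "' is already owned by another process (pipe squatting?).");
                throw new Win32Exception(err);
            }
            return handle;
        }
        finally
        {
            pinned.Free();
        }
    }

    static void Main()
    {
        var everyone = new SecurityIdentifier(WellKnownSidType.WorldSid, null);
        PipeSecurity dacl = BuildPipeDacl(new[] { everyone });

        // SDDL view of the DACL: a D (deny) ACE for NU, then A (allow) ACEs for WD and CO.
        Console.WriteLine(dacl.GetSecurityDescriptorSddlForm(AccessControlSections.Access));

        IntPtr first = CreatePipeInstance("PipeDaclDemo", dacl, firstInstance: true);
        IntPtr second = CreatePipeInstance("PipeDaclDemo", dacl, firstInstance: false);
        Console.WriteLine(@"Created two instances of \\.\pipe\PipeDaclDemo");
        CloseHandle(second);
        CloseHandle(first);
    }
}
```

Run it twice in separate processes and the second run fails at the first CreatePipeInstance call with the squatting error, which is the behaviour FILE_FLAG_FIRST_PIPE_INSTANCE buys the listener; the SDDL line printed first lets you confirm the deny ACE for NU (S-1-5-2) precedes the allow ACEs for WD (S-1-1-0) and CO (S-1-3-0).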
Next time: Writing Multiple Detail Elements in Faults
Comments
Anonymous
April 01, 2008
How do I use username credentials with IPSec? I'm told that I need to turn on security but my connection
Anonymous
July 11, 2008
The comment has been removed