[英]Change Named Pipe Access Permissions
I have created a named pipe using System.IO.Pipes
. 我已经使用
System.IO.Pipes
创建了一个命名管道。 It worked fine until I had to run the program in admin mode. 在我不得不以管理员模式运行该程序之前,它运行良好。 When elevated, the client can no longer connect (client is not running elevated).
提升后,客户端将无法连接(客户端未在提升状态下运行)。 If I run the client as administrator, it connects fine so it looks like a permissions issue.
如果我以管理员身份运行客户端,则连接正常,因此看起来像是权限问题。 I've been researching how to fix this and have been unsuccessful (I find dealing with Windows security mind boggling).
我一直在研究如何解决此问题,但一直没有成功(我发现处理Windows安全性令人感到困惑)。 My goal is to allow any client - whether elevated or not - to be able to connect to the pipe.
我的目标是允许任何客户端(无论是否提升)都可以连接到管道。
The first thing I changed was opening the pipe with access rights: 我更改的第一件事是使用访问权限打开管道:
pipeServer = new NamedPipeServerStream(pipeName,
PipeDirection.InOut,
1,
PipeTransmissionMode.Message,
PipeOptions.Asynchronous,
0x4000,
0x400,
null,
HandleInheritability.Inheritable,
PipeAccessRights.ChangePermissions | PipeAccessRights.AccessSystemSecurity);
Then I cobbled this code together. 然后我将这段代码拼凑在一起。 Everything works until the
SetEntriesInAcl
call which fails with: 一切正常,直到
SetEntriesInAcl
调用失败为止:
Error: 0x534
错误:0x534
"No mapping between account names and security IDs was done."“在帐户名和安全性ID之间未完成映射。”
IntPtr ownerSid = IntPtr.Zero;
IntPtr groupSid = IntPtr.Zero;
IntPtr dacl = IntPtr.Zero, newDacl = IntPtr.Zero;
IntPtr sacl = IntPtr.Zero;
IntPtr securityDescriptor = IntPtr.Zero;
if (SUCCEEDED(GetSecurityInfo(pipeServer.SafePipeHandle.handle.DangerousGetHandle(),
SE_OBJECT_TYPE.SE_KERNEL_OBJECT,
SECURITY_INFORMATION.DACL_SECURITY_INFORMATION,
out ownerSid,
out groupSid,
out dacl,
out sacl,
out securityDescriptor))) {
EXPLICIT_ACCESS ea = new EXPLICIT_ACCESS();
BuildExplicitAccessWithName(ref ea, "Everyone", GENERIC_ALL, ACCESS_MODE.GRANT_ACCESS, NO_INHERITANCE);
// Next line fails
if (SUCCEEDED(SetEntriesInAcl(1, ref ea, dacl, out newDacl))) {
uint retval = SetSecurityInfo(handle,
SE_OBJECT_TYPE.SE_KERNEL_OBJECT,
SECURITY_INFORMATION.DACL_SECURITY_INFORMATION,
IntPtr.Zero,
IntPtr.Zero,
newDacl,
IntPtr.Zero);
// Haven't reached this point yet
}
}
The BuildExplicitAccessWithName
function does not return a value but seems to succeed ok. BuildExplicitAccessWithName
函数不返回值,但似乎可以成功。 This is what it looks like after the call: 通话后的样子如下:
I would appreciate any help here. 在这里,我将不胜感激。
(All the Win32 functions and data types were found on pinvoke.net. Also, I'm using Windows 10.) (所有Win32函数和数据类型都在pinvoke.net上找到。此外,我使用的是Windows10。)
I ended up not having to use any native calls. 我最终不必使用任何本地电话。 The
PipeSecurity
class worked. PipeSecurity
类起作用。 The trick was I had to pass it to the constructor: 诀窍是我必须将其传递给构造函数:
// Creates a PipeSecurity that allows users read/write access
PipeSecurity CreateSystemIOPipeSecurity()
{
PipeSecurity pipeSecurity = new PipeSecurity();
var id = new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null);
// Allow Everyone read and write access to the pipe.
pipeSecurity.SetAccessRule(new PipeAccessRule(id, PipeAccessRights.ReadWrite, AccessControlType.Allow));
return pipeSecurity;
}
Use that function when creating the pipe: 创建管道时使用该函数:
PipeSecurity pipeSecurity = CreateSystemIOPipeSecurity();
pipeServer = new NamedPipeServerStream(pipeName,
PipeDirection.InOut,
1,
PipeTransmissionMode.Message,
PipeOptions.Asynchronous,
0x4000,
0x400,
pipeSecurity,
HandleInheritability.Inheritable);
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.