Change SACL on Named Pipe

I have C++ code that changes the SACL of a folder as expected. Things become strange when I want to change the SACL of an existing named pipe: the code executes successfully, but when I check it via Get-Acl -Path \\.\pipe\lsass -Audit | fl it returns error number 87, which is ERROR_INVALID_PARAMETER, and the SACL does not work. According to the MS Support Site, the error may be caused by an OVERLAPPED structure that is not set to zero, but that barely helps in setting the SACL.

Stack Overflow wants me to add some details, so I will write some filler here.

Maybe I messed up some of the rights I provide to SetSecurityInfo and it is specific to named pipes, or do I need to suspend it before changing the SACL?

#include <windows.h>
#include <aclapi.h>
#include <cstdio>

using namespace std;

// Poster's helper; its definition is not shown on the page and this signature is assumed.
// It enables SeSecurityPrivilege, which is required to open a handle with ACCESS_SYSTEM_SECURITY.
BOOL SetSecurityPrivilage(BOOL enable);

int main()
{
    SetSecurityPrivilage(TRUE); // Enable SeSecurityPrivilege

    //HANDLE hPipe = CreateFile(L"C:\\Users\\simp\\Desktop\\test", ACCESS_SYSTEM_SECURITY, 0, NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL); // Folder SACL testing
    HANDLE hPipe = CreateFile(L"\\\\.\\pipe\\lsass", ACCESS_SYSTEM_SECURITY, 0, NULL, OPEN_EXISTING, 0, NULL);
    if (hPipe != INVALID_HANDLE_VALUE)
    {
        PACL pOldSACL = NULL;
        // GetSecurityInfo requires the descriptor out-parameter when a SACL is requested.
        // pOldSACL points inside this buffer, so the buffer is what gets freed.
        PSECURITY_DESCRIPTOR pSD = NULL;

        // These APIs return the error code directly; GetLastError() is not set by them.
        DWORD rc = GetSecurityInfo(hPipe, SE_KERNEL_OBJECT, SACL_SECURITY_INFORMATION, NULL, NULL, NULL, &pOldSACL, &pSD);
        if (rc == ERROR_SUCCESS)
        {
            // SACL
            TRUSTEE trusteeSACL[1];
            trusteeSACL[0].TrusteeForm = TRUSTEE_IS_NAME;
            trusteeSACL[0].TrusteeType = TRUSTEE_IS_GROUP;
            trusteeSACL[0].ptstrName = (LPWCH)(L"Everyone");
            trusteeSACL[0].MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
            trusteeSACL[0].pMultipleTrustee = NULL;

            EXPLICIT_ACCESS explicit_access_listSACL[1];
            ZeroMemory(&explicit_access_listSACL[0], sizeof(EXPLICIT_ACCESS));

            explicit_access_listSACL[0].grfAccessMode = SET_AUDIT_SUCCESS;
            //explicit_access_listSACL[0].grfAccessMode = SET_AUDIT_FAILURE;
            // Access mask of the audit ACE: which requested rights produce an audit event.
            explicit_access_listSACL[0].grfAccessPermissions = ACCESS_SYSTEM_SECURITY;
            explicit_access_listSACL[0].grfInheritance = NO_INHERITANCE;
            explicit_access_listSACL[0].Trustee = trusteeSACL[0];

            PACL pNewSACL = NULL;

            rc = SetEntriesInAcl(1, explicit_access_listSACL, pOldSACL, &pNewSACL);
            if (rc == ERROR_SUCCESS)
            {
                rc = SetSecurityInfo(hPipe, SE_KERNEL_OBJECT, SACL_SECURITY_INFORMATION, NULL, NULL, NULL, pNewSACL);
                if (rc == ERROR_SUCCESS)
                {
                    printf("%s\n", "SACL SetSecurityInfo IS WORKS");
                }
                else
                {
                    // Error handling
                    printf("%s %lu\n", "SetSecurityInfo SACL", rc);
                }

                LocalFree(pNewSACL);
            }
            else
            {
                // Error handling
                printf("%s %lu\n", "SetEntriesInAcl", rc);
            }
            LocalFree(pSD);
        }
        else
        {
            // Error
            printf("%s %lu\n", "GetSecurityInfo SACL", rc);
        }
        CloseHandle(hPipe); // Close only a handle that was actually opened
    }
    else
    {
        // Error handling
        printf("%s %lu\n", "Incorrect handle", GetLastError());
    }
    return 0;
}

Actually, the code is doing its job. When you compile and run this, you will change the SACL of a pipe as well as of a file. My mistake was in this part:

explicit_access_listSACL[0].grfAccessPermissions = ACCESS_SYSTEM_SECURITY;

Which means that logs will be generated only when a user requests ACCESS_SYSTEM_SECURITY rights to the pipe, so change it to your needs. However, the reason behind the 87 error is still unknown.
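The effect of the audit ACE's access mask described in the answer, as an added example that is not part of the original post: a simplified, platform-independent model of how an audit ACE is matched against an open request. The names AuditAce, MapGeneric, WouldAudit, SaclFromQuestion and SaclForReadWrite are hypothetical, the trustee is assumed to match every caller (Everyone), and the read/write SACL is a constructed alternative.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Access-mask values as defined in winnt.h, repeated here so the model builds on any platform.
constexpr uint32_t kFileReadData         = 0x00000001;
constexpr uint32_t kFileWriteData        = 0x00000002;
constexpr uint32_t kFileGenericRead      = 0x00120089;
constexpr uint32_t kFileGenericWrite     = 0x00120116;
constexpr uint32_t kAccessSystemSecurity = 0x01000000;
constexpr uint32_t kGenericWrite         = 0x40000000;
constexpr uint32_t kGenericRead          = 0x80000000;

// Hypothetical stand-in for a SYSTEM_AUDIT_ACE whose trustee is Everyone.
struct AuditAce { bool onSuccess; bool onFailure; uint32_t mask; };

// Generic rights are expanded to file/pipe-specific rights before the SACL is examined.
uint32_t MapGeneric(uint32_t access) {
    if (access & kGenericRead)  access = (access & ~kGenericRead)  | kFileGenericRead;
    if (access & kGenericWrite) access = (access & ~kGenericWrite) | kFileGenericWrite;
    return access;
}

// An audit event results when an ACE covers the outcome (success or failure)
// and shares at least one bit with the mapped access mask.
bool WouldAudit(const std::vector<AuditAce>& sacl, uint32_t desired, bool granted) {
    const uint32_t access = MapGeneric(desired);
    for (const AuditAce& ace : sacl) {
        const bool outcomeMatches = granted ? ace.onSuccess : ace.onFailure;
        if (outcomeMatches && (ace.mask & access) != 0) return true;
    }
    return false;
}

// SACL as set in the question: SET_AUDIT_SUCCESS with mask ACCESS_SYSTEM_SECURITY.
std::vector<AuditAce> SaclFromQuestion() { return {{true, false, kAccessSystemSecurity}}; }
// Constructed alternative: audit successful opens that include read or write data access.
std::vector<AuditAce> SaclForReadWrite() { return {{true, false, kFileReadData | kFileWriteData}}; }

int main() {
    const uint32_t clientOpen = kGenericRead | kGenericWrite;  // typical pipe client open
    std::printf("question SACL, client open:   %d\n", WouldAudit(SaclFromQuestion(), clientOpen, true));
    std::printf("question SACL, SACL access:   %d\n", WouldAudit(SaclFromQuestion(), kAccessSystemSecurity, true));
    std::printf("read/write SACL, client open: %d\n", WouldAudit(SaclForReadWrite(), clientOpen, true));
    return 0;
}
```

With the mask from the question, an ordinary read/write open of the pipe produces no audit event; only an open that asks for ACCESS_SYSTEM_SECURITY does.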
