Creating a DACL for a named pipe......

  • Question

  • User-1856513798 posted

    I have two named pipes each created in a separate Windows service, each of which executes under the same NETWORK_SERVICE account.

     At the client end, these named pipes are accessed from an ISAPI extension in IIS, and also in a PHP PECL extension, which runs under the FastCGI module for IIS.

    The whole scheme works fine at the moment, but I'm keen to ensure that nothing outside of the machine on which the services run has any access to these named pipes.

     At the moment I simply create the named pipes in the server service with "CreateNamedPipe", with LPSECURITY_ATTRIBUTES set to NULL. I connect them from the client using "CreateFile" also with LPSECURITY_ATTRIBUTES set to NULL. Clearly this is great for getting things up and running, but I am not clear about the scope of potential users that could read and write these server owned pipes.

     I'm assuming that by specifying a DACL for these global objects in the server, that I can restrict access to just the ISAPI extension, and the FastCGI module respectively. Clearly this leads me to wonder what security context these processes run under within the IIS environment.

     I have noticed that IIS provides a scheme where application pools can run under a specific user identity, but I am not sure if setting this parameter will affect either of the binaries that connect with the pipes from IIS, or if the defaults actually specify the security context that I am interested in.

     In a default configuration what would the security context be in the ISAPI and FastCGI modules?

    Also, does the application pool "identity" field specify this context?

     TIA,

    Clutz.

    Wednesday, February 4, 2009 1:55 AM

Answers

  • User511787461 posted

    Hopefully, you are not setting DACL to NULL - that means giving everyone access to do anything to your object - this is different than setting security-descriptor to NULL which means that your object gets default ACL based on the process object's default DACL.

    To learn more about app-pool sids and other aspects of app-pool isolation in IIS7, you can read this blog post.

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Thursday, February 5, 2009 2:23 PM
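
Added example, not part of the thread or of either poster's code: one way to replace the NULL `LPSECURITY_ATTRIBUTES` with an explicit DACL (neither the default DACL nor a NULL DACL) and to refuse remote clients with `PIPE_REJECT_REMOTE_CLIENTS`. The function names, the choice of trustees and the client SID are assumptions; the SID in `main` is a constructed placeholder, and the Win32 part compiles only on Windows.

```c
/* Added example, not code from the thread; names and trustees are assumptions. */
#include <stdio.h>
#include <string.h>

/* Build the SDDL for an explicit DACL: full access for SYSTEM (SY),
   Administrators (BA) and NETWORK SERVICE (NS, the account the services run
   as), read/write for one client SID. Any identity not listed gets nothing. */
int build_pipe_sddl(const char *client_sid, char *out, size_t cap)
{
    int n;
    /* Accept only a plain "S-1-..." string so the value cannot smuggle in
       extra ACEs such as ")(A;;GA;;;WD". */
    if (client_sid == NULL || strncmp(client_sid, "S-1-", 4) != 0) return -1;
    if (strspn(client_sid + 4, "0123456789-") != strlen(client_sid + 4)) return -1;
    n = snprintf(out, cap, "D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GA;;;NS)(A;;GRGW;;;%s)",
                 client_sid);
    return (n > 0 && (size_t)n < cap) ? 0 : -1;
}

#ifdef _WIN32
#include <windows.h>
#include <sddl.h>   /* link with advapi32 */

/* Create the pipe with the explicit DACL above instead of a NULL
   SECURITY_ATTRIBUTES, and refuse connections that arrive over the network. */
HANDLE create_local_pipe(const char *name, const char *client_sid)
{
    char sddl[256];
    SECURITY_ATTRIBUTES sa = { sizeof sa, NULL, FALSE };
    HANDLE h;
    if (build_pipe_sddl(client_sid, sddl, sizeof sddl) != 0) return INVALID_HANDLE_VALUE;
    if (!ConvertStringSecurityDescriptorToSecurityDescriptorA(
            sddl, SDDL_REVISION_1, &sa.lpSecurityDescriptor, NULL))
        return INVALID_HANDLE_VALUE;
    h = CreateNamedPipeA(name, PIPE_ACCESS_DUPLEX,
                         PIPE_TYPE_BYTE | PIPE_WAIT | PIPE_REJECT_REMOTE_CLIENTS,
                         PIPE_UNLIMITED_INSTANCES, 4096, 4096, 0, &sa);
    LocalFree(sa.lpSecurityDescriptor);  /* the pipe keeps its own copy */
    return h;
}
#endif

int main(void)
{
    char sddl[256];
    /* Constructed placeholder SID, not a real app-pool SID. */
    if (build_pipe_sddl("S-1-5-82-1-2-3-4-5", sddl, sizeof sddl) == 0) puts(sddl);
    return 0;
}
```

Pass the SID of the identity the client code actually runs as on the target machine; if the server account or the client identity changes, the DACL has to change with it.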

All replies

  • User511787461 posted

    Access is not granted to a particular dll, but to a particular identity or group - so, you need to think about what identity or group membership the ISAPI extension and fastcgi are running as - the NULL security-attributes would cause the object to get the default DACL based on the worker process's default DACL, which will give it LocalSystem (full), Administrators (full), IIS AppPool\AppPoolSid (full) access, which is probably the exact ACL you want. So, I would recommend just sticking with the NULL security descriptor.

    Wednesday, February 4, 2009 1:41 PM
  • User-1856513798 posted

     Hmm, that's interesting. 'Kinda what I thought in some respects, but perhaps not others.

     It might be worth re-reading my first post, because I have slightly changed it to read better, and perhaps convey more meaning.

    I fully expect to have to do a bit of trial and error on this, but it certainly helps to have a few clues so I at least have a chance at stabbing in roughly the right area to start with.

    (*) The "AppPool\AppPoolSid" ACE? Is that the one that changes depending on the "identity setting" for the Application pool, or does the identity setting augment it in a bigger ACL? Perhaps the ACL is completely different as a result of a different default DACL inherited from a different primary/impersonation token?

     I was a bit reluctant to leave the DACL to default, especially since it just worked. I mean I think I figured that, using NULL, must leave the thing wide open, because I didn't have to think about it!

     FWIW, I just did a test. Everything uses the default DACL. If I create a pipe server from an admin prompt, I can't connect it with an app at a user prompt. If I do it the other way around I get a connection. That gives me more confidence.

    I appreciate this is outside the bound of the IIS forum, but I suppose the default DACL for the NETWORK_SERVICE user would allow local admin and above, plus authenticated domain admins.

    If you know, I'd be interested to hear, but I'd still like to know about the point marked (*).

     

    Many thanks for the clues.

    Thursday, February 5, 2009 2:29 AM
  • User-903626278 posted

     Are you JEE #1 rank holder?

    Thursday, February 5, 2009 4:35 PM
  • User-1856513798 posted

     That link is "top banana".

    It answers not just the question I was asking, but many that I wasn't. Whilst I have coded the whole of my app up, the whole context in which my ISAPI runs has been something of a mystery. It's never been something I've been entirely comfortable with, and there seems to be precious little information on the subject out there. Perhaps I'm just not so good at finding it.

    Certainly if MS is thinking of doing any writing on IIS, this dark art would benefit from some illumination.

     Very many thanks for the link.

    :)


    ETA, (NULL Descriptor, Default DACL  - NOT NULL DACL - my verbal, not coding, slip!!)

    Friday, February 6, 2009 12:31 AM
  • User-1856513798 posted

     Are you JEE #1 rank holder?

    Not sure what this means TBH, but I suspect it's a mild insult.

    If so, the questions are simple for a reason! No such thing as a dumb question, in my book.

    Friday, February 6, 2009 12:44 AM
  • User-903626278 posted

    Sorry, please discard; was meant for Anil.

    Friday, February 6, 2009 8:20 AM