The SECURITY_ATTRIBUTES struct and CreateNamedPipe()

Question

My scenario is the following: the process that creates the named pipe object with CreateNamedPipe() has administrator privileges, but the client process \"connectin

Answer 1

You can set the descriptor's DACL to NULL instead to allow anyone to access the pipe:

pSD = (PSECURITY_DESCRIPTOR) LocalAlloc(LPTR, SECURITY_DESCRIPTOR_MIN_LENGTH);
if (!pSD)
{
    ...
}

if (!InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION))
{
    ...
}

if (!SetSecurityDescriptorDacl(pSD, TRUE, NULL, FALSE))
{
    ...
}

SECURITY_ATTRIBUTES sa;
sa.nLength = sizeof(sa);
sa.lpSecurityDescriptor = pSD;
sa.bInheritHandle = FALSE;

... = CreateNamedPipe(..., &sa);

Answer 2

error in line SetEntriesInAcl(2, ea, NULL, &pACL); when need SetEntriesInAcl(1, ea, NULL, &pACL); - you really init and use only 1 entry. and not check result returned by SetEntriesInAcl. the next code will be work correct:

        EXPLICIT_ACCESS ea = {
            STANDARD_RIGHTS_ALL,SET_ACCESS, NO_INHERITANCE, { 0, NO_MULTIPLE_TRUSTEE, TRUSTEE_IS_SID, TRUSTEE_IS_WELL_KNOWN_GROUP, (LPTSTR)pEveryoneSID }
        };
        PACL pACL;
        if (SetEntriesInAcl(1, &ea, NULL, &pACL) == ERROR_SUCCESS)
        {
        }

here also can be access denied by Integrity Level. need check os version, and if vista+ set LowLabel in security descriptor. and can use 0 DACL. ( by default system assume MediumLabelSid if it not explicitly set, as result LowIntegrity clients fail open pipe, but for usual not admin clients solution by @Remy Lebeau is enough )

PSECURITY_DESCRIPTOR pSecurityDescriptor = (PSECURITY_DESCRIPTOR)alloca(SECURITY_DESCRIPTOR_MIN_LENGTH);

BOOL fOk = FALSE;

if (
    InitializeSecurityDescriptor(pSecurityDescriptor, SECURITY_DESCRIPTOR_REVISION) 
    && 
    SetSecurityDescriptorDacl(pSecurityDescriptor, TRUE, 0, 0)
    )
{
    RTL_OSVERSIONINFOW rov = { sizeof (rov)};

    if (0 <= RtlGetVersion(&rov))
    {
        if (rov.dwMajorVersion < 6)
        {
            fOk = TRUE;
        }
        else
        {
            PSID LowLabelSid = (PSID)alloca(64);
            ULONG cbSid = 64;
            if (CreateWellKnownSid(::WinLowLabelSid, 0, LowLabelSid, &cbSid))
            {
                ::PACL LowLabelAcl = (::PACL)alloca(64+cbSid);
                InitializeAcl(LowLabelAcl, 64+cbSid, ACL_REVISION);
                if (AddMandatoryAce(LowLabelAcl, ACL_REVISION, 0, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, LowLabelSid))
                {
                    fOk = SetSecurityDescriptorSacl(pSecurityDescriptor, TRUE, LowLabelAcl, FALSE);
                }
            }
        }
    }
}

Answer 3

Here's your problem:

ea[0].grfAccessPermissions = STANDARD_RIGHTS_ALL;

STANDARD_RIGHTS_ALL is not all rights, only all standard rights, i.e., delete, read control, synchronize, write DAC, and write owner. In particular it does not grant FILE_READ_DATA or FILE_WRITE_DATA, which a client needs in order to read and/or write data to the pipe.

I'd recommend

ea[0].grfAccessPermissions = GENERIC_READ | FILE_WRITE_DATA;

and have the client request the same access rights when opening the pipe. (Obviously, you can leave out the FILE_WRITE_DATA right if this is an outbound pipe, although in that case the default permissions should be OK.)