11

I was looking to implement a named pipe for service/client communication in .NET and came across this code that, while initializing server side of the pipe had to set up a security descriptor for the pipe. They did it this way:

PipeSecurity pipeSecurity = new PipeSecurity();

// Allow Everyone read and write access to the pipe.
pipeSecurity.SetAccessRule(new PipeAccessRule("Authenticated Users",
    PipeAccessRights.ReadWrite, AccessControlType.Allow));

// Allow the Administrators group full access to the pipe.
pipeSecurity.SetAccessRule(new PipeAccessRule("Administrators",
    PipeAccessRights.FullControl, AccessControlType.Allow));

But I'm looking at it, and I'm concerned about specifying SIDs as strings, or Authenticated Users and Administrators parts. What is the guarantee that they will be called that, say, in Chinese or some other language?

Shimmy Weitzhandler
  • 101,809
  • 122
  • 424
  • 632
ahmd0
  • 16,633
  • 33
  • 137
  • 233

2 Answers2

5

You can use WellKnownSidType enum to get sid and translate into IdentityReference:

        var sid = new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null);
        var everyone = sid.Translate(typeof(NTAccount));
        security.AddAccessRule(new PipeAccessRule(everyone, PipeAccessRights.ReadWrite, AccessControlType.Allow));
Andrey Burykin
  • 700
  • 11
  • 23
  • 1
    "Everyone" is not a great idea. You probably want at least `WellKnownSidType.AuthenticatedUserSid`. Is there a particular reason you use `WorldSid` (Everyone) other than paranoia that it might not work? – doug65536 Sep 21 '16 at 22:00
  • Exactly! Changed. – Andrey Burykin Sep 22 '16 at 11:10
  • 1
    Everyone is a good idea when you running into unknown security problems, using it allows you to pass a sanity test to ensure you code is working after which you can narrow down what level of security is really needed. – TheLegendaryCopyCoder Feb 19 '17 at 09:17
2

(Extracted from OP's original question)

I came up with this alternative:

PipeSecurity pipeSecurity = new PipeSecurity();

// Allow Everyone read and write access to the pipe.
pipeSecurity.SetAccessRule(new PipeAccessRule(
    "Authenticated Users",
    new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null),   
    PipeAccessRights.ReadWrite, AccessControlType.Allow));

// Allow the Administrators group full access to the pipe.
pipeSecurity.SetAccessRule(new PipeAccessRule(
    "Administrators",
    new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null),   
    PipeAccessRights.FullControl, AccessControlType.Allow));
Shimmy Weitzhandler
  • 101,809
  • 122
  • 424
  • 632
  • 1
    That doesn't work for me, there is no overload that takes the string and the `SecurityIdentifier`, [see here](https://msdn.microsoft.com/en-us/library/system.io.pipes.pipeaccessrule.pipeaccessrule(v=vs.110).aspx). Remove the string literals `"Authenticated Users"` and `"Administrators"`. – doug65536 Sep 21 '16 at 21:09