
Code from this question P/Invokes ConvertStringSecurityDescriptorToSecurityDescriptorW() WinAPI function to convert the following "magic string"

`S:(ML;;NW;;;LW)`

into a security descriptor object which is then used to set access control on a named pipe. The "magic string" is actually a so-called system access control list, also mentioned as SACL or system ACL in MSDN.

I'm trying to make use of the .NET class System.IO.Pipes.PipeSecurity to achieve the same effect without P/Invoke. It looks like I need to create a SecurityIdentifier object, but when I pass the string representation of the ACL shown above into the SecurityIdentifier constructor I get an ArgumentException, so it looks like it's not a proper SDDL string.

I tried to use RawSecurityDescriptor, which I could later convert into SDDL form and pass the conversion result into the SecurityIdentifier constructor. If I construct RawSecurityDescriptor from the string above I get a descriptor with an empty SACL (the SystemAcl getter returns S:). However, RawSecurityDescriptor has a setter for SystemAcl too, so maybe I could craft that myself and assign it to the SystemAcl field.

I've looked into quite a lot of examples and I still cannot figure out how I would convert the string shown above into a SystemAcl. Is there any description of how those all-caps parts should be interpreted and converted into SystemAcl?

sharptooth
  • Are you interested in general case, or specifically in this one string? – Evk Nov 12 '20 at 14:26
  • @Evk Either of those would help. I found this explanation of "ACE strings" https://learn.microsoft.com/en-us/windows/win32/secauthz/ace-strings and I understand what the string means but I cannot figure out how to get it translated into anything usable. – sharptooth Nov 12 '20 at 14:28
  • What is the question/problem? Do you want to set (or better, just create) an object with a Low Mandatory Label, or what is the target? – RbMm Nov 12 '20 at 18:18
  • @RbMm `NamedPipeServerStream` accepts `PipeSecurity` object. Would be nice to have the pipe server started in a regular process such that it accepts requests from "low integrity" processes. – sharptooth Nov 13 '20 at 09:13
  • @sharptooth - I don't know *.NET* or how to do this in such an environment, but this can be done very easily in the win32/native API – RbMm Nov 13 '20 at 10:32
  • @RbMm I linked to an answer which contains code which P/Invokes WinAPI functions to achieve the same effect. – sharptooth Nov 13 '20 at 11:36
  • @sharptooth - there is no need to call `SetSecurityInfo` or `SetKernelObjectSecurity` - you need to create the pipe with the security descriptor from the beginning. `ConvertStringSecurityDescriptorToSecurityDescriptor` is correctly used to convert the string form to binary, and then you need to use this inside `SECURITY_ATTRIBUTES` – RbMm Nov 13 '20 at 11:45
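
The six ACE-string fields of `S:(ML;;NW;;;LW)`, decoded one by one and packed into the binary ACE layout, as an added example (not code from the question or its comments). The numeric constants are the documented Windows SDK values; the function names are hypothetical, and only a single plain `ML` ACE with two-letter policy codes is handled.

```python
import struct

# Documented Windows SDK values (sddl.h / winnt.h).
ACE_TYPES = {"ML": 0x11}                          # SYSTEM_MANDATORY_LABEL_ACE_TYPE
LABEL_POLICY = {"NW": 0x1, "NR": 0x2, "NX": 0x4}  # NO_WRITE_UP / NO_READ_UP / NO_EXECUTE_UP
LABEL_SIDS = {"LW": "S-1-16-4096", "ME": "S-1-16-8192",
              "HI": "S-1-16-12288", "SI": "S-1-16-16384"}


def sid_to_bytes(sid):
    """Binary SID: revision, sub-authority count, 48-bit big-endian authority, LE sub-authorities."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 4:
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def parse_label_sacl(sddl):
    """Decode an SDDL SACL that holds a single mandatory-label ACE."""
    if not (sddl.startswith("S:(") and sddl.endswith(")")):
        raise ValueError("expected S:(...)")
    fields = sddl[3:-1].split(";")
    if len(fields) != 6:
        raise ValueError("an ACE string has six ';'-separated fields")
    ace_type, flags, rights, obj_guid, inh_guid, trustee = fields
    if ace_type not in ACE_TYPES or flags or obj_guid or inh_guid:
        raise ValueError("only a plain ML ACE is handled here")
    mask = 0
    for i in range(0, len(rights), 2):  # rights is a run of two-letter codes, e.g. "NWNR"
        code = rights[i:i + 2]
        if code not in LABEL_POLICY:
            raise ValueError("unknown label policy code: %r" % code)
        mask |= LABEL_POLICY[code]
    return {"type": ACE_TYPES[ace_type], "flags": 0, "mask": mask,
            "sid": LABEL_SIDS.get(trustee, trustee)}


def ace_to_bytes(ace):
    """ACE_HEADER (type, flags, size) + ACCESS_MASK + SID, all little-endian."""
    sid = sid_to_bytes(ace["sid"])
    return struct.pack("<BBHI", ace["type"], ace["flags"], 8 + len(sid), ace["mask"]) + sid


if __name__ == "__main__":
    ace = parse_label_sacl("S:(ML;;NW;;;LW)")
    print(ace, ace_to_bytes(ace).hex())
```

Read this way, the string is one mandatory-label ACE with the no-write-up policy whose trustee is the low integrity level SID `S-1-16-4096`.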

0 Answers