Hi,
I'm trying to use the "-svc-security-descriptor" option in order to use a restricted security descriptor for the service pipe, however this seems to have no effect at all.
I've looked into this, and maybe I'm missing something here, but from reading the disassembly it appears to me that SetSecurityDescriptorDacl is only ever called with NULL for pDacl when setting up the security descriptor, making it an "allow all" descriptor. Is this functionality implemented at all?
Everything v1.4.1.992 x64
Can't set named pipe security descriptor
Re: Can't set named pipe security descriptor
Thanks for your post.
-svc-security-descriptor support was dropped in earlier versions in favor of allowing all local connections and rejecting all remote connections.
I've added support for -svc-security-descriptor in the latest nightly build.
You will need to manually set this command line option.
A typical descriptor might be:
D:(A;OICI;GRGW;;;AU)
-allow read write for all authenticated users.
Are you looking to connect remotely? -Currently, remote connections will always be rejected on Vista+.
-svc-security-descriptor support was dropped in earlier versions in favor of allowing all local connections and rejecting all remote connections.
I've added support for -svc-security-descriptor in the latest nightly build.
You will need to manually set this command line option.
- From the Start menu, run regedit
- In the Registry Editor, navigate to the following key:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Everything
- Change the ImagePath to:
"C:\Program Files\Everything\Everything.exe" -svc -svc-security-descriptor <my security descriptor>
A typical descriptor might be:
D:(A;OICI;GRGW;;;AU)
-allow read write for all authenticated users.
Are you looking to connect remotely? -Currently, remote connections will always be rejected on Vista+.
Re: Can't set named pipe security descriptor
Thanks so much for the quick response. Using a custom security descriptor works using the nightly build.
I'm connecting locally, just want to avoid having to run applications with administrative privileges as best as I can, and using the service + client works nicely for that. However, since I have restricted accounts for other people on my machine, allowing anyone to connect to the service pipe would allow non-privileged users to bypass ACLs and list the contents of the entire file system, so I'm looking to lock down access to the service to trustworthy accounts.
I'm connecting locally, just want to avoid having to run applications with administrative privileges as best as I can, and using the service + client works nicely for that. However, since I have restricted accounts for other people on my machine, allowing anyone to connect to the service pipe would allow non-privileged users to bypass ACLs and list the contents of the entire file system, so I'm looking to lock down access to the service to trustworthy accounts.