C++ – Local System only ACL in Windows

cmfcwindows

I am using a named pipe for communications between two processes and want to restrict acess to any user on the local system in Windows.

I am building up and ACL for use in the SECURITY_ATTRIBUTES passed to CreateNamedPipe.

I am basing this code on that from Microsoft.

SID_IDENTIFIER_AUTHORITY siaLocal = SECURITY_LOCAL_SID_AUTHORITY;
if( !AllocateAndInitializeSid( &siaLocal, SECURITY_LOCAL_RID,
    0, 0, 0, 0, 0, 0, 0, 0,
    &pSidLocal ) )
{
    break;
}

I then use that sid with AddAccessAllowedAce.

All of this completes successfully and I can create the named pipe however when a client process then tries to connect using CreateFile it fails with access denied.

How do I create an ACL with a SID that allows any user of the local machine to access it?

Best Answer

You don't need an ACL for that. When calling CreateNamedPipe, one of the parameters takes flag values of PIPE_ACCEPT_REMOTE_CLIENTS (the default) or PIPE_REJECT_REMOTE_CLIENTS.

MSDN

Edit: This is a fairly new feature, so if you're developing for anything but new WS2008 servers it won't work. The same page has the alternate answer in this case, however: deny access to the pipe to the NETWORK ACE using AddAccessDeniedAce.

Related Solutions

Ios – How to develop for iPhone using a Windows development machine

It's certainly possible to develop on a Windows machine, in fact, my first application was exclusively developed on the old Dell Precision I had at the time :)

There are three routes;

Install OSx86 (aka iATKOS / Kalyway) on a second partition/disk and dual boot.
Run Mac OS X Server under VMWare (Mac OS X 10.7 (Lion) onwards, read the update below).
Use Delphi XE4 and the macincloud service. This is a commercial toolset, but the component and lib support is growing.

The first route requires modifying (or using a pre-modified) image of Leopard that can be installed on a regular PC. This is not as hard as you would think, although your success/effort ratio will depend upon how closely the hardware in your PC matches that in Mac hardware - e.g. if you're running a Core 2 Duo on an Intel Motherboard, with an NVidia graphics card you are laughing. If you're running an AMD machine or something without SSE3 it gets a little more involved.

If you purchase (or already own) a version of Leopard then this is a gray area since the Leopard EULA states you may only run it on an "Apple Labeled" machine. As many point out if you stick an Apple sticker on your PC you're probably covered.

The second option is more costly. The EULA for the workstation version of Leopard prevents it from being run under emulation and as a result, there's no support in VMWare for this. Leopard server, however, CAN be run under emulation and can be used for desktop purposes. Leopard server and VMWare are expensive, however.

If you're interested in option 1) I would suggest starting at Insanelymac and reading the OSx86 sections.

I do think you should consider whether the time you will invest is going to be worth the money you will save though. It was for me because I enjoy tinkering with this type of stuff and I started during the early iPhone betas, months before their App Store became available.

Alternatively, you could pick up a low-spec Mac Mini from eBay. You don't need much horsepower to run the SDK and you can always sell it on later if you decide to stop development or buy a better Mac.

Update: You cannot create a Mac OS X Client virtual machine for OS X 10.6 and earlier. Apple does not allow these Client OSes to be virtualized. With Mac OS X 10.7 (Lion) onwards, Apple has changed its licensing agreement in regards to virtualization. Source: VMWare KnowledgeBase

Windows – How to you find out which process is listening on a TCP or UDP port on Windows

New answer, powershell

TCP

Get-Process -Id (Get-NetTCPConnection -LocalPort YourPortNumberHere).OwningProcess

UDP

Get-Process -Id (Get-NetUDPEndpoint -LocalPort YourPortNumberHere).OwningProcess

Old answer, cmd

 C:\> netstat -a -b

(Add -n to stop it trying to resolve hostnames, which will make it a lot faster.)

Note Dane's recommendation for TCPView. It looks very useful!

-a Displays all connections and listening ports.

-b Displays the executable involved in creating each connection or listening port. In some cases well-known executables host multiple independent components, and in these cases the sequence of components involved in creating the connection or listening port is displayed. In this case the executable name is in [] at the bottom, on top is the component it called, and so forth until TCP/IP was reached. Note that this option can be time-consuming and will fail unless you have sufficient permissions.

-n Displays addresses and port numbers in numerical form.

-o Displays the owning process ID associated with each connection.