Microsoft KB Archive/102798

Security Attributes on Objects

ID: Q102798



The information in this article applies to:

  • Microsoft Win32 Application Programming Interface (API), included with:
    • Microsoft Windows NT, versions 3.1, 3.5, 3.51




SUMMARY

Early betas of Windows NT did not require security attributes on objects such as pipes. For example, it was valid at that time to enter NULL for the last parameter of the Win32-based application programming interface (API) CreateNamedPipe(). This is no longer the case.


MORE INFORMATION

Windows NT 3.1 and later require security attributes. Note that setting the security attributes parameter to NULL does not indicate that you want a NULL security descriptor (SD); rather, it indicates that you want to inherit the security descriptor of the current access token. For example, this means that any client wanting to connect to your pipe server must have the same security attributes as the user that started the server. If the user who started the server was the administrator of the machine, then any client that wants to connect must also be an administrator for that machine.

Below is a code sample that demonstrates creating a named pipe with a NULL security descriptor.

   HANDLE               hPipe = INVALID_HANDLE_VALUE; // Pipe handle.
   SECURITY_ATTRIBUTES  sa;       // Security attributes.
   PSECURITY_DESCRIPTOR pSD;      // Pointer to SD.

   // MAX_PIPE_INSTANCES, OUT_BUF_SIZE, IN_BUF_SIZE, and TIME_OUT are
   // constants defined by the application.

   // Allocate memory for the security descriptor.

   pSD = (PSECURITY_DESCRIPTOR) LocalAlloc(LPTR,
                                SECURITY_DESCRIPTOR_MIN_LENGTH);

   // Initialize the new security descriptor, then add a NULL
   // discretionary ACL (DACL) to it. Continue only if the allocation
   // and both calls succeeded.

   if (pSD != NULL &&
       InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION) &&
       SetSecurityDescriptorDacl(pSD, TRUE, (PACL) NULL, FALSE))
   {
      sa.nLength = sizeof(sa);
      sa.lpSecurityDescriptor = pSD;
      sa.bInheritHandle = TRUE;

      // Create a local named pipe whose security descriptor has a
      // NULL DACL.

      hPipe = CreateNamedPipe(
            "\\\\.\\PIPE\\test",    // Pipe name = 'test'.
            PIPE_ACCESS_DUPLEX      // 2-way pipe.
            | FILE_FLAG_OVERLAPPED, // Use overlapped structure.
            PIPE_WAIT               // Wait on messages.
            | PIPE_READMODE_MESSAGE // Specify message mode pipe.
            | PIPE_TYPE_MESSAGE,
            MAX_PIPE_INSTANCES,     // Maximum instance limit.
            OUT_BUF_SIZE,           // Buffer sizes.
            IN_BUF_SIZE,
            TIME_OUT,               // Specify time out.
            &sa);                   // Security attributes.
   }

   // hPipe is INVALID_HANDLE_VALUE if any step failed. The descriptor
   // is copied when the pipe is created, so pSD can be released with
   // LocalFree() once it is no longer needed.

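It is important to note that by specifying TRUE for the fDaclPresent parameter and NULL for the pAcl parameter of the SetSecurityDescriptorDacl() API, a NULL access control list (ACL) is being explicitly specified. A NULL DACL places no restrictions on the object: all access is granted to every caller, so a client can connect to the pipe regardless of the user account it runs under.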

Keywords          : 
Version           : winnt:3.1,3.5,3.51
Platform          : winnt 
Issue type        : 

Last Reviewed: October 20, 1999
© 1999 Microsoft Corporation. All rights reserved.