Security Attributes on Objects
Last reviewed: November 2, 1995
Article ID: Q102798
The information in this article applies to:
SUMMARY

Early betas of Windows NT did not require security attributes on objects such as pipes. For example, it was valid at that time to enter NULL for the last parameter of the Win32-based application programming interface (API) CreateNamedPipe(). This is no longer the case.
MORE INFORMATION

Windows NT 3.1 and later require security attributes. Please note that setting the security attributes parameter to NULL does not indicate that you want a NULL security descriptor (SD); rather, it indicates that you want to inherit the security descriptor of the current access token. For example, this means that any client wanting to connect to your pipe server must have the same security attributes as the user that started the server. If the user who started the server was the administrator of the machine, then any client who wants to connect must also be an administrator for that machine.

Below is a code sample that demonstrates creating a named pipe with a NULL security descriptor.
    // Requires <windows.h>. MAX_PIPE_INSTANCES, OUT_BUF_SIZE, IN_BUF_SIZE
    // and TIME_OUT are application-defined constants.
    HANDLE hPipe;                  // Pipe handle.
    SECURITY_ATTRIBUTES sa;        // Security attributes.
    PSECURITY_DESCRIPTOR pSD;      // Pointer to SD.

    // Allocate memory for the security descriptor.
    pSD = (PSECURITY_DESCRIPTOR) LocalAlloc(LPTR,
              SECURITY_DESCRIPTOR_MIN_LENGTH);

    // Initialize the new security descriptor.
    InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);

    // Add a NULL descriptor ACL to the security descriptor.
    SetSecurityDescriptorDacl(pSD, TRUE, (PACL) NULL, FALSE);

    sa.nLength = sizeof(sa);
    sa.lpSecurityDescriptor = pSD;
    sa.bInheritHandle = TRUE;

    // Create a local named pipe with a NULL security descriptor.
    hPipe = CreateNamedPipe(
        "\\\\.\\PIPE\\test",       // Pipe name = 'test'.
        PIPE_ACCESS_DUPLEX         // 2-way pipe.
          | FILE_FLAG_OVERLAPPED,  // Use overlapped structure.
        PIPE_WAIT                  // Wait on messages.
          | PIPE_READMODE_MESSAGE  // Specify message mode pipe.
          | PIPE_TYPE_MESSAGE,
        MAX_PIPE_INSTANCES,        // Maximum instance limit.
        OUT_BUF_SIZE,              // Buffer sizes.
        IN_BUF_SIZE,
        TIME_OUT,                  // Specify time out.
        &sa);                      // Security attributes.

It is important to note that by specifying TRUE for the fDaclPresent parameter and NULL for the pAcl parameter of the SetSecurityDescriptorDacl() API, a NULL access control list (ACL) is being explicitly specified.
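A NULL DACL such as the one set above places no access restriction on the pipe: every caller is granted every right. The following added example (not part of the original article) creates the same pipe with an explicit DACL instead, built from an SDDL string. The helper names, the "AU" (Authenticated Users) client, the buffer sizes and the timeout are assumptions; the Win32 part compiles only on Windows.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <sddl.h>                       /* link with advapi32 */
#endif

/* Numeric values of FILE_GENERIC_READ and FILE_GENERIC_WRITE. Bit 0x4 is
 * FILE_CREATE_PIPE_INSTANCE on a pipe; connecting clients do not need it. */
#define PIPE_RD_BITS        0x120089UL
#define PIPE_WR_BITS        0x120116UL
#define PIPE_CREATE_INSTBIT 0x000004UL

unsigned long pipe_client_mask(void) {
    return (PIPE_RD_BITS | PIPE_WR_BITS) & ~PIPE_CREATE_INSTBIT;
}

/* Build the SDDL: protected DACL, full control for SYSTEM (SY) and
 * Administrators (BA), read/write for client_sid (an SDDL alias such as
 * "AU" or an S-1-... string). Returns 0 on success, -1 on bad input. */
int build_pipe_sddl(const char *client_sid, char *out, size_t out_len) {
    static const char ok[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-";
    int n;
    /* Reject anything that could close the ACE and append another one. */
    if (!*client_sid || strspn(client_sid, ok) != strlen(client_sid)) return -1;
    n = snprintf(out, out_len, "D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;0x%lx;;;%s)",
                 pipe_client_mask(), client_sid);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}

#ifdef _WIN32
/* Hypothetical helper: the article's pipe, created with the explicit DACL. */
HANDLE create_restricted_pipe(const char *client_sid) {
    char sddl[128];
    SECURITY_ATTRIBUTES sa = { sizeof(sa), NULL, FALSE };
    HANDLE h;
    if (build_pipe_sddl(client_sid, sddl, sizeof(sddl)) != 0)
        return INVALID_HANDLE_VALUE;
    if (!ConvertStringSecurityDescriptorToSecurityDescriptorA(
            sddl, SDDL_REVISION_1, &sa.lpSecurityDescriptor, NULL))
        return INVALID_HANDLE_VALUE;
    h = CreateNamedPipeA("\\\\.\\PIPE\\test",
            PIPE_ACCESS_DUPLEX | FILE_FLAG_OVERLAPPED,
            PIPE_WAIT | PIPE_READMODE_MESSAGE | PIPE_TYPE_MESSAGE,
            PIPE_UNLIMITED_INSTANCES, 4096, 4096, 5000, &sa);
    LocalFree(sa.lpSecurityDescriptor); /* descriptor is copied at creation */
    return h;
}
#endif
```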
Additional reference words: 3.10 3.50