windows,python: Add restrictions to named pipes

Bump the security around named pipes to be more restrictive: disable network access and allow only administrators and above to access the named pipes. Acked-by: Anand Kumar <kumaranand@vmware.com> Acked-by: Alin Gabriel Serdean <aserdean@ovn.org> Signed-off-by: Alin Balutoiu <abalutoiu@cloudbasesolutions.com> Signed-off-by: Alin Gabriel Serdean <aserdean@ovn.org>
2025-08-31 14:25:26 +00:00 · 2017-08-23 14:50:49 +00:00
parent 694140924e
commit 29e34ce1c5
1 changed files with 59 additions and 0 deletions
--- a/python/ovs/winutils.py
+++ b/python/ovs/winutils.py
@@ -17,6 +17,7 @@ import sys
 if sys.platform != 'win32':
    raise Exception("Intended to use only on Windows")
 else:
+    import ntsecuritycon
    import pywintypes
    import win32con
    import win32event
@@ -139,7 +140,65 @@ def create_named_pipe(pipename, openMode=None, pipeMode=None,
    if saAttr == -1:
        # saAttr can be None
        saAttr = win32security.SECURITY_ATTRIBUTES()
+
+        # The identifier authority.
+        sia = ntsecuritycon.SECURITY_NT_AUTHORITY
+
+        # Initialize the SID.
+        remoteAccessSid = win32security.SID()
+        remoteAccessSid.Initialize(
+            sia,  # The identifier authority.
+            1)  # The number of sub authorities to allocate.
+        # Disable access over network.
+        remoteAccessSid.SetSubAuthority(
+            0,  # The index of the sub authority to set
+            ntsecuritycon.SECURITY_NETWORK_RID)
+
+        allowedPsids = []
+        # Allow Windows Services to access the Named Pipe.
+        allowedPsid_0 = win32security.SID()
+        allowedPsid_0.Initialize(
+            sia,  # The identifier authority.
+            1)  # The number of sub authorities to allocate.
+        allowedPsid_0.SetSubAuthority(
+            0,  # The index of the sub authority to set
+            ntsecuritycon.SECURITY_LOCAL_SYSTEM_RID)
+        # Allow Administrators to access the Named Pipe.
+        allowedPsid_1 = win32security.SID()
+        allowedPsid_1.Initialize(
+            sia,  # The identifier authority.
+            2)  # The number of sub authorities to allocate.
+        allowedPsid_1.SetSubAuthority(
+            0,  # The index of the sub authority to set
+            ntsecuritycon.SECURITY_BUILTIN_DOMAIN_RID)
+        allowedPsid_1.SetSubAuthority(
+            1,  # The index of the sub authority to set
+            ntsecuritycon.DOMAIN_ALIAS_RID_ADMINS)
+
+        allowedPsids.append(allowedPsid_0)
+        allowedPsids.append(allowedPsid_1)
+
+        # Initialize an ACL.
+        acl = win32security.ACL()
+        acl.Initialize()
+        # Add denied ACL.
+        acl.AddAccessDeniedAce(win32security.ACL_REVISION,
+                               ntsecuritycon.GENERIC_ALL,
+                               remoteAccessSid)
+        # Add allowed ACLs.
+        for allowedPsid in allowedPsids:
+            acl.AddAccessAllowedAce(win32security.ACL_REVISION,
+                                    ntsecuritycon.GENERIC_ALL,
+                                    allowedPsid)
+
+        # Initialize an SD.
+        sd = win32security.SECURITY_DESCRIPTOR()
+        sd.Initialize()
+        # Set DACL.
+        sd.SetSecurityDescriptorDacl(True, acl, False)
+
        saAttr.bInheritHandle = 1
+        saAttr.SECURITY_DESCRIPTOR = sd

    try:
        npipe = win32pipe.CreateNamedPipe(pipename,