Can't set named pipe security descriptor

Found a bug in "Everything"? report it here
Post Reply
k1m
Posts: 2
Joined: Mon Oct 12, 2020 11:44 pm

Can't set named pipe security descriptor

Post by k1m » Tue Oct 13, 2020 12:00 am

Hi,

I'm trying to use the "-svc-security-descriptor" option in order to use a restricted security descriptor for the service pipe, however this seems to have no effect at all.

I've looked into this, and maybe I'm missing something here, but from reading the disassembly it appears to me that SetSecurityDescriptorDacl is only ever called with NULL for pDacl when setting up the security descriptor, making it an "allow all" descriptor. Is this functionality implemented at all?

Everything v1.4.1.992 x64

void
Site Admin
Posts: 5732
Joined: Fri Oct 16, 2009 11:31 pm

Re: Can't set named pipe security descriptor

Post by void » Tue Oct 13, 2020 1:11 am

Thanks for your post.

-svc-security-descriptor support was dropped in earlier versions in favor of allowing all local connections and rejecting all remote connections.

I've added support for -svc-security-descriptor in the latest nightly build.

You will need to manually set this command line option.
  • From the Start menu, run regedit
  • In the Registry Editor, navigate to the following key:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Everything
  • Change the ImagePath to:
    "C:\Program Files\Everything\Everything.exe" -svc -svc-security-descriptor <my security descriptor>
Allowing all local connections and rejecting all remote connections will still be the default, unless you specify a security descriptor with -svc-security-descriptor command line option.

A typical descriptor might be:
D:(A;OICI;GRGW;;;AU)
-allow read write for all authenticated users.

Are you looking to connect remotely? -Currently, remote connections will always be rejected on Vista+.

k1m
Posts: 2
Joined: Mon Oct 12, 2020 11:44 pm

Re: Can't set named pipe security descriptor

Post by k1m » Tue Oct 13, 2020 2:19 am

Thanks so much for the quick response. Using a custom security descriptor works using the nightly build.

I'm connecting locally, just want to avoid having to run applications with administrative privileges as best as I can, and using the service + client works nicely for that. However, since I have restricted accounts for other people on my machine, allowing anyone to connect to the service pipe would allow non-privileged users to bypass ACLs and list the contents of the entire file system, so I'm looking to lock down access to the service to trustworthy accounts.

Post Reply