[ovs-dev] [PATCH] windows, python: Add restrictions to named pipes

Anand Kumar kumaranand at vmware.com
Thu Sep 7 23:10:21 UTC 2017


Thank you for the patch.

I ran unit-tests with and without this patch, and observed that no new tests are failing. 
The ones that are failing “1007 2319 2385 2386 2387 2388 2389 2390” are not dependent on this patch. I have started a separate thread with Alin to resolve the unit tests that are failing.

Acked-by: Anand Kumar <kumaranand at vmware.com>

Thanks,
Anand Kumar

On 8/23/17, 7:50 AM, "ovs-dev-bounces at openvswitch.org on behalf of Alin Balutoiu" <ovs-dev-bounces at openvswitch.org on behalf of abalutoiu at cloudbasesolutions.com> wrote:

    Bump the security around named pipes to be more restrictive: disable network
    access and allow only administrators and above to access the named pipes.
    
    Signed-off-by: Alin Balutoiu <abalutoiu at cloudbasesolutions.com>
    ---
     python/ovs/winutils.py | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++
     1 file changed, 59 insertions(+)
    
    diff --git a/python/ovs/winutils.py b/python/ovs/winutils.py
    index 89e28e1..8f3151a 100644
    --- a/python/ovs/winutils.py
    +++ b/python/ovs/winutils.py
    @@ -17,6 +17,7 @@ import sys
     if sys.platform != 'win32':
         raise Exception("Intended to use only on Windows")
     else:
    +    import ntsecuritycon
         import pywintypes
         import win32con
         import win32event
    @@ -139,7 +140,65 @@ def create_named_pipe(pipename, openMode=None, pipeMode=None,
         if saAttr == -1:
             # saAttr can be None
             saAttr = win32security.SECURITY_ATTRIBUTES()
    +
    +        # The identifier authority.
    +        sia = ntsecuritycon.SECURITY_NT_AUTHORITY
    +
    +        # Initialize the SID.
    +        remoteAccessSid = win32security.SID()
    +        remoteAccessSid.Initialize(
    +            sia,  # The identifier authority.
    +            1)  # The number of sub authorities to allocate.
    +        # Disable access over network.
    +        remoteAccessSid.SetSubAuthority(
    +            0,  # The index of the sub authority to set
    +            ntsecuritycon.SECURITY_NETWORK_RID)
    +
    +        allowedPsids = []
    +        # Allow Windows Services to access the Named Pipe.
    +        allowedPsid_0 = win32security.SID()
    +        allowedPsid_0.Initialize(
    +            sia,  # The identifier authority.
    +            1)  # The number of sub authorities to allocate.
    +        allowedPsid_0.SetSubAuthority(
    +            0,  # The index of the sub authority to set
    +            ntsecuritycon.SECURITY_LOCAL_SYSTEM_RID)
    +        # Allow Administrators to access the Named Pipe.
    +        allowedPsid_1 = win32security.SID()
    +        allowedPsid_1.Initialize(
    +            sia,  # The identifier authority.
    +            2)  # The number of sub authorities to allocate.
    +        allowedPsid_1.SetSubAuthority(
    +            0,  # The index of the sub authority to set
    +            ntsecuritycon.SECURITY_BUILTIN_DOMAIN_RID)
    +        allowedPsid_1.SetSubAuthority(
    +            1,  # The index of the sub authority to set
    +            ntsecuritycon.DOMAIN_ALIAS_RID_ADMINS)
    +
    +        allowedPsids.append(allowedPsid_0)
    +        allowedPsids.append(allowedPsid_1)
    +
    +        # Initialize an ACL.
    +        acl = win32security.ACL()
    +        acl.Initialize()
    +        # Add denied ACL.
    +        acl.AddAccessDeniedAce(win32security.ACL_REVISION,
    +                               ntsecuritycon.GENERIC_ALL,
    +                               remoteAccessSid)
    +        # Add allowed ACLs.
    +        for allowedPsid in allowedPsids:
    +            acl.AddAccessAllowedAce(win32security.ACL_REVISION,
    +                                    ntsecuritycon.GENERIC_ALL,
    +                                    allowedPsid)
    +
    +        # Initialize an SD.
    +        sd = win32security.SECURITY_DESCRIPTOR()
    +        sd.Initialize()
    +        # Set DACL.
    +        sd.SetSecurityDescriptorDacl(True, acl, False)
    +
             saAttr.bInheritHandle = 1
    +        saAttr.SECURITY_DESCRIPTOR = sd
     
         try:
             npipe = win32pipe.CreateNamedPipe(pipename,
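
Review bot: the restrictive DACL is built only inside the "if saAttr == -1:" branch, so a caller that passes None (which the existing comment says is allowed) or its own SECURITY_ATTRIBUTES still gets a pipe without the deny-NETWORK ACE and the SYSTEM/Administrators-only allow ACEs. If the restriction is meant to hold for every pipe created through create_named_pipe, attach the descriptor outside that branch, or state in the function's documentation that callers who supply saAttr are responsible for their own DACL. The SID and ACL construction would also be easier to audit as a small helper with a docstring stating the intended policy (deny NETWORK first, then allow LOCAL SYSTEM and BUILTIN\Administrators with GENERIC_ALL). The comment "Allow Windows Services to access the Named Pipe" on allowedPsid_0 should say LocalSystem instead, since SECURITY_LOCAL_SYSTEM_RID does not cover services running under other service accounts.
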
    -- 
    2.10.0.windows.1