[ovs-dev] [PATCH] lib: Grant Access Privilege of OVS Named Pipe to LocalService

Taher Barodawala tbarodawala at vmware.com
Tue Jan 7 07:55:09 UTC 2020


Ning,
I am not in favor of allowing access to all services that run with LocalService privileges.
We need to add a custom group SID to the named pipe ACL so that we can control the services we want to allow access to without making those services run with very high privileges.

Regards,

Taher Barodawala | Security Engineer - vSECR | Phone : +91-80-676 42977



From: Ning Wu <nwu at vmware.com>
Date: Tuesday, January 7, 2020 at 1:13 PM
To: "dev at openvswitch.org" <dev at openvswitch.org>
Cc: Roy Luo <luoroy at vmware.com>, Lina Li <linali at vmware.com>, Taher Barodawala <tbarodawala at vmware.com>
Subject: [PATCH] lib: Grant Access Privilege of OVS Named Pipe to LocalService

Current implementation of ovs on windows only allows LocalSystem and
Administrators to access the named pipe created with API of ovs.
Thus any service that needs to invoke the API to create named pipe
has to run as System account to interactive with ovs. It causes the
system more vulnerable if any of those services was break into.
The patch adds LocalService account to allowed ACLs.

Signed-off-by: Ning Wu <nwu at vmware.com>
---
lib/stream-windows.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/lib/stream-windows.c b/lib/stream-windows.c
index 34bc610..109857c 100644
--- a/lib/stream-windows.c
+++ b/lib/stream-windows.c
@@ -41,7 +41,7 @@ static void maybe_unlink_and_free(char *path);
#define LOCAL_PREFIX "\\\\.\\pipe\\"

/* Size of the allowed PSIDs for securing Named Pipe. */
-#define ALLOWED_PSIDS_SIZE 2
+#define ALLOWED_PSIDS_SIZE 3

/* This function has the purpose to remove all the slashes received in s. */
static char *
@@ -438,6 +438,13 @@ create_pnpipe(char *name)
         goto handle_error;
     }

+    /* Allow Local Service to access the named pipe. */
+    if (!AllocateAndInitializeSid(&sia, 1, SECURITY_LOCAL_SERVICE_RID,
+                                  0, 0, 0, 0, 0, 0, 0, &allowedPsid[2])) {
+        VLOG_ERR_RL(&rl, "Error creating Services SID.");
+        goto handle_error;
+    }
+
     for (int i = 0; i < ALLOWED_PSIDS_SIZE; i++) {
         aclSize += sizeof(ACCESS_ALLOWED_ACE) +
                    GetLengthSid(allowedPsid[i]) -
--
2.6.2



More information about the dev mailing list