diff options
-rw-r--r-- | Documentation/ref/ovsdb.7.rst | 3 | ||||
-rw-r--r-- | lib/stream-windows.c | 33 |
2 files changed, 34 insertions, 2 deletions
diff --git a/Documentation/ref/ovsdb.7.rst b/Documentation/ref/ovsdb.7.rst index b1f3f5d49..da4dbedd2 100644 --- a/Documentation/ref/ovsdb.7.rst +++ b/Documentation/ref/ovsdb.7.rst @@ -422,7 +422,8 @@ punix:<file> named <file>. On Windows, listens on a local named pipe, creating a named pipe - <file> to mimic the behavior of a Unix domain socket. + <file> to mimic the behavior of a Unix domain socket. The ACLs of the named + pipe include LocalSystem, Administrators, and Creator Owner. All IP-based connection methods accept IPv4 and IPv6 addresses. To specify an IPv6 address, wrap it in square brackets, e.g. ``ssl:[::1]:6640``. Passive diff --git a/lib/stream-windows.c b/lib/stream-windows.c index 34bc610b6..5c4c55e5d 100644 --- a/lib/stream-windows.c +++ b/lib/stream-windows.c @@ -41,7 +41,7 @@ static void maybe_unlink_and_free(char *path); #define LOCAL_PREFIX "\\\\.\\pipe\\" /* Size of the allowed PSIDs for securing Named Pipe. */ -#define ALLOWED_PSIDS_SIZE 2 +#define ALLOWED_PSIDS_SIZE 3 /* This function has the purpose to remove all the slashes received in s. */ static char * @@ -412,6 +412,9 @@ create_pnpipe(char *name) PACL acl = NULL; PSECURITY_DESCRIPTOR psd = NULL; HANDLE npipe; + HANDLE hToken = NULL; + DWORD dwBufSize = 0; + PTOKEN_USER pTokenUsr = NULL; /* Disable access over network. */ if (!AllocateAndInitializeSid(&sia, 1, SECURITY_NETWORK_RID, @@ -438,6 +441,32 @@ create_pnpipe(char *name) goto handle_error; } + /* Open the access token of calling process */ + if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) { + VLOG_ERR_RL(&rl, "Error opening access token of calling process."); + goto handle_error; + } + + /* get the buffer size buffer needed for SID */ + GetTokenInformation(hToken, TokenUser, NULL, 0, &dwBufSize); + + pTokenUsr = xmalloc(dwBufSize); + memset(pTokenUsr, 0, dwBufSize); + + /* Retrieve the token information in a TOKEN_USER structure. */ + if (!GetTokenInformation(hToken, TokenUser, pTokenUsr, dwBufSize, + &dwBufSize)) { + VLOG_ERR_RL(&rl, "Error retrieving token information."); + goto handle_error; + } + CloseHandle(hToken); + + if (!IsValidSid(pTokenUsr->User.Sid)) { + VLOG_ERR_RL(&rl, "Invalid SID."); + goto handle_error; + } + allowedPsid[2] = pTokenUsr->User.Sid; + for (int i = 0; i < ALLOWED_PSIDS_SIZE; i++) { aclSize += sizeof(ACCESS_ALLOWED_ACE) + GetLengthSid(allowedPsid[i]) - @@ -490,11 +519,13 @@ create_pnpipe(char *name) npipe = CreateNamedPipe(name, PIPE_ACCESS_DUPLEX | FILE_FLAG_OVERLAPPED, PIPE_TYPE_MESSAGE | PIPE_READMODE_BYTE | PIPE_WAIT, 64, BUFSIZE, BUFSIZE, 0, &sa); + free(pTokenUsr); free(acl); free(psd); return npipe; handle_error: + free(pTokenUsr); free(acl); free(psd); return INVALID_HANDLE_VALUE; |