Localization for security identity in .NET
H

2

11

I was looking to implement a named pipe for service/client communication in .NET and came across this code that, while initializing the server side of the pipe, had to set up a security descriptor for the pipe. They did it this way:

PipeSecurity pipeSecurity = new PipeSecurity();

// Allow Authenticated Users read and write access to the pipe.
pipeSecurity.SetAccessRule(new PipeAccessRule("Authenticated Users",
    PipeAccessRights.ReadWrite, AccessControlType.Allow));

// Allow the Administrators group full access to the pipe.
pipeSecurity.SetAccessRule(new PipeAccessRule("Administrators",
    PipeAccessRights.FullControl, AccessControlType.Allow));

But I'm looking at it, and I'm concerned about specifying SIDs as strings, or Authenticated Users and Administrators parts. What is the guarantee that they will be called that, say, in Chinese or some other language?

Hagy answered 8/4, 2013 at 23:32 Comment(4)
OK. I confirmed it myself. It seems to work. - Hagy
You should consider splitting this up into a proper question/answer pair. - Dollar
Yes, you are allowed to answer your own question. - Ap
Answer extracted. Will delete upon OP's post or on demand. - Ventilation
V
2

(Extracted from OP's original question)

I came up with this alternative:

PipeSecurity pipeSecurity = new PipeSecurity();

// Allow Authenticated Users read and write access to the pipe.
pipeSecurity.SetAccessRule(new PipeAccessRule(
    "Authenticated Users",
    new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null),   
    PipeAccessRights.ReadWrite, AccessControlType.Allow));

// Allow the Administrators group full access to the pipe.
pipeSecurity.SetAccessRule(new PipeAccessRule(
    "Administrators",
    new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null),   
    PipeAccessRights.FullControl, AccessControlType.Allow));
Ventilation answered 20/4, 2015 at 2:26 Comment(1)
That doesn't work for me, there is no overload that takes the string and the SecurityIdentifier, see here. Remove the string literals "Authenticated Users" and "Administrators". - Pedestal
B
5

You can use the WellKnownSidType enum to get the SID and translate it into an IdentityReference:

        // Look up the group by its well-known SID, which is the same on every Windows locale.
        var sid = new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null);
        var authenticatedUsers = sid.Translate(typeof(NTAccount));
        security.AddAccessRule(new PipeAccessRule(authenticatedUsers, PipeAccessRights.ReadWrite, AccessControlType.Allow));
Butch answered 29/6, 2016 at 13:45 Comment(3)
"Everyone" is not a great idea. You probably want at least WellKnownSidType.AuthenticatedUserSid. Is there a particular reason you use WorldSid (Everyone) other than paranoia that it might not work? - Pedestal
Exactly! Changed. - Butch
Everyone is a good idea when you are running into unknown security problems; using it allows you to pass a sanity test to ensure your code is working, after which you can narrow down what level of security is really needed. - Flagellum
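Added example, not code from any of the posts above: it builds the pipe ACL from well-known SIDs only, then reads the rules back to show that the stored SID values are fixed while the translated account names are whatever the local Windows language reports. It assumes .NET Framework on Windows (the constructor overload that accepts a PipeSecurity); the pipe name "example-pipe" is hypothetical.

```csharp
using System;
using System.IO.Pipes;
using System.Security.AccessControl;
using System.Security.Principal;

static class PipeAclExample
{
    // Build the ACL from well-known SIDs; no localized account name is ever parsed.
    static PipeSecurity BuildPipeSecurity()
    {
        var authenticatedUsers = new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null);   // S-1-5-11
        var administrators = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);  // S-1-5-32-544

        var security = new PipeSecurity();
        // SecurityIdentifier derives from IdentityReference, so it can be passed directly.
        security.AddAccessRule(new PipeAccessRule(authenticatedUsers,
            PipeAccessRights.ReadWrite, AccessControlType.Allow));
        security.AddAccessRule(new PipeAccessRule(administrators,
            PipeAccessRights.FullControl, AccessControlType.Allow));
        return security;
    }

    // Display name for logging only; it is localized and may not resolve at all.
    static string DisplayName(SecurityIdentifier sid)
    {
        try { return sid.Translate(typeof(NTAccount)).Value; }
        catch (IdentityNotMappedException) { return "(no mapped name)"; }
    }

    static void Main()
    {
        PipeSecurity security = BuildPipeSecurity();

        // Read the rules back as SIDs: these values do not change with the UI language.
        foreach (PipeAccessRule rule in security.GetAccessRules(true, false, typeof(SecurityIdentifier)))
        {
            var sid = (SecurityIdentifier)rule.IdentityReference;
            Console.WriteLine("{0,-14} {1,-6} {2}  [{3}]",
                sid.Value, rule.AccessControlType, rule.PipeAccessRights, DisplayName(sid));
        }
        Console.WriteLine(security.GetSecurityDescriptorSddlForm(AccessControlSections.Access));

        // Assumption: .NET Framework overload taking a PipeSecurity argument.
        using (var server = new NamedPipeServerStream("example-pipe", PipeDirection.InOut, 1,
            PipeTransmissionMode.Byte, PipeOptions.None, 0, 0, security))
        {
            Console.WriteLine("Pipe created with the ACL above.");
        }
    }
}
```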