Reputation: 395
Inter-process communication - C# and C++. Access to the path is denied
I have a C# client application that connects to a C++ server application using Pipes. When I try to connect I get the error: System.UnauthorizedAccessException: Access to the path is denied.
After looking this up, I saw that I can fix it by creating a PipeSecurity object and adding a PipeAccessRule. But this only works if the server is also a C# application.
Any idea how I can fix this access problem if I have the server as C++ application?
I searched already but can't find a solution.
C#:
int timeOut = 500;
NamedPipeClientStream pipeStream = new NamedPipeClientStream(".", pipeName, PipeDirection.Out, PipeOptions.Asynchronous);
pipeStream.Connect(timeOut);
byte[] buffer = Encoding.UTF8.GetBytes(sendStr);
pipeStream.BeginWrite(buffer, 0, buffer.Length, new AsyncCallback(AsyncSend), pipeStream);
C++:
_hPipe = ::CreateNamedPipe(configurePipeName(getPipeName()).c_str(),
PIPE_ACCESS_DUPLEX | FILE_FLAG_FIRST_PIPE_INSTANCE | FILE_FLAG_OVERLAPPED,
PIPE_TYPE_BYTE | PIPE_READMODE_BYTE | PIPE_WAIT | PIPE_REJECT_REMOTE_CLIENTS,
1,
bufferSize,
bufferSize,
NMPWAIT_USE_DEFAULT_WAIT,
NULL);
if (_hPipe == INVALID_HANDLE_VALUE)
{
logStream << "CreateNamedPipe failed for " << sys::OperatingSystem::getLastErrorMessage() << blog::over;
return;
}
HANDLE ioEvent = ::CreateEvent(NULL, FALSE, FALSE, NULL);
overlapped.hEvent = ioEvent;
assert(overlapped.hEvent);
if (ioEvent == INVALID_HANDLE_VALUE)
{
logStream << "CreateEvent failed for " << sys::OperatingSystem::getLastErrorMessage() << blog::over;
return;
}
while (!terminating())
{
BOOL connected = false;
DWORD waitMessage;
DWORD timeOut = 700;
if (!::ConnectNamedPipe(_hPipe, &overlapped))
{
switch (::GetLastError())
{
case ERROR_PIPE_CONNECTED:
connected = true;
break;
case ERROR_IO_PENDING:
waitMessage = ::WaitForSingleObject(overlapped.hEvent, timeOut);
if (waitMessage == WAIT_OBJECT_0)
{
DWORD dwIgnore;
BOOL conn = (::GetOverlappedResult(_hPipe, &overlapped, &dwIgnore, TRUE));
if (conn)
connected = true;
else
logStream << "ConnectedNamedPipe reported an error: " << sys::OperatingSystem::getLastErrorMessage() << blog::over;
}
else
::CancelIo(_hPipe);
break;
default:
logStream << "ConnectedNamedPipe reported an error: " << sys::OperatingSystem::getLastErrorMessage() << blog::over;
}
}
if(connected)
{
if (::ReadFile(_hPipe, buffer, sizeof(buffer) - 1, &size, NULL))
{
buffer[size] = '\0';
std::string receivedMessage(buffer);
// if message is received from client, setdirty to call detectDisplay.
if (clientUniqueMessage.compare(receivedMessage) == 0)
setDirty();
else
logStream << "Incoming message from client does not match with the expected message." << blog::over;
}
else
logStream << "ReadFile failed. " << sys::OperatingSystem::getLastErrorMessage() << blog::over;
}
::DisconnectNamedPipe(_hPipe);
}
}
Upvotes: 5
Views: 1997
Answers (1)
Reputation: 921
The last parameter of the [CreateNamedPipe function] specifies:
lpSecurityAttributes [in, optional]A pointer to a SECURITY_ATTRIBUTES structure that specifies a security descriptor for the new named pipe and determines whether child processes can inherit the returned handle. If lpSecurityAttributes is NULL, the named pipe gets a default security descriptor and the handle cannot be inherited. The ACLs in the default security descriptor for a named pipe grant full control to the LocalSystem account, administrators, and the creator owner. They also grant read access to members of the Everyone group and the anonymous account.
The C++ named pipe server application has Administrator privilege since it is running as a Windows service under the LocalSystem account. The C# client application running as a Standard user does not have Administrator privilege. By default (lpSecurityAttributes is NULL), the C# client application has only read access to the named pipe created by the C++ server running as a service.
As a quick test, if you run the C# client application as Administrator, it should be able to communicate with the C++ server application successfully.
To fix the problem, the C++ server application needs to create a security descriptor for the named pipe object and grant write access to it for Everyone. Please see MSDN example for creating a security descriptor.
I wrote a class NamedPipeServerStream before for my C++ server application running as a service. Here is the part of the code related to creating the named pipe for your reference.
NamedPipeServerStream::NamedPipeServerStream(const std::string & pipeName, const unsigned pipeBufferSize /*= PIPE_BUFFER_SIZE*/)
: m_hPipe(INVALID_HANDLE_VALUE)
, m_pipeName(PIPE_NAME_ROOT + pipeName)
, m_bConnected(false)
{
PSID pEveryoneSID = NULL;
PSID pAdminSID = NULL;
PACL pACL = NULL;
EXPLICIT_ACCESS ea[2];
SID_IDENTIFIER_AUTHORITY SIDAuthWorld = SECURITY_WORLD_SID_AUTHORITY;
SID_IDENTIFIER_AUTHORITY SIDAuthNT = SECURITY_NT_AUTHORITY;
SECURITY_ATTRIBUTES sa;
SCOPE_GUARD{
if (pEveryoneSID) { FreeSid(pEveryoneSID); }
if (pAdminSID) { FreeSid(pAdminSID); }
if (pACL) { LocalFree(pACL); }
};
// Create a well-known SID for the Everyone group.
if (!AllocateAndInitializeSid(&SIDAuthWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &pEveryoneSID))
{
throw std::runtime_error("AllocateAndInitializeSid failed, GLE=" + std::to_string(GetLastError()));
}
// Initialize an EXPLICIT_ACCESS structure for an ACE.
SecureZeroMemory(&ea, 2 * sizeof(EXPLICIT_ACCESS));
// The ACE will allow Everyone full access to the key.
ea[0].grfAccessPermissions = FILE_ALL_ACCESS | GENERIC_WRITE | GENERIC_READ;
ea[0].grfAccessMode = SET_ACCESS;
ea[0].grfInheritance = NO_INHERITANCE;
ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
ea[0].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
ea[0].Trustee.ptstrName = (LPTSTR)pEveryoneSID;
// Create a SID for the BUILTIN\Administrators group.
if (!AllocateAndInitializeSid(&SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &pAdminSID))
{
throw std::runtime_error("AllocateAndInitializeSid failed, GLE=" + std::to_string(GetLastError()));
}
// The ACE will allow the Administrators group full access to the key.
ea[1].grfAccessPermissions = FILE_ALL_ACCESS | GENERIC_WRITE | GENERIC_READ;
ea[1].grfAccessMode = SET_ACCESS;
ea[1].grfInheritance = NO_INHERITANCE;
ea[1].Trustee.TrusteeForm = TRUSTEE_IS_SID;
ea[1].Trustee.TrusteeType = TRUSTEE_IS_GROUP;
ea[1].Trustee.ptstrName = (LPTSTR)pAdminSID;
// Create a new ACL that contains the new ACEs.
DWORD dwRes = SetEntriesInAclW(2, ea, NULL, &pACL);
if (ERROR_SUCCESS != dwRes)
{
throw std::runtime_error("SetEntriesInAcl failed, GLE=" + std::to_string(GetLastError()));
}
// Initialize a security descriptor.
auto secDesc = std::vector<unsigned char>(SECURITY_DESCRIPTOR_MIN_LENGTH);
PSECURITY_DESCRIPTOR pSD = (PSECURITY_DESCRIPTOR)(&secDesc[0]);
if (nullptr == pSD)
{
throw std::runtime_error("LocalAlloc failed, GLE=" + std::to_string(GetLastError()));
}
if (!InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION))
{
throw std::runtime_error("InitializeSecurityDescriptor failed, GLE=" + std::to_string(GetLastError()));
}
// Add the ACL to the security descriptor.
if (!SetSecurityDescriptorDacl(pSD, TRUE, pACL, FALSE)) // not a default DACL
{
throw std::runtime_error("SetSecurityDescriptorDacl failed, GLE=" + std::to_string(GetLastError()));
}
// Initialize a security attributes structure.
sa.nLength = sizeof(SECURITY_ATTRIBUTES);
sa.lpSecurityDescriptor = pSD;
sa.bInheritHandle = FALSE;
// Finally to create the pipe.
m_hPipe = CreateNamedPipeA(
m_pipeName.c_str(), // pipe name
PIPE_ACCESS_DUPLEX, // read/write access
PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | // Byte Stream type pipe
PIPE_WAIT, // blocking mode
PIPE_UNLIMITED_INSTANCES, // max. instances
pipeBufferSize, // output buffer size
pipeBufferSize, // input buffer size
0, // client time-out
&sa); // default security attribute
if (!IsPipeCreated())
{
throw std::runtime_error("CreateNamedPipe failed, GLE=" + std::to_string(GetLastError()));
}
}
bool NamedPipeServerStream::IsPipeCreated() const
{
return (INVALID_HANDLE_VALUE != m_hPipe);
}
Upvotes: 1
Related Questions
- Named Pipes communication failure between a c# and C program
- Interprocess communication between C# and C++
- How to communicate C and C# programs using named pipes
- C++ and C# Communication using Named Pipe
- Named Pipe C# client can't connect to C++ server
- communication between c++ and c# through pipe
- Having trouble connecting to named pipe from a C++ win32 program
- Interprocess Communication Between C# application and unmanaged C++ application
- IPC between a C# application and other applications in C++ and VB.Net
- Two way C++ to C# communication using named pipes