
[ovs-dev] windows,python: Add restrictions to named pipes

Message ID 1503499816-2116-1-git-send-email-abalutoiu@cloudbasesolutions.com
State Accepted

Commit Message

Alin Balutoiu Aug. 23, 2017, 2:50 p.m. UTC
Bump the security around named pipes to be more restrictive: disable network
access and allow only administrators and above to access the named pipes.

Signed-off-by: Alin Balutoiu <abalutoiu@cloudbasesolutions.com>
---
 python/ovs/winutils.py | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)

Comments

Alin-Gabriel Serdean Sept. 12, 2017, 9:04 p.m. UTC | #1
Acked-by: Alin Gabriel Serdean <aserdean@ovn.org>

> -----Original Message-----
> From: ovs-dev-bounces@openvswitch.org [mailto:ovs-dev-
> bounces@openvswitch.org] On Behalf Of Alin Balutoiu
> Sent: Wednesday, August 23, 2017 5:51 PM
> To: dev@openvswitch.org
> Subject: [ovs-dev] [PATCH] windows,python: Add restrictions to named
> pipes
> 
> Bump the security around named pipes to be more restrictive: disable
> network access and allow only administrators and above to access the named
> pipes.
> 
> Signed-off-by: Alin Balutoiu <abalutoiu@cloudbasesolutions.com>
> ---

Patch

diff --git a/python/ovs/winutils.py b/python/ovs/winutils.py
index 89e28e1..8f3151a 100644
--- a/python/ovs/winutils.py
+++ b/python/ovs/winutils.py
@@ -17,6 +17,7 @@  import sys
 if sys.platform != 'win32':
     raise Exception("Intended to use only on Windows")
 else:
+    import ntsecuritycon
     import pywintypes
     import win32con
     import win32event
@@ -139,7 +140,65 @@  def create_named_pipe(pipename, openMode=None, pipeMode=None,
     if saAttr == -1:
         # saAttr can be None
         saAttr = win32security.SECURITY_ATTRIBUTES()
+
+        # The identifier authority.
+        sia = ntsecuritycon.SECURITY_NT_AUTHORITY
+
+        # Initialize the SID.
+        remoteAccessSid = win32security.SID()
+        remoteAccessSid.Initialize(
+            sia,  # The identifier authority.
+            1)  # The number of sub authorities to allocate.
+        # Disable access over network.
+        remoteAccessSid.SetSubAuthority(
+            0,  # The index of the sub authority to set
+            ntsecuritycon.SECURITY_NETWORK_RID)
+
+        allowedPsids = []
+        # Allow Windows Services to access the Named Pipe.
+        allowedPsid_0 = win32security.SID()
+        allowedPsid_0.Initialize(
+            sia,  # The identifier authority.
+            1)  # The number of sub authorities to allocate.
+        allowedPsid_0.SetSubAuthority(
+            0,  # The index of the sub authority to set
+            ntsecuritycon.SECURITY_LOCAL_SYSTEM_RID)
+        # Allow Administrators to access the Named Pipe.
+        allowedPsid_1 = win32security.SID()
+        allowedPsid_1.Initialize(
+            sia,  # The identifier authority.
+            2)  # The number of sub authorities to allocate.
+        allowedPsid_1.SetSubAuthority(
+            0,  # The index of the sub authority to set
+            ntsecuritycon.SECURITY_BUILTIN_DOMAIN_RID)
+        allowedPsid_1.SetSubAuthority(
+            1,  # The index of the sub authority to set
+            ntsecuritycon.DOMAIN_ALIAS_RID_ADMINS)
+
+        allowedPsids.append(allowedPsid_0)
+        allowedPsids.append(allowedPsid_1)
+
+        # Initialize an ACL.
+        acl = win32security.ACL()
+        acl.Initialize()
+        # Add denied ACL.
+        acl.AddAccessDeniedAce(win32security.ACL_REVISION,
+                               ntsecuritycon.GENERIC_ALL,
+                               remoteAccessSid)
+        # Add allowed ACLs.
+        for allowedPsid in allowedPsids:
+            acl.AddAccessAllowedAce(win32security.ACL_REVISION,
+                                    ntsecuritycon.GENERIC_ALL,
+                                    allowedPsid)
+
+        # Initialize an SD.
+        sd = win32security.SECURITY_DESCRIPTOR()
+        sd.Initialize()
+        # Set DACL.
+        sd.SetSecurityDescriptorDacl(True, acl, False)
+
         saAttr.bInheritHandle = 1
+        saAttr.SECURITY_DESCRIPTOR = sd
 
     try:
         npipe = win32pipe.CreateNamedPipe(pipename,
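Review bot: The restrictive DACL is built only inside `if saAttr == -1:`, so a caller that passes its own `saAttr` (the existing comment notes it can be `None`) gets a pipe without the network deny ACE or the LocalSystem/Administrators allow list. Whether any caller does this is not visible here, because `create_named_pipe` starts and ends outside the hunk, but the behaviour should be stated at the branch, e.g. `# Only the default (-1) gets the restricted DACL; an explicit saAttr, including None, is passed through unchanged.` Separately, the comment `# Allow Windows Services to access the Named Pipe.` overstates what the ACE grants: `SECURITY_LOCAL_SYSTEM_RID` names the LocalSystem account only, so `# Allow the LocalSystem account to access the Named Pipe.` would be more accurate.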