Named pipes - allow access from anyone


magenni...@computershare.com.au

Aug 21, 2000, 10:20:26 PM
I know this has been discussed before but I can't get it to work.

I have an NT service which is servicing requests from a named pipe
created using the following code:

-----------------------------------------------
#include <windows.h>

SECURITY_DESCRIPTOR sdPublic;
SECURITY_ATTRIBUTES saPublic;

// NULL DACL: no access control on the pipe object, every caller gets full access
InitializeSecurityDescriptor(&sdPublic, SECURITY_DESCRIPTOR_REVISION);
SetSecurityDescriptorDacl(&sdPublic, TRUE, NULL, FALSE);
saPublic.nLength = sizeof(saPublic);
saPublic.lpSecurityDescriptor = &sdPublic;
saPublic.bInheritHandle = TRUE;

// create a named pipe for reporting status
hNamedPipeLog = CreateNamedPipe(
    szPipeName,
    PIPE_ACCESS_OUTBOUND,
    PIPE_TYPE_BYTE,
    1,      // max one instance
    1024,   // output buffer size
    1024,   // input buffer size
    1,      // default timeout (ms)
    &saPublic
);
-------------------------------
I have a VB client which attaches to the named pipe and pokes a request
in then reads the response back. This works really well until I try and
run it from machines which are logged into the network as stand alone
(I can't change this). The VB app uses a call to "CallNamedPipe" which
returns a 1326 - ERROR_LOGON_FAILURE. I was under the impression that
setting up a NULL Security Descriptor would enable anyone to attach. (I
also tried adding my pipe name to the NULLSESSIONPIPES key in the
registry).

Does anyone have any other ideas? Do I have to switch to using sockets
just because they don't have security?

Thanks,

Magennis Weate
Computershare Systems
Sydney, AUSTRALIA


Larry Huisingh

Aug 22, 2000, 3:00:00 AM
I assume by "standalone" you mean that when you are prompted to log on to
the network you click on the "Cancel" button or press the escape key. With
that definition in mind the way I understand it is that you must be logged
on to the network and can't be standalone to communicate via named pipes.
By setting the security descriptor as you did you just allowed any other
logged on network user to connect to your pipe. That is different than
being standalone (not logged on). I imagine that your attempt to connect to
the pipe is intercepted locally without even going out to the network.
Named pipes are treated similarly to files and you can't connect to another
computer's files without being logged on.

Larry Huisingh

magenni...@computershare.com.au wrote in message
<8nso0r$rl$1...@nnrp1.deja.com>...


>I know this has been discussed before but I can't get it to work.
>
>I have an NT service which is servicing requests from a named pipe
>created using the following code:
>
>-----------------------------------------------

...(snip)...

Tom Saul

Aug 29, 2000, 3:00:00 AM
This is only partly true. I finally got 'universal' access working with
pipes (after wasting a lot of time, and a support call to MS). My program
is pure C(++), so the VB aspects might be different but....

Create the server pipe as you describe. On the server you also have to add
a registry entry to allow full access (see MS knowledgebase article #
124184 - NullSessionPipes section). On the client side you open the pipe
(no special security needed). (Only) If you get the error 1326 you have to
do a second step. You will need to anonymously log into the domain (this is
what the registry hack is for). To do this use something like the following
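C code snippet:

#include <windows.h>
#include <winnetwk.h>   // link with mpr.lib
#include <stdio.h>

NETRESOURCE netres;
char ipc_name[256];
DWORD d_rc;

// bounded write so a long machine name cannot overrun ipc_name
snprintf(ipc_name, sizeof(ipc_name), "\\\\%s\\ipc$", hIpc->MachName);

ZeroMemory(&netres, sizeof(netres));
netres.dwType = RESOURCETYPE_DISK;
netres.lpLocalName = NULL;
netres.lpRemoteName = ipc_name;
netres.lpProvider = NULL;

// empty password and empty user name: anonymous (null session) connection
d_rc = WNetAddConnection2(&netres, "", "", 0);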

Don't forget to log out when done with the pipe.

Another way to do this is to use the (net use ipc$ "" "") command before
running your application (no code changes required to do that). This is the
equivalent of doing the WNetAddConnection2() call.


Good luck.


"Larry Huisingh" <lhui...@netscape.net> wrote in message
news:7CD3E724ABFCD31198C700508B959770019DEB4E@PNLMSE0...


> I assume by "standalone" you mean that when you are prompted to log on to
> the network you click on the "Cancel" button or press the escape key. With
> that definition in mind the way I understand it is that you must be logged
> on to the network and can't be standalone to communicate via named pipes.
> By setting the security descriptor as you did you just allowed any other
> logged on network user to connect to your pipe. That is different than
> being standalone (not logged on). I imagine that your attempt to connect to
> the pipe is intercepted locally without even going out to the network.
> Named pipes are treated similarly to files and you can't connect to another
> computer's files without being logged on.
>
> Larry Huisingh
>
> magenni...@computershare.com.au wrote in message
> <8nso0r$rl$1...@nnrp1.deja.com>...

> >I know this has been discussed before but I can't get it to work.
> >
> >I have an NT service which is servicing requests from a named pipe
> >created using the following code:
> >
> >-----------------------------------------------

> ...(snip)...
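
An added example, not part of any post in this thread: a small audit check that combines the two settings discussed above, the NULL DACL from the first post and the NullSessionPipes registry entry from the last reply, and reports which pipes a null session could reach without the DACL shutting callers out. The pipe names and SDDL strings are constructed sample data; how the descriptors are collected from a server is left out and assumed to be done separately.

```python
import re

# Constructed sample data (not from the thread): pipe names listed in the
# server's NullSessionPipes value, and each pipe's security descriptor in SDDL.
NULL_SESSION_PIPES = ["statuslog", "reports", "telemetry"]
PIPE_SDDL = {
    "statuslog": "D:NO_ACCESS_CONTROL",                   # NULL DACL, as in the first post
    "reports": "O:SYG:SYD:(A;;GA;;;SY)(A;;GRGW;;;AU)",    # SYSTEM + Authenticated Users
    "telemetry": "O:SYG:SYD:(A;;GA;;;SY)(A;;GRGW;;;AN)",  # explicit Anonymous Logon ACE
}

def classify_dacl(sddl):
    """Say who the DACL in an SDDL string admits (deny ACEs are not weighed)."""
    m = re.search(r"D:(.*?)(?=S:|$)", sddl)
    if m is None:
        return "unknown"
    dacl = m.group(1)
    if "NO_ACCESS_CONTROL" in dacl:
        # NULL DACL: every caller gets full access, including WRITE_DAC.
        return "null-dacl"
    allowed = set()
    for ace in re.findall(r"\(([^()]*)\)", dacl):
        fields = ace.split(";")  # type;flags;rights;object;inherit_object;sid
        if len(fields) >= 6 and fields[0] == "A":
            allowed.add(fields[5])
    if "AN" in allowed:
        return "anonymous-allowed"
    if "WD" in allowed:
        # Whether Everyone covers anonymous callers depends on system policy.
        return "everyone-allowed"
    return "restricted"

def exposed_pipes(null_session_pipes, pipe_sddl):
    """Pipes reachable over a null session whose DACL does not shut callers out."""
    findings = []
    for name in null_session_pipes:
        verdict = classify_dacl(pipe_sddl.get(name.lower(), ""))
        if verdict != "restricted":
            findings.append((name, verdict))
    return findings

if __name__ == "__main__":
    for name, verdict in exposed_pipes(NULL_SESSION_PIPES, PIPE_SDDL):
        print(f"{name}: {verdict}")
```

A pipe that must stay in NullSessionPipes is better given an explicit DACL limited to the rights its clients need, so that it classifies as something other than `null-dacl`.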
