I was looking to implement a named pipe for service/client communication in .NET and came across this code that, while initializing server side of the pipe had to set up a security descriptor for the pipe. They did it this way:
PipeSecurity pipeSecurity = new PipeSecurity();
// Allow Everyone read and write access to the pipe.
pipeSecurity.SetAccessRule(new PipeAccessRule("Authenticated Users",
PipeAccessRights.ReadWrite, AccessControlType.Allow));
// Allow the Administrators group full access to the pipe.
pipeSecurity.SetAccessRule(new PipeAccessRule("Administrators",
PipeAccessRights.FullControl, AccessControlType.Allow));
But I'm looking at it, and I'm concerned about specifying SIDs as strings, or Authenticated Users
and Administrators
parts. What is the guarantee that they will be called that, say, in Chinese or some other language?
(Extracted from OP's original question)
I came up with this alternative:
PipeSecurity pipeSecurity = new PipeSecurity();
// Allow Everyone read and write access to the pipe.
pipeSecurity.SetAccessRule(new PipeAccessRule(
"Authenticated Users",
new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null),
PipeAccessRights.ReadWrite, AccessControlType.Allow));
// Allow the Administrators group full access to the pipe.
pipeSecurity.SetAccessRule(new PipeAccessRule(
"Administrators",
new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null),
PipeAccessRights.FullControl, AccessControlType.Allow));
You can use WellKnownSidType enum to get sid and translate into IdentityReference:
var sid = new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null);
var everyone = sid.Translate(typeof(NTAccount));
security.AddAccessRule(new PipeAccessRule(everyone, PipeAccessRights.ReadWrite, AccessControlType.Allow));