Thank you for the patch. I ran the unit tests with and without this patch and observed that no new tests fail. The ones that are failing, “1007 2319 2385 2386 2387 2388 2389 2390”, do not depend on this patch. I have started a separate thread with Alin to resolve the failing unit tests.
Acked-by: Anand Kumar <[email protected]> Thanks, Anand Kumar On 8/23/17, 7:50 AM, "[email protected] on behalf of Alin Balutoiu" <[email protected] on behalf of [email protected]> wrote: Bump the security around named pipes to be more restrictive: disable network access and allow only administrators and above to access the named pipes. Signed-off-by: Alin Balutoiu <[email protected]>
---
 python/ovs/winutils.py | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)
diff --git a/python/ovs/winutils.py b/python/ovs/winutils.py
index 89e28e1..8f3151a 100644
--- a/python/ovs/winutils.py
+++ b/python/ovs/winutils.py
@@ -17,6 +17,7 @@ import sys
 if sys.platform != 'win32':
 raise Exception("Intended to use only on Windows")
 else:
+ import ntsecuritycon
 import pywintypes
 import win32con
 import win32event
@@ -139,7 +140,65 @@ def create_named_pipe(pipename, openMode=None, pipeMode=None,
 if saAttr == -1: # saAttr can be None
 saAttr = win32security.SECURITY_ATTRIBUTES()
+
+ # The identifier authority.
+ sia = ntsecuritycon.SECURITY_NT_AUTHORITY
+
+ # Initialize the SID.
+ remoteAccessSid = win32security.SID()
+ remoteAccessSid.Initialize(
+ sia, # The identifier authority.
+ 1) # The number of sub authorities to allocate.
+ # Disable access over network.
+ remoteAccessSid.SetSubAuthority(
+ 0, # The index of the sub authority to set
+ ntsecuritycon.SECURITY_NETWORK_RID)
+
+ allowedPsids = []
+ # Allow Windows Services to access the Named Pipe.
+ allowedPsid_0 = win32security.SID()
+ allowedPsid_0.Initialize(
+ sia, # The identifier authority.
+ 1) # The number of sub authorities to allocate.
+ allowedPsid_0.SetSubAuthority(
+ 0, # The index of the sub authority to set
+ ntsecuritycon.SECURITY_LOCAL_SYSTEM_RID)
+ # Allow Administrators to access the Named Pipe.
+ allowedPsid_1 = win32security.SID()
+ allowedPsid_1.Initialize(
+ sia, # The identifier authority.
+ 2) # The number of sub authorities to allocate.
+ allowedPsid_1.SetSubAuthority(
+ 0, # The index of the sub authority to set
+ ntsecuritycon.SECURITY_BUILTIN_DOMAIN_RID)
+ allowedPsid_1.SetSubAuthority(
+ 1, # The index of the sub authority to set
+ ntsecuritycon.DOMAIN_ALIAS_RID_ADMINS)
+
+ allowedPsids.append(allowedPsid_0)
+ allowedPsids.append(allowedPsid_1)
+
+ # Initialize an ACL.
+ acl = win32security.ACL()
+ acl.Initialize()
+ # Add denied ACL.
+ acl.AddAccessDeniedAce(win32security.ACL_REVISION,
+ ntsecuritycon.GENERIC_ALL,
+ remoteAccessSid)
+ # Add allowed ACLs.
+ for allowedPsid in allowedPsids:
+ acl.AddAccessAllowedAce(win32security.ACL_REVISION,
+ ntsecuritycon.GENERIC_ALL,
+ allowedPsid)
+
+ # Initialize an SD.
+ sd = win32security.SECURITY_DESCRIPTOR()
+ sd.Initialize()
+ # Set DACL.
+ sd.SetSecurityDescriptorDacl(True, acl, False)
+ saAttr.bInheritHandle = 1
+ saAttr.SECURITY_DESCRIPTOR = sd
 try:
 npipe = win32pipe.CreateNamedPipe(pipename,
-- 2.10.0.windows.1 _______________________________________________ dev mailing list [email protected] https://urldefense.proofpoint.com/v2/url?u=https-3A__mail.openvswitch.org_mailman_listinfo_ovs-2Ddev&d=DwICAg&c=uilaK90D4TOVoH58JNXRgQ&r=Q5z9tBe-nAOpE7LIHSPV8uy5-437agMXvkeHHMkR8Us&m=cS16528rZtTdJ_pKOiRjBU3NQSWfVIzkBN8q-G9BX2A&s=9MudtpbRVcvRW5o6px07mxCCmjtVGi1qhhCwjTQuLmw&e= _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
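Review bot: The relative order of the deny ACE and the two allow ACEs is what makes the "no network access" rule hold, but nothing in the hunk says so: an administrator logging on over the network carries both the NETWORK SID and the Administrators SID, and the access check stops at the first ACE that grants or denies the requested rights, so a later reorder of the `AddAccessDeniedAce` and `AddAccessAllowedAce` calls would silently let remote administrators through. Suggest a comment above `acl.AddAccessDeniedAce(...)` stating that the deny ACE must stay ahead of the allow ACEs (canonical DACL order). The roughly thirty lines that hand-assemble the three SIDs with `SID()`/`Initialize`/`SetSubAuthority` can be replaced by `win32security.CreateWellKnownSid(...)` with `WinNetworkSid`, `WinLocalSystemSid` and `WinBuiltinAdministratorsSid`, which removes the sub-authority counts and indices that are easy to get wrong; a sketch follows. The hunk header announces seven context lines but only five are visible here, so the trailing context of create_named_pipe appears truncated in this rendering, and the function's body continues outside the hunk.
```python
        saAttr = win32security.SECURITY_ATTRIBUTES()

        # Well-known SIDs: NETWORK (S-1-5-2), LOCAL SYSTEM (S-1-5-18) and
        # BUILTIN\Administrators (S-1-5-32-544).
        remoteAccessSid = win32security.CreateWellKnownSid(
            win32security.WinNetworkSid)
        allowedPsids = [
            win32security.CreateWellKnownSid(win32security.WinLocalSystemSid),
            win32security.CreateWellKnownSid(
                win32security.WinBuiltinAdministratorsSid),
        ]

        acl = win32security.ACL()
        acl.Initialize()
        # The deny ACE must precede the allow ACEs (canonical DACL order):
        # a caller that is both NETWORK and Administrators is rejected only
        # if the deny ACE is evaluated before the allow ACE that would
        # otherwise grant it GENERIC_ALL.
        acl.AddAccessDeniedAce(win32security.ACL_REVISION,
                               ntsecuritycon.GENERIC_ALL,
                               remoteAccessSid)
        # ... unchanged: allow loop, SECURITY_DESCRIPTOR setup, saAttr fields ...
```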
