Unable to connect to namedpipe server running in a Windows service #7

Open
gplwhite opened this issue Jan 23, 2025 · 1 comment · May be fixed by #8

Comments

@gplwhite

In the scenario that you want to host a NamedPipe-based gRPC service in a Windows service, you cannot subsequently connect to the service from a client running under a standard user account. This is because the NamedPipe is created with default security permissions.

The ACLs in the default security descriptor for a named pipe grant full control to the LocalSystem account, administrators, and the creator owner. They also grant read access to members of the Everyone group and the anonymous account.
https://learn.microsoft.com/en-us/windows/win32/ipc/named-pipe-security-and-access-rights

While the default ACLs do give read access to Everyone, I think the client also needs Write access to allow it to send gRPC messages to the service.

It seems like a good solution would be to allow the creator of the service to specify the security ACLs to apply to the internally created NamedPipe stream.

@gplwhite
Author

Using the changes I've submitted in PR #8, I can successfully connect to the server when the server is initialised as below:

```csharp
using System.IO.Pipes;
using System.Security.AccessControl;
using System.Security.Principal;

// LocalSystem: full control. Built-in Users: read/write plus CreateNewInstance.
var pipeSecurity = new PipeSecurity();
pipeSecurity.AddAccessRule(new PipeAccessRule(new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null), PipeAccessRights.FullControl, AccessControlType.Allow));
pipeSecurity.AddAccessRule(new PipeAccessRule(new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null), PipeAccessRights.ReadWrite | PipeAccessRights.CreateNewInstance, AccessControlType.Allow));

server.ListenAsync(ConnectionFactory.ListenNamedPipe("MyPipe", pipeSecurity));
```
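Added example, not part of the thread or of the project's code: once callers can pass their own `PipeSecurity`, a service can review the ACL before listening and list every explicit Allow rule that gives a broad well-known group more than `ReadWrite`. `PipeAclAudit`, `Review` and the choice of "broad" groups are assumptions made for this illustration; the sample ACL repeats the two rules from the comment above.

```csharp
using System;
using System.Collections.Generic;
using System.IO.Pipes;
using System.Security.AccessControl;
using System.Security.Principal;

// Added illustration (Windows only); PipeAclAudit and Review are hypothetical names.
public static class PipeAclAudit
{
    // Well-known groups that most or all local callers are members of.
    static readonly WellKnownSidType[] BroadGroups =
    {
        WellKnownSidType.WorldSid, WellKnownSidType.AnonymousSid,
        WellKnownSidType.AuthenticatedUserSid, WellKnownSidType.BuiltinUsersSid,
    };

    // One finding per explicit Allow rule that gives a broad group rights beyond ReadWrite.
    public static List<string> Review(PipeSecurity security)
    {
        var findings = new List<string>();
        foreach (PipeAccessRule rule in
                 security.GetAccessRules(true, false, typeof(SecurityIdentifier)))
        {
            if (rule.AccessControlType != AccessControlType.Allow) continue;
            var sid = (SecurityIdentifier)rule.IdentityReference;
            if (!Array.Exists(BroadGroups, sid.IsWellKnown)) continue;

            // Synchronize is left out of the comparison; it only allows waiting on the handle.
            var extra = rule.PipeAccessRights
                        & ~(PipeAccessRights.ReadWrite | PipeAccessRights.Synchronize);
            if (extra != 0)
                findings.Add($"{sid.Value}: {extra} granted in addition to ReadWrite");
        }
        return findings;
    }

    public static void Main()
    {
        // Constructed input: the same two rules as in the comment above.
        var acl = new PipeSecurity();
        acl.AddAccessRule(new PipeAccessRule(
            new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null),
            PipeAccessRights.FullControl, AccessControlType.Allow));
        acl.AddAccessRule(new PipeAccessRule(
            new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null),
            PipeAccessRights.ReadWrite | PipeAccessRights.CreateNewInstance,
            AccessControlType.Allow));

        foreach (var finding in Review(acl)) Console.WriteLine(finding);
    }
}
```

`CreateNewInstance` is the right to create further instances of the same pipe name, so a finding for it on a broad group marks a grant worth deciding deliberately. The thread does not establish whether this project's client can connect with `ReadWrite` alone.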
