Windows support: Explicitly deny access to remote callers in exposed named pipes endpoints #3236
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ints Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
…ints Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
amartinezfayo
requested review from
evan2645,
azdagron,
MarcosDY and
rturner3
as code owners
MarcosDY
reviewed
Jul 12, 2022
| _, err = util.GRPCDialContext(ctx, targetAsRemote, grpc.WithBlock(), grpc.FailOnNonTempDialError(true)) | ||
|
|
||
| // Remote calls must be denied | ||
| require.True(t, errors.Is(err, windows.ERROR_ACCESS_DENIED)) |
There was a problem hiding this comment.
maybe you can use require.ErrorIs() here
| _, err = util.GRPCDialContext(ctx, targetAsRemote, grpc.WithBlock(), grpc.FailOnNonTempDialError(true)) | ||
|
|
||
| // Remote calls must be denied | ||
| require.True(t, errors.Is(err, windows.ERROR_ACCESS_DENIED)) |
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
stevend-uber
pushed a commit
to stevend-uber/spire
that referenced
this pull request
Oct 16, 2023
…named pipes endpoints (spiffe#3236) * Explicitly deny access to remote callers in exposed named pipes endpoints Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Our named pipes endpoints are designed to be accessed locally only, and shouldn't be exposed to remote callers.
We are currently relying on the implementation of
winio.ListenPipeto deny access to remote callers of the exposed named pipes endpoints. This is done through the FILE_PIPE_REJECT_REMOTE_CLIENTS option when calling the NtCreateNamedPipeFile function.Ideally, we shouldn't rely on the behavior of an external library to have this security property. Microsoft recommends to deny access to NT AUTHORITY\NETWORK if the pipe is intended to be accessed only locally.
This changes updates the security descriptors used to establish the security properties of the named pipes to explicitly deny access to
NT AUTHORITY\NETWORK. This is a group identifier added to the token of a process when it was logged on across a network.Additional testing was added to make sure that if the endpoints are exposed to remote callers, we catch that through our tests.