The following problem occurs in the Microsoft Windows 7 implementation of Qt 4.8.1:
A QLocalServer (named pipe) is waiting for clients to connect, and it is running as a server application that runs with administrative privileges (a system service, for example).
How is it possible to allow a non-privileged QLocalSocket client to connect to that server? Connection attempts are always denied with error code 3 (QLocalSocket::SocketAccessError). Is there a solution?
Edit: As I found out, the solution is to change the pipe security by allowing full access to the "Everyone" SID. The only problem here is that a call to SetSecurityInfo always fails with an "access denied" error.
First we have to obtain a pipe handle. Since the pipe is already created by Qt, we will open it with CreateNamedPipe.
```cpp
HANDLE hPipe = CreateNamedPipe(
    (const wchar_t *)_Server->fullServerName().utf16(), // pipe name
    PIPE_ACCESS_DUPLEX | FILE_FLAG_OVERLAPPED,          // read/write access
    PIPE_TYPE_BYTE |                                    // byte type pipe
    PIPE_READMODE_BYTE |                                // byte-read mode
    PIPE_WAIT,                                          // blocking mode
    PIPE_UNLIMITED_INSTANCES,                           // max. instances
    0,                                                  // output buffer size
    0,                                                  // input buffer size
    3000,                                               // client time-out
    0                                                   // Default Security
);
// Same call to open/create pipe as in qlocalserver_win.cpp

// Code here to add/change ACEs

if (SetSecurityInfo(hPipe, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
                    0, 0, NewAcl, 0) == ERROR_SUCCESS) {
    // Success
}
```
Even if NewAcl is set to NULL, the call fails. So what could cause that "access denied" error?
I found a solution for the Qt problem. Since one cannot use the handle created by CreateNamedPipe after calling QLocalServer::listen(), we can call CreateNamedPipe before Qt does. If we call it with WRITE_DAC | FILE_FLAG_FIRST_PIPE_INSTANCE, we can change anything.
Then we can change security settings as stated by Chris Dickson.
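An added example, not part of the original posts or of Qt: a check of which rights a pipe DACL hands to "Everyone", since full access (SDDL `FA`) also carries WRITE_DAC, WRITE_OWNER and FILE_CREATE_PIPE_INSTANCE, which a connecting client does not need. It assumes the DACL is written as an SDDL string; the function names and sample DACLs are constructed for illustration, and the Win32 mask values are copied in so it builds without `<windows.h>`.

```cpp
#include <cstdint>
#include <cstdio>
#include <sstream>
#include <string>
#include <vector>

// Win32 access-mask values, copied here so the check builds without <windows.h>.
constexpr uint32_t kFileAllAccess      = 0x001F01FF; // FILE_ALL_ACCESS, SDDL "FA"
constexpr uint32_t kFileGenericRead    = 0x00120089; // FILE_GENERIC_READ, SDDL "FR"
constexpr uint32_t kFileGenericWrite   = 0x00120116; // FILE_GENERIC_WRITE, SDDL "FW"
constexpr uint32_t kCreatePipeInstance = 0x00000004; // FILE_CREATE_PIPE_INSTANCE
constexpr uint32_t kWriteDac           = 0x00040000; // WRITE_DAC
constexpr uint32_t kWriteOwner         = 0x00080000; // WRITE_OWNER
constexpr uint32_t kRisky = kCreatePipeInstance | kWriteDac | kWriteOwner;

// Decode one ACE rights field: a hex mask or a run of two-letter codes.
uint32_t parseRights(const std::string& r) {
    if (r.compare(0, 2, "0x") == 0)
        return static_cast<uint32_t>(std::stoul(r, nullptr, 16));
    uint32_t mask = 0;
    for (size_t i = 0; i < r.size(); i += 2) {
        const std::string code = r.substr(i, 2);
        if (code == "FA" || code == "GA") mask |= kFileAllAccess;
        else if (code == "FR") mask |= kFileGenericRead;
        else if (code == "FW") mask |= kFileGenericWrite;
        else mask |= kRisky; // codes this sketch does not decode: fail closed
    }
    return mask;
}

// Risky bits that allow-ACEs in an SDDL DACL grant to Everyone (SID alias "WD").
uint32_t riskyRightsForEveryone(const std::string& sddl) {
    uint32_t risky = 0;
    for (size_t pos = 0; (pos = sddl.find('(', pos)) != std::string::npos; ++pos) {
        const size_t end = sddl.find(')', pos);
        if (end == std::string::npos) break;
        std::stringstream ace(sddl.substr(pos + 1, end - pos - 1));
        std::vector<std::string> f; // type;flags;rights;object;inherit_object;sid
        for (std::string s; std::getline(ace, s, ';');) f.push_back(s);
        if (f.size() == 6 && f[0] == "A" && f[5] == "WD")
            risky |= parseRights(f[2]) & kRisky;
    }
    return risky;
}

int main() {
    // Constructed DACL strings: full access for Everyone vs. read/write only.
    for (const char* d : {"D:(A;;FA;;;WD)", "D:(A;;0x12019b;;;WD)(A;;FA;;;SY)"})
        std::printf("%-34s risky=0x%05x\n", d, (unsigned)riskyRightsForEveryone(d));
}
```

The mask 0x12019b is FILE_GENERIC_READ | FILE_GENERIC_WRITE with FILE_CREATE_PIPE_INSTANCE cleared; a zero result means the Everyone entry lets clients read and write but not create further instances of the pipe or rewrite its DACL.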