Problem: I created a service, which is supposed to run under elevated privileges. Now I have an application accessible to users. The application wants to speak to the service via a named pipe. The named pipe is created by the service.
However I cannot open the pipe, because ERROR_ACCESS_DENIED. Question: how I can setup the pipe in the service in order the application would be able to write-open it ?
I read this however it doesn't help at all. I'd be happy to see hints or code sample(s).
Background: I need to change settings of an Audio Device what can be done via IPropertyStore inteface gotten via IMMDevice::OpenPropertyStore call. However the documentation clearly says that I cannot do this if I don't have administrative privileges. Obviously I don't want to annoy user with UAC each time he is going to rotate a knob. so for this I created the aforementioned service. But no luck again.
for control access to Securable Object we need set appropriate a security descriptor. of course system always by default set some security descriptor on new created object based on caller token ( The default DACL that the system uses when the user creates a securable object without specifying a security descriptor) (we can change this DACL with TokenDefaultDacl if want )
the most simply solution for enable very wide access for object set NULL (not empty !! empty DACL dissable access for all) DACL in security descriptor. this allow access almost for everyone too object (except Low Integrity thread/process (for this need set Low Mandatory Label is SACL)
SECURITY_DESCRIPTOR sd;
InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION);
SetSecurityDescriptorDacl(&sd, TRUE, 0, FALSE);
SetSecurityDescriptorControl(&sd, SE_DACL_PROTECTED, SE_DACL_PROTECTED);
SECURITY_ATTRIBUTES sa = { sizeof(sa), &sd, FALSE};
and then we you pointer to SECURITY_ATTRIBUTES in create object api (almost all this api take pointer to SECURITY_ATTRIBUTES as parameter. if use native api - pointer to Security Descriptor was inside OBJECT_ATTRIBUTES structure)
another possible choice - use not NULL but another DACL, here most hard point decide what concrete must be in this DACL. not implementation, but conceptual choice.