
Connect to admin named pipe from regular client


I'm trying to have a duplex named pipe in Windows using Golang and the https://pkg.go.dev/github.com/Microsoft/go-winio package.

The client runs as a regular process but the server runs elevated (the client starts the server via ShellExecute and the "runas" verb); both must be able to read and write to the pipe.

The client is able to read (when tested just using os.Open) but it receives error golang.org/x/sys/windows.ERROR_ACCESS_DENIED (5) when doing read/write.

The server code is:

// ...
_ = os.Remove(pipePath)
pc := &winio.PipeConfig{
    InputBufferSize:    512,
    OutputBufferSize:   512,
}

l, err := winio.ListenPipe(pipePath, pc)
if err != nil {
    fmt.Println("Error creating pipe: ", err)
    os.Exit(255)
}
defer func(l net.Listener) {
    _ = l.Close()
}(l)
for {
    conn, err := l.Accept()
    if err != nil {
        fmt.Println("Error accepting connection: ", err)
        continue
    }
    // ...
}
// ...

I've tested many different SecurityDescriptor values in winio.PipeConfig to no avail.

And the client code is:

// ...
conn, err := winio.DialPipe(pipePath, nil)
// ...

Thanks in advance.


Solution

  • Found the answer to my question: using SecurityDescriptor D:P(A;;GA;;;AU), with the interesting part being A;;GA;;;AU: Allow Generic All (read/write) to all Authenticated Users. I further restricted the descriptor by substituting the AU part for the current user SID so only the current authenticated user has access.
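The restriction described in the answer, as an added example that is not the poster's code: it builds the single-SID descriptor string that would go in the SecurityDescriptor field of winio.PipeConfig, and checks a descriptor for write access granted to broad trustees such as AU. The function names and the sample SID are constructed for illustration, and obtaining the current user's SID on Windows is left out.

```go
package main

import (
	"fmt"
	"regexp"
)

// sidRe matches a SID in string form, e.g. S-1-5-21-...-1001.
var sidRe = regexp.MustCompile(`^S-1-\d+(-\d+)+$`)
// aceRe captures type, rights and trustee of one ACE: (type;flags;rights;guid;guid;trustee).
var aceRe = regexp.MustCompile(`\(([^;()]*);[^;()]*;([^;()]*);[^;()]*;[^;()]*;([^;()]*)\)`)

// broad lists SDDL trustee aliases that cover many accounts.
var broad = map[string]string{
	"WD": "Everyone", "AN": "Anonymous", "AU": "Authenticated Users",
	"BU": "Built-in Users", "IU": "Interactive", "NU": "Network",
}

// PipeSDDLForUser builds a protected DACL granting Generic All to one SID only.
func PipeSDDLForUser(sid string) (string, error) {
	if !sidRe.MatchString(sid) {
		return "", fmt.Errorf("not a SID string: %q", sid)
	}
	return "D:P(A;;GA;;;" + sid + ")", nil
}

// BroadWriteGrants reports allow ACEs that give a broad trustee write access.
// Only two-letter rights aliases are understood; hex masks are not decoded.
func BroadWriteGrants(sddl string) []string {
	var out []string
	for _, m := range aceRe.FindAllStringSubmatch(sddl, -1) {
		name, isBroad := broad[m[3]]
		if m[1] != "A" || !isBroad {
			continue
		}
		for k := 0; k+2 <= len(m[2]); k += 2 {
			switch r := m[2][k : k+2]; r {
			case "GA", "GW", "FA", "FW":
				out = append(out, fmt.Sprintf("%s (%s) granted %s", m[3], name, r))
			}
		}
	}
	return out
}

func main() {
	sd, _ := PipeSDDLForUser("S-1-5-21-1111111111-2222222222-3333333333-1001") // constructed SID
	fmt.Println(sd, BroadWriteGrants(sd), BroadWriteGrants("D:P(A;;GA;;;AU)"))
}
```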