Named Pipe Permissions: Low Integrity Access

TL;DR

No, a low-integrity process generally cannot directly modify the System Access Control List (SACL) or Discretionary Access Control List (DACL) of a named pipe. Windows security prevents this to maintain system integrity.

Solution Guide: Named Pipe Permissions and Integrity Levels

This guide explains why a low-integrity process can’t change the permissions on a named pipe, even if it has access to it. We’ll cover the concepts and demonstrate with examples.

Understanding Integrity Levels

Windows uses integrity levels to control what processes can do. Here are some common levels:

  • High Integrity: Trusted system processes, administrators.
  • Medium Integrity: Most user applications.
  • Low Integrity: Processes running with reduced privileges (e.g., sandboxed apps).

A process at a higher integrity level can access objects at lower levels, but a process at a lower level cannot perform sensitive operations, such as permission changes, on objects at a higher level.

Why a Low-Integrity Process Can’t Modify Pipe Permissions

  1. SACL/DACL Protection: The DACL (Discretionary ACL) defines who can access the pipe and what actions they can perform; the SACL (System ACL) controls audit logging. These are considered critical security settings.
  2. Mandatory Integrity Policy: Windows enforces a Mandatory Integrity Policy that prevents lower-level processes from altering security descriptors of higher-level objects (like named pipes created by higher integrity processes). This is to prevent privilege escalation attacks.
  3. Access Token Restrictions: A low-integrity process has an access token with limited privileges. It won’t have the necessary permissions (e.g., WRITE_DAC) to modify the DACL or SACL of a pipe created by a higher integrity process.

Demonstration: Attempting Permission Modification

We’ll show how an attempt to change the security descriptor fails.

Step 1: Create a Named Pipe (High Integrity)

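Create a named pipe using a process running as administrator or with high integrity. This example uses PowerShell and the .NET System.IO.Pipes classes to create \\.\pipe\mypipe with the default security descriptor; keep the session (and $server) open for the following steps:

$server = [System.IO.Pipes.NamedPipeServerStream]::new('mypipe', [System.IO.Pipes.PipeDirection]::InOut)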

Step 2: Run a Low Integrity Process

Launch a process with low integrity. You can do this using tools like Sandboxie or by configuring the process manifest to specify a lower integrity level.

Step 3: Attempt to Modify Permissions (Low Integrity)

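Within the low-integrity process, try to modify the DACL of the named pipe. Again, PowerShell (Windows PowerShell 5.1) is used for demonstration; the client asks for ChangePermissions (WRITE_DAC) when it connects and then tries to write the DACL back:

$client = [System.IO.Pipes.NamedPipeClientStream]::new('.', 'mypipe', [System.IO.Pipes.PipeAccessRights]'ReadData, ReadPermissions, ChangePermissions', 'None', 'None', 'None')
$client.Connect(1000); $client.SetAccessControl($client.GetAccessControl())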

Step 4: Observe the Error

The attempt to modify permissions will fail with an access denied error. Common errors include:

  • “Access is denied.”
  • Error code 0x5 (ERROR_ACCESS_DENIED)

What a Low-Integrity Process *Can* Do

  1. Read/Write Data: A low-integrity process can typically read from and write data to the named pipe if it has been granted appropriate access permissions in the DACL.
  2. Connect/Disconnect: It can connect to and disconnect from the pipe, assuming the DACL allows it.
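
Added example (not from the original page): one way, in Windows PowerShell 5.1, to create a pipe whose DACL gives clients data access but not WRITE_DAC or WRITE_OWNER, and then audit the live descriptor for those rights. The pipe name demo-pipe, the use of Authenticated Users as the client group and the helper Get-PipeAclFinding are assumptions for illustration.

```powershell
# Added example for Windows PowerShell 5.1 (.NET Framework); run on a test machine.
# Assumptions: pipe name 'demo-pipe', Authenticated Users (S-1-5-11) as the client group.
$Rights = [System.IO.Pipes.PipeAccessRights]
$Allow  = [System.Security.AccessControl.AccessControlType]::Allow

$serverSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$clientSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-11')

# DACL: the server identity keeps full control; clients get data access only.
# ReadWrite does not include ChangePermissions (WRITE_DAC) or TakeOwnership (WRITE_OWNER).
$sec = [System.IO.Pipes.PipeSecurity]::new()
$sec.AddAccessRule([System.IO.Pipes.PipeAccessRule]::new($serverSid, $Rights::FullControl, $Allow))
$sec.AddAccessRule([System.IO.Pipes.PipeAccessRule]::new($clientSid, $Rights::ReadWrite, $Allow))

$server = [System.IO.Pipes.NamedPipeServerStream]::new(
    'demo-pipe', [System.IO.Pipes.PipeDirection]::InOut, 1,
    [System.IO.Pipes.PipeTransmissionMode]::Byte,
    [System.IO.Pipes.PipeOptions]::None, 0, 0, $sec)

# Hypothetical helper: list allow ACEs that let anyone but the trusted SID
# rewrite the pipe's DACL or take ownership of it.
function Get-PipeAclFinding {
    param($Security, [string]$TrustedSid)
    $risky = [int]$Rights::ChangePermissions -bor [int]$Rights::TakeOwnership
    foreach ($ace in $Security.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        $hit = [int]$ace.PipeAccessRights -band $risky
        if ("$($ace.AccessControlType)" -eq 'Allow' -and $hit -ne 0 -and
            $ace.IdentityReference.Value -ne $TrustedSid) {
            [pscustomobject]@{
                Sid    = $ace.IdentityReference.Value
                Rights = [System.IO.Pipes.PipeAccessRights]$hit
            }
        }
    }
}

try {
    # Read the descriptor back from the live pipe handle rather than trusting $sec.
    $findings = @(Get-PipeAclFinding -Security $server.GetAccessControl() -TrustedSid $serverSid.Value)
    if ($findings.Count -eq 0) { 'OK: only the server identity can change the pipe DACL or owner.' }
    else { $findings | Format-Table -AutoSize }
}
finally { $server.Dispose() }
```

If a rule granting ChangePermissions or TakeOwnership to a client group is added to the DACL, the helper reports that SID and the rights it holds instead of the OK line.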

Important Considerations

  • Pipe Creation Integrity Level: The integrity level of the process that creates the named pipe is crucial. Permissions are inherited based on this initial level.
  • Token Impersonation (Advanced): In very specific scenarios, a low-integrity process might be able to impersonate a higher-integrity token if it has been explicitly granted permission to do so. However, this requires careful configuration and is not the default behavior.