ACLs on Sockets


A friend from Foundstone sent me an email asking how to set ACLs on sockets in Windows. He’d heard that we’d added the capability recently. Yup, it’s true, ACL support for sockets was added to Windows Server 2003 SP1, and is in current builds of Windows Vista too.


Here’s how you do it (I could explain it, but I guess code is best :)


    #include <winsock2.h>
    #include <windows.h>
    #include <sddl.h>
    #include <stdio.h>
    #pragma comment(lib, "ws2_32.lib")
    #pragma comment(lib, "advapi32.lib")

    #define DEFAULT_PROTO SOCK_STREAM   // assumed: the SDK samples' TCP default; the post does not define it

    // Inside a function such as main(), after WSAStartup has succeeded
    SOCKET listen_socket = WSASocket(AF_INET, DEFAULT_PROTO, 0, NULL, 0, 0);
    if (listen_socket == INVALID_SOCKET) {
        printf("socket() failed with error %d\n", WSAGetLastError());
        WSACleanup();
        return 1;
    }

    // Build the DACL from SDDL: GENERIC_ALL for Local Service (LS) and Builtin Administrators (BA) only
    PSECURITY_DESCRIPTOR psD = NULL;
    if (!ConvertStringSecurityDescriptorToSecurityDescriptor(
            TEXT("D:(A;;GA;;;LS)(A;;GA;;;BA)"), // Only local admins and local service can bind
            SDDL_REVISION_1,                    // the documented revision value for this parameter
            &psD,
            NULL)) {
        printf("Convert failed with error %d\n", GetLastError());
        closesocket(listen_socket);
        WSACleanup();
        return 1;
    }

    // A socket handle is a kernel object handle, so the DACL is applied with SetKernelObjectSecurity
    if (!SetKernelObjectSecurity(
            (HANDLE)listen_socket,
            DACL_SECURITY_INFORMATION,
            psD))
        printf("SetKernelObjectSecurity failed %d\n", GetLastError());

    LocalFree(psD); // the kernel keeps its own copy; the converted buffer is no longer needed


If another application attempts to bind to the socket, and the process is not running as an admin or local service account, it’ll get the dreaded Err=5 :)


In Windows Vista we also added SACL support, so you can audit who attempts to bind; you just need to create an SDDL ACL that looks like this:


D:(A;;GA;;;LS)(A;;GA;;;BA)S:(AU;SAFA;GA;;;WD)


See how the SACL (S:) follows the DACL (D:).


If you are setting a SACL, you will need to assert the SeSecurityPrivilege privilege first.
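As an added example (not the post's code), a small portable parser for the SDDL strings used above, so the DACL and SACL entries can be inspected before they are applied; it also reports when a SACL is present and SeSecurityPrivilege will be needed. It only handles the D: and S: sections, which is all these strings contain.

```c
#include <stdio.h>
#include <string.h>

/* One parsed ACE: the list it belongs to plus the SDDL fields the post relies on. */
typedef struct {
    char list;        /* 'D' = DACL entry, 'S' = SACL entry */
    char type[4];     /* A = access allowed, D = access denied, AU = audit */
    char flags[16];   /* e.g. SAFA = audit both success and failure */
    char rights[16];  /* e.g. GA = GENERIC_ALL */
    char sid[32];     /* well-known alias: LS, BA, WD, ... */
} sddl_ace;

/* Splits "D:(...)(...)S:(...)" into ACEs. Only the D: and S: sections are handled, which is
 * all the post's strings use. Returns the ACE count, or -1 if the string is malformed. */
int parse_sddl(const char *sddl, sddl_ace *out, int max)
{
    char list = 0, buf[64], *fld[6] = { buf };
    int n = 0;
    for (const char *p = sddl; *p; p++) {
        if ((*p == 'D' || *p == 'S') && p[1] == ':') { list = *p; p++; continue; }
        const char *end = (*p == '(') ? strchr(p, ')') : NULL;   /* each ACE is "(...)" */
        size_t len = end ? (size_t)(end - p - 1) : 0;
        if (!end || !list || n == max || len >= sizeof buf) return -1;
        memcpy(buf, p + 1, len);
        buf[len] = '\0';
        /* ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid */
        int f = 1;
        for (char *s = buf; *s && f < 6; s++)
            if (*s == ';') { *s = '\0'; fld[f++] = s + 1; }
        if (f != 6) return -1;
        out[n].list = list;
        snprintf(out[n].type,   sizeof out[n].type,   "%s", fld[0]);
        snprintf(out[n].flags,  sizeof out[n].flags,  "%s", fld[1]);
        snprintf(out[n].rights, sizeof out[n].rights, "%s", fld[2]);
        snprintf(out[n].sid,    sizeof out[n].sid,    "%s", fld[5]);
        n++;
        p = end;
    }
    return n;
}

/* 1 if the descriptor carries any SACL ACE, i.e. SeSecurityPrivilege must be held to apply it. */
int sddl_needs_security_privilege(const char *sddl)
{
    sddl_ace a[16];
    int n = parse_sddl(sddl, a, 16);
    for (int i = 0; i < n; i++) if (a[i].list == 'S') return 1;
    return 0;
}
```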


PS: Yes, we’ll update the text for SetKernelObjectSecurity on MSDN to reflect sockets are ACL-able!

Comments (4)

  1. Adam says:

    So I don’t understand why you’d write that code. Could you explain what the motivation is to create a socket, and then set an ACL on it? It seems like once you’ve bound, then you listen, and no one else can listen anyway. If no one else can listen anyway, what’s the point of the ACL?

  2. André Gil says:

    Great stuff ACL and SACL on sockets :)

    Are there plans to add it to WinXP and 2000, as those are the biggest codebase available?

    Thanks

    André Gil


  4. Oleg says:

    Hello!

    Thanks

    At least my dreams come true.