Can I create Windows mutexes globally for those processes that know the mutex password?
I want to create a Windows mutex using WinAPI, CreateMutex()
and OpenMutex()
. But for security reasons, I want the mutex to be opened by those processes that know the "password" or hardcoded magic code. I don't want all processes to access the mutex.
For example, Create a mutex named "Globel \ cd689f00-0462-11e5-b939-0800200c9a66". Thus, only someone who knows the name of the mutex can access that mutex. But this is not a good solution, because you can just use Winobj.exe and you still have a chance to find this mutex. I want this mutex to be protected with something like ACL (Access Control Lists). The problem is, I can't find a way to create my own SID for the ACL.
Here's what I know and what I want: 1. I know that I can make a mutex available to multiple processes by naming it "Global \ MyMutexName". 2. I am also trying to understand the ACL and SID mentioned on MSDN. But I still can't find a way to create my own SID (maybe it doesn't make sense?). 3. I don't want to promote my processes to admin.
source to share
What you are trying to do is not natural to the security model used by Windows. Permissions are always granted based on who runs the executable, not the executable itself. However, depending on your scenario, there may be suitable options.
If all involved processes will be in the context of the same user, you can use IPC (eg named pipes) to identify your "friendly" processes and DuplicateHandle () to pass a handle to an unnamed mutex between processes.
If the processes need to be in different user contexts, one option would be for the system service running in the privileged context to act as a broker. Of course, this requires the system service to be installed with administrator privileges, but this is usually acceptable; this only needs to be done once.
If the application needs to be portable (no installation or cannot be installed without admin access) and needs to cross user boundaries, I think you will need to use IPC to implement your own mutex. Of course, this would be very ineffective.
Keep in mind that in any of these scenarios, an attacker could gain access to the mutex - the best you can do is make it a little more difficult. For example, if you are using an actual mutex, an attacker could enumerate descriptors of one of the processes, identify the mutex, and duplicate the descriptor. (Or, simply injecting malicious code into one of the supposedly "friendly" processes in order to use the handle directly.) Even IPC could be spied on and duplicated.
You should seriously consider whether the ultimate security advantage is worth increasing the complexity significantly. IMO, this is unlikely to be.
(The correct solution, by the way, is that the system service does all the work that requires access to the mutex; the application that the user starts will usually be a thin client that does nothing but provide a GUI.)
source to share
You let Windows create a new SID; don't try to create them yourself. With this SID, you can then create an ACL (Access Control List) that grants access to all processes containing that SID and (implicitly) denies everyone else, which is correct. This ACL can then be applied to the mutex that protects it.
Now, in order to gain access, you need to create an impersonation token for this SID. If I understand MSDN, a process should open a stream token, set TokenUser
through SetTokenInformation
, and then apply the modified token through SetThreadToken
.
This impersonation token is now used when checking the ACL of the mutex.
MSDN is not well understood in the process of creating a valid user SID; it may be necessary to replace "User SID" with "Group SID" in the above process.
source to share