#general
Mike Myers

12/08/2020, 9:33 PM
This problem was actually brought up in the breakout chats at Querycon last year

Tao Jiang

12/08/2020, 10:23 PM
Nice to know. Was there any suggestion on this?
Mike Myers

12/08/2020, 11:05 PM
It wasn't clear to us at the time if it was a Thrift problem or our problem, and I guess nobody acted on it. I think we could look at it now. Is there an issue to track it?
11:07 PM
I can't find one, so I'll make one
theopolis

12/09/2020, 12:26 AM
Interesting, this is pretty serious as by design the API would allow anyone to stop osquery or alter its data.
Grant

12/17/2020, 12:12 AM
Hello guys, is there a workaround or process on this issue? Thanks!
theopolis

12/17/2020, 3:23 AM
I don't think there is, but I think a first step is to update the Thrift version we use and check if the Windows pipe integration applies the intended permissions.
Mike Myers

12/17/2020, 4:38 PM
It doesn't look like the Thrift API object used by osquery, TPipe, is able to specify access controls on the pipe. https://github.com/osquery/osquery/blob/224423fb7581b9e7c4d60e084065238a8601e246/osquery/extensions/impl_thrift.cpp#L49
4:39 PM
Maybe it ought to be using CreateNamedPipe as described here https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipe-security-and-access-rights
4:39 PM
But I'll have to step through it in a debugger to confirm
Grant

12/17/2020, 8:08 PM
Latest Thrift added a constructor that takes a security descriptor on the server side
Mike Myers

12/17/2020, 11:47 PM
Nice, good find. I'll see if I can build with a newer Thrift