This problem was actually brought up in the breakout chats a

Question

This problem was actually brought up in the breakout chats at Querycon last year

Tao Jiang · Answer

Nice to know Was there any suggestion on this

Mike Myers · Answer

It wasn t clear to us at the time if it was a Thrift problem or our problem and I guess nobody acted on it I think we could look at it now Is there an issue to track it

Mike Myers · Answer

I can t find one so I ll make one

Mike Myers · Answer

theopolis · Answer

Interesting this is pretty serious as by design the API would allow anyone to stop osquery or alter its data

Grant · Answer

Hello guys is there a workaround or process on this issue Thanks

theopolis · Answer

I don t think there is but I think a first step is to update the Thrift version we use and check if the Windows pipe integration applies the intended permissions

Mike Myers · Answer

It doesn t look like the Thrift API object used by osquery TPipe is able to specify access controls on the pipe <https github com osquery osquery blob 224423fb7581b9e7c4d60e084065238a8601e246 osquery extensions impl thrift cpp L49>

Mike Myers · Answer

Mike Myers · Answer

Perhaps because of the use of CreateFileA here <https github com apache thrift blob 86352b4821085d63861deab59c46ef1042fbfe81 lib cpp src thrift transport TPipe cpp L277>

Mike Myers · Answer

Maybe it ought to be using CreateNamedPipe as described here <https docs microsoft com en us windows win32 ipc named pipe security and access rights>

Mike Myers · Answer

But I ll have to step through it in a debugger to confirm

Grant · Answer

Latest thrift added a constructor that takes security descriptor on server side

Grant · Answer

Mike Myers · Answer

Nice good find I ll see if I can build with a newer Thrift