Kestrel named pipes

Rick-Anderson · Rick-Anderson · commit 0e000ed35077 · 2025-02-04T13:29:10.000-10:00
diff --git a/aspnetcore/fundamentals/servers/kestrel/endpoints/samples/KestrelNamedEP/Program.cs b/aspnetcore/fundamentals/servers/kestrel/endpoints/samples/KestrelNamedEP/Program.cs
@@ -1,4 +1,6 @@
 using System.IO.Pipes;
+using System.Security.AccessControl;
+using System.Security.Principal;
 
 var builder = WebApplication.CreateBuilder();
 
@@ -12,10 +14,24 @@
 {
     options.CreateNamedPipeServerStream = (context) =>
     {
-        var pipeSecurity = CreatePipeSecurity(context.NamedPipeEndpoint.PipeName);
+        var pipeSecurity = CreatePipeSecurity(context.NamedPipeEndPoint.PipeName);
 
-        return NamedPipeServerStreamAcl.Create(context.NamedPipeEndPoint.PipeName, PipeDirection.InOut,
+        return NamedPipeServerStreamAcl.Create(context.NamedPipeEndPoint.PipeName,PipeDirection.InOut,
             NamedPipeServerStream.MaxAllowedServerInstances, PipeTransmissionMode.Byte,
-            context.PipeOptions, inBufferSize: 0, outBufferSize: 0, pipeSecurity);
+            PipeOptions.None, inBufferSize: 0, outBufferSize: 0, pipeSecurity);
     };
 });
+
+static PipeSecurity CreatePipeSecurity(string pipeName)
+{
+    var pipeSecurity = new PipeSecurity();
+
+    // Get the current process identity.
+    var currentIdentity = WindowsIdentity.GetCurrent();
+    var processUser = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, currentIdentity.User.AccountDomainSid);
+
+    // Allow only the current process read and write access to the pipe.
+    pipeSecurity.AddAccessRule(new PipeAccessRule(processUser, PipeAccessRights.ReadWrite, AccessControlType.Allow));
+
+    return pipeSecurity;
+}
