Set secure flags when opening a named pipe on Windows

[pitdicker]

Fixes #42036, see also the previous attempt in #44556.

Whether this is correct depends on if it is somehow possible to create a symlink to a named pipe, outside the named pipe filesystem (NPFS). But as far as I can tell that should be impossible.

Also fixes that security_qos_flags(SECURITY_ANONYMOUS) does not set the SECURITY_SQOS_PRESENT flag, and the incorrect documentation about the default value of security_qos_flags.

[rust-highfive]

r? @Kimundi

(rust_highfive has picked a reviewer for you, use r? to override)

[pitdicker]

cc @DemiMarie @retep998?

[DemiMarie]

@pitdicker There are other potential paths through which a named pipe could be found. Specifically, I know that \??\;LanManRedirector\server\pipe is (mostly) an alias to \??\server\pipe and is similarly vulnerable, as are paths beginning with \??\.

I strongly believe that we should pass these flags unconditionally. They are only unwanted in rare cases, and purely path-based blacklisting is likely insufficient, due to symbolic links and other cases.

[pitdicker]

I half remember CreateFileW can't open files in the NT namespace (starting with \??\). Something to double-check though.

I understand your concern. If a path-based solution is not watertight it is of not much use. But if it works, it is the nicest solution because it doesn't make flags in OpenOptions behave really different from CreateFileW.

Microsoft made it difficult here by reusing the same bits for different things. I think setting the flags unconditionally is also not great, because we would then need to offer some way to un-set them. And what happens if another duplicate flag is added in the future?

[retep998]

Paths that start with \??\ or \\?\ are usually sent as is to NT with only the minimal transformation of turning \\?\ into \??\. Those paths can refer to files or pipes or a variety of other devices. And yes CreateFileW does actually work with such paths, so good luck handling those paths!

[pitdicker]

Just tested it just to make sure, and you are both right about CreateFileW being able to open NT namespace paths. That is a hole I don't want to know about. Definitely a path-based solution is not going to work.

Now I am not sure what is the best way to proceed. Shall I just include the fix for SECURITY_IDENTIFICATION which is not always being set and forget about #42036?

Or fix #42036 by setting the flags unconditionally (although I don't feel completely confident about that). @DemiMarie do you want to defend that choice if I change the commit?

[samlh]

Useful reference: https://googleprojectzero.blogspot.com/2016/02/the-definitive-guide-on-win32-to-nt.html?m=1

[pitdicker]

Removed the commit that attempted to set secure defaults. I think it is best to let further discussion for that take place in the #42036.

This PR is now a basic bug and documentation fix.

[pitdicker]

ping @Kimundi, or does someone else want to review?

[retep998]

cc @alexcrichton

[alexcrichton]

@bors: r+

Sorry for the delay, thanks @pitdicker!

[bors]

📌 Commit 9295f49 has been approved by alexcrichton

[Centril]

Failed in #58666 (comment), @bors r-

[retep998]

Use a raw string for this.

[pitdicker]

@alexcrichton can you please r+ again?

[alexcrichton]

@bors: r+

[bors]

📌 Commit 089524c has been approved by alexcrichton

[bors]

⌛ Testing commit 089524c with merge fab272e...

[bors]

☀️ Test successful - checks-travis, status-appveyor
Approved by: alexcrichton
Pushing fab272e to master...