Anonymous Pipe Security and Access Rights
Windows security enables you to control access to anonymous pipes. For more information about security, see Access-Control Model.
You can specify a security descriptor for a pipe when you call the CreatePipe function. The security descriptor controls access to both the read and write ends of the pipe. If you specify NULL, the pipe gets a default security descriptor. The ACLs in the default security descriptor for a pipe come from the primary or impersonation token of the creator.
The CreatePipe function returns two handles to the anonymous pipe: a read handle with GENERIC_READ and SYNCHRONIZE access; and a write handle with GENERIC_WRITE and SYNCHRONIZE access. GENERIC_READ and GENERIC_WRITE access use the same access rights mapping as for named pipes.
GENERIC_READ access for an anonymous pipe combines the rights to read data from the pipe, read pipe attributes, read extended attributes, and read the pipe's DACL.
GENERIC_WRITE access for an anonymous pipe combines the rights to write data to the pipe, append data to it, write pipe attributes, write extended attributes, and read the pipe's DACL.
Build date: 11/16/2013