private static byte[] FromSecurityIdentifiersFull(List <SecurityIdentifier> allowedSids, int accessRights)
{
int capacity = (allowedSids == null) ? 3 : (2 + allowedSids.Count);
DiscretionaryAcl discretionaryAcl = new DiscretionaryAcl(false, false, capacity);
discretionaryAcl.AddAccess(AccessControlType.Deny, new SecurityIdentifier(WellKnownSidType.NetworkSid, null), 0x10000000, InheritanceFlags.None, PropagationFlags.None);
int accessMask = GenerateClientAccessRights(accessRights);
if (allowedSids == null)
{
discretionaryAcl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.WorldSid, null), accessMask, InheritanceFlags.None, PropagationFlags.None);
}
else
{
for (int i = 0; i < allowedSids.Count; i++)
{
SecurityIdentifier sid = allowedSids[i];
discretionaryAcl.AddAccess(AccessControlType.Allow, sid, accessMask, InheritanceFlags.None, PropagationFlags.None);
}
}
discretionaryAcl.AddAccess(AccessControlType.Allow, GetProcessLogonSid(), accessRights, InheritanceFlags.None, PropagationFlags.None);
CommonSecurityDescriptor descriptor = new CommonSecurityDescriptor(false, false, ControlFlags.None, null, null, null, discretionaryAcl);
byte[] binaryForm = new byte[descriptor.BinaryLength];
descriptor.GetBinaryForm(binaryForm, 0);
return(binaryForm);
}
public void AddAccessObjectAceAndCommonAce()
{
SecurityIdentifier sid = new SecurityIdentifier("BA");
DiscretionaryAcl dacl = new DiscretionaryAcl(false, true, 0);
dacl.AddAccess(AccessControlType.Allow, sid, 1, InheritanceFlags.None, PropagationFlags.None,
ObjectAceFlags.ObjectAceTypePresent, Guid.NewGuid(), Guid.Empty);
dacl.AddAccess(AccessControlType.Allow, sid, 1, InheritanceFlags.None, PropagationFlags.None,
ObjectAceFlags.None, Guid.Empty, Guid.Empty);
Assert.AreEqual(2, dacl.Count);
CommonAce cace = (CommonAce)dacl [0];
Assert.AreEqual(1, cace.AccessMask);
Assert.AreEqual("S-1-5-32-544", cace.SecurityIdentifier.Value);
Assert.IsFalse(cace.IsCallback);
Assert.IsFalse(cace.IsInherited);
ObjectAce oace = (ObjectAce)dacl [1];
Assert.AreEqual(1, oace.AccessMask);
Assert.AreEqual("S-1-5-32-544", oace.SecurityIdentifier.Value);
Assert.IsFalse(oace.IsCallback);
Assert.IsFalse(oace.IsInherited);
dacl.AddAccess(AccessControlType.Allow, sid, 2, InheritanceFlags.None, PropagationFlags.None,
ObjectAceFlags.None, Guid.Empty, Guid.Empty);
Assert.AreEqual(2, dacl.Count);
CommonAce cace2 = (CommonAce)dacl [0];
Assert.AreEqual(3, cace2.AccessMask);
}
static IpcStore()
{
var dacl = new DiscretionaryAcl(false, false, 1);
dacl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.CreatorOwnerSid, null), -1, InheritanceFlags.None, PropagationFlags.None);
dacl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null), -1, InheritanceFlags.None, PropagationFlags.None);
dacl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null), -1, InheritanceFlags.None, PropagationFlags.None);
IpcAcl = new CommonSecurityDescriptor(false, false, ControlFlags.GroupDefaulted | ControlFlags.OwnerDefaulted | ControlFlags.DiscretionaryAclPresent, null, null, null, dacl);
}
public static void SetServicePermissions(string service, string username)
{
System.ServiceProcess.ServiceController sc = new System.ServiceProcess.ServiceController(service);
ServiceControllerStatus status = sc.Status;
byte[] psd = new byte[0];
uint bufSizeNeeded;
bool ok = ServiceAccountHelper.QueryServiceObjectSecurity(sc.ServiceHandle, SecurityInfos.DiscretionaryAcl, psd, 0, out bufSizeNeeded);
if (!ok)
{
int err = Marshal.GetLastWin32Error();
if (err == 122 || err == 0)
{ // ERROR_INSUFFICIENT_BUFFER
// expected; now we know bufsize
psd = new byte[bufSizeNeeded];
ok = ServiceAccountHelper.QueryServiceObjectSecurity(sc.ServiceHandle, SecurityInfos.DiscretionaryAcl, psd, bufSizeNeeded, out bufSizeNeeded);
}
else
{
throw new ApplicationException("error calling QueryServiceObjectSecurity() to get DACL for " + username + ": error code=" + err);
}
}
if (!ok)
{
throw new ApplicationException("error calling QueryServiceObjectSecurity(2) to get DACL for " + username + ": error code=" + Marshal.GetLastWin32Error());
}
// get security descriptor via raw into DACL form so ACE
// ordering checks are done for us.
RawSecurityDescriptor rsd = new RawSecurityDescriptor(psd, 0);
RawAcl racl = rsd.DiscretionaryAcl;
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, racl);
// Add start/stop/read access
NTAccount acct = new NTAccount(username);
SecurityIdentifier sid = (SecurityIdentifier)acct.Translate(typeof(SecurityIdentifier));
dacl.AddAccess(AccessControlType.Allow, sid, (int)ServiceAccountHelper.SERVICE_ACCESS.SERVICE_START, InheritanceFlags.None, PropagationFlags.None);
dacl.AddAccess(AccessControlType.Allow, sid, (int)ServiceAccountHelper.SERVICE_ACCESS.SERVICE_STOP, InheritanceFlags.None, PropagationFlags.None);
// convert discretionary ACL back to raw form; looks like via byte[] is only way
byte[] rawdacl = new byte[dacl.BinaryLength];
dacl.GetBinaryForm(rawdacl, 0);
rsd.DiscretionaryAcl = new RawAcl(rawdacl, 0);
// set raw security descriptor on service again
byte[] rawsd = new byte[rsd.BinaryLength];
rsd.GetBinaryForm(rawsd, 0);
ok = ServiceAccountHelper.SetServiceObjectSecurity(sc.ServiceHandle, SecurityInfos.DiscretionaryAcl, rawsd);
if (!ok)
{
throw new ApplicationException("error calling SetServiceObjectSecurity(); error code=" + Marshal.GetLastWin32Error());
}
}
public static IChannel PublishLocalProxy(ExecutionServiceProxy proxy)
{
//We want the object to be available for as long as possible so we choose one year
LifetimeServices.LeaseTime = TimeSpan.FromDays(365);
RemotingConfiguration.CustomErrorsMode = CustomErrorsModes.Off;
BinaryServerFormatterSinkProvider provider = new BinaryServerFormatterSinkProvider();
provider.TypeFilterLevel = TypeFilterLevel.Full; //need full deserialization
//create a server channel and make the object available remotely
Hashtable channelSettings = new Hashtable();
channelSettings["portName"] = ExecutionService.LocalPortName;
//Grant access to everyone (need to get the name from the well known SID to support localized builds)
SecurityIdentifier everyoneSid = new SecurityIdentifier(WellKnownSidType.WorldSid, null);
NTAccount everyoneAccount = (NTAccount)everyoneSid.Translate(typeof(NTAccount));
channelSettings["authorizedGroup"] = everyoneAccount.Value;
//Because use use ExecutionService to update itself we have to disallow exclusive access
//to the port, otherwise updating ExecutionService fails.
channelSettings["exclusiveAddressUse"] = false;
// Workaround for Remoting breaking change. This custom security descriptor is needed
// to allow Medium IL processes to use IPC to talk to elevated UAC processes.
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 1);
// This is the well-known sid for network security ID
string networkSidSddlForm = @"S-1-5-2";
// This is the well-known sid for all users on this machine
string everyoneSidSddlForm = @"S-1-1-0";
// Deny all access to NetworkSid
dacl.AddAccess(AccessControlType.Deny, new SecurityIdentifier(networkSidSddlForm), -1, InheritanceFlags.None, PropagationFlags.None);
// Add access to the current user creating the pipe
dacl.AddAccess(AccessControlType.Allow, WindowsIdentity.GetCurrent().User, -1, InheritanceFlags.None, PropagationFlags.None);
// Add access to the all users on the machine
dacl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(everyoneSidSddlForm), -1, InheritanceFlags.None, PropagationFlags.None);
// Initialize and return the CommonSecurityDescriptor
CommonSecurityDescriptor allowMediumILSecurityDescriptor = new CommonSecurityDescriptor(false, false, ControlFlags.OwnerDefaulted | ControlFlags.GroupDefaulted | ControlFlags.DiscretionaryAclPresent | ControlFlags.SystemAclPresent, null, null, null, dacl);
IpcServerChannel publishedChannel = new IpcServerChannel(channelSettings, provider, allowMediumILSecurityDescriptor);
ChannelServices.RegisterChannel(publishedChannel, false);
RemotingServices.Marshal(proxy, ExecutionService.ProxyName, typeof(IExecutionService));
return(publishedChannel);
}
/// <summary>
/// The main entry point for the application.
/// </summary>
static void Main()
{
RemotingConfiguration.Configure("Server.exe.config", false /*ensureSecurity*/);
IDictionary props = new Hashtable();
props["portName"] = "test";
// This is the wellknown sid for network sid
string networkSidSddlForm = @"S-1-5-2";
// Local administrators sid
SecurityIdentifier localAdminSid = new SecurityIdentifier(
WellKnownSidType.BuiltinAdministratorsSid, null);
// Local Power users sid
SecurityIdentifier powerUsersSid = new SecurityIdentifier(
WellKnownSidType.BuiltinPowerUsersSid, null);
// Network sid
SecurityIdentifier networkSid = new SecurityIdentifier(networkSidSddlForm);
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 1);
// Disallow access from off machine
dacl.AddAccess(AccessControlType.Deny, networkSid, -1,
InheritanceFlags.None, PropagationFlags.None);
// Allow acces only from local administrators and power users
dacl.AddAccess(AccessControlType.Allow, localAdminSid, -1,
InheritanceFlags.None, PropagationFlags.None);
dacl.AddAccess(AccessControlType.Allow, powerUsersSid, -1,
InheritanceFlags.None, PropagationFlags.None);
CommonSecurityDescriptor securityDescriptor =
new CommonSecurityDescriptor(false, false,
ControlFlags.GroupDefaulted |
ControlFlags.OwnerDefaulted |
ControlFlags.DiscretionaryAclPresent,
null, null, null, dacl);
IpcServerChannel channel = new IpcServerChannel(
props,
null,
securityDescriptor);
ChannelServices.RegisterChannel(channel, false /*ensureSecurity*/);
foreach (IChannel chan in ChannelServices.RegisteredChannels)
{
Console.WriteLine(chan.ChannelName);
}
Console.WriteLine("Waiting for connections...");
Console.WriteLine("Press enter to exit.");
Console.ReadLine();
}
internal static CommonSecurityDescriptor CreateSecurityDescriptor(SecurityIdentifier userSid)
{
SecurityIdentifier sid = new SecurityIdentifier("S-1-5-2");
DiscretionaryAcl discretionaryAcl = new DiscretionaryAcl(false, false, 1);
discretionaryAcl.AddAccess(AccessControlType.Deny, sid, -1, InheritanceFlags.None, PropagationFlags.None);
if (userSid != null)
{
discretionaryAcl.AddAccess(AccessControlType.Allow, userSid, -1, InheritanceFlags.None, PropagationFlags.None);
}
discretionaryAcl.AddAccess(AccessControlType.Allow, WindowsIdentity.GetCurrent().User, -1, InheritanceFlags.None, PropagationFlags.None);
return(new CommonSecurityDescriptor(false, false, ControlFlags.DiscretionaryAclPresent | ControlFlags.GroupDefaulted | ControlFlags.OwnerDefaulted, null, null, null, discretionaryAcl));
}
public static void SetAclOnAlternateProperty(ADObject obj, GenericAce[] aces, PropertyDefinition sdProperty, SecurityIdentifier owner, SecurityIdentifier group)
{
DiscretionaryAcl discretionaryAcl = new DiscretionaryAcl(false, true, aces.Length);
foreach (GenericAce genericAce in aces)
{
AccessControlType accessType;
if (genericAce.AceType == AceType.AccessAllowed || genericAce.AceType == AceType.AccessAllowedObject)
{
accessType = AccessControlType.Allow;
}
else
{
if (genericAce.AceType != AceType.AccessDenied && genericAce.AceType != AceType.AccessDeniedObject)
{
throw new AceTypeHasUnsupportedValueException(genericAce.AceType.ToString());
}
accessType = AccessControlType.Deny;
}
if (genericAce is CommonAce)
{
CommonAce commonAce = genericAce as CommonAce;
discretionaryAcl.AddAccess(accessType, commonAce.SecurityIdentifier, commonAce.AccessMask, commonAce.InheritanceFlags, commonAce.PropagationFlags);
}
else
{
if (!(genericAce is ObjectAce))
{
throw new AceIsUnsupportedTypeException(genericAce.GetType().ToString());
}
ObjectAce objectAce = genericAce as ObjectAce;
discretionaryAcl.AddAccess(accessType, objectAce.SecurityIdentifier, objectAce.AccessMask, objectAce.InheritanceFlags, objectAce.PropagationFlags, objectAce.ObjectAceFlags, objectAce.ObjectAceType, objectAce.InheritedObjectAceType);
}
}
CommonSecurityDescriptor commonSecurityDescriptor = new CommonSecurityDescriptor(false, true, ControlFlags.DiscretionaryAclPresent, owner, group, null, discretionaryAcl);
byte[] binaryForm = new byte[commonSecurityDescriptor.BinaryLength];
commonSecurityDescriptor.GetBinaryForm(binaryForm, 0);
RawSecurityDescriptor rawSecurityDescriptor = new RawSecurityDescriptor(binaryForm, 0);
obj.SetProperties(new PropertyDefinition[]
{
sdProperty
}, new object[]
{
rawSecurityDescriptor
});
}
private static DiscretionaryAcl GetDacl(SecurityIdentifier securityIdentifiers)
{
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 16);
dacl.AddAccess(AccessControlType.Allow, securityIdentifiers, GenericExecute, InheritanceFlags.None, PropagationFlags.None);
return(dacl);
}
private bool IsMatch(string trustee, string requestor, string domainName, AccessControlType aceType = AccessControlType.Allow)
{
var user = directory.GetUser(requestor);
var p = directory.GetPrincipal(trustee);
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 1);
dacl.AddAccess(aceType, p.Sid, (int)AccessMask.Jit, InheritanceFlags.None, PropagationFlags.None);
CommonSecurityDescriptor sd = new CommonSecurityDescriptor(false, false, ControlFlags.DiscretionaryAclPresent, new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null), null, null, dacl);
string serverName;
if (domainName == null)
{
serverName = discoveryServices.GetDomainController(discoveryServices.GetDomainNameDns(p.Sid));
}
else
{
serverName = discoveryServices.GetDomainController(domainName);
}
using AuthorizationContext c = new AuthorizationContext(user.Sid, serverName);
return(c.AccessCheck(sd, (int)AccessMask.Jit));
}
internal static CommonSecurityDescriptor CreateSecurityDescriptor(SecurityIdentifier userSid)
{
SecurityIdentifier sid = new SecurityIdentifier(networkSidSddlForm);
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 1);
// Deny all access to NetworkSid
dacl.AddAccess(AccessControlType.Deny, sid, -1, InheritanceFlags.None, PropagationFlags.None);
if (userSid != null)
{
dacl.AddAccess(AccessControlType.Allow, userSid, -1, InheritanceFlags.None, PropagationFlags.None);
}
// Add access to the current user creating the pipe
dacl.AddAccess(AccessControlType.Allow, WindowsIdentity.GetCurrent().User, -1, InheritanceFlags.None, PropagationFlags.None);
// Initialize and return the CommonSecurityDescriptor
return(new CommonSecurityDescriptor(false, false, ControlFlags.OwnerDefaulted | ControlFlags.GroupDefaulted | ControlFlags.DiscretionaryAclPresent, null, null, null, dacl));;
}
public void InheritanceFlagsRequireContainer()
{
SecurityIdentifier sid = new SecurityIdentifier("BU");
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 0);
dacl.AddAccess(AccessControlType.Allow, sid, 3, InheritanceFlags.ContainerInherit, PropagationFlags.None);
}
public void PropagationFlagsRequireInheritanceFlagsForAdd()
{
SecurityIdentifier sid = new SecurityIdentifier("BU");
DiscretionaryAcl dacl = new DiscretionaryAcl(true, false, 0);
dacl.AddAccess(AccessControlType.Allow, sid, 3, InheritanceFlags.None, PropagationFlags.InheritOnly);
}
// These two are based on similar utility methods in EasyHook:
private static IpcServerChannel CreateServerChannel(string channelName)
{
Dictionary <string, string> properties = new Dictionary <string, string>();
properties["name"] = channelName;
properties["portName"] = channelName;
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 1);
dacl.AddAccess(
AccessControlType.Allow,
new SecurityIdentifier(WellKnownSidType.WorldSid, null),
-1,
InheritanceFlags.None,
PropagationFlags.None);
CommonSecurityDescriptor secDesc = new CommonSecurityDescriptor(
false,
false,
ControlFlags.GroupDefaulted | ControlFlags.OwnerDefaulted | ControlFlags.DiscretionaryAclPresent,
null,
null,
null,
dacl);
BinaryServerFormatterSinkProvider sinkProv = new BinaryServerFormatterSinkProvider();
sinkProv.TypeFilterLevel = TypeFilterLevel.Full;
return(new IpcServerChannel(properties, sinkProv, secDesc));
}
private static DiscretionaryAcl getDacl(List <SecurityIdentifier> securityIdentifiers)
{
var dacl = new DiscretionaryAcl(false, false, 16);
securityIdentifiers.ForEach(sec => dacl.AddAccess(AccessControlType.Allow, sec, GENERIC_EXECUTE, InheritanceFlags.None, PropagationFlags.None));
return(dacl);
}
public void TestAcl3()
{
var sid = WindowsIdentity.GetCurrent().User;
SecurityIdentifier wks = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
DiscretionaryAcl dacl1 = new DiscretionaryAcl(false, false, 1);
dacl1.AddAccess(AccessControlType.Allow, sid, 0x200, InheritanceFlags.None, PropagationFlags.None);
CommonSecurityDescriptor csd = new CommonSecurityDescriptor(false, false, ControlFlags.DiscretionaryAclPresent, sid, sid, null, dacl1);
DiscretionaryAcl dacl2 = new DiscretionaryAcl(false, false, 1);
dacl2.AddAccess(AccessControlType.Allow, wks, 0x400, InheritanceFlags.None, PropagationFlags.None);
CommonSecurityDescriptor csd2 = new CommonSecurityDescriptor(false, false, ControlFlags.DiscretionaryAclPresent, wks, wks, null, dacl2);
List <GenericSecurityDescriptor> list = new List <GenericSecurityDescriptor>();
list.Add(csd);
list.Add(csd2);
using AuthorizationContext c = new AuthorizationContext(WindowsIdentity.GetCurrent().User);
Assert.IsTrue(c.AccessCheck(csd, 0x200));
Assert.IsTrue(c.AccessCheck(list, 0x400));
Assert.IsTrue(c.AccessCheck(list, 0x600));
Assert.IsFalse(c.AccessCheck(csd, 0x800));
Assert.IsFalse(c.AccessCheck(list, 0x800));
}
private static bool TestAddAccess(DiscretionaryAcl discretionaryAcl, RawAcl rawAcl, AccessControlType accessControlType, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags)
{
bool result = true;
byte[] dAclBinaryForm = null;
byte[] rAclBinaryForm = null;
discretionaryAcl.AddAccess(accessControlType, sid, accessMask, inheritanceFlags, propagationFlags);
if (discretionaryAcl.Count == rawAcl.Count &&
discretionaryAcl.BinaryLength == rawAcl.BinaryLength)
{
dAclBinaryForm = new byte[discretionaryAcl.BinaryLength];
rAclBinaryForm = new byte[rawAcl.BinaryLength];
discretionaryAcl.GetBinaryForm(dAclBinaryForm, 0);
rawAcl.GetBinaryForm(rAclBinaryForm, 0);
if (!Utils.IsBinaryFormEqual(dAclBinaryForm, rAclBinaryForm))
result = false;
//redundant index check
for (int i = 0; i < discretionaryAcl.Count; i++)
{
if (!Utils.IsAceEqual(discretionaryAcl[i], rawAcl[i]))
{
result = false;
break;
}
}
}
else
result = false;
return result;
}
internal static CommonSecurityDescriptor GetServerPipeSecurity()
{
// Built-in Admin SID
SecurityIdentifier adminSID = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 1);
dacl.AddAccess(
AccessControlType.Allow,
adminSID,
_pipeAccessMaskFullControl,
InheritanceFlags.None,
PropagationFlags.None);
CommonSecurityDescriptor securityDesc = new CommonSecurityDescriptor(
false, false,
ControlFlags.DiscretionaryAclPresent | ControlFlags.OwnerDefaulted | ControlFlags.GroupDefaulted,
null, null, null, dacl);
// Conditionally add User SID
bool isAdminElevated = new WindowsPrincipal(WindowsIdentity.GetCurrent()).IsInRole(WindowsBuiltInRole.Administrator);
if (!isAdminElevated)
{
securityDesc.DiscretionaryAcl.AddAccess(
AccessControlType.Allow,
WindowsIdentity.GetCurrent().User,
_pipeAccessMaskFullControl,
InheritanceFlags.None,
PropagationFlags.None);
}
return(securityDesc);
}
static DiscretionaryAcl BuildAclFromConfig()
{
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 1);
string authorizationLocation = @"..\..\AuthorizationList.xml";
XPathDocument xpathDoc = new XPathDocument(authorizationLocation);
XPathNavigator xpathNav = xpathDoc.CreateNavigator();
xpathNav = xpathNav.SelectSingleNode("remotingAuthorization");
if (xpathNav.HasChildren)
{
xpathNav.MoveToChild(XPathNodeType.Element);
do
{
AccessControlType accessType = (AccessControlType)Enum.Parse(typeof(AccessControlType), xpathNav.Name);
Console.WriteLine(xpathNav.Name);
xpathNav.MoveToAttribute("users", xpathNav.NamespaceURI);
Console.WriteLine(xpathNav.Name);
Console.WriteLine(xpathNav.Value);
NTAccount account = new NTAccount(xpathNav.Value);
dacl.AddAccess(
accessType,
(SecurityIdentifier)account.Translate(typeof(SecurityIdentifier)),
-1, InheritanceFlags.None,
PropagationFlags.None);
xpathNav.MoveToParent();
} while (xpathNav.MoveToNext(XPathNodeType.Element));
}
return(dacl);
}
public void AddAccessObjectAceNonDSFailsEvenIfObjectAceFlagsNoneImplyingCommonAce()
{
SecurityIdentifier sid = new SecurityIdentifier("BA");
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 0);
dacl.AddAccess(AccessControlType.Allow, sid, 1, InheritanceFlags.None, PropagationFlags.None,
ObjectAceFlags.None, Guid.Empty, Guid.Empty);
}
public void InvalidAccessControlType()
{
// This is also testing the fact that the AccessControlType is checked before the
// InheritanceFlags are validated -- IsContainer is false here, so if the InheritanceFlags
// were checked first, ArgumentException would be thrown instead.
SecurityIdentifier sid = new SecurityIdentifier("BA");
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 0);
dacl.AddAccess((AccessControlType)43210, sid, 1, InheritanceFlags.ContainerInherit, PropagationFlags.None);
}
private static void EditDacl(DiscretionaryAcl dacl, SecurityIdentifier account, int right, bool add)
{
if (add)
{
dacl.AddAccess(AccessControlType.Allow, account, right, InheritanceFlags.None, PropagationFlags.None);
}
else
{
dacl.RemoveAccess(AccessControlType.Allow, account, right, InheritanceFlags.None, PropagationFlags.None);
}
}
private static DiscretionaryAcl getDacl(List <SecurityIdentifier> securityIdentifiers)
{
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 16);
foreach (SecurityIdentifier sec in securityIdentifiers)
{
dacl.AddAccess(AccessControlType.Allow, sec, GENERIC_EXECUTE, InheritanceFlags.None, PropagationFlags.None);
}
return(dacl);
}
public static IpcServerChannel CreateIpcServer <IService, TService>(
TService service,
string channelName = null,
string portName = null,
WellKnownSidType aclSid = WellKnownSidType.WorldSid)
where IService : class
where TService : MarshalByRefObject, IService
{
if (channelName == null)
{
channelName = GenerateIpcServerChannelName();
}
System.Collections.IDictionary properties = new System.Collections.Hashtable
{
{ "name", channelName },
{ "portName", portName ?? channelName }
};
// Setup ACL : allow access from all users. Channel is protected by a random name.
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 1);
dacl.AddAccess(
AccessControlType.Allow,
new SecurityIdentifier(
aclSid,
null),
-1,
InheritanceFlags.None,
PropagationFlags.None);
CommonSecurityDescriptor secDescr = new CommonSecurityDescriptor(false, false,
ControlFlags.GroupDefaulted |
ControlFlags.OwnerDefaulted |
ControlFlags.DiscretionaryAclPresent,
null, null, null,
dacl);
// Formatter sink
// TODO: Custom sink
BinaryServerFormatterSinkProvider binaryProv = new BinaryServerFormatterSinkProvider {
TypeFilterLevel = TypeFilterLevel.Full
};
// Create server
var ipcServer = new IpcServerChannel(properties, binaryProv, secDescr);
ChannelServices.RegisterChannel(ipcServer, false);
// Initialize with SMA interface
RemotingServices.Marshal(service, channelName, typeof(IService));
return(ipcServer);
}
internal static void EnsureServiceAclsCorrect()
{
var psd = new byte[0];
uint bufSizeNeeded;
var ok = Advapi32.QueryServiceObjectSecurity(Controller.Value.ServiceHandle, SecurityInfos.DiscretionaryAcl, psd, 0, out bufSizeNeeded);
if (!ok)
{
int err = Marshal.GetLastWin32Error();
if (err == 122)
{
// ERROR_INSUFFICIENT_BUFFER
// expected; now we know bufsize
psd = new byte[bufSizeNeeded];
ok = Advapi32.QueryServiceObjectSecurity(
Controller.Value.ServiceHandle, SecurityInfos.DiscretionaryAcl, psd, bufSizeNeeded, out bufSizeNeeded);
}
else
{
throw new ApplicationException("error calling QueryServiceObjectSecurity() to get DACL for Service: error code=" + err);
}
}
if (!ok)
{
throw new ApplicationException("error calling QueryServiceObjectSecurity(2) to get DACL for Service: error code=" + Marshal.GetLastWin32Error());
}
// get security descriptor via raw into DACL form so ACE
// ordering checks are done for us.
var rsd = new RawSecurityDescriptor(psd, 0);
var dacl = new DiscretionaryAcl(false, false, rsd.DiscretionaryAcl);
dacl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null), (int)ServiceAccess.ServiceCoapp, InheritanceFlags.None, PropagationFlags.None);
// convert discretionary ACL back to raw form; looks like via byte[] is only way
var rawdacl = new byte[dacl.BinaryLength];
dacl.GetBinaryForm(rawdacl, 0);
rsd.DiscretionaryAcl = new RawAcl(rawdacl, 0);
// set raw security descriptor on service again
var rawsd = new byte[rsd.BinaryLength];
rsd.GetBinaryForm(rawsd, 0);
ok = Advapi32.SetServiceObjectSecurity(Controller.Value.ServiceHandle, SecurityInfos.DiscretionaryAcl, rawsd);
if (!ok)
{
throw new ApplicationException("error calling SetServiceObjectSecurity(); error code=" + Marshal.GetLastWin32Error());
}
}
public void AddAccessCommonAce()
{
SecurityIdentifier sid = new SecurityIdentifier("BA");
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 0);
dacl.AddAccess(AccessControlType.Allow, sid, 1, InheritanceFlags.None, PropagationFlags.None);
Assert.AreEqual(1, dacl.Count);
CommonAce ace = (CommonAce)dacl[0];
Assert.AreEqual(1, ace.AccessMask);
Assert.AreEqual("S-1-5-32-544", ace.SecurityIdentifier.Value);
Assert.IsFalse(ace.IsInherited);
}
/// <summary>
/// Returns a default <see cref="CommonSecurityDescriptor"/> based on the given collection of <see cref="WellKnownSidType"/>.
/// </summary>
/// <param name="allowedClients"></param>
/// <returns></returns>
private static CommonSecurityDescriptor CreateSecurityDescriptor(ICollection <WellKnownSidType> allowedClients)
{
var dacl = new DiscretionaryAcl(false, false, allowedClients.Count);
foreach (var sid in allowedClients)
{
var securityId = new SecurityIdentifier(sid, null);
dacl.AddAccess(AccessControlType.Allow, securityId, -1, InheritanceFlags.None, PropagationFlags.None);
}
const ControlFlags controlFlags =
ControlFlags.GroupDefaulted | ControlFlags.OwnerDefaulted | ControlFlags.DiscretionaryAclPresent;
var securityDescriptor = new CommonSecurityDescriptor(false, false, controlFlags, null, null, null, dacl);
return(securityDescriptor);
}
public void AddAccessFailsOnNonCanonical()
{
SecurityIdentifier sid = new SecurityIdentifier("BU");
RawAcl acl = new RawAcl(RawAcl.AclRevision, 0);
acl.InsertAce(0, new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, sid, false, null));
acl.InsertAce(1, new CommonAce(AceFlags.None, AceQualifier.AccessDenied, 1, sid, false, null));
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, acl);
Assert.IsFalse(dacl.IsCanonical);
Assert.AreEqual(2, dacl.Count);
dacl.AddAccess(AccessControlType.Allow, sid, 1, InheritanceFlags.None, PropagationFlags.None);
}
TestSecurity FactoryCallTest(bool objectAce)
{
SecurityIdentifier sid = new SecurityIdentifier("WD");
DiscretionaryAcl dacl = new DiscretionaryAcl(true, true, 1);
dacl.AddAccess(AccessControlType.Allow, sid, 1,
InheritanceFlags.None, PropagationFlags.None,
objectAce ? ObjectAceFlags.ObjectAceTypePresent : ObjectAceFlags.None,
Guid.NewGuid(), Guid.Empty);
CommonSecurityDescriptor descriptor = new CommonSecurityDescriptor
(true, true, ControlFlags.None, null, null, null, dacl);
TestSecurity security = new TestSecurity(descriptor);
security.GetAccessRules(true, true, typeof(SecurityIdentifier));
return(security);
}
void RemoveSpecificBegin(SecurityIdentifier sid, DiscretionaryAcl dacl, InheritanceFlags inheritanceFlags)
{
SecurityIdentifier otherSid = new SecurityIdentifier("BU");
dacl.AddAccess(AccessControlType.Allow, sid, 3, inheritanceFlags, PropagationFlags.None);
Assert.AreEqual(1, dacl.Count);
dacl.RemoveAccessSpecific(AccessControlType.Deny, sid, 1, inheritanceFlags, PropagationFlags.None);
Assert.AreEqual(1, dacl.Count);
dacl.RemoveAccessSpecific(AccessControlType.Allow, otherSid, 1, inheritanceFlags, PropagationFlags.None);
Assert.AreEqual(1, dacl.Count);
dacl.RemoveAccessSpecific(AccessControlType.Allow, sid, 1, inheritanceFlags, PropagationFlags.None);
Assert.AreEqual(1, dacl.Count);
Assert.AreEqual(3, ((CommonAce)dacl [0]).AccessMask);
dacl.RemoveAccessSpecific(AccessControlType.Allow, sid, 3,
inheritanceFlags ^ InheritanceFlags.ContainerInherit,
PropagationFlags.None);
Assert.AreEqual(1, dacl.Count);
}
private SecurityDescriptorTarget ConvertToTarget(OUPrincipalMapping entry, HashSet <SecurityIdentifier> admins)
{
this.logger.LogTrace("Creating new target for OU {ou} with the following principals\r\n{admins}", entry.AdsPath, string.Join(", ", admins));
SecurityDescriptorTarget target = new SecurityDescriptorTarget()
{
AuthorizationMode = AuthorizationMode.SecurityDescriptor,
Description = settings.RuleDescription?.Replace("{targetName}", entry.OUName, StringComparison.OrdinalIgnoreCase),
Target = entry.OUName,
Type = TargetType.Container,
Id = Guid.NewGuid().ToString(),
Notifications = settings.Notifications,
Jit = new SecurityDescriptorTargetJitDetails()
{
AuthorizingGroup = settings.JitAuthorizingGroup,
ExpireAfter = settings.JitExpireAfter
},
Laps = new SecurityDescriptorTargetLapsDetails()
{
ExpireAfter = settings.LapsExpireAfter
}
};
AccessMask mask = 0;
mask |= settings.AllowLaps ? AccessMask.LocalAdminPassword : 0;
mask |= settings.AllowJit ? AccessMask.Jit : 0;
mask |= settings.AllowLapsHistory ? AccessMask.LocalAdminPasswordHistory : 0;
mask |= settings.AllowBitLocker ? AccessMask.BitLocker : 0;
DiscretionaryAcl acl = new DiscretionaryAcl(false, false, admins.Count);
foreach (var sid in admins)
{
acl.AddAccess(AccessControlType.Allow, sid, (int)mask, InheritanceFlags.None, PropagationFlags.None);
}
CommonSecurityDescriptor sd = new CommonSecurityDescriptor(false, false, ControlFlags.DiscretionaryAclPresent, new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null), null, null, acl);
target.SecurityDescriptor = sd.GetSddlForm(AccessControlSections.All);
return(target);
}
//verify the dacl is crafted with one Allow Everyone Everything ACE
public static bool VerifyDaclWithCraftedAce(bool isContainer, bool isDS, DiscretionaryAcl dacl)
{
byte[] craftedBForm;
byte[] binaryForm;
DiscretionaryAcl craftedDacl = new DiscretionaryAcl(isContainer, isDS, 1);
craftedDacl.AddAccess(AccessControlType.Allow,
new SecurityIdentifier("S-1-1-0"),
-1,
isContainer ? InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit : InheritanceFlags.None,
PropagationFlags.None);
craftedBForm = new byte[craftedDacl.BinaryLength];
binaryForm = new byte[dacl.BinaryLength];
Assert.False(craftedBForm == null || binaryForm == null);
craftedDacl.GetBinaryForm(craftedBForm, 0);
dacl.GetBinaryForm(binaryForm, 0);
return Utils.IsBinaryFormEqual(craftedBForm, binaryForm);
}
public static void AddAccess_AdditionalTestCases()
{
RawAcl rawAcl = null;
DiscretionaryAcl discretionaryAcl = null;
bool isContainer = false;
bool isDS = false;
int accessControlType = 0;
string sid = null;
int accessMask = 1;
int inheritanceFlags = 0;
int propagationFlags = 0;
GenericAce gAce = null;
byte[] opaque = null;
//Case 1, non-Container, but InheritanceFlags is not None
Assert.Throws<ArgumentException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess(AccessControlType.Allow,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.ContainerInherit, PropagationFlags.None);
});
//Case 2, non-Container, but PropagationFlags is not None
Assert.Throws<ArgumentException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess(AccessControlType.Allow,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.InheritOnly);
});
//Case 3, Container, InheritanceFlags is None, PropagationFlags is InheritOnly
Assert.Throws<ArgumentException>(() =>
{
isContainer = true;
isDS = false;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess(AccessControlType.Allow,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.InheritOnly);
});
//Case 4, Container, InheritanceFlags is None, PropagationFlags is NoPropagateInherit
Assert.Throws<ArgumentException>(() =>
{
isContainer = true;
isDS = false;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess(AccessControlType.Allow,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.NoPropagateInherit);
});
//Case 5, Container, InheritanceFlags is None, PropagationFlags is NoPropagateInherit | InheritOnly
Assert.Throws<ArgumentException>(() =>
{
isContainer = true;
isDS = false;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess(AccessControlType.Allow,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.NoPropagateInherit | PropagationFlags.InheritOnly);
});
//Case 6, accessMask = 0
Assert.Throws<ArgumentException>(() =>
{
isContainer = true;
isDS = false;
accessControlType = 1;
sid = "BA";
accessMask = 0;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess((AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 7, null sid
Assert.Throws<ArgumentNullException>(() =>
{
isContainer = true;
isDS = false;
accessControlType = 1;
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess((AccessControlType)accessControlType, null, accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 8, add one Access ACE to the DiscretionaryAcl with no ACE
isContainer = true;
isDS = false;
accessControlType = 0;
sid = "BA";
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//15 = AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly
gAce = new CommonAce((AceFlags)15, AceQualifier.AccessAllowed, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(rawAcl.Count, gAce);
Assert.True(TestAddAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags))
;
//Case 9, Container, InheritOnly ON, but ContainerInherit and ObjectInherit are both OFF
//add meaningless Access ACE to the DiscretionaryAcl with no ACE, ace should not
//be added. There are mutiple type of meaningless Ace, but as both AddAccess and Constructor3
//call the same method to check the meaninglessness, only some sanitory cases are enough.
//bug# 288116
Assert.Throws<ArgumentException>(() =>
{
isContainer = true;
isDS = false;
inheritanceFlags = 0;//InheritanceFlags.None
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 0;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
TestAddAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 10, add Ace of NOT(AccessControlType.Allow |AccessControlType.Denied) to the DiscretionaryAcl with no ACE,
// should throw appropriate exception for wrong parameter, bug#287188
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
isContainer = true;
isDS = false;
inheritanceFlags = 1;//InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 100;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess((AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
accessMask,
(InheritanceFlags)inheritanceFlags,
(PropagationFlags)propagationFlags);
});
//Case 11, all the ACEs in the Dacl are non-qualified ACE, no merge
Assert.Throws<InvalidOperationException>(() =>
{
isContainer = true;
isDS = false;
inheritanceFlags = 1;//InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 0;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
opaque = new byte[4];
gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags, opaque); ;
rawAcl.InsertAce(0, gAce);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
gAce = new CommonAce(AceFlags.ContainerInherit | AceFlags.InheritOnly,
AceQualifier.AccessAllowed,
accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
false,
null);
rawAcl.InsertAce(0, gAce);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
TestAddAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 12, add Ace to exceed binary length boundary, throw exception
isContainer = true;
isDS = false;
inheritanceFlags = 1;//InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 0;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4 - 16];
gAce = new CustomAce(AceType.MaxDefinedAceType + 1,
AceFlags.InheritanceFlags, opaque); ;
rawAcl.InsertAce(0, gAce);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
Assert.Throws<InvalidOperationException>(() =>
{
discretionaryAcl.AddAccess((AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
}