public void GetBinaryForm ()
{
CommonSecurityDescriptor csd = new CommonSecurityDescriptor
(false, false, ControlFlags.None, null, null, null, null);
Assert.AreEqual (20, csd.BinaryLength);
byte[] binaryForm = new byte[csd.BinaryLength];
csd.GetBinaryForm (binaryForm, 0);
Assert.AreEqual (ControlFlags.DiscretionaryAclPresent | ControlFlags.SelfRelative,
csd.ControlFlags);
// The default 'Allow Everyone Full Access' serializes as NOT having a
// DiscretionaryAcl, as the above demonstrates (byte 3 is 0 not 4).
Assert.AreEqual (new byte[20] {
1, 0, 0, 128, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
}, binaryForm);
// Changing SystemAcl protection does nothing special.
csd.SetSystemAclProtection (true, true);
Assert.AreEqual (20, csd.BinaryLength);
// Modifying the DiscretionaryAcl (even effective no-ops like this) causes serialization.
csd.SetDiscretionaryAclProtection (false, true);
Assert.AreEqual (48, csd.BinaryLength);
}
public byte[] GetSecurityDescriptorBinaryForm()
{
ReadLock();
try {
byte[] binaryForm = new byte[descriptor.BinaryLength];
descriptor.GetBinaryForm(binaryForm, 0);
return(binaryForm);
} finally {
ReadUnlock();
}
}
public override byte[] GetAllowAllNodeAcl(string repositoryName, Guid domainId, Guid rootMapId)
{
// Return an empty Windows node ACL.
SecurityIdentifier farmAccountSid = SPFarm.Local.DefaultServiceAccount.SecurityIdentifier;
CommonSecurityDescriptor securityDescriptor = new CommonSecurityDescriptor(false, false, ControlFlags.None, farmAccountSid, null, null, null);
securityDescriptor.SetDiscretionaryAclProtection(true, false);
byte[] itemAcl = new byte[securityDescriptor.BinaryLength];
securityDescriptor.GetBinaryForm(itemAcl, 0);
return itemAcl;
}
public static byte[] ComputeHash(CommonSecurityDescriptor securityDescriptor)
{
if(securityDescriptor == null)
{
return null;
}
// Convert to binary form
byte[] binaryForm = new byte[securityDescriptor.BinaryLength];
securityDescriptor.GetBinaryForm(binaryForm, 0);
using(var md5 = MD5CryptoServiceProvider.Create())
{
return md5.ComputeHash(binaryForm);
}
}
/// <summary>
/// 根据指定的二进制数据设置此 ObjectSecurity 对象的安全说明符。
/// </summary>
/// <returns></returns>
public byte[] GetSecurityDescriptorBinaryForm()
{
ReadLock();
try
{
byte[] result = new byte[_securityDescriptor.BinaryLength];
_securityDescriptor.GetBinaryForm(result, 0);
return(result);
}
finally
{
ReadUnlock();
}
}
internal static IpcPort Create(String portName, CommonSecurityDescriptor securityDescriptor, bool exclusive)
{
if (Environment.OSVersion.Platform != PlatformID.Win32NT) {
throw new NotSupportedException(CoreChannel.GetResourceString("Remoting_Ipc_Win9x"));
}
PipeHandle handle = null;
// Add the prefix to the portName
string pipeName = prefix + portName;
SECURITY_ATTRIBUTES attr = new SECURITY_ATTRIBUTES();
attr.nLength = (int)Marshal.SizeOf(attr);
byte[] sd = null;
// If no securityDescriptor was set by the user use the default
if (securityDescriptor == null)
{
securityDescriptor = s_securityDescriptor;
}
sd = new byte[securityDescriptor.BinaryLength];
// Get the binary form of the descriptor
securityDescriptor.GetBinaryForm(sd, 0);
GCHandle pinningHandle = GCHandle.Alloc(sd, GCHandleType.Pinned);
// get the address of the security descriptor
attr.lpSecurityDescriptor = Marshal.UnsafeAddrOfPinnedArrayElement(sd, 0);
// Create the named pipe with the appropriate name
handle = NativePipe.CreateNamedPipe(pipeName,
NativePipe.PIPE_ACCESS_DUPLEX | NativePipe.FILE_FLAG_OVERLAPPED
| (exclusive ? NativePipe.FILE_FLAG_FIRST_PIPE_INSTANCE : 0x0), // Or exclusive flag
NativePipe.PIPE_TYPE_BYTE | NativePipe.PIPE_READMODE_BYTE | NativePipe.PIPE_WAIT,
NativePipe.PIPE_UNLIMITED_INSTANCES,
8192,
8192,
NativePipe.NMPWAIT_WAIT_FOREVER,
attr);
pinningHandle.Free();
if (handle.Handle.ToInt32() == NativePipe.INVALID_HANDLE_VALUE){
int error = Marshal.GetLastWin32Error();
throw new RemotingException(String.Format(CultureInfo.CurrentCulture, CoreChannel.GetResourceString("Remoting_Ipc_CreateIpcFailed"), GetMessage(error)));
}
return new IpcPort(portName, handle);
}
private static byte[] FromSecurityIdentifiersFull(List<SecurityIdentifier> allowedSids, int accessRights)
{
int capacity = (allowedSids == null) ? 3 : (2 + allowedSids.Count);
DiscretionaryAcl discretionaryAcl = new DiscretionaryAcl(false, false, capacity);
discretionaryAcl.AddAccess(AccessControlType.Deny, new SecurityIdentifier(WellKnownSidType.NetworkSid, null), 0x10000000, InheritanceFlags.None, PropagationFlags.None);
int accessMask = GenerateClientAccessRights(accessRights);
if (allowedSids == null)
{
discretionaryAcl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.WorldSid, null), accessMask, InheritanceFlags.None, PropagationFlags.None);
}
else
{
for (int i = 0; i < allowedSids.Count; i++)
{
SecurityIdentifier sid = allowedSids[i];
discretionaryAcl.AddAccess(AccessControlType.Allow, sid, accessMask, InheritanceFlags.None, PropagationFlags.None);
}
}
discretionaryAcl.AddAccess(AccessControlType.Allow, GetProcessLogonSid(), accessRights, InheritanceFlags.None, PropagationFlags.None);
CommonSecurityDescriptor descriptor = new CommonSecurityDescriptor(false, false, ControlFlags.None, null, null, null, discretionaryAcl);
byte[] binaryForm = new byte[descriptor.BinaryLength];
descriptor.GetBinaryForm(binaryForm, 0);
return binaryForm;
}
private SafeFileHandle CreateNamedPipe(string pipeName)
{
CommonSecurityDescriptor sd = new CommonSecurityDescriptor(false, false, "D:(A;;GA;;;LS)(A;;GA;;;BA)(A;;GA;;;IU)");
byte[] sdBytes = new byte[sd.BinaryLength];
sd.GetBinaryForm(sdBytes, 0);
GCHandle gcHandle = GCHandle.Alloc(sdBytes, GCHandleType.Pinned);
Native.SECURITY_ATTRIBUTES securityAttributes = new Native.SECURITY_ATTRIBUTES();
securityAttributes.nLength = Marshal.SizeOf(securityAttributes);
securityAttributes.bInheritHandle = 0;
securityAttributes.lpSecurityDescriptor = Marshal.UnsafeAddrOfPinnedArrayElement(sdBytes, 0);
IntPtr handle = Native.CreateNamedPipe(
pipeName,
Native.PIPE_ACCESS_DUPLEX | Native.FILE_FLAG_OVERLAPPED | Native.FILE_FLAG_FIRST_PIPE_INSTANCE,
Native.PIPE_TYPE_BYTE | Native.PIPE_READMODE_BYTE | Native.PIPE_WAIT,
1,
2048,
2048,
Native.NMPWAIT_USE_DEFAULT_WAIT,
securityAttributes);
gcHandle.Free();
return new SafeFileHandle(handle, true);
}
protected byte[] GetNodeAclWorker(string mapDatabaseName, string repositoryName, Guid domainId, Guid rootMapId, bool isCacheEnabled)
{
SecurityIdentifier farmAccountSid = SPFarm.Local.DefaultServiceAccount.SecurityIdentifier;
CommonSecurityDescriptor securityDescriptor = new CommonSecurityDescriptor(false, false, ControlFlags.None, farmAccountSid, null, null, null);
securityDescriptor.SetDiscretionaryAclProtection(true, false);
// Deny access to all users.
SecurityIdentifier everyoneSid = new SecurityIdentifier(WellKnownSidType.WorldSid, null);
securityDescriptor.DiscretionaryAcl.RemoveAccess(AccessControlType.Allow, everyoneSid, unchecked((int)0xffffffffL), InheritanceFlags.None, PropagationFlags.None);
// Grant access to specified users.
securityDescriptor.DiscretionaryAcl.AddAccess(AccessControlType.Allow, farmAccountSid, unchecked((int)0xffffffffL), InheritanceFlags.None, PropagationFlags.None);
List<SpUserDetail> allowedUsers = GetAllowedUsers(mapDatabaseName, repositoryName, domainId, rootMapId);
List<string> addedSids = new List<string>();
foreach (SpUserDetail user in allowedUsers)
{
SecurityIdentifier userSid = null;
if (!string.IsNullOrEmpty(user.Sid))
{
userSid = new SecurityIdentifier(user.Sid);
}
else
{
userSid = GetSidFromClaim(user.LoginName);
}
if (userSid != null && !addedSids.Contains(userSid.Value))
{
securityDescriptor.DiscretionaryAcl.AddAccess(AccessControlType.Allow, userSid, unchecked((int)0xffffffffL), InheritanceFlags.None, PropagationFlags.None);
addedSids.Add(userSid.Value);
}
}
byte[] itemAcl = new byte[securityDescriptor.BinaryLength];
securityDescriptor.GetBinaryForm(itemAcl, 0);
return itemAcl;
}
private static void EditKernelObjectSecurity(SafeCloseHandle kernelObject, List<SecurityIdentifier> accounts, SecurityIdentifier account, int right, bool add)
{
int num;
if (!ListenerUnsafeNativeMethods.GetKernelObjectSecurity(kernelObject, 4, null, 0, out num))
{
int error = Marshal.GetLastWin32Error();
if (error != 0x7a)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new Win32Exception(error));
}
}
byte[] pSecurityDescriptor = new byte[num];
if (!ListenerUnsafeNativeMethods.GetKernelObjectSecurity(kernelObject, 4, pSecurityDescriptor, pSecurityDescriptor.Length, out num))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new Win32Exception());
}
CommonSecurityDescriptor descriptor = new CommonSecurityDescriptor(false, false, pSecurityDescriptor, 0);
DiscretionaryAcl discretionaryAcl = descriptor.DiscretionaryAcl;
if (account != null)
{
EditDacl(discretionaryAcl, account, right, add);
}
else if (accounts != null)
{
foreach (SecurityIdentifier identifier in accounts)
{
EditDacl(discretionaryAcl, identifier, right, add);
}
}
pSecurityDescriptor = new byte[descriptor.BinaryLength];
descriptor.GetBinaryForm(pSecurityDescriptor, 0);
if (!ListenerUnsafeNativeMethods.SetKernelObjectSecurity(kernelObject, 4, pSecurityDescriptor))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new Win32Exception());
}
}
public void AefaRoundtrip ()
{
CommonSecurityDescriptor csd;
csd = new CommonSecurityDescriptor (false, false, ControlFlags.None, null, null, null, null);
Assert.AreEqual (20, csd.BinaryLength);
byte[] binaryForm1 = new byte[csd.BinaryLength];
csd.GetBinaryForm (binaryForm1, 0);
csd = new CommonSecurityDescriptor (false, false, new RawSecurityDescriptor (binaryForm1, 0));
byte[] binaryForm2 = new byte[csd.BinaryLength];
csd.GetBinaryForm (binaryForm2, 0);
Assert.AreEqual (binaryForm1, binaryForm2);
}
public void GetBinaryFormOffset ()
{
CommonSecurityDescriptor csd = new CommonSecurityDescriptor
(false, false, ControlFlags.None, null, null, null, null);
csd.GetBinaryForm (new byte[csd.BinaryLength], 1);
}
// Do not use this method unless you understand the consequnces of lack of synchronization
static void EditKernelObjectSecurity(SafeCloseHandle kernelObject, List<SecurityIdentifier> accounts, SecurityIdentifier account, int right, bool add)
{
// take the SECURITY_DESCRIPTOR from the kernelObject
int lpnLengthNeeded;
bool success = ListenerUnsafeNativeMethods.GetKernelObjectSecurity(kernelObject, ListenerUnsafeNativeMethods.DACL_SECURITY_INFORMATION, null, 0, out lpnLengthNeeded);
if (!success)
{
int errorCode = Marshal.GetLastWin32Error();
if (errorCode != ListenerUnsafeNativeMethods.ERROR_INSUFFICIENT_BUFFER)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new Win32Exception(errorCode));
}
}
byte[] pSecurityDescriptor = new byte[lpnLengthNeeded];
#pragma warning suppress 56523 // Microsoft, Win32Exception ctor calls Marshal.GetLastWin32Error()
success = ListenerUnsafeNativeMethods.GetKernelObjectSecurity(kernelObject, ListenerUnsafeNativeMethods.DACL_SECURITY_INFORMATION, pSecurityDescriptor, pSecurityDescriptor.Length, out lpnLengthNeeded);
if (!success)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new Win32Exception());
}
CommonSecurityDescriptor securityDescriptor = new CommonSecurityDescriptor(false, false, pSecurityDescriptor, 0);
DiscretionaryAcl dacl = securityDescriptor.DiscretionaryAcl;
// add ACEs to the SECURITY_DESCRIPTOR of the kernelObject
if (account != null)
{
EditDacl(dacl, account, right, add);
}
else if (accounts != null)
{
foreach (SecurityIdentifier accountInList in accounts)
{
EditDacl(dacl, accountInList, right, add);
}
}
lpnLengthNeeded = securityDescriptor.BinaryLength;
pSecurityDescriptor = new byte[lpnLengthNeeded];
securityDescriptor.GetBinaryForm(pSecurityDescriptor, 0);
// set the SECURITY_DESCRIPTOR on the kernelObject
#pragma warning suppress 56523 // Microsoft, Win32Exception ctor calls Marshal.GetLastWin32Error()
success = ListenerUnsafeNativeMethods.SetKernelObjectSecurity(kernelObject, ListenerUnsafeNativeMethods.DACL_SECURITY_INFORMATION, pSecurityDescriptor);
if (!success)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new Win32Exception());
}
}
internal override void AdjustRegKeyPermission()
{
const uint maxSecurityDescriptorSize = 40960;
byte[] binarySecurityDescriptor;
CommonSecurityDescriptor securityDescriptor = null;
int ret;
uint dwSize = 256;
do
{
binarySecurityDescriptor = new byte[dwSize];
ret = SafeNativeMethods.ClusterRegGetKeySecurity(hKey, SecurityInfos.DiscretionaryAcl, binarySecurityDescriptor, ref dwSize);
if (ret == SafeNativeMethods.ERROR_SUCCESS)
{
break;
}
else if (ret == SafeNativeMethods.ERROR_INSUFFICIENT_BUFFER)
{
dwSize *= 2;
}
else
{
throw registryExceptionHelper.CreateRegistryWriteException(null);
}
} while (dwSize <= maxSecurityDescriptorSize);
if (dwSize > maxSecurityDescriptorSize)
{
throw registryExceptionHelper.CreateRegistryWriteException(null);
}
try
{
securityDescriptor = new CommonSecurityDescriptor(false, false, binarySecurityDescriptor, 0);
DiscretionaryAcl dacl = securityDescriptor.DiscretionaryAcl;
if (dacl.Count == 1)
{
CommonAce ace = dacl[0] as CommonAce;
if (ace != null && ace.AceType == AceType.AccessAllowed && ace.SecurityIdentifier.IsWellKnown(WellKnownSidType.WorldSid))
{
// This is the Allowed for everyone full access ACE that's automatically added by
// CommonSecurityDescriptor ctor; we should remove it
dacl.Purge(new SecurityIdentifier(WellKnownSidType.WorldSid, null));
}
}
// Add Read access for Authenticated Users account and Network Service account
dacl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null),
unchecked((int)0x80000000), InheritanceFlags.None, PropagationFlags.None);
dacl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.NetworkServiceSid, null),
unchecked((int)0x80000000), InheritanceFlags.None, PropagationFlags.None);
}
#pragma warning suppress 56500
catch (Exception e)
{
// MSDN does not have a spec of possible exceptions for the APIs used above.
// To be safe, we should be a bit more generic in catching exceptions
if (Utilities.IsCriticalException(e))
{
throw;
}
throw registryExceptionHelper.CreateRegistryWriteException(e);
}
int dsNewSecDescSize = securityDescriptor.BinaryLength;
byte[] newBinarySecurityDescriptor = new byte[dsNewSecDescSize];
securityDescriptor.GetBinaryForm(newBinarySecurityDescriptor, 0);
ret = SafeNativeMethods.ClusterRegSetKeySecurity(hKey, SecurityInfos.DiscretionaryAcl, newBinarySecurityDescriptor);
if (ret != SafeNativeMethods.ERROR_SUCCESS)
{
throw registryExceptionHelper.CreateRegistryWriteException(null);
}
}
/// <summary>
/// Helper method to create a PowerShell transport named pipe via native API, along
/// with a returned .Net NamedPipeServerStream object wrapping the named pipe.
/// </summary>
/// <param name="serverName">Named pipe server name.</param>
/// <param name="namespaceName">Named pipe namespace name.</param>
/// <param name="coreName">Named pipe core name.</param>
/// <param name="securityDesc"></param>
/// <returns>NamedPipeServerStream</returns>
private NamedPipeServerStream CreateNamedPipe(
string serverName,
string namespaceName,
string coreName,
CommonSecurityDescriptor securityDesc)
{
if (serverName == null) { throw new PSArgumentNullException("serverName"); }
if (namespaceName == null) { throw new PSArgumentNullException("namespaceName"); }
if (coreName == null) { throw new PSArgumentNullException("coreName"); }
string fullPipeName = @"\\" + serverName + @"\" + namespaceName + @"\" + coreName;
// Create optional security attributes based on provided PipeSecurity.
NamedPipeNative.SECURITY_ATTRIBUTES securityAttributes = null;
GCHandle? securityDescHandle = null;
if (securityDesc != null)
{
byte[] securityDescBuffer = new byte[securityDesc.BinaryLength];
securityDesc.GetBinaryForm(securityDescBuffer, 0);
securityDescHandle = GCHandle.Alloc(securityDescBuffer, GCHandleType.Pinned);
securityAttributes = NamedPipeNative.GetSecurityAttributes(securityDescHandle.Value);
}
// Create named pipe.
SafePipeHandle pipeHandle = NamedPipeNative.CreateNamedPipe(
fullPipeName,
NamedPipeNative.PIPE_ACCESS_DUPLEX | NamedPipeNative.FILE_FLAG_FIRST_PIPE_INSTANCE | NamedPipeNative.FILE_FLAG_OVERLAPPED,
NamedPipeNative.PIPE_TYPE_MESSAGE | NamedPipeNative.PIPE_READMODE_MESSAGE,
1,
_namedPipeBufferSizeForRemoting,
_namedPipeBufferSizeForRemoting,
0,
securityAttributes);
int lastError = Marshal.GetLastWin32Error();
if (securityDescHandle != null)
{
securityDescHandle.Value.Free();
}
if (pipeHandle.IsInvalid)
{
throw new PSInvalidOperationException(
StringUtil.Format(RemotingErrorIdStrings.CannotCreateNamedPipe, lastError));
}
// Create the .Net NamedPipeServerStream wrapper.
try
{
return new NamedPipeServerStream(
PipeDirection.InOut,
true, // IsAsync
false, // IsConnected
pipeHandle);
}
catch (Exception e)
{
CommandProcessorBase.CheckForSevereException(e);
pipeHandle.Dispose();
throw;
}
}
static byte[] FromSecurityIdentifiersFull(List<SecurityIdentifier> allowedSids, int accessRights)
{
int capacity = allowedSids == null ? 3 : 2 + allowedSids.Count;
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, capacity);
// add deny ACE first so that we don't get short circuited
dacl.AddAccess(AccessControlType.Deny, new SecurityIdentifier(WellKnownSidType.NetworkSid, null),
UnsafeNativeMethods.GENERIC_ALL, InheritanceFlags.None, PropagationFlags.None);
// clients get different rights, since they shouldn't be able to listen
int clientAccessRights = GenerateClientAccessRights(accessRights);
if (allowedSids == null)
{
dacl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.WorldSid, null),
clientAccessRights, InheritanceFlags.None, PropagationFlags.None);
}
else
{
for (int i = 0; i < allowedSids.Count; i++)
{
SecurityIdentifier allowedSid = allowedSids[i];
dacl.AddAccess(AccessControlType.Allow, allowedSid,
clientAccessRights, InheritanceFlags.None, PropagationFlags.None);
}
}
dacl.AddAccess(AccessControlType.Allow, GetProcessLogonSid(), accessRights, InheritanceFlags.None, PropagationFlags.None);
if (AppContainerInfo.IsRunningInAppContainer)
{
// NamedPipeBinding requires dacl with current AppContainer SID
// to setup multiple NamedPipes in the BeginAccept loop.
dacl.AddAccess(
AccessControlType.Allow,
AppContainerInfo.GetCurrentAppContainerSid(),
accessRights,
InheritanceFlags.None,
PropagationFlags.None);
}
CommonSecurityDescriptor securityDescriptor =
new CommonSecurityDescriptor(false, false, ControlFlags.None, null, null, null, dacl);
byte[] binarySecurityDescriptor = new byte[securityDescriptor.BinaryLength];
securityDescriptor.GetBinaryForm(binarySecurityDescriptor, 0);
return binarySecurityDescriptor;
}
public void GetBinaryFormNull ()
{
CommonSecurityDescriptor csd = new CommonSecurityDescriptor
(false, false, ControlFlags.None, null, null, null, null);
csd.GetBinaryForm (null, 0);
}
internal static IpcPort Create(string portName, CommonSecurityDescriptor securityDescriptor, bool exclusive)
{
SECURITY_ATTRIBUTES security_attributes;
if (Environment.OSVersion.Platform != PlatformID.Win32NT)
{
throw new NotSupportedException(CoreChannel.GetResourceString("Remoting_Ipc_Win9x"));
}
PipeHandle handle = null;
string lpName = @"\\.\pipe\" + portName;
security_attributes = new SECURITY_ATTRIBUTES {
nLength = Marshal.SizeOf(security_attributes)
};
byte[] binaryForm = null;
if (securityDescriptor == null)
{
securityDescriptor = s_securityDescriptor;
}
binaryForm = new byte[securityDescriptor.BinaryLength];
securityDescriptor.GetBinaryForm(binaryForm, 0);
GCHandle handle2 = GCHandle.Alloc(binaryForm, GCHandleType.Pinned);
security_attributes.lpSecurityDescriptor = Marshal.UnsafeAddrOfPinnedArrayElement(binaryForm, 0);
handle = NativePipe.CreateNamedPipe(lpName, (uint) (0x40000003 | (exclusive ? 0x80000 : 0)), 0, 0xff, 0x2000, 0x2000, uint.MaxValue, security_attributes);
handle2.Free();
if (handle.Handle.ToInt32() == -1)
{
int errorCode = Marshal.GetLastWin32Error();
throw new RemotingException(string.Format(CultureInfo.CurrentCulture, CoreChannel.GetResourceString("Remoting_Ipc_CreateIpcFailed"), new object[] { GetMessage(errorCode) }));
}
return new IpcPort(portName, handle);
}
