        /// <summary>
        /// Removes every access control entry for <paramref name="identity"/> from the
        /// wrapped descriptor by delegating to CommonSecurityDescriptor.PurgeAccessControl.
        /// </summary>
        /// <param name="identity">Principal to purge; converted to a SID via SidFromIR.</param>
        /// <exception cref="ArgumentNullException"><paramref name="identity"/> is null.</exception>
        public virtual void PurgeAccessRules(IdentityReference identity)
        {
            // Reject a null principal before touching the lock.
            if (identity == null)
            {
                throw new ArgumentNullException("identity");
            }

            // Both the SID translation and the purge run under the write lock;
            // the finally block guarantees the lock is dropped even if SidFromIR throws.
            WriteLock();
            try
            {
                var sid = SidFromIR(identity);
                descriptor.PurgeAccessControl(sid);
            }
            finally
            {
                WriteUnlock();
            }
        }
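        /// <summary>
        /// Removes every access rule for <paramref name="identity"/> from the
        /// discretionary ACL of the underlying security descriptor and marks the
        /// DACL as modified.
        /// </summary>
        /// <param name="identity">
        /// Principal whose rules are purged; it is translated to a
        /// <see cref="SecurityIdentifier"/> before the purge.
        /// </param>
        /// <exception cref="ArgumentNullException"><paramref name="identity"/> is null.</exception>
        public virtual void PurgeAccessRules(IdentityReference identity)
        {
            if (identity == null)
            {
                throw new ArgumentNullException(nameof(identity));
            }

            WriteLock();

            try
            {
                // Direct cast instead of 'as': Translate() is expected to hand back a
                // SecurityIdentifier here, and if it ever does not we want the failure
                // at this line rather than a null silently passed on to PurgeAccessControl.
                // If Translate throws, the finally block below still releases the lock.
                SecurityIdentifier sid = (SecurityIdentifier)identity.Translate(typeof(SecurityIdentifier));
                _securityDescriptor.PurgeAccessControl(sid);

                // Mark the DACL dirty; set unconditionally, even when nothing was removed.
                _daclModified = true;
            }
            finally
            {
                WriteUnlock();
            }
        }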
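        /// <summary>
        /// Builds a session SDDL from the session configuration hashtable.
        /// When the table carries a RoleDefinitions entry, the known-good local or
        /// remote SDDL is taken as the base, every existing DACL entry is purged, and
        /// each RoleDefinitions principal that resolves to a SID is granted Generic
        /// Read. A RequiredGroups conditional ACE, when configured, is then folded in.
        /// </summary>
        /// <param name="configTable">Session configuration; must not be null.</param>
        /// <param name="accessMode">Selects the base SDDL (Local or Remote).</param>
        /// <param name="error">
        /// Receives an ErrorRecord for the last RoleDefinitions principal that could not
        /// be resolved to a SID; null when every principal resolved.
        /// </param>
        /// <returns>
        /// The computed SDDL. Empty when the table has no RoleDefinitions entry. When no
        /// role principal was added to the DACL (none resolved, or none configured) the
        /// unmodified base SDDL is returned, so callers must inspect <paramref name="error"/>
        /// rather than rely on the returned string being restricted.
        /// </returns>
        /// <exception cref="ArgumentException">
        /// The RoleDefinitions value is present but is not a Hashtable.
        /// </exception>
        internal static string ComputeSDDLFromConfiguration(
            Hashtable configTable,
            PSSessionConfigurationAccessMode accessMode,
            out ErrorRecord error)
        {
            Dbg.Assert(configTable != null, "configTable input parameter cannot be null.");

            string sddl = string.Empty;
            error = null;

            // RoleDefinitions: without it no restricted descriptor is built at all.
            if (!configTable.ContainsKey(ConfigFileConstants.RoleDefinitions))
            {
                return sddl;
            }

            // Fail early on a malformed RoleDefinitions value instead of dereferencing
            // null further down when enumerating its keys.
            Hashtable roleNamesHash = configTable[ConfigFileConstants.RoleDefinitions] as Hashtable;
            if (roleNamesHash == null)
            {
                throw new ArgumentException("RoleDefinitions must be a hashtable keyed by principal name.", nameof(configTable));
            }

            // Start with known good security descriptor for the access mode.
            // NOTE(review): for any other mode sddl stays empty here and the
            // CommonSecurityDescriptor constructor below is relied on to reject it — confirm.
            if (accessMode == PSSessionConfigurationAccessMode.Local)
            {
                sddl = PSSessionConfigurationCommandBase.GetLocalSddl();
            }
            else if (accessMode == PSSessionConfigurationAccessMode.Remote)
            {
                sddl = PSSessionConfigurationCommandBase.GetRemoteSddl();
            }

            CommonSecurityDescriptor descriptor = new CommonSecurityDescriptor(false, false, sddl);

            // Purge all existing access rules so that only role definition principals are granted access.
            // SIDs are collected first so the DACL is not modified while it is being enumerated;
            // a set avoids purging the same SID twice when it appears in several ACEs.
            // The CommonAce cast is deliberate: an unexpected ACE type fails loudly here
            // rather than surviving the purge.
            HashSet<SecurityIdentifier> sidsToRemove = new HashSet<SecurityIdentifier>();
            foreach (CommonAce ace in descriptor.DiscretionaryAcl)
            {
                sidsToRemove.Add(ace.SecurityIdentifier);
            }

            foreach (SecurityIdentifier sidToRemove in sidsToRemove)
            {
                descriptor.PurgeAccessControl(sidToRemove);
            }

            // AccessMask 0x10000000 == GR == Generic Read: the only right granted to role principals.
            const int GenericReadAccessMask = 0x10000000;

            foreach (object roleName in roleNamesHash.Keys)
            {
                string roleNameValue = roleName.ToString();

                try
                {
                    NTAccount ntAccount = new NTAccount(roleNameValue);
                    SecurityIdentifier accountSid = (SecurityIdentifier)ntAccount.Translate(typeof(SecurityIdentifier));
                    descriptor.DiscretionaryAcl.AddAccess(AccessControlType.Allow, accountSid, GenericReadAccessMask, InheritanceFlags.None, PropagationFlags.None);
                }
                catch (IdentityNotMappedException e)
                {
                    // Keep going so every resolvable principal is still granted access;
                    // only the last unresolved principal is reported through 'error'.
                    string message = StringUtil.Format(RemotingErrorIdStrings.CouldNotResolveRoleDefinitionPrincipal, roleNameValue, e.Message);
                    InvalidOperationException ioe = new InvalidOperationException(message, e);
                    error = new ErrorRecord(ioe, "CouldNotResolveRoleDefinitionPrincipal", ErrorCategory.ObjectNotFound, roleNameValue);
                }
            }

            if (descriptor.DiscretionaryAcl.Count > 0)
            {
                sddl = descriptor.GetSddlForm(AccessControlSections.All);

                // RequiredGroups: wrap the granted users in a conditional group-membership ACE.
                string conditionalGroupACE = CreateConditionalACEFromConfig(configTable);
                if (conditionalGroupACE != null)
                {
                    sddl = UpdateSDDLUsersWithGroupConditional(sddl, conditionalGroupACE);
                }
            }
            // else: no role principal was added, so sddl is still the base descriptor
            // chosen above; 'error' (when set) explains why.

            return sddl;
        }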
		// PurgeAccessControl against the DACL a CommonSecurityDescriptor installs
		// when it is constructed with a null DACL: that DACL holds exactly one
		// entry, purging the owner SID (SY) leaves it untouched, and purging
		// Everyone (WD) removes it.
		public void PurgeDefaultDacl ()
		{
			var owner = new SecurityIdentifier ("SY");
			var group = new SecurityIdentifier ("BA");
			var everyone = new SecurityIdentifier ("WD");

			var descriptor = new CommonSecurityDescriptor (
				false, false, ControlFlags.None, owner, group, null, null);
			var acl = descriptor.DiscretionaryAcl;

			// Null DACL argument yields a single default entry.
			Assert.AreEqual (1, acl.Count);

			// No entry belongs to the owner SID, so this purge is a no-op.
			descriptor.PurgeAccessControl (owner);
			Assert.AreEqual (1, acl.Count);

			// The default entry is for Everyone; purging it empties the DACL.
			descriptor.PurgeAccessControl (everyone);
			Assert.AreEqual (0, acl.Count);
		}