| public AddAccess ( System accessType, System sid, System rule ) : void | ||
| accessType | System | |
| sid | System | |
| rule | System | |
| return | void | |
internal static DiscretionaryAcl CreateAllowEveryoneFullAccess(bool isDS, bool isContainer)
{
DiscretionaryAcl acl = new DiscretionaryAcl(isContainer, isDS, 1);
acl.AddAccess(AccessControlType.Allow, _sidEveryone, -1, isContainer ? (InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit) : InheritanceFlags.None, PropagationFlags.None);
acl.everyOneFullAccessForNullDacl = true;
return acl;
}
static IpcStore()
{
var dacl = new DiscretionaryAcl(false, false, 1);
dacl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.CreatorOwnerSid, null), -1, InheritanceFlags.None, PropagationFlags.None);
dacl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null), -1, InheritanceFlags.None, PropagationFlags.None);
dacl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null), -1, InheritanceFlags.None, PropagationFlags.None);
IpcAcl = new CommonSecurityDescriptor(false, false, ControlFlags.GroupDefaulted | ControlFlags.OwnerDefaulted | ControlFlags.DiscretionaryAclPresent, null, null, null, dacl);
}
internal static CommonSecurityDescriptor CreateSecurityDescriptor(SecurityIdentifier userSid)
{
SecurityIdentifier sid = new SecurityIdentifier(networkSidSddlForm);
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 1);
// Deny all access to NetworkSid
dacl.AddAccess(AccessControlType.Deny, sid, -1, InheritanceFlags.None, PropagationFlags.None);
if (userSid != null)
dacl.AddAccess(AccessControlType.Allow, userSid, -1, InheritanceFlags.None, PropagationFlags.None);
// Add access to the current user creating the pipe
dacl.AddAccess(AccessControlType.Allow, WindowsIdentity.GetCurrent().User, -1, InheritanceFlags.None, PropagationFlags.None);
// Initialize and return the CommonSecurityDescriptor
return new CommonSecurityDescriptor(false, false, ControlFlags.OwnerDefaulted | ControlFlags.GroupDefaulted | ControlFlags.DiscretionaryAclPresent, null, null, null, dacl);;
}
public void AddAccessObjectAceNonDSFailsEvenIfObjectAceFlagsNoneImplyingCommonAce ()
{
SecurityIdentifier sid = new SecurityIdentifier ("BA");
DiscretionaryAcl dacl = new DiscretionaryAcl (false, false, 0);
dacl.AddAccess (AccessControlType.Allow, sid, 1, InheritanceFlags.None, PropagationFlags.None,
ObjectAceFlags.None, Guid.Empty, Guid.Empty);
}
// Token: 0x06001EF7 RID: 7927 RVA: 0x0006D054 File Offset: 0x0006B254
internal static DiscretionaryAcl CreateAllowEveryoneFullAccess(bool isDS, bool isContainer)
{
DiscretionaryAcl discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, 1);
discretionaryAcl.AddAccess(AccessControlType.Allow, DiscretionaryAcl._sidEveryone, -1, isContainer ? (InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit) : InheritanceFlags.None, PropagationFlags.None);
discretionaryAcl.everyOneFullAccessForNullDacl = true;
return(discretionaryAcl);
}
private static void EditDacl(DiscretionaryAcl dacl, SecurityIdentifier account, int right, bool add)
{
if (add)
{
dacl.AddAccess(AccessControlType.Allow, account, right, InheritanceFlags.None, PropagationFlags.None);
}
else
{
dacl.RemoveAccess(AccessControlType.Allow, account, right, InheritanceFlags.None, PropagationFlags.None);
}
}
public void AddAccessCommonAce ()
{
SecurityIdentifier sid = new SecurityIdentifier ("BA");
DiscretionaryAcl dacl = new DiscretionaryAcl (false, false, 0);
dacl.AddAccess (AccessControlType.Allow, sid, 1, InheritanceFlags.None, PropagationFlags.None);
Assert.AreEqual (1, dacl.Count);
CommonAce ace = (CommonAce)dacl[0];
Assert.AreEqual (1, ace.AccessMask);
Assert.AreEqual ("S-1-5-32-544", ace.SecurityIdentifier.Value);
Assert.IsFalse (ace.IsInherited);
}
public void AddAccessFailsOnNonCanonical ()
{
SecurityIdentifier sid = new SecurityIdentifier ("BU");
RawAcl acl = new RawAcl (RawAcl.AclRevision, 0);
acl.InsertAce (0, new CommonAce (AceFlags.None, AceQualifier.AccessAllowed, 1, sid, false, null));
acl.InsertAce (1, new CommonAce (AceFlags.None, AceQualifier.AccessDenied, 1, sid, false, null));
DiscretionaryAcl dacl = new DiscretionaryAcl (false, false, acl);
Assert.IsFalse (dacl.IsCanonical);
Assert.AreEqual (2, dacl.Count);
dacl.AddAccess (AccessControlType.Allow, sid, 1, InheritanceFlags.None, PropagationFlags.None);
}
private static byte[] FromSecurityIdentifiersFull(List<SecurityIdentifier> allowedSids, int accessRights)
{
int capacity = (allowedSids == null) ? 3 : (2 + allowedSids.Count);
DiscretionaryAcl discretionaryAcl = new DiscretionaryAcl(false, false, capacity);
discretionaryAcl.AddAccess(AccessControlType.Deny, new SecurityIdentifier(WellKnownSidType.NetworkSid, null), 0x10000000, InheritanceFlags.None, PropagationFlags.None);
int accessMask = GenerateClientAccessRights(accessRights);
if (allowedSids == null)
{
discretionaryAcl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.WorldSid, null), accessMask, InheritanceFlags.None, PropagationFlags.None);
}
else
{
for (int i = 0; i < allowedSids.Count; i++)
{
SecurityIdentifier sid = allowedSids[i];
discretionaryAcl.AddAccess(AccessControlType.Allow, sid, accessMask, InheritanceFlags.None, PropagationFlags.None);
}
}
discretionaryAcl.AddAccess(AccessControlType.Allow, GetProcessLogonSid(), accessRights, InheritanceFlags.None, PropagationFlags.None);
CommonSecurityDescriptor descriptor = new CommonSecurityDescriptor(false, false, ControlFlags.None, null, null, null, discretionaryAcl);
byte[] binaryForm = new byte[descriptor.BinaryLength];
descriptor.GetBinaryForm(binaryForm, 0);
return binaryForm;
}
internal static DiscretionaryAcl CreateAllowEveryoneFullAccess(bool isDS, bool isContainer)
{
DiscretionaryAcl discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, 1);
int num1 = 0;
SecurityIdentifier sid = DiscretionaryAcl._sidEveryone;
int accessMask = -1;
int num2 = isContainer ? 3 : 0;
int num3 = 0;
discretionaryAcl.AddAccess((AccessControlType)num1, sid, accessMask, (InheritanceFlags)num2, (PropagationFlags)num3);
int num4 = 1;
discretionaryAcl.everyOneFullAccessForNullDacl = num4 != 0;
return(discretionaryAcl);
}
internal static void EnsureServiceAclsCorrect()
{
var psd = new byte[0];
uint bufSizeNeeded;
var ok = Advapi32.QueryServiceObjectSecurity(Controller.Value.ServiceHandle, SecurityInfos.DiscretionaryAcl, psd, 0, out bufSizeNeeded);
if (!ok) {
int err = Marshal.GetLastWin32Error();
if (err == 122) {
// ERROR_INSUFFICIENT_BUFFER
// expected; now we know bufsize
psd = new byte[bufSizeNeeded];
ok = Advapi32.QueryServiceObjectSecurity(
Controller.Value.ServiceHandle, SecurityInfos.DiscretionaryAcl, psd, bufSizeNeeded, out bufSizeNeeded);
} else {
throw new ApplicationException("error calling QueryServiceObjectSecurity() to get DACL for Service: error code=" + err);
}
}
if (!ok) {
throw new ApplicationException("error calling QueryServiceObjectSecurity(2) to get DACL for Service: error code=" + Marshal.GetLastWin32Error());
}
// get security descriptor via raw into DACL form so ACE
// ordering checks are done for us.
var rsd = new RawSecurityDescriptor(psd, 0);
var dacl = new DiscretionaryAcl(false, false, rsd.DiscretionaryAcl);
dacl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null), (int)ServiceAccess.ServiceCoapp, InheritanceFlags.None, PropagationFlags.None);
// convert discretionary ACL back to raw form; looks like via byte[] is only way
var rawdacl = new byte[dacl.BinaryLength];
dacl.GetBinaryForm(rawdacl, 0);
rsd.DiscretionaryAcl = new RawAcl(rawdacl, 0);
// set raw security descriptor on service again
var rawsd = new byte[rsd.BinaryLength];
rsd.GetBinaryForm(rawsd, 0);
ok = Advapi32.SetServiceObjectSecurity(Controller.Value.ServiceHandle, SecurityInfos.DiscretionaryAcl, rawsd);
if (!ok) {
throw new ApplicationException("error calling SetServiceObjectSecurity(); error code=" + Marshal.GetLastWin32Error());
}
}
internal static CommonSecurityDescriptor GetServerPipeSecurity()
{
// Built-in Admin SID
SecurityIdentifier adminSID = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 1);
dacl.AddAccess(
AccessControlType.Allow,
adminSID,
_pipeAccessMaskFullControl,
InheritanceFlags.None,
PropagationFlags.None);
CommonSecurityDescriptor securityDesc = new CommonSecurityDescriptor(
false, false,
ControlFlags.DiscretionaryAclPresent | ControlFlags.OwnerDefaulted | ControlFlags.GroupDefaulted,
null, null, null, dacl);
// Conditionally add User SID
bool isAdminElevated = new WindowsPrincipal(WindowsIdentity.GetCurrent()).IsInRole(WindowsBuiltInRole.Administrator);
if (!isAdminElevated)
{
securityDesc.DiscretionaryAcl.AddAccess(
AccessControlType.Allow,
WindowsIdentity.GetCurrent().User,
_pipeAccessMaskFullControl,
InheritanceFlags.None,
PropagationFlags.None);
}
return securityDesc;
}
public void AddAccessObjectAceAndCommonAce ()
{
SecurityIdentifier sid = new SecurityIdentifier ("BA");
DiscretionaryAcl dacl = new DiscretionaryAcl (false, true, 0);
dacl.AddAccess (AccessControlType.Allow, sid, 1, InheritanceFlags.None, PropagationFlags.None,
ObjectAceFlags.ObjectAceTypePresent, Guid.NewGuid (), Guid.Empty);
dacl.AddAccess (AccessControlType.Allow, sid, 1, InheritanceFlags.None, PropagationFlags.None,
ObjectAceFlags.None, Guid.Empty, Guid.Empty);
Assert.AreEqual (2, dacl.Count);
CommonAce cace = (CommonAce)dacl [0];
Assert.AreEqual (1, cace.AccessMask);
Assert.AreEqual ("S-1-5-32-544", cace.SecurityIdentifier.Value);
Assert.IsFalse (cace.IsCallback);
Assert.IsFalse (cace.IsInherited);
ObjectAce oace = (ObjectAce)dacl [1];
Assert.AreEqual (1, oace.AccessMask);
Assert.AreEqual ("S-1-5-32-544", oace.SecurityIdentifier.Value);
Assert.IsFalse (oace.IsCallback);
Assert.IsFalse (oace.IsInherited);
dacl.AddAccess (AccessControlType.Allow, sid, 2, InheritanceFlags.None, PropagationFlags.None,
ObjectAceFlags.None, Guid.Empty, Guid.Empty);
Assert.AreEqual (2, dacl.Count);
CommonAce cace2 = (CommonAce)dacl [0];
Assert.AreEqual (3, cace2.AccessMask);
}
void RemoveSpecificBegin (SecurityIdentifier sid, DiscretionaryAcl dacl, InheritanceFlags inheritanceFlags)
{
SecurityIdentifier otherSid = new SecurityIdentifier ("BU");
dacl.AddAccess (AccessControlType.Allow, sid, 3, inheritanceFlags, PropagationFlags.None);
Assert.AreEqual (1, dacl.Count);
dacl.RemoveAccessSpecific (AccessControlType.Deny, sid, 1, inheritanceFlags, PropagationFlags.None);
Assert.AreEqual (1, dacl.Count);
dacl.RemoveAccessSpecific (AccessControlType.Allow, otherSid, 1, inheritanceFlags, PropagationFlags.None);
Assert.AreEqual (1, dacl.Count);
dacl.RemoveAccessSpecific (AccessControlType.Allow, sid, 1, inheritanceFlags, PropagationFlags.None);
Assert.AreEqual (1, dacl.Count);
Assert.AreEqual (3, ((CommonAce)dacl [0]).AccessMask);
dacl.RemoveAccessSpecific (AccessControlType.Allow, sid, 3,
inheritanceFlags ^ InheritanceFlags.ContainerInherit,
PropagationFlags.None);
Assert.AreEqual (1, dacl.Count);
}
TestSecurity FactoryCallTest (bool objectAce)
{
SecurityIdentifier sid = new SecurityIdentifier ("WD");
DiscretionaryAcl dacl = new DiscretionaryAcl (true, true, 1);
dacl.AddAccess (AccessControlType.Allow, sid, 1,
InheritanceFlags.None, PropagationFlags.None,
objectAce ? ObjectAceFlags.ObjectAceTypePresent : ObjectAceFlags.None,
Guid.NewGuid (), Guid.Empty);
CommonSecurityDescriptor descriptor = new CommonSecurityDescriptor
(true, true, ControlFlags.None, null, null, null, dacl);
TestSecurity security = new TestSecurity (descriptor);
security.GetAccessRules (true, true, typeof (SecurityIdentifier));
return security;
}
public void PropagationFlagsRequireInheritanceFlagsForAdd ()
{
SecurityIdentifier sid = new SecurityIdentifier ("BU");
DiscretionaryAcl dacl = new DiscretionaryAcl (true, false, 0);
dacl.AddAccess (AccessControlType.Allow, sid, 3, InheritanceFlags.None, PropagationFlags.InheritOnly);
}
public void InheritanceFlagsRequireContainer ()
{
SecurityIdentifier sid = new SecurityIdentifier ("BU");
DiscretionaryAcl dacl = new DiscretionaryAcl (false, false, 0);
dacl.AddAccess (AccessControlType.Allow, sid, 3, InheritanceFlags.ContainerInherit, PropagationFlags.None);
}
private static DiscretionaryAcl GetDacl(SecurityIdentifier securityIdentifiers)
{
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 16);
dacl.AddAccess(AccessControlType.Allow, securityIdentifiers, GenericExecute, InheritanceFlags.None, PropagationFlags.None);
return dacl;
}
// These two are based on similar utility methods in EasyHook:
private static IpcServerChannel CreateServerChannel(string channelName)
{
Dictionary<string, string> properties = new Dictionary<string, string>();
properties["name"] = channelName;
properties["portName"] = channelName;
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 1);
dacl.AddAccess(
AccessControlType.Allow,
new SecurityIdentifier(WellKnownSidType.WorldSid, null),
-1,
InheritanceFlags.None,
PropagationFlags.None);
CommonSecurityDescriptor secDesc = new CommonSecurityDescriptor(
false,
false,
ControlFlags.GroupDefaulted | ControlFlags.OwnerDefaulted | ControlFlags.DiscretionaryAclPresent,
null,
null,
null,
dacl);
BinaryServerFormatterSinkProvider sinkProv = new BinaryServerFormatterSinkProvider();
sinkProv.TypeFilterLevel = TypeFilterLevel.Full;
return new IpcServerChannel(properties, sinkProv, secDesc);
}
public void InvalidAccessControlType ()
{
// This is also testing the fact that the AccessControlType is checked before the
// InheritanceFlags are validated -- IsContainer is false here, so if the InheritanceFlags
// were checked first, ArgumentException would be thrown instead.
SecurityIdentifier sid = new SecurityIdentifier ("BA");
DiscretionaryAcl dacl = new DiscretionaryAcl (false, false, 0);
dacl.AddAccess ((AccessControlType)43210, sid, 1, InheritanceFlags.ContainerInherit, PropagationFlags.None);
}
private static DiscretionaryAcl getDacl(List<SecurityIdentifier> securityIdentifiers)
{
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 16);
foreach (SecurityIdentifier sec in securityIdentifiers)
{
dacl.AddAccess(AccessControlType.Allow, sec, GENERIC_EXECUTE, InheritanceFlags.None, PropagationFlags.None);
}
return dacl;
}
static byte[] FromSecurityIdentifiersFull(List<SecurityIdentifier> allowedSids, int accessRights)
{
int capacity = allowedSids == null ? 3 : 2 + allowedSids.Count;
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, capacity);
// add deny ACE first so that we don't get short circuited
dacl.AddAccess(AccessControlType.Deny, new SecurityIdentifier(WellKnownSidType.NetworkSid, null),
UnsafeNativeMethods.GENERIC_ALL, InheritanceFlags.None, PropagationFlags.None);
// clients get different rights, since they shouldn't be able to listen
int clientAccessRights = GenerateClientAccessRights(accessRights);
if (allowedSids == null)
{
dacl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.WorldSid, null),
clientAccessRights, InheritanceFlags.None, PropagationFlags.None);
}
else
{
for (int i = 0; i < allowedSids.Count; i++)
{
SecurityIdentifier allowedSid = allowedSids[i];
dacl.AddAccess(AccessControlType.Allow, allowedSid,
clientAccessRights, InheritanceFlags.None, PropagationFlags.None);
}
}
dacl.AddAccess(AccessControlType.Allow, GetProcessLogonSid(), accessRights, InheritanceFlags.None, PropagationFlags.None);
if (AppContainerInfo.IsRunningInAppContainer)
{
// NamedPipeBinding requires dacl with current AppContainer SID
// to setup multiple NamedPipes in the BeginAccept loop.
dacl.AddAccess(
AccessControlType.Allow,
AppContainerInfo.GetCurrentAppContainerSid(),
accessRights,
InheritanceFlags.None,
PropagationFlags.None);
}
CommonSecurityDescriptor securityDescriptor =
new CommonSecurityDescriptor(false, false, ControlFlags.None, null, null, null, dacl);
byte[] binarySecurityDescriptor = new byte[securityDescriptor.BinaryLength];
securityDescriptor.GetBinaryForm(binarySecurityDescriptor, 0);
return binarySecurityDescriptor;
}
public void Register(bool useIPC, bool useTCP, bool useHTTP)
{
// データベースの復元
try
{
Database.Instance.Load();
}
catch (Exception)
{
// 最初は必ず失敗する
}
// IPCを使うと、コネクションが残りっぱなしになったときに、不具合が起こる。
// PCをスタンバイさせるとまずいので、IPCは使わない方がいい。
if (useIPC)
{
// IPCを使うときは、サーバ側でACLを設定しないとダメみたい。
// ここのサンプルをコピーして使用。
// http://msdn2.microsoft.com/en-us/library/ms180985(vs.80).aspx
IDictionary props = new Hashtable();
props["portName"] = AppSettings.Instance.ObjectUri;
// This is the wellknown sid for network sid
string networkSidSddlForm = @"S-1-5-2";
// Local administrators sid
SecurityIdentifier localAdminSid = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
// Local Power users sid
SecurityIdentifier powerUsersSid = new SecurityIdentifier(WellKnownSidType.BuiltinPowerUsersSid, null);
// Network sid
SecurityIdentifier networkSid = new SecurityIdentifier(networkSidSddlForm);
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 1);
// Disallow access from off machine
dacl.AddAccess(AccessControlType.Deny, networkSid, -1, InheritanceFlags.None, PropagationFlags.None);
// Allow acces only from local administrators and power users
dacl.AddAccess(AccessControlType.Allow, localAdminSid, -1, InheritanceFlags.None, PropagationFlags.None);
dacl.AddAccess(AccessControlType.Allow, powerUsersSid, -1, InheritanceFlags.None, PropagationFlags.None);
CommonSecurityDescriptor securityDescriptor =
new CommonSecurityDescriptor(false, false,
ControlFlags.GroupDefaulted |
ControlFlags.OwnerDefaulted |
ControlFlags.DiscretionaryAclPresent,
null, null, null, dacl);
// IPC Channelを作成
_ipcChannel = new IpcServerChannel(props, null, securityDescriptor);
ChannelServices.RegisterChannel(_ipcChannel, false);
}
if (useHTTP)
{
// HTTP Channelを作成
_httpChannel = new HttpServerChannel(AppSettings.Instance.HttpPort);
ChannelServices.RegisterChannel(_httpChannel, false);
}
if (useTCP)
{
// TCP Channelを作成
_tcpChannel = new TcpServerChannel(AppSettings.Instance.TcpPort);
ChannelServices.RegisterChannel(_tcpChannel, true);
}
RemotingConfiguration.RegisterWellKnownServiceType(typeof(IRmainteImpl), AppSettings.Instance.ObjectUri, WellKnownObjectMode.Singleton);
}
internal static CommonSecurityDescriptor CreateSecurityDescriptor(SecurityIdentifier userSid)
{
SecurityIdentifier sid = new SecurityIdentifier("S-1-5-2");
DiscretionaryAcl discretionaryAcl = new DiscretionaryAcl(false, false, 1);
discretionaryAcl.AddAccess(AccessControlType.Deny, sid, -1, InheritanceFlags.None, PropagationFlags.None);
if (userSid != null)
{
discretionaryAcl.AddAccess(AccessControlType.Allow, userSid, -1, InheritanceFlags.None, PropagationFlags.None);
}
discretionaryAcl.AddAccess(AccessControlType.Allow, WindowsIdentity.GetCurrent().User, -1, InheritanceFlags.None, PropagationFlags.None);
return new CommonSecurityDescriptor(false, false, ControlFlags.DiscretionaryAclPresent | ControlFlags.GroupDefaulted | ControlFlags.OwnerDefaulted, null, null, null, discretionaryAcl);
}
