/// <summary>
/// Set ACL for control.
/// </summary>
/// <param name="acl">The ACL to view.</param>
/// <param name="access_type">The enum type for the view.</param>
/// <param name="mapping">Generic mapping for the type.</param>
/// <param name="valid_access">The valid bit mask for access for this type.</param>
/// <param name="is_container">True to indicate this object is a container.</param>
/// <param name="sdk_names">Show the ACEs using SDK style names.</param>
public void SetAcl(Acl acl, Type access_type, GenericMapping mapping, AccessMask valid_access, bool is_container, bool sdk_names)
{
_acl = acl;
_access_type = access_type;
_mapping = mapping;
_valid_access = valid_access;
_is_container = is_container;
_sdk_names = sdk_names;
showSDKNamesToolStripMenuItem.Checked = sdk_names;
bool has_conditional_ace = false;
bool has_inherited_object_ace = false;
bool has_object_ace = false;
List <string> flags = new List <string>();
if (acl.Defaulted)
{
flags.Add("Defaulted");
}
if (acl.Protected)
{
flags.Add("Protected");
}
if (acl.AutoInherited)
{
flags.Add("AutoInherited");
}
if (acl.AutoInheritReq)
{
flags.Add("AutoInheritReq");
}
if (flags.Count > 0)
{
lblFlags.Text = $"Flags: {string.Join(", ", flags)}";
}
else
{
lblFlags.Text = "Flags: None";
}
if (acl.NullAcl)
{
lblFlags.Text += Environment.NewLine + "NULL ACL";
listViewAcl.Visible = false;
listViewAccess.Visible = false;
groupBoxAclEntries.Visible = false;
groupBoxAccess.Visible = false;
return;
}
listViewAcl.Items.Clear();
listViewAcl.Visible = true;
listViewAccess.Visible = true;
listViewAccess.Items.Clear();
_current_access_type = null;
groupBoxAclEntries.Visible = true;
groupBoxAccess.Visible = true;
foreach (var ace in acl)
{
if (ace.IsConditionalAce)
{
has_conditional_ace = true;
}
if (ace.IsObjectAce)
{
if (ace.ObjectType.HasValue)
{
has_object_ace = true;
}
if (ace.InheritedObjectType.HasValue)
{
has_inherited_object_ace = true;
}
}
}
if (!has_conditional_ace)
{
listViewAcl.Columns.Remove(columnHeaderCondition);
copyConditionToolStripMenuItem.Visible = false;
}
if (!has_object_ace)
{
listViewAcl.Columns.Remove(columnHeaderObject);
}
if (!has_inherited_object_ace)
{
listViewAcl.Columns.Remove(columnHeaderInheritedObject);
}
foreach (var ace in acl)
{
var item = listViewAcl.Items.Add(sdk_names ? NtSecurity.AceTypeToSDKName(ace.Type) : ace.Type.ToString());
item.SubItems.Add(ace.Sid.Name);
string access;
if (ace.Type == AceType.MandatoryLabel)
{
access = NtSecurity.AccessMaskToString(ace.Mask.ToMandatoryLabelPolicy(), sdk_names);
}
else if (ace.Flags.HasFlag(AceFlags.InheritOnly))
{
access = NtSecurity.AccessMaskToString(ace.Mask.ToSpecificAccess(access_type), sdk_names);
}
else
{
AccessMask mapped_mask = mapping.MapMask(ace.Mask);
mapped_mask = mapping.UnmapMask(mapped_mask);
access = NtSecurity.AccessMaskToString(mapped_mask.ToSpecificAccess(access_type), sdk_names);
}
item.SubItems.Add(access);
item.SubItems.Add(sdk_names ? NtSecurity.AceFlagsToSDKName(ace.Flags) : ace.Flags.ToString());
if (has_conditional_ace)
{
item.SubItems.Add(ace.Condition);
}
if (has_object_ace)
{
item.SubItems.Add(ace.ObjectType?.ToString() ?? string.Empty);
}
if (has_inherited_object_ace)
{
item.SubItems.Add(ace.InheritedObjectType?.ToString() ?? string.Empty);
}
item.Tag = ace;
switch (ace.Type)
{
case AceType.Allowed:
case AceType.AllowedCallback:
case AceType.AllowedCallbackObject:
case AceType.AllowedObject:
item.BackColor = Color.LightGreen;
break;
case AceType.Denied:
case AceType.DeniedCallback:
case AceType.DeniedCallbackObject:
case AceType.DeniedObject:
item.BackColor = Color.LightSalmon;
break;
case AceType.ProcessTrustLabel:
item.BackColor = Color.LightSkyBlue;
break;
case AceType.MandatoryLabel:
item.BackColor = Color.LightGoldenrodYellow;
break;
case AceType.Audit:
case AceType.AuditCallback:
case AceType.AuditCallbackObject:
case AceType.AuditObject:
item.BackColor = Color.LightCoral;
break;
}
}
listViewAcl.AutoResizeColumns(ColumnHeaderAutoResizeStyle.ColumnContent);
listViewAcl.AutoResizeColumns(ColumnHeaderAutoResizeStyle.HeaderSize);
}
private protected override void RunAccessCheck(IEnumerable <TokenEntry> tokens)
{
if (CheckScmAccess)
{
SecurityDescriptor sd = ServiceUtils.GetScmSecurityDescriptor();
GenericMapping scm_mapping = ServiceUtils.GetScmGenericMapping();
AccessMask access_rights = scm_mapping.MapMask(ScmAccess);
foreach (TokenEntry token in tokens)
{
AccessMask granted_access = NtSecurity.GetMaximumAccess(sd, token.Token, scm_mapping);
if (IsAccessGranted(granted_access, access_rights))
{
WriteAccessCheckResult("SCM", "SCM", granted_access, scm_mapping, sd,
typeof(ServiceControlManagerAccessRights), false, token.Information);
}
}
}
else
{
IEnumerable <Win32Service> services = GetServices();
InternalGetAccessibleFileCmdlet file_cmdlet = null;
HashSet <string> checked_files = new HashSet <string>(StringComparer.OrdinalIgnoreCase);
if (CheckFiles)
{
file_cmdlet = new InternalGetAccessibleFileCmdlet(this)
{
FormatWin32Path = true,
Access = FileAccessRights.WriteData | FileAccessRights.WriteDac | FileAccessRights.WriteOwner | FileAccessRights.AppendData | FileAccessRights.Delete,
DirectoryAccess = FileDirectoryAccessRights.AddFile | FileDirectoryAccessRights.WriteDac | FileDirectoryAccessRights.WriteOwner,
AllowPartialAccess = true
};
}
GenericMapping service_mapping = ServiceUtils.GetServiceGenericMapping();
AccessMask access_rights = service_mapping.MapMask(Access);
foreach (var service in services.Where(s => s?.SecurityDescriptor != null))
{
foreach (TokenEntry token in tokens)
{
AccessMask granted_access = NtSecurity.GetMaximumAccess(service.SecurityDescriptor,
token.Token, service_mapping);
ServiceAccessRights trigger_access = GetTriggerAccess(service, token.Token);
if (IsAccessGranted(granted_access, access_rights))
{
WriteObject(new ServiceAccessCheckResult(service.Name, granted_access | trigger_access,
service.SecurityDescriptor, token.Information, trigger_access,
granted_access.ToSpecificAccess <ServiceAccessRights>(), service));
}
}
if (CheckFiles)
{
if (!string.IsNullOrWhiteSpace(service.ImagePath) &&
File.Exists(service.ImagePath) &&
checked_files.Add(service.ImagePath))
{
file_cmdlet.RunAccessCheckPathInternal(tokens, service.ImagePath);
file_cmdlet.RunAccessCheckPathInternal(tokens, Path.GetDirectoryName(service.ImagePath));
}
if (!string.IsNullOrWhiteSpace(service.ServiceDll) &&
File.Exists(service.ServiceDll) &&
checked_files.Add(service.ServiceDll))
{
file_cmdlet.RunAccessCheckPathInternal(tokens, service.ServiceDll);
file_cmdlet.RunAccessCheckPathInternal(tokens, Path.GetDirectoryName(service.ServiceDll));
}
}
}
}
}
