public static void TestCreateFromRawSecurityDescriptor(bool isContainer, bool isDS, string rawSecurityDescriptorSddl, string verifierSddl)
{
RawSecurityDescriptor rawSecurityDescriptor = new RawSecurityDescriptor(rawSecurityDescriptorSddl);
CommonSecurityDescriptor commonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, rawSecurityDescriptor);
// verify the result
Assert.True((isContainer == commonSecurityDescriptor.IsContainer) && (isDS == commonSecurityDescriptor.IsDS));
string resultSddlForm = commonSecurityDescriptor.GetSddlForm(AccessControlSections.All);
Assert.True(String.Compare(verifierSddl, resultSddlForm, StringComparison.CurrentCultureIgnoreCase) == 0);
}
public void EnumerateSecurityDescriptor(RawSecurityDescriptor sd)
{
if (sd == null)
{
return;
}
this.sourceMapper.AddSid(sd.Owner);
if (sd.DiscretionaryAcl != null)
{
foreach (GenericAce genericAce in sd.DiscretionaryAcl)
{
KnownAce knownAce = genericAce as KnownAce;
if (knownAce != null)
{
this.sourceMapper.AddSid(knownAce.SecurityIdentifier);
}
}
}
}
// Token: 0x06000144 RID: 324 RVA: 0x00008548 File Offset: 0x00006748
public static bool smethod_1()
{
bool result;
try
{
RawSecurityDescriptor rawSecurityDescriptor = Class26.smethod_3();
SecurityIdentifier sid = new SecurityIdentifier(WellKnownSidType.WorldSid, null);
CommonAce ace = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 2035707, sid, false, null);
rawSecurityDescriptor.DiscretionaryAcl.InsertAce(0, ace);
result = Class26.smethod_4(rawSecurityDescriptor);
}
catch (Exception exception_)
{
Class8.smethod_86(exception_, "RestoreAccessControlEntries");
result = false;
}
return(result);
}
/// <summary>
/// 보안 특성 구하기
/// </summary>
/// <returns>보안 특성</returns>
private static SECURITY_ATTRIBUTE GetSecurityAttribute()
{
RawSecurityDescriptor descriptor = new RawSecurityDescriptor(ControlFlags.DiscretionaryAclPresent, null, null, null, null);
SECURITY_ATTRIBUTE securityAttribute = new SECURITY_ATTRIBUTE();
securityAttribute.Length = (uint)Marshal.SizeOf(typeof(SECURITY_ATTRIBUTE));
securityAttribute.InheritHandle = false;
byte[] byteArray = new byte[descriptor.BinaryLength];
descriptor.GetBinaryForm(byteArray, 0);
securityAttribute.SecurityDescriptor = Marshal.AllocHGlobal(byteArray.Length);
Marshal.Copy(byteArray, 0, securityAttribute.SecurityDescriptor, byteArray.Length);
return(securityAttribute);
}
private static RawSecurityDescriptor UpdateMailboxSecurityDescriptor(SecurityIdentifier userSid, ADUser userToConnect, MapiAdministrationSession mapiAdministrationSession, MailboxDatabase database, Guid deletedMailboxGuid, string parameterSetName, Task.TaskVerboseLoggingDelegate verboseLogger)
{
RawSecurityDescriptor rawSecurityDescriptor = null;
try
{
rawSecurityDescriptor = mapiAdministrationSession.GetMailboxSecurityDescriptor(new MailboxId(MapiTaskHelper.ConvertDatabaseADObjectToDatabaseId(database), deletedMailboxGuid));
}
catch (Microsoft.Exchange.Data.Mapi.Common.MailboxNotFoundException)
{
rawSecurityDescriptor = new RawSecurityDescriptor(ControlFlags.DiscretionaryAclDefaulted | ControlFlags.SystemAclDefaulted | ControlFlags.SelfRelative, WindowsIdentity.GetCurrent().User, WindowsIdentity.GetCurrent().User, null, null);
DiscretionaryAcl discretionaryAcl = new DiscretionaryAcl(true, true, 0);
byte[] binaryForm = new byte[discretionaryAcl.BinaryLength];
discretionaryAcl.GetBinaryForm(binaryForm, 0);
rawSecurityDescriptor.DiscretionaryAcl = new RawAcl(binaryForm, 0);
}
bool flag = false;
foreach (GenericAce genericAce in rawSecurityDescriptor.DiscretionaryAcl)
{
KnownAce knownAce = (KnownAce)genericAce;
if (knownAce.SecurityIdentifier.IsWellKnown(WellKnownSidType.SelfSid))
{
flag = true;
break;
}
}
if (!flag)
{
CommonAce ace = new CommonAce(AceFlags.ContainerInherit, AceQualifier.AccessAllowed, 131073, new SecurityIdentifier(WellKnownSidType.SelfSid, null), false, null);
rawSecurityDescriptor.DiscretionaryAcl.InsertAce(0, ace);
}
rawSecurityDescriptor.SetFlags(rawSecurityDescriptor.ControlFlags | ControlFlags.SelfRelative);
if ("Linked" == parameterSetName || "Shared" == parameterSetName || "Room" == parameterSetName || "Equipment" == parameterSetName)
{
RawSecurityDescriptor sd = userToConnect.ReadSecurityDescriptor();
MailboxTaskHelper.GrantPermissionToLinkedUserAccount(userToConnect.MasterAccountSid, ref rawSecurityDescriptor, ref sd);
verboseLogger(Strings.VerboseSaveADSecurityDescriptor(userToConnect.Id.ToString()));
userToConnect.SaveSecurityDescriptor(sd);
}
mapiAdministrationSession.Administration.PurgeCachedMailboxObject(deletedMailboxGuid);
return(rawSecurityDescriptor);
}
public static void SetServicePermissions(string serviceName)
{
Logger.Info("{0} {1}", (object)MethodBase.GetCurrentMethod().Name, (object)serviceName);
using (ServiceController serviceController = new ServiceController(serviceName, "."))
{
int status = (int)serviceController.Status;
byte[] numArray1 = new byte[0];
uint bufSizeNeeded;
bool flag = ServiceManager.QueryServiceObjectSecurity(serviceController.ServiceHandle, SecurityInfos.DiscretionaryAcl, numArray1, 0U, out bufSizeNeeded);
if (!flag)
{
int lastWin32Error = Marshal.GetLastWin32Error();
switch (lastWin32Error)
{
case 0:
case 122:
numArray1 = new byte[(int)bufSizeNeeded];
flag = ServiceManager.QueryServiceObjectSecurity(serviceController.ServiceHandle, SecurityInfos.DiscretionaryAcl, numArray1, bufSizeNeeded, out bufSizeNeeded);
break;
default:
throw new Exception("error calling QueryServiceObjectSecurity() to get DACL : error code=" + lastWin32Error.ToString());
}
}
if (!flag)
{
throw new Exception("error calling QueryServiceObjectSecurity(2) to get DACL : error code=" + Marshal.GetLastWin32Error().ToString());
}
RawSecurityDescriptor securityDescriptor = new RawSecurityDescriptor(numArray1, 0);
DiscretionaryAcl discretionaryAcl = new DiscretionaryAcl(false, false, securityDescriptor.DiscretionaryAcl);
discretionaryAcl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.InteractiveSid, (SecurityIdentifier)null), 983551, InheritanceFlags.None, PropagationFlags.None);
byte[] binaryForm = new byte[discretionaryAcl.BinaryLength];
discretionaryAcl.GetBinaryForm(binaryForm, 0);
securityDescriptor.DiscretionaryAcl = new RawAcl(binaryForm, 0);
byte[] numArray2 = new byte[securityDescriptor.BinaryLength];
securityDescriptor.GetBinaryForm(numArray2, 0);
if (!ServiceManager.SetServiceObjectSecurity(serviceController.ServiceHandle, SecurityInfos.DiscretionaryAcl, numArray2))
{
throw new Exception("error calling SetServiceObjectSecurity(); error code=" + Marshal.GetLastWin32Error().ToString());
}
}
}
public SystemMandatoryLabel(CommonObjectSecurity sec)
{
Policy = SystemMandatoryLabelPolicy.None;
Level = SystemMandatoryLabelLevel.None;
try
{
var sd = new RawSecurityDescriptor(sec.GetSecurityDescriptorBinaryForm(), 0);
if (sd.SystemAcl != null)
{
foreach (var ace in sd.SystemAcl)
{
if ((int)ace.AceType == 0x11)
{
byte[] aceBytes = new byte[ace.BinaryLength];
ace.GetBinaryForm(aceBytes, 0);
//_policy = new IntegrityPolicy(aceBytes, 4);
//_level = new IntegrityLevel(aceBytes, 8);
}
}
}
}
catch { }
/*byte[] saclBinaryForm = new byte[sd.SystemAcl.BinaryLength];
* sd.SystemAcl.GetBinaryForm(saclBinaryForm, 0);
* GenericAce ace = null;
* if (null != saclBinaryForm)
* {
* RawAcl aclRaw = new RawAcl(saclBinaryForm, 0);
* if (0 >= aclRaw.Count) throw new ArgumentException("No ACEs in ACL", "saclBinaryForm");
* ace = aclRaw[0];
* if (Win32.SYSTEM_MANDATORY_LABEL_ACE_TYPE != (int)ace.AceType)
* throw new ArgumentException("No Mandatory Integrity Label in ACL", "saclBinaryForm");
* byte[] aceBytes = new byte[ace.BinaryLength];
* ace.GetBinaryForm(aceBytes, 0);
* _policy = new IntegrityPolicy(aceBytes, 4);
* _level = new IntegrityLevel(aceBytes, 8);
* return;
* }
* throw new ArgumentNullException("saclBinaryForm");*/
}
public static ServiceAccessRights GetEffectiveAccessRights([NotNull] this ServiceController thisValue, [NotNull] SecurityIdentifier sid)
{
Win32.QueryServiceObjectSecurity(thisValue.ServiceHandle, SecurityInfos.DiscretionaryAcl, null, 0u, out uint len);
int errCode = Marshal.GetLastWin32Error();
if (errCode != ResultWin32.ERROR_INSUFFICIENT_BUFFER)
{
return(errCode == 0
? (ServiceAccessRights)0
: throw new Win32Exception(errCode));
}
byte[] buffer = new byte[len];
if (!Win32.QueryServiceObjectSecurity(thisValue.ServiceHandle, SecurityInfos.DiscretionaryAcl, buffer, len, out len))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
RawSecurityDescriptor rsd = new RawSecurityDescriptor(buffer, 0);
RawAcl racl = rsd.DiscretionaryAcl;
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, racl);
byte[] daclBuffer = new byte[dacl.BinaryLength];
dacl.GetBinaryForm(daclBuffer, 0);
byte[] sidBuffer = new byte[sid.BinaryLength];
sid.GetBinaryForm(sidBuffer, 0);
TRUSTEE trustee = new TRUSTEE();
Win32.BuildTrusteeWithSid(ref trustee, sidBuffer);
uint access = 0u;
int hr = (int)Win32.GetEffectiveRightsFromAcl(daclBuffer, ref trustee, ref access);
Marshal.Release(trustee.ptstrName);
if (hr != ResultWin32.ERROR_SUCCESS)
{
throw Marshal.GetExceptionForHR(hr);
}
return((ServiceAccessRights)access);
}
private static bool FindAces(ADObjectId id, RawSecurityDescriptor rsd, params ActiveDirectoryAccessRule[] aces)
{
if (rsd == null)
{
throw new SecurityDescriptorAccessDeniedException(id.DistinguishedName);
}
ActiveDirectorySecurity activeDirectorySecurity = new ActiveDirectorySecurity();
byte[] array = new byte[rsd.BinaryLength];
rsd.GetBinaryForm(array, 0);
activeDirectorySecurity.SetSecurityDescriptorBinaryForm(array);
foreach (ActiveDirectoryAccessRule ace in aces)
{
if (DirectoryCommon.FindAce(ace, activeDirectorySecurity) == null)
{
return(false);
}
}
return(true);
}
// Token: 0x06001A7D RID: 6781 RVA: 0x0006EDC8 File Offset: 0x0006CFC8
public virtual Result <TEntry> ReadSecurityDescriptor(ProxyAddress proxyAddress)
{
if (proxyAddress == null)
{
throw new ArgumentNullException("proxyAddress");
}
Result <TEntry> result = this.FindAndCacheRecipient(proxyAddress);
if (result.Data != null)
{
IDirectorySession adsession = this.ADSession;
TEntry data = result.Data;
RawSecurityDescriptor rawSecurityDescriptor = adsession.ReadSecurityDescriptor(data.Id);
lock (result.Data)
{
result.Data.propertyBag.SetField(ADObjectSchema.NTSecurityDescriptor, SecurityDescriptor.FromRawSecurityDescriptor(rawSecurityDescriptor));
}
}
return(result);
}
/// <summary>Initializes the dialog with a custom provider.</summary>
/// <param name="displayName">The object name.</param>
/// <param name="fullObjectName">Full name of the object.</param>
/// <param name="isContainer">Set to <c>true</c> if object is a container.</param>
/// <param name="customProvider">The custom provider.</param>
/// <param name="sd">The binary Security Descriptor.</param>
/// <param name="targetServer">The target server.</param>
public void Initialize(string displayName, string fullObjectName, bool isContainer, IAccessControlEditorDialogProvider customProvider, byte[] sd, string targetServer = null)
{
if (isContainer)
{
ObjectIsContainer = true;
}
iSecInfo = new SecurityInfoImpl(flags, displayName, fullObjectName, targetServer);
ResourceType = ResourceType.Unknown;
if (sd != null)
{
Result = new RawSecurityDescriptor(sd, 0);
iSecInfo.SecurityDescriptor = sd;
}
else
{
Result = new RawSecurityDescriptor("");
iSecInfo.SecurityDescriptor = new byte[20];
}
iSecInfo.SetProvider(customProvider);
}
public void AclInheritance()
{
NtfsFileSystem ntfs = FileSystemSource.NtfsFileSystem();
RawSecurityDescriptor sd = new RawSecurityDescriptor("O:BAG:BAD:(A;OICINP;GA;;;BA)");
ntfs.CreateDirectory("dir");
ntfs.SetSecurity("dir", sd);
ntfs.CreateDirectory(@"dir\subdir");
RawSecurityDescriptor inheritedSd = ntfs.GetSecurity(@"dir\subdir");
Assert.NotNull(inheritedSd);
Assert.Equal("O:BAG:BAD:(A;ID;GA;;;BA)", inheritedSd.GetSddlForm(AccessControlSections.All));
using (ntfs.OpenFile(@"dir\subdir\file", FileMode.Create, FileAccess.ReadWrite)) { }
inheritedSd = ntfs.GetSecurity(@"dir\subdir\file");
Assert.NotNull(inheritedSd);
Assert.Equal("O:BAG:BAD:", inheritedSd.GetSddlForm(AccessControlSections.All));
}
public HttpConfigUrlAclEntry(string uriPrefix, string securityDescriptor)
{
this.uriPrefix = uriPrefix;
this.securityDescriptor = new RawSecurityDescriptor(securityDescriptor);
if (uriPrefix.StartsWith("http://+:") || uriPrefix.StartsWith("https://+:"))
{
this.host = "+";
this.uri = new Uri(uriPrefix.Replace("://+:", "://__STRONG_WILDCARD:"));
}
else if (uriPrefix.StartsWith("http://*:") || uriPrefix.StartsWith("https://*:"))
{
this.host = "*";
this.uri = new Uri(uriPrefix.Replace("://*:", "://__WEAK_WILDCARD:"));
}
else
{
this.uri = new Uri(uriPrefix);
this.host = this.uri.Host;
}
}
/// <summary>[AlphaFS] Checks if the directory has permission inheritance enabled.</summary>
/// <returns><see langword="true"/> if permission inheritance is enabled, <see langword="false"/> if permission inheritance is disabled.</returns>
/// <param name="path">The full path to the directory to check.</param>
/// <param name="pathFormat">Indicates the format of the path parameter(s).</param>
public static bool HasInheritedPermissions(string path, PathFormat pathFormat)
{
if (Utils.IsNullOrWhiteSpace(path))
{
throw new ArgumentNullException("path");
}
var acl = File.GetAccessControlCore <DirectorySecurity>(true, path, AccessControlSections.Access | AccessControlSections.Group | AccessControlSections.Owner, pathFormat);
var rawBytes = acl.GetSecurityDescriptorBinaryForm();
var rsd = new RawSecurityDescriptor(rawBytes, 0);
// "Include inheritable permissions from this object's parent" is unchecked
var inheritanceDisabled = (rsd.ControlFlags & ControlFlags.DiscretionaryAclProtected) == ControlFlags.DiscretionaryAclProtected;
return(!inheritanceDisabled);
}
public void GetSddlForm()
{
RawSecurityDescriptor sd = new RawSecurityDescriptor("");
Assert.AreEqual("", sd.GetSddlForm(AccessControlSections.All));
// Ask for part of SD that isn't represented
sd.Owner = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null);
sd.Group = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
Assert.AreEqual("", sd.GetSddlForm(AccessControlSections.Access));
// Empty ACL form
sd.DiscretionaryAcl = new RawAcl(2, 0);
sd.SystemAcl = new RawAcl(1, 0);
sd.SetFlags(sd.ControlFlags | ControlFlags.DiscretionaryAclPresent | ControlFlags.SystemAclPresent);
Assert.AreEqual("O:BUG:BAD:S:", sd.GetSddlForm(AccessControlSections.All));
// Add an ACE to the DACL
SecurityIdentifier builtInAdmins = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
CommonAce ace = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 0x7FFFFFFF, builtInAdmins, false, null);
sd.DiscretionaryAcl.InsertAce(0, ace);
Assert.AreEqual("O:BUG:BAD:(A;;0x7fffffff;;;BA)S:", sd.GetSddlForm(AccessControlSections.All));
// Add second ACE to the DACL
SecurityIdentifier randomUser = new SecurityIdentifier("S-1-5-21-324-23423-234-334");
ace = new CommonAce(AceFlags.Inherited | AceFlags.ContainerInherit, AceQualifier.AccessDenied, 0x12345678, randomUser, true, null);
sd.DiscretionaryAcl.InsertAce(0, ace);
Assert.AreEqual("O:BUD:(XD;CIID;0x12345678;;;S-1-5-21-324-23423-234-334)(A;;0x7fffffff;;;BA)", sd.GetSddlForm(AccessControlSections.Owner | AccessControlSections.Access));
// DACL & SACL flags
sd.SetFlags(sd.ControlFlags | ControlFlags.DiscretionaryAclProtected | ControlFlags.DiscretionaryAclAutoInherited | ControlFlags.DiscretionaryAclAutoInheritRequired | ControlFlags.SystemAclAutoInherited);
sd.DiscretionaryAcl = new RawAcl(1, 0);
ace = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 0x7FFFFFFF, builtInAdmins, false, null);
sd.DiscretionaryAcl.InsertAce(0, ace);
Assert.AreEqual("O:BUG:BAD:PARAI(A;;0x7fffffff;;;BA)S:AI", sd.GetSddlForm(AccessControlSections.All));
sd.SetFlags(sd.ControlFlags | ControlFlags.ServerSecurity | ControlFlags.DiscretionaryAclDefaulted);
Assert.AreEqual("O:BUG:BAD:PARAI(A;;0x7fffffff;;;BA)S:AI", sd.GetSddlForm(AccessControlSections.All));
}
public void SetTeamMailboxUserPermissions(IList <ADObjectId> usersToAdd, IList <ADObjectId> usersToRemove, SecurityIdentifier[] additionalSids, bool save = true)
{
ADUser aduser = (ADUser)this.TeamMailbox.DataObject;
RawSecurityDescriptor exchangeSecurityDescriptor = aduser.ExchangeSecurityDescriptor;
ActiveDirectorySecurity activeDirectorySecurity = SecurityDescriptorConverter.ConvertToActiveDirectorySecurity(exchangeSecurityDescriptor);
if (usersToAdd != null)
{
foreach (ADObjectId userId in usersToAdd)
{
SecurityIdentifier userSid = this.GetUserSid(userId);
if (userSid != null)
{
activeDirectorySecurity.AddAccessRule(new ActiveDirectoryAccessRule(userSid, ActiveDirectoryRights.CreateChild, AccessControlType.Allow, Guid.Empty, ActiveDirectorySecurityInheritance.All, Guid.Empty));
}
}
}
if (usersToRemove != null)
{
foreach (ADObjectId userId2 in usersToRemove)
{
SecurityIdentifier userSid2 = this.GetUserSid(userId2);
if (userSid2 != null)
{
activeDirectorySecurity.RemoveAccessRule(new ActiveDirectoryAccessRule(userSid2, ActiveDirectoryRights.CreateChild, AccessControlType.Allow, Guid.Empty, ActiveDirectorySecurityInheritance.All, Guid.Empty));
}
}
}
if (additionalSids != null)
{
foreach (SecurityIdentifier identity in additionalSids)
{
activeDirectorySecurity.AddAccessRule(new ActiveDirectoryAccessRule(identity, ActiveDirectoryRights.CreateChild, AccessControlType.Allow, Guid.Empty, ActiveDirectorySecurityInheritance.All, Guid.Empty));
}
}
aduser.ExchangeSecurityDescriptor = new RawSecurityDescriptor(activeDirectorySecurity.GetSecurityDescriptorBinaryForm(), 0);
if (save)
{
this.DataSession.Save(aduser);
}
}
protected override object InternalTryGetValue(PropertyBag.BasicPropertyStore propertyBag)
{
byte[] array = propertyBag.GetValue(this.propertyDefinition) as byte[];
if (array == null)
{
SecurityDescriptorProperty.Tracer.TraceError((long)this.GetHashCode(), "SecurityDescriptorProperty::InternalTryGetValue. Security descriptor is missing.");
return(null);
}
if (array.Length <= 8)
{
SecurityDescriptorProperty.Tracer.TraceError <int>((long)this.GetHashCode(), "SecurityDescriptorProperty::InternalTryGetValue. Security descriptor has invalid length: {0}.", array.Length);
return(null);
}
int num = (int)BitConverter.ToUInt16(array, 2);
if (num != 3)
{
SecurityDescriptorProperty.Tracer.TraceError <int, ArrayTracer <byte> >((long)this.GetHashCode(), "SecurityDescriptorProperty::InternalTryGetValue. Security descriptor has unknown version: {0}. Bytes={1}.", num, new ArrayTracer <byte>(array));
return(null);
}
int num2 = (int)BitConverter.ToUInt16(array, 0);
if (num2 < 8)
{
SecurityDescriptorProperty.Tracer.TraceError <int, ArrayTracer <byte> >((long)this.GetHashCode(), "SecurityDescriptorProperty::InternalTryGetValue. Security descriptor offset is less than 8 bytes: {0}. Bytes={1}.", num2, new ArrayTracer <byte>(array));
return(null);
}
object result;
try
{
result = new RawSecurityDescriptor(array, num2);
}
catch (ArgumentException arg)
{
SecurityDescriptorProperty.Tracer.TraceError <ArrayTracer <byte>, ArgumentException>((long)this.GetHashCode(), "SecurityDescriptorProperty::InternalTryGetValue. Byte array for the RawSecurityDescritor is not valid. Bytes={0}. Exception = {1}.", new ArrayTracer <byte>(array), arg);
result = null;
}
return(result);
}
private static bool CallerHasFullPermission(ClientSecurityContext clientSecurityContext, FreeBusyQuery freeBusyQuery)
{
SecurityIdentifier sid = freeBusyQuery.RecipientData.Sid;
SecurityIdentifier masterAccountSid = freeBusyQuery.RecipientData.MasterAccountSid;
bool flag = (sid != null && sid.Equals(clientSecurityContext.UserSid)) || (masterAccountSid != null && masterAccountSid.Equals(clientSecurityContext.UserSid));
if (flag)
{
FreeBusyPermission.SecurityTracer.TraceDebug(0L, "{0}: Caller {1} is owner of mailbox {2}, mailbox user SID {3}, master account SID {4}.", new object[]
{
TraceContext.Get(),
clientSecurityContext,
freeBusyQuery.Email,
sid,
masterAccountSid
});
return(true);
}
RawSecurityDescriptor exchangeSecurityDescriptor = freeBusyQuery.RecipientData.ExchangeSecurityDescriptor;
if (exchangeSecurityDescriptor != null)
{
if (FreeBusyPermission.SecurityTracer.IsTraceEnabled(TraceType.DebugTrace))
{
string sddlForm = exchangeSecurityDescriptor.GetSddlForm(AccessControlSections.All);
FreeBusyPermission.SecurityTracer.TraceDebug <object, EmailAddress, string>(0L, "{0}: The SDDL form of mailbox security descriptor of mailbox {1} is: {2}.", TraceContext.Get(), freeBusyQuery.Email, sddlForm);
}
if (clientSecurityContext.GetGrantedAccess(exchangeSecurityDescriptor, AccessMask.CreateChild) == 1 || clientSecurityContext.GetGrantedAccess(exchangeSecurityDescriptor, AccessMask.List) == 4)
{
FreeBusyPermission.SecurityTracer.TraceDebug <object, EmailAddress>(0L, "{0}: Caller does have 'owner' rights in mailbox {1}.", TraceContext.Get(), freeBusyQuery.Email);
return(true);
}
}
else
{
FreeBusyPermission.SecurityTracer.TraceDebug <object, EmailAddress>(0L, "{0}: User does not have an ExchangeSecurityDescriptor.", TraceContext.Get(), freeBusyQuery.Email);
}
FreeBusyPermission.SecurityTracer.TraceDebug <object, EmailAddress>(0L, "{0}: Caller does NOT have 'owner' rights in mailbox {1}.", TraceContext.Get(), freeBusyQuery.Email);
return(false);
}
static void Main(string[] args)
{
VirtualStorageType storageType = new VirtualStorageType();
storageType.DeviceId = VirtualStorageDeviceTypes.Vhdx;
storageType.VendorId = VirtualStorageType.VendorIdMicrosoft;
VirtualDiskSafeHandle diskHandle = new VirtualDiskSafeHandle();
string filename = @"C:\temp\test.vhdx";
OpenVirtualDiskParameters readParameters = new OpenVirtualDiskParameters();
readParameters.Version = OpenVirtualDiskVersions.Version2;
readParameters.Version2 = new OpenVirtualDiskParametersVersion2()
{
GetInfoOnly = false,
ReadOnly = false,
ResiliencyGuid = Guid.Empty,
};
uint result = VirtualDiskApi.OpenVirtualDisk(storageType,
filename,
VirtualDiskAccessMasks.None,
OpenVirtualDiskFlags.None,
readParameters,
diskHandle);
RawSecurityDescriptor descriptor = new RawSecurityDescriptor("O:BAG:BAD:(A;;GA;;;WD)");
AttachVirtualDiskParameters parameters = new AttachVirtualDiskParameters();
parameters.Version = AttachVirtualDiskVersions.Version1;
result = VirtualDiskApi.AttachVirtualDisk(diskHandle, descriptor, AttachVirtualDiskFlags.PermanentLifetime, 0, parameters, null);
diskHandle.Close();
diskHandle = null;
}
private static void SetAces(Task.TaskVerboseLoggingDelegate verboseLogger, Task.TaskWarningLoggingDelegate warningLogger, Task.ErrorLoggerDelegate errorLogger, IDirectorySession session, ADObjectId id, bool remove, params ActiveDirectoryAccessRule[] aces)
{
if (verboseLogger != null)
{
verboseLogger(Strings.InfoSetAces(id.DistinguishedName));
}
if (session == null)
{
throw new ArgumentNullException("session");
}
if (id == null)
{
throw new ArgumentNullException("id");
}
RawSecurityDescriptor rawSecurityDescriptor = session.ReadSecurityDescriptor(id);
rawSecurityDescriptor = DirectoryCommon.ApplyAcesOnSd(verboseLogger, warningLogger, errorLogger, id, rawSecurityDescriptor, remove, aces);
if (rawSecurityDescriptor != null)
{
session.SaveSecurityDescriptor(id, rawSecurityDescriptor);
}
}
private static void SetServiceSecurity(SafeHandle service)
{
byte[] buf = Array.Empty <byte>();
if (!QueryServiceObjectSecurity(service, SecurityInfos.DiscretionaryAcl, null, 0, out var bufSize))
{
if (Marshal.GetLastWin32Error() != Errors.InsufficientBuffer)
{
throw new Exception("Could not query service object security size.", new Win32Exception());
}
buf = new byte[bufSize];
if (!QueryServiceObjectSecurity(service, SecurityInfos.DiscretionaryAcl, buf, bufSize, out bufSize))
{
throw new Exception("Could not query service object security.", new Win32Exception());
}
}
var securityDescriptor = new RawSecurityDescriptor(buf, 0);
var rawAcl = securityDescriptor.DiscretionaryAcl;
var acl = new DiscretionaryAcl(false, false, rawAcl);
var userSid = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null);
const ServiceAccess accessMask = ServiceAccess.GenericRead | ServiceAccess.GenericExecute;
acl.SetAccess(AccessControlType.Allow, userSid, (int)accessMask, InheritanceFlags.None,
PropagationFlags.None);
buf = new byte[acl.BinaryLength];
acl.GetBinaryForm(buf, 0);
securityDescriptor.DiscretionaryAcl = new RawAcl(buf, 0);
buf = new byte[securityDescriptor.BinaryLength];
securityDescriptor.GetBinaryForm(buf, 0);
if (!SetServiceObjectSecurity(service, SecurityInfos.DiscretionaryAcl, buf))
{
throw new Exception("Could not set object security.", new Win32Exception());
}
}
public static FreeBusyPermissionLevel AccessCheck(RawSecurityDescriptor securityDescriptor, ClientSecurityContext clientContext)
{
int grantedAccess = clientContext.GetGrantedAccess(securityDescriptor, AccessMask.MaximumAllowed);
FreeBusyPermissionLevel freeBusyPermissionLevel = FreeBusyPermissionLevel.None;
if ((grantedAccess & 2) != 0)
{
freeBusyPermissionLevel = FreeBusyPermissionLevel.Detail;
}
else if ((grantedAccess & 1) != 0)
{
freeBusyPermissionLevel = FreeBusyPermissionLevel.Simple;
}
FreeBusyPermission.SecurityTracer.TraceDebug(0L, "{0}: Access check for {1} resulted in granted access {2}, permission level {3}", new object[]
{
TraceContext.Get(),
clientContext,
grantedAccess,
freeBusyPermissionLevel
});
return(freeBusyPermissionLevel);
}
public RawSecurityDescriptor GetSecurityDescriptor()
{
if (string.IsNullOrEmpty(path))
{
throw new ArgumentException("Path cannot be null or whitespace.", "path");
}
FileSystemSecurity security;
if (!TryGetFileSecurity(path, AccessSectionsNeeded, out security))
{
if (!TryGetDirectorySecurity(path, AccessSectionsNeeded, out security))
{
throw new ArgumentException("The path must be an existing file or directory.", path);
}
}
var descriptorBinaryForm = security.GetSecurityDescriptorBinaryForm();
var descriptor = new RawSecurityDescriptor(descriptorBinaryForm, 0);
return(descriptor);
}
public static void TakeOwnership(ADObjectId id, RawSecurityDescriptor sd, IConfigurationSession session)
{
if (id == null)
{
throw new ArgumentNullException("id");
}
if (session == null)
{
throw new ArgumentNullException("session");
}
if (sd == null)
{
using (WindowsIdentity current = WindowsIdentity.GetCurrent())
{
CommonSecurityDescriptor commonSecurityDescriptor = new CommonSecurityDescriptor(false, true, ControlFlags.DiscretionaryAclPresent, current.User, current.User, null, null);
byte[] binaryForm = new byte[commonSecurityDescriptor.BinaryLength];
commonSecurityDescriptor.GetBinaryForm(binaryForm, 0);
sd = new RawSecurityDescriptor(binaryForm, 0);
}
}
session.SaveSecurityDescriptor(id, sd, true);
}
public EffectiveAccess(string path,
string targetMachine,
RawSecurityDescriptor shareSD,
SecurityIdentifier userSid,
SecurityIdentifier deviceSid,
ClaimValueDictionary userClaims,
ClaimValueDictionary deviceClaims,
GroupsCollection userGroups,
GroupsCollection deviceGroups)
{
if (string.IsNullOrEmpty(targetMachine) && shareSD != null)
{
throw new ArgumentException("targetMachine must be value when shareSD is not-empty", "targetMachine");
}
handle = NativeMethods.CreateFile(path,
NativeMethods.FileAccess.GenericRead,
NativeMethods.FileShare.Read
| NativeMethods.FileShare.Write
| NativeMethods.FileShare.Delete,
IntPtr.Zero,
NativeMethods.FileMode.OpenExisting,
NativeMethods.FileFlagAttrib.BackupSemantics,
IntPtr.Zero);
if (handle.IsInvalid)
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
this.targetMachine = targetMachine;
this.shareSD = shareSD;
this.userSid = userSid;
this.deviceSid = deviceSid;
this.userClaims = userClaims;
this.deviceClaims = deviceClaims;
this.userGroups = userGroups;
this.deviceGroups = deviceGroups;
}
public static bool SDHasAC(string sddl)
{
if (String.IsNullOrWhiteSpace(sddl))
{
return(false);
}
RawSecurityDescriptor sd = new RawSecurityDescriptor(sddl);
foreach (var ace in sd.DiscretionaryAcl)
{
CommonAce common_ace = ace as CommonAce;
if (common_ace != null)
{
if (common_ace.AceType == AceType.AccessAllowed &&
common_ace.SecurityIdentifier.Value.StartsWith("S-1-15-"))
{
return(true);
}
}
}
return(false);
}
public static IntPtr SddlToSid(string sddl)
{
// convert the sddl and set the owner and group
var rawSd = new RawSecurityDescriptor(sddl);
using (var identity = WindowsIdentity.GetCurrent())
{
rawSd.Owner = identity.User;
rawSd.Group = (SecurityIdentifier)identity.Groups[0].Translate(typeof(SecurityIdentifier));
}
// convert the managed sd into local heap buffer
var buffer = new byte[rawSd.BinaryLength];
rawSd.GetBinaryForm(buffer, 0);
var newSd = Win32.LocalAlloc(Win32.LMEM_FIXED, buffer.Length);
if (newSd == IntPtr.Zero)
{
throw new Win32Exception();
}
Marshal.Copy(buffer, 0, newSd, buffer.Length);
return(newSd);
}
public static byte[] BuildAclTableBlob(StoreSession session, RawSecurityDescriptor securityDescriptor, RawSecurityDescriptor freeBusySecurityDescriptor)
{
IRecipientSession adrecipientSession = session.GetADRecipientSession(true, ConsistencyMode.IgnoreInvalid);
ExternalUserCollection externalUserCollectionToDispose = null;
bool flag;
string canonicalErrorInformation;
List <AclTableEntry> source;
try
{
source = AclModifyTable.BuildAclTableFromSecurityDescriptor(securityDescriptor, freeBusySecurityDescriptor, new LazilyInitialized <ExternalUserCollection>(delegate()
{
MailboxSession mailboxSession = session as MailboxSession;
externalUserCollectionToDispose = ((mailboxSession != null) ? mailboxSession.GetExternalUsers() : null);
return(externalUserCollectionToDispose);
}), adrecipientSession, new AclTableIdMap(), out flag, out canonicalErrorInformation);
}
finally
{
Util.DisposeIfPresent(externalUserCollectionToDispose);
}
if (!flag)
{
ExTraceGlobals.StorageTracer.TraceError(0L, "Cannot build blob ACL table blob with non-canonical SD");
throw new NonCanonicalACLException(canonicalErrorInformation);
}
FolderSecurity.AclTableAndSecurityDescriptorProperty aclTableAndSD = new FolderSecurity.AclTableAndSecurityDescriptorProperty(new ArraySegment <byte>(AclModifyTable.SerializeTableEntries(source)), source.ToDictionary((AclTableEntry tableEntry) => tableEntry.SecurityIdentifier, delegate(AclTableEntry tableEntry)
{
if (!tableEntry.IsGroup)
{
return(FolderSecurity.SecurityIdentifierType.User);
}
return(FolderSecurity.SecurityIdentifierType.Group);
}), SecurityDescriptor.FromRawSecurityDescriptor(securityDescriptor), SecurityDescriptor.FromRawSecurityDescriptor(freeBusySecurityDescriptor));
return(AclModifyTable.SerializeAclTableAndSecurityDecscriptor(aclTableAndSD));
}
protected override void InternalProcessRecord()
{
TaskLogger.LogEnter();
if (base.IsInherited)
{
return;
}
if ("Owner" == base.ParameterSetName)
{
IConfigurationSession writableSession = base.GetWritableSession(this.DataObject.Id);
ActiveDirectorySecurity activeDirectorySecurity = PermissionTaskHelper.ReadAdSecurityDescriptor(this.DataObject, writableSession, new Task.TaskErrorLoggingDelegate(base.WriteError));
SecurityIdentifier sid = this.owner;
activeDirectorySecurity.SetOwner(sid);
RawSecurityDescriptor sd = new RawSecurityDescriptor(activeDirectorySecurity.GetSecurityDescriptorBinaryForm(), 0);
writableSession.SaveSecurityDescriptor(this.DataObject.Id, sd, true);
string friendlyUserName = SecurityPrincipalIdParameter.GetFriendlyUserName(sid, new Task.TaskVerboseLoggingDelegate(base.WriteVerbose));
base.WriteObject(new OwnerPresentationObject(this.DataObject.Id, friendlyUserName));
}
else
{
base.InternalProcessRecord();
}
TaskLogger.LogExit();
}
/// <summary>
/// Creates pipe with full access rights for everyone.
/// </summary>
/// <exception cref="System.InvalidOperationException">Pipe is already open.</exception>
/// <exception cref="System.IO.IOException">Cannot create named pipe.</exception>
public void CreateWithFullAccess()
{
if (this.SafeHandle != null)
{
throw new InvalidOperationException("Pipe is already open.");
}
var sec = new RawSecurityDescriptor(ControlFlags.DiscretionaryAclPresent, null, null, null, null);
var sa = new NativeMethods.SECURITY_ATTRIBUTES();
sa.nLength = Marshal.SizeOf(typeof(NativeMethods.SECURITY_ATTRIBUTES));
sa.bInheritHandle = true;
byte[] secBinary = new byte[sec.BinaryLength];
sec.GetBinaryForm(secBinary, 0);
sa.lpSecurityDescriptor = Marshal.AllocHGlobal(secBinary.Length);
Marshal.Copy(secBinary, 0, sa.lpSecurityDescriptor, secBinary.Length);
this.SafeHandle = NativeMethods.CreateNamedPipe(this.FullPipeName, NativeMethods.PIPE_ACCESS_DUPLEX, NativeMethods.PIPE_TYPE_BYTE | NativeMethods.PIPE_READMODE_BYTE | NativeMethods.PIPE_WAIT, NativeMethods.PIPE_UNLIMITED_INSTANCES, 4096, 4096, NativeMethods.NMPWAIT_USE_DEFAULT_WAIT, ref sa);
if (this.SafeHandle.IsInvalid)
{
throw new IOException("Cannot create named pipe.", new Win32Exception());
}
}
public static Byte[] GetDefaultSecurity()
{
//https://blogs.technet.microsoft.com/askds/2008/04/18/the-security-descriptor-definition-language-of-love-part-1/
//https://blogs.technet.microsoft.com/askds/2008/05/07/the-security-descriptor-definition-language-of-love-part-2/
byte[] FileSecurity;
/*
* O:BAG:BAD:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;WD)
* O:BA Owner is Administrators
* G:BA Group is Administrators
* D:P DACL is protected
* (A;;FA;;;SY) Allow full file access to LocalSystem
* (A;;FA;;;BA) Allow full file access to Administrators
* (A;;FA;;;WD) Allow full file access to Everyone
*/
String RootSddl = "O:BAG:BAD:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;WD)";
RawSecurityDescriptor RootSecurityDescriptor = new RawSecurityDescriptor(RootSddl);
FileSecurity = new Byte[RootSecurityDescriptor.BinaryLength];
RootSecurityDescriptor.GetBinaryForm(FileSecurity, 0);
return(FileSecurity);
}
public CommonSecurityDescriptor(bool isContainer, bool isDS, RawSecurityDescriptor rawSecurityDescriptor);
public static void TestRemoveAce(string sddl)
{
RawSecurityDescriptor rawSecurityDescriptor = null;
RawAcl rawAcl = null;
RawAcl rawAclVerifier = null;
GenericAce ace = null;
rawSecurityDescriptor = new RawSecurityDescriptor(sddl);
rawAclVerifier = rawSecurityDescriptor.DiscretionaryAcl;
rawAcl = Utils.CopyRawACL(rawAclVerifier);
Assert.True(null != rawAcl && null != rawAclVerifier);
int index = 0;
int count = 0;
//save current count
count = rawAcl.Count;
//test remove at -1
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
index = -1;
rawAcl.RemoveAce(index);
});
//test remove at 0, only need to catch ArgumentOutOfRangeException if Count = 0
index = 0;
try
{
//save a copy of the ace
ace = rawAcl[index];
rawAcl.RemoveAce(index);
Assert.False(0 == count);
//verify the count number decrease one
Assert.False(rawAcl.Count != count - 1);
//verify the rawAcl.BinaryLength is updated correctly
Assert.False(rawAcl.BinaryLength != rawAclVerifier.BinaryLength - ace.BinaryLength);
//verify the removed ace is equal to the originial ace
Assert.False(!Utils.IsAceEqual(ace, rawAclVerifier[index]));
//verify right side aces are equal
Assert.False(!Utils.AclPartialEqual(rawAcl, rawAclVerifier, index, rawAcl.Count - 1, index + 1, count - 1));
}
catch (ArgumentOutOfRangeException)
{
Assert.True(0 == count);
//it is expected, do nothing
}
//now insert that ace back
if (ace != null)
rawAcl.InsertAce(index, ace);
//test remove at Count/2, do not need to catch ArgumentOutOfRangeException
index = count / 2;
//when count/2 = 0 it is reduandent
if (0 != index)
{
//save a copy of the ace
ace = rawAcl[index];
rawAcl.RemoveAce(index);
//verify the count number decrease one
Assert.False(rawAcl.Count != count - 1);
//verify the rawAcl.BinaryLength is updated correctly
Assert.False(rawAcl.BinaryLength != rawAclVerifier.BinaryLength - ace.BinaryLength);
//verify the removed ace is equal to the originial ace
Assert.False(!Utils.IsAceEqual(ace, rawAclVerifier[index]));
//verify the left and right side aces are equal
Assert.False(!Utils.AclPartialEqual(rawAcl, rawAclVerifier, 0, index - 1, 0, index - 1) || !Utils.AclPartialEqual(rawAcl, rawAclVerifier, index, rawAcl.Count - 1, index + 1, count - 1));
//now insert that removed ace
rawAcl.InsertAce(index, ace);
}
//test remove at Count - 1, do not need to catch ArgumentOutOfRangeException
index = count - 1;
//when count -1 = -1, 0, or count/2, it is reduandent
if (-1 != index && 0 != index && count / 2 != index)
{
//save a copy of the ace
ace = rawAcl[index];
rawAcl.RemoveAce(index);
//verify the count number decrease one
Assert.False(rawAcl.Count != count - 1);
//verify the rawAcl.BinaryLength is updated correctly
Assert.False(rawAcl.BinaryLength != rawAclVerifier.BinaryLength - ace.BinaryLength);
//verify the removed ace is equal to the originial ace
Assert.False(!Utils.IsAceEqual(ace, rawAclVerifier[index]));
//verify the left and right side aces are equal
Assert.False(!Utils.AclPartialEqual(rawAcl, rawAclVerifier, 0, index - 1, 0, index - 1) || !Utils.AclPartialEqual(rawAcl, rawAclVerifier, index, rawAcl.Count - 1, index + 1, count - 1));
//now insert that inserted ace
rawAcl.InsertAce(index, ace);
}
//test remove at Count
index = count;
//when count = 0, or count/2, it is reduandent
if (0 != index && count / 2 != index)
{
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
ace = rawAcl[index];
rawAcl.RemoveAce(index);
});
}
}
