/// <summary>
/// Checks how <c>SetFlags</c> interacts with the actual presence of a DACL:
/// setting <c>DiscretionaryAclPresent</c> on a descriptor that has no DACL must
/// not grow the binary form, and clearing it on a descriptor that does have a
/// DACL must drop the DACL (and its offset) from the binary form.
/// </summary>
public void FlagMismatch()
        {
            // Part 1: flag set, DACL absent. 20 bytes = header only
            // (revision, sbz1, control word, four 32-bit offsets).
            var descriptor = new RawSecurityDescriptor("");
            Assert.AreEqual(20, descriptor.BinaryLength);

            descriptor.SetFlags(ControlFlags.DiscretionaryAclPresent);
            Assert.AreEqual(20, descriptor.BinaryLength);

            var actual = new byte[descriptor.BinaryLength];
            descriptor.GetBinaryForm(actual, 0);
            // Control word 0x8004 = SelfRelative | DiscretionaryAclPresent; every offset is zero.
            // Note for readers: in a Windows access check a descriptor in this state (DACL
            // flagged present, DACL offset zero) is a NULL DACL, which grants everyone full
            // access — not to be confused with an empty DACL, which grants nobody anything.
            byte[] expected = {
                0x01, 0x00, 0x04, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
            };
            Assert.AreEqual(expected, actual);

            // Part 2: flag cleared on a descriptor whose SDDL carries a DACL.
            // 80 -> 52 bytes: owner and group survive, the DACL is no longer serialized.
            descriptor = new RawSecurityDescriptor("O:BUG:BAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)");
            Assert.AreEqual(80, descriptor.BinaryLength);

            descriptor.SetFlags(descriptor.ControlFlags & ~ControlFlags.DiscretionaryAclPresent);
            Assert.AreEqual(ControlFlags.SelfRelative, descriptor.ControlFlags);
            Assert.AreEqual(52, descriptor.BinaryLength);

            actual = new byte[descriptor.BinaryLength];
            descriptor.GetBinaryForm(actual, 0);
            // Control word 0x8000 = SelfRelative only; owner at 0x14, group at 0x24,
            // SACL and DACL offsets zero; then the two SIDs (S-1-5-32-545, S-1-5-32-544).
            expected = new byte[] {
                0x01, 0x00, 0x00, 0x80, 0x14, 0x00, 0x00, 0x00, 0x24, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00,
                0x00, 0x00, 0x21, 0x02, 0x00, 0x00, 0x01, 0x02, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x20, 0x02,
                0x00, 0x00
            };
            Assert.AreEqual(expected, actual);
        }
        /// <summary>
        /// Exercises <c>GetSddlForm</c>: an empty descriptor yields "", sections that
        /// are not requested are omitted, present-but-empty ACLs render as bare
        /// "D:" / "S:" markers, ACEs use SID aliases where one exists, the DACL/SACL
        /// inheritance control flags are rendered as P/AR/AI, and ServerSecurity and
        /// DiscretionaryAclDefaulted leave the SDDL string unchanged.
        /// </summary>
        public void GetSddlForm()
        {
            var descriptor = new RawSecurityDescriptor("");
            Assert.AreEqual("", descriptor.GetSddlForm(AccessControlSections.All));

            // Owner and group are set, but only the Access section is requested.
            var builtInUsers  = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null);
            var builtInAdmins = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
            descriptor.Owner = builtInUsers;
            descriptor.Group = builtInAdmins;
            Assert.AreEqual("", descriptor.GetSddlForm(AccessControlSections.Access));

            // Present-but-empty ACLs: "D:" and "S:" with nothing after them.
            descriptor.DiscretionaryAcl = new RawAcl(2, 0);
            descriptor.SystemAcl        = new RawAcl(1, 0);
            descriptor.SetFlags(descriptor.ControlFlags | ControlFlags.DiscretionaryAclPresent | ControlFlags.SystemAclPresent);
            Assert.AreEqual("O:BUG:BAD:S:", descriptor.GetSddlForm(AccessControlSections.All));

            // One allow ACE for a well-known SID: rendered with its "BA" alias.
            var allowAdmins = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 0x7FFFFFFF, builtInAdmins, false, null);
            descriptor.DiscretionaryAcl.InsertAce(0, allowAdmins);
            Assert.AreEqual("O:BUG:BAD:(A;;0x7fffffff;;;BA)S:", descriptor.GetSddlForm(AccessControlSections.All));

            // A callback deny ACE (isCallback = true -> "XD") for a SID with no alias,
            // inserted at index 0 so it is listed first; group not requested -> no "G:".
            var randomUser   = new SecurityIdentifier("S-1-5-21-324-23423-234-334");
            var denyCallback = new CommonAce(AceFlags.Inherited | AceFlags.ContainerInherit, AceQualifier.AccessDenied, 0x12345678, randomUser, true, null);
            descriptor.DiscretionaryAcl.InsertAce(0, denyCallback);
            Assert.AreEqual("O:BUD:(XD;CIID;0x12345678;;;S-1-5-21-324-23423-234-334)(A;;0x7fffffff;;;BA)", descriptor.GetSddlForm(AccessControlSections.Owner | AccessControlSections.Access));

            // Inheritance control flags appear as P, AR, AI right after "D:" / "S:".
            descriptor.SetFlags(descriptor.ControlFlags | ControlFlags.DiscretionaryAclProtected | ControlFlags.DiscretionaryAclAutoInherited | ControlFlags.DiscretionaryAclAutoInheritRequired | ControlFlags.SystemAclAutoInherited);
            descriptor.DiscretionaryAcl = new RawAcl(1, 0);
            descriptor.DiscretionaryAcl.InsertAce(0, new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 0x7FFFFFFF, builtInAdmins, false, null));
            Assert.AreEqual("O:BUG:BAD:PARAI(A;;0x7fffffff;;;BA)S:AI", descriptor.GetSddlForm(AccessControlSections.All));

            // ServerSecurity and DiscretionaryAclDefaulted are not rendered.
            descriptor.SetFlags(descriptor.ControlFlags | ControlFlags.ServerSecurity | ControlFlags.DiscretionaryAclDefaulted);
            Assert.AreEqual("O:BUG:BAD:PARAI(A;;0x7fffffff;;;BA)S:AI", descriptor.GetSddlForm(AccessControlSections.All));
        }
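 /// <summary>
 /// Best-effort hardening of the current process object: writes a security
 /// descriptor whose DACL is present but contains no ACEs (owner = LocalSystem),
 /// so the discretionary check grants no trustee any access to the process handle.
 /// </summary>
 /// <remarks>
 /// An empty DACL is not a null DACL: with <c>DiscretionaryAclPresent</c> set and
 /// no DACL object, Windows treats the DACL as absent and grants everyone full
 /// access. Accounts whose privileges bypass DACL checks (e.g. SeDebugPrivilege)
 /// and the owner's implicit READ_CONTROL/WRITE_DAC are unaffected. The original
 /// code swallowed every exception; that best-effort behaviour is kept, since the
 /// caller has no result to act on. Also fixes a leak: the <see cref="Process"/>
 /// returned by <c>GetCurrentProcess</c> is disposable and was never disposed.
 /// </remarks>
 private static void ProcessSecure()
 {
     try
     {
         var owner = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null);
         // RawAcl(revision 2, capacity 0): present, empty DACL.
         var sd = new RawSecurityDescriptor(ControlFlags.None, owner, null, null, new RawAcl(2, 0));
         sd.SetFlags(ControlFlags.DiscretionaryAclPresent | ControlFlags.DiscretionaryAclDefaulted);

         var rawSd = new byte[sd.BinaryLength];
         sd.GetBinaryForm(rawSd, 0);

         using (var current = Process.GetCurrentProcess())
         {
             // The Boolean result carried no information this void method could act on;
             // the former `if (!...) return;` was a no-op branch.
             SetKernelObjectSecurity(current.Handle, SecurityInfos.DiscretionaryAcl, rawSd);
         }
     }
     catch
     {
         // Deliberately best-effort (see <remarks>).
     }
 }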
 /// <summary>
 /// Applies a security descriptor with a present-but-empty DACL (owner = LocalSystem)
 /// to the current process object, so that no trustee is granted access through the
 /// discretionary check. Privileges that bypass DACL evaluation still apply.
 /// </summary>
 /// <returns>
 /// <c>true</c> when <c>WinAPI.SetKernelObjectSecurity</c> returned non-zero;
 /// <c>false</c> when it returned zero or when any exception was thrown.
 /// </returns>
 public static bool ProtectProcess()
 {
     try
     {
         var owner     = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null);
         var emptyDacl = new RawAcl(2, 0);
         var descriptor = new RawSecurityDescriptor(ControlFlags.None, owner, null, null, emptyDacl);
         descriptor.SetFlags(ControlFlags.DiscretionaryAclPresent | ControlFlags.DiscretionaryAclDefaulted);

         var binary = new byte[descriptor.BinaryLength];
         descriptor.GetBinaryForm(binary, 0);

         var status = WinAPI.SetKernelObjectSecurity(WinAPI.GetCurrentProcess(), SecurityInfos.DiscretionaryAcl, binary);
         return status != 0;
     }
     catch
     {
         // Any failure (P/Invoke or managed) is reported as "not protected".
         return false;
     }
 }
        /// <summary>
        /// Loads the store security descriptor of the mailbox identified by
        /// <paramref name="deletedMailboxGuid"/>, creating a fresh one when the store
        /// reports the mailbox as not found, and ensures the DACL carries an allow ACE
        /// for SELF. For the Linked/Shared/Room/Equipment parameter sets the AD
        /// security descriptor of <paramref name="userToConnect"/> is updated and saved too.
        /// </summary>
        /// <param name="userSid">Not referenced by this method; kept for signature compatibility.</param>
        /// <param name="userToConnect">AD user whose descriptor is read and saved for the linked-style parameter sets.</param>
        /// <param name="mapiAdministrationSession">Session used to read the store descriptor and purge the cached mailbox object.</param>
        /// <param name="database">Database the mailbox lives in.</param>
        /// <param name="deletedMailboxGuid">GUID of the mailbox whose descriptor is updated.</param>
        /// <param name="parameterSetName">Cmdlet parameter set; "Linked", "Shared", "Room" and "Equipment" trigger the AD update.</param>
        /// <param name="verboseLogger">Invoked with a verbose message before the AD descriptor is saved.</param>
        /// <returns>The (possibly newly created) store security descriptor, flagged self-relative.</returns>
        private static RawSecurityDescriptor UpdateMailboxSecurityDescriptor(SecurityIdentifier userSid, ADUser userToConnect, MapiAdministrationSession mapiAdministrationSession, MailboxDatabase database, Guid deletedMailboxGuid, string parameterSetName, Task.TaskVerboseLoggingDelegate verboseLogger)
        {
            RawSecurityDescriptor descriptor;
            try
            {
                MailboxId mailboxId = new MailboxId(MapiTaskHelper.ConvertDatabaseADObjectToDatabaseId(database), deletedMailboxGuid);
                descriptor = mapiAdministrationSession.GetMailboxSecurityDescriptor(mailboxId);
            }
            catch (Microsoft.Exchange.Data.Mapi.Common.MailboxNotFoundException)
            {
                // No store object: build a self-relative descriptor owned by the caller's
                // identity with an empty (not null) DACL, so nothing is granted implicitly.
                SecurityIdentifier callerSid = WindowsIdentity.GetCurrent().User;
                descriptor = new RawSecurityDescriptor(ControlFlags.DiscretionaryAclDefaulted | ControlFlags.SystemAclDefaulted | ControlFlags.SelfRelative, callerSid, callerSid, null, null);

                DiscretionaryAcl emptyDacl = new DiscretionaryAcl(true, true, 0);
                byte[]           daclBytes = new byte[emptyDacl.BinaryLength];
                emptyDacl.GetBinaryForm(daclBytes, 0);
                descriptor.DiscretionaryAcl = new RawAcl(daclBytes, 0);
            }

            // Grant SELF unless an ACE for it is already present.
            bool selfAlreadyPresent = false;
            foreach (GenericAce entry in descriptor.DiscretionaryAcl)
            {
                // Hard cast kept from the original: a non-KnownAce would throw InvalidCastException.
                KnownAce known = (KnownAce)entry;
                if (known.SecurityIdentifier.IsWellKnown(WellKnownSidType.SelfSid))
                {
                    selfAlreadyPresent = true;
                    break;
                }
            }
            if (!selfAlreadyPresent)
            {
                SecurityIdentifier self = new SecurityIdentifier(WellKnownSidType.SelfSid, null);
                // 131073 == 0x20001; the store-specific meaning of this mask is not documented here.
                CommonAce selfAllow = new CommonAce(AceFlags.ContainerInherit, AceQualifier.AccessAllowed, 131073, self, false, null);
                descriptor.DiscretionaryAcl.InsertAce(0, selfAllow);
            }
            descriptor.SetFlags(descriptor.ControlFlags | ControlFlags.SelfRelative);

            switch (parameterSetName)
            {
                case "Linked":
                case "Shared":
                case "Room":
                case "Equipment":
                {
                    RawSecurityDescriptor adDescriptor = userToConnect.ReadSecurityDescriptor();
                    // Both descriptors are passed by ref: the helper may replace either one.
                    MailboxTaskHelper.GrantPermissionToLinkedUserAccount(userToConnect.MasterAccountSid, ref descriptor, ref adDescriptor);
                    verboseLogger(Strings.VerboseSaveADSecurityDescriptor(userToConnect.Id.ToString()));
                    userToConnect.SaveSecurityDescriptor(adDescriptor);
                    break;
                }
            }

            mapiAdministrationSession.Administration.PurgeCachedMailboxObject(deletedMailboxGuid);
            return descriptor;
        }
        /// <summary>
        /// Verifies the self-relative binary form produced by <c>GetBinaryForm</c> for a
        /// descriptor with owner BUILTIN\Users, group BUILTIN\Administrators, an empty
        /// SACL and a DACL that is first empty, then holds one CommonAce, then one ObjectAce.
        /// Expected vectors are kept verbatim; a mis-typed byte would silently corrupt
        /// the oracle, which is why this block is annotated rather than rewritten.
        /// </summary>
        public void GetBinaryForm()
        {
            RawSecurityDescriptor sd = new RawSecurityDescriptor("");

            sd.Owner            = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null);
            sd.Group            = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
            sd.DiscretionaryAcl = new RawAcl(1, 0);
            sd.SystemAcl        = new RawAcl(1, 0);
            sd.SetFlags(sd.ControlFlags | ControlFlags.DiscretionaryAclPresent | ControlFlags.SystemAclPresent);

            // Empty ACL form
            byte[] buffer = new byte[sd.BinaryLength];
            sd.GetBinaryForm(buffer, 0);
            // Layout: 01 00 | 14 80 (control 0x8014 = SelfRelative|SaclPresent|DaclPresent)
            //         | owner @0x14 | group @0x24 | SACL @0x34 | DACL @0x3C
            //         | owner SID S-1-5-32-545 | group SID S-1-5-32-544
            //         | SACL header (rev 1, size 8, 0 ACEs) | DACL header (rev 1, size 8, 0 ACEs)
            byte[] sdBinary = new byte[] {
                0x01, 0x00, 0x14, 0x80, 0x14, 0x00, 0x00, 0x00, 0x24, 0x00,
                0x00, 0x00, 0x34, 0x00, 0x00, 0x00, 0x3C, 0x00, 0x00, 0x00,
                0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00,
                0x00, 0x00, 0x21, 0x02, 0x00, 0x00, 0x01, 0x02, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x20, 0x02,
                0x00, 0x00, 0x01, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x01, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00
            };
            Assert.AreEqual(sdBinary, buffer);

            // Add an ACE to the DACL
            SecurityIdentifier builtInAdmins = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
            CommonAce          ace           = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 0x7FFFFFFF, builtInAdmins, false, null);

            sd.DiscretionaryAcl.InsertAce(0, ace);
            buffer = new byte[sd.BinaryLength];
            sd.GetBinaryForm(buffer, 0);
            // Header, SIDs and SACL unchanged; the DACL header now reads size 0x20, 1 ACE,
            // followed by an ACCESS_ALLOWED ACE: type 00, flags 00, size 0x18,
            // mask FF FF FF 7F (0x7FFFFFFF), then the BUILTIN\Administrators SID.
            sdBinary = new byte[] {
                0x01, 0x00, 0x14, 0x80, 0x14, 0x00, 0x00, 0x00, 0x24, 0x00,
                0x00, 0x00, 0x34, 0x00, 0x00, 0x00, 0x3C, 0x00, 0x00, 0x00,
                0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00,
                0x00, 0x00, 0x21, 0x02, 0x00, 0x00, 0x01, 0x02, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x20, 0x02,
                0x00, 0x00, 0x01, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x01, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x18, 0x00, 0xFF, 0xFF, 0xFF, 0x7F, 0x01, 0x02, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x20, 0x02,
                0x00, 0x00
            };
            Assert.AreEqual(sdBinary, buffer);

            // This time with an Object ACE
            ObjectAce objectAce = new ObjectAce(AceFlags.Inherited, AceQualifier.AccessAllowed, 0x12345678, builtInAdmins, ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent, new Guid("189c0dc7-b849-4dea-93a5-6d4cb8857a5c"), new Guid("53b4a3d4-fe39-468b-bc60-b4fcba772fa5"), false, null);

            // Object ACEs need ACL revision 2 (DS revision), hence the fresh RawAcl(2, 0).
            sd.DiscretionaryAcl = new RawAcl(2, 0);
            sd.DiscretionaryAcl.InsertAce(0, objectAce);
            buffer = new byte[sd.BinaryLength];
            sd.GetBinaryForm(buffer, 0);
            // DACL header: rev 02, size 0x44, 1 ACE. ACE: type 05 (ACCESS_ALLOWED_OBJECT),
            // flags 0x10 (Inherited), size 0x3C, mask 78 56 34 12 (0x12345678),
            // object flags 03 (both GUIDs present), the two GUIDs in mixed-endian on-wire
            // order (first three fields little-endian), then the BUILTIN\Administrators SID.
            sdBinary = new byte[] {
                0x01, 0x00, 0x14, 0x80, 0x14, 0x00, 0x00, 0x00, 0x24, 0x00,
                0x00, 0x00, 0x34, 0x00, 0x00, 0x00, 0x3C, 0x00, 0x00, 0x00,
                0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00,
                0x00, 0x00, 0x21, 0x02, 0x00, 0x00, 0x01, 0x02, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x20, 0x02,
                0x00, 0x00, 0x01, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x02, 0x00, 0x44, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x10,
                0x3C, 0x00, 0x78, 0x56, 0x34, 0x12, 0x03, 0x00, 0x00, 0x00,
                0xC7, 0x0D, 0x9C, 0x18, 0x49, 0xB8, 0xEA, 0x4D, 0x93, 0xA5,
                0x6D, 0x4C, 0xB8, 0x85, 0x7A, 0x5C, 0xD4, 0xA3, 0xB4, 0x53,
                0x39, 0xFE, 0x8B, 0x46, 0xBC, 0x60, 0xB4, 0xFC, 0xBA, 0x77,
                0x2F, 0xA5, 0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
                0x20, 0x00, 0x00, 0x00, 0x20, 0x02, 0x00, 0x00
            };
            Assert.AreEqual(sdBinary, buffer);
        }