Example #1
0
        internal static int SetSecurityInfo(
            ResourceType type,
            string name,
            SafeHandle handle,
            SecurityInfos securityInformation,
            SecurityIdentifier owner,
            SecurityIdentifier group,
            GenericAcl sacl,
            GenericAcl dacl)
        {
            int errorCode;
            int Length;

            byte[]    OwnerBinary       = null, GroupBinary = null, SaclBinary = null, DaclBinary = null;
            Privilege securityPrivilege = null;

            //
            // Demand unmanaged code permission
            // The integrator layer is free to assert this permission
            // and, in turn, demand another permission of its caller
            //

            new SecurityPermission(SecurityPermissionFlag.UnmanagedCode).Demand();

            if (owner != null)
            {
                Length      = owner.BinaryLength;
                OwnerBinary = new byte[Length];
                owner.GetBinaryForm(OwnerBinary, 0);
            }

            if (@group != null)
            {
                Length      = @group.BinaryLength;
                GroupBinary = new byte[Length];
                @group.GetBinaryForm(GroupBinary, 0);
            }

            if (dacl != null)
            {
                Length     = dacl.BinaryLength;
                DaclBinary = new byte[Length];
                dacl.GetBinaryForm(DaclBinary, 0);
            }

            if (sacl != null)
            {
                Length     = sacl.BinaryLength;
                SaclBinary = new byte[Length];
                sacl.GetBinaryForm(SaclBinary, 0);
            }

            if ((securityInformation & SecurityInfos.SystemAcl) != 0)
            {
                //
                // Enable security privilege if trying to set a SACL.
                // Note: even setting it by handle needs this privilege enabled!
                //

                securityPrivilege = new Privilege(Privilege.Security);
            }

            // Ensure that the finally block will execute
            RuntimeHelpers.PrepareConstrainedRegions();

            try
            {
                if (securityPrivilege != null)
                {
                    try
                    {
                        securityPrivilege.Enable();
                    }
                    catch (PrivilegeNotHeldException)
                    {
                        // we will ignore this exception and press on just in case this is a remote resource
                    }
                }

                if (name != null)
                {
                    errorCode = (int)NativeMethods.SetSecurityInfoByName(name, (uint)type, (uint)securityInformation, OwnerBinary, GroupBinary, DaclBinary, SaclBinary);
                }
                else if (handle != null)
                {
                    if (handle.IsInvalid)
                    {
                        throw new ArgumentException("Invalid safe handle");
                    }
                    else
                    {
                        errorCode = (int)NativeMethods.SetSecurityInfoByHandle(handle, (uint)type, (uint)securityInformation, OwnerBinary, GroupBinary, DaclBinary, SaclBinary);
                    }
                }
                else
                {
                    // both are null, shouldn't happen
                    throw new InvalidProgramException();
                }

                if (errorCode == NativeMethods.ERROR_NOT_ALL_ASSIGNED ||
                    errorCode == NativeMethods.ERROR_PRIVILEGE_NOT_HELD)
                {
                    throw new PrivilegeNotHeldException(Privilege.Security);
                }
                else if (errorCode == NativeMethods.ERROR_ACCESS_DENIED ||
                         errorCode == NativeMethods.ERROR_CANT_OPEN_ANONYMOUS)
                {
                    throw new UnauthorizedAccessException();
                }
                else if (errorCode != NativeMethods.ERROR_SUCCESS)
                {
                    goto Error;
                }
            }
            catch
            {
                // protection against exception filter-based luring attacks
                if (securityPrivilege != null)
                {
                    securityPrivilege.Revert();
                }
                throw;
            }
            finally
            {
                if (securityPrivilege != null)
                {
                    securityPrivilege.Revert();
                }
            }

            return(0);

Error:

            if (errorCode == NativeMethods.ERROR_NOT_ENOUGH_MEMORY)
            {
                throw new OutOfMemoryException();
            }

            return(errorCode);
        }
Example #2
0
        public static void RunWithPrivilege( string privilege, bool enabled, PrivilegedCallback callback, object state )
        {
            if ( callback == null )
            {
                throw new ArgumentNullException( "callback" );
            }

            Privilege p = new Privilege( privilege );

            RuntimeHelpers.PrepareConstrainedRegions();

            try
            {
                if (enabled)
                {
                    p.Enable();
                }
                else
                {
                    p.Disable();
                }

                callback(state);
            }
            catch
            {
                p.Revert();
                throw;
            }
            finally
            {
                p.Revert();
            }
        }
Example #3
0
        public static Int32 SetSecurityInfo(ResourceType type, [NotNull] String name, SecurityInfos securityInformation,
                                            [CanBeNull] SecurityIdentifier owner, [CanBeNull] SecurityIdentifier group, [CanBeNull] GenericAcl sacl, [CanBeNull] GenericAcl dacl)
        {
            name = name.ThrowIfBlank();

            if (!Enum.IsDefined(enumType: typeof(ResourceType), type))
            {
                throw new InvalidEnumArgumentException(argumentName: nameof(type), invalidValue: ( Int32 )type, enumClass: typeof(ResourceType));
            }

            if (!Enum.IsDefined(enumType: typeof(SecurityInfos), securityInformation))
            {
                throw new InvalidEnumArgumentException(argumentName: nameof(securityInformation), invalidValue: ( Int32 )securityInformation,
                                                       enumClass: typeof(SecurityInfos));
            }

            Int32 errorCode;
            Int32 Length;

            Byte[]    OwnerBinary       = null, GroupBinary = null, SaclBinary = null, DaclBinary = null;
            Privilege securityPrivilege = null;

            // Demand unmanaged code permission
            // The integrator layer is free to assert this permission and, in turn, demand another permission of its caller

            new SecurityPermission(SecurityPermissionFlag.UnmanagedCode).Demand();

            if (owner != null)
            {
                Length      = owner.BinaryLength;
                OwnerBinary = new Byte[Length];
                owner.GetBinaryForm(OwnerBinary, 0);
            }

            if (group != null)
            {
                Length      = group.BinaryLength;
                GroupBinary = new Byte[Length];
                group.GetBinaryForm(GroupBinary, 0);
            }

            if (dacl != null)
            {
                Length     = dacl.BinaryLength;
                DaclBinary = new Byte[Length];
                dacl.GetBinaryForm(DaclBinary, 0);
            }

            if (sacl != null)
            {
                Length     = sacl.BinaryLength;
                SaclBinary = new Byte[Length];
                sacl.GetBinaryForm(SaclBinary, 0);
            }

            if ((securityInformation & SecurityInfos.SystemAcl) != 0)
            {
                // Enable security privilege if trying to set a SACL.
                // Note: even setting it by handle needs this privilege enabled!

                securityPrivilege = new Privilege(Privilege.Security);
            }

            // Ensure that the finally block will execute
            RuntimeHelpers.PrepareConstrainedRegions();

            try {
                if (securityPrivilege != null)
                {
                    try {
                        securityPrivilege.Enable();
                    }
                    catch (PrivilegeNotHeldException) {
                        // we will ignore this exception and press on just in case this is a remote resource
                    }
                }

                errorCode = ( Int32 )NativeMethods.SetSecurityInfoByName(name, ( UInt32 )type, ( UInt32 )securityInformation, OwnerBinary, GroupBinary, DaclBinary,
                                                                         SaclBinary);

                switch (errorCode)
                {
                case NativeMethods.ERROR_NOT_ALL_ASSIGNED:
                case NativeMethods.ERROR_PRIVILEGE_NOT_HELD:

                    throw new PrivilegeNotHeldException(Privilege.Security);

                case NativeMethods.ERROR_ACCESS_DENIED:
                case NativeMethods.ERROR_CANT_OPEN_ANONYMOUS:

                    throw new UnauthorizedAccessException();
                }

                if (errorCode != NativeMethods.ERROR_SUCCESS)
                {
                    goto Error;
                }
            }
            catch {
                // protection against exception filter-based luring attacks
                securityPrivilege?.Revert();

                throw;
            }
            finally {
                securityPrivilege?.Revert();
            }

            return(0);

Error:

            if (errorCode == NativeMethods.ERROR_NOT_ENOUGH_MEMORY)
            {
                throw new OutOfMemoryException();
            }

            return(errorCode);
        }