GetSecurityDescriptorBinaryForm() public method

public GetSecurityDescriptorBinaryForm ( ) : byte[]
return byte[]
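 /// <summary>
 /// Builds the native image of a managed security object: the binary security descriptor is
 /// copied into a freshly allocated HGlobal block and the inherit-handle flag is recorded
 /// (the field layout presumably mirrors the Win32 SECURITY_ATTRIBUTES structure).
 /// </summary>
 /// <param name="managedSecurityObject">Managed security object whose descriptor is marshalled.</param>
 /// <param name="inheritHandle">Value stored in the inherit-handle field of the native structure.</param>
 /// <exception cref="ArgumentNullException"><paramref name="managedSecurityObject"/> is null.</exception>
 public NativeSecurityAttributes(ObjectSecurity managedSecurityObject, bool inheritHandle)
 {
   if (managedSecurityObject == null)
   {
     // Reject before any unmanaged memory is allocated so a bad argument cannot leak a block.
     throw new ArgumentNullException(nameof(managedSecurityObject));
   }

   length = Marshal.SizeOf(typeof(NativeSecurityAttributes));

   byte[] binarySecurityDescriptor = managedSecurityObject.GetSecurityDescriptorBinaryForm();

   // The descriptor is handed to native code, so it has to live in unmanaged memory.
   // NOTE(review): the block is not released in this type's visible code; confirm the owner
   // calls Marshal.FreeHGlobal on securityDescriptor once the native call has completed.
   securityDescriptor = Marshal.AllocHGlobal(binarySecurityDescriptor.Length);
   Marshal.Copy(binarySecurityDescriptor, 0, securityDescriptor, binarySecurityDescriptor.Length);

   this.inheritHandle = inheritHandle;
 }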
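        /// <summary>
        /// Reorders the ACEs of the DACL of <paramref name="objectSecurity"/> into canonical form
        /// (the order <see cref="ObjectSecurity.AreAccessRulesCanonical"/> reports as canonical).
        /// Owner, group and SACL are left untouched.
        /// </summary>
        /// <param name="objectSecurity">The object security whose DiscretionaryAcl will be made canonical.</param>
        /// <exception cref="ArgumentNullException"><paramref name="objectSecurity"/> is null.</exception>
        public static void CanonicalizeAccessRules(this ObjectSecurity objectSecurity)
        {
            if (objectSecurity == null)
            {
                throw new ArgumentNullException(nameof(objectSecurity));
            }

            // Nothing to do when the framework already considers the DACL canonical.
            if (objectSecurity.AreAccessRulesCanonical)
            {
                return;
            }

            // Work on a raw copy of the descriptor so its ACEs can be reordered.
            var sd = new RawSecurityDescriptor(objectSecurity.GetSecurityDescriptorBinaryForm(), 0);

            // A descriptor carrying a NULL DACL has no ACEs to reorder; return instead of
            // dereferencing null. (A NULL DACL means "no access restrictions" and is not changed here.)
            if (sd.DiscretionaryAcl == null)
            {
                return;
            }

            sd.DiscretionaryAcl.Canonicalize();

            // Write back only the Access section: the other sections came from the same object an
            // instant ago, and limiting the write keeps owner/group/SACL state exactly as it was.
            objectSecurity.SetSecurityDescriptorBinaryForm(sd.GetBinaryForm(), AccessControlSections.Access);
        }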
 /// <summary>
 /// Marshals the binary security descriptor of <paramref name="securityDescriptor"/> into a
 /// global-memory buffer that can be handed to native code.
 /// </summary>
 /// <param name="securityDescriptor">Managed security object to marshal; may be null.</param>
 /// <returns>
 /// A buffer holding the descriptor bytes, or an empty <see cref="SafeGlobalMemoryBufferHandle"/>
 /// when <paramref name="securityDescriptor"/> is null. The caller owns the returned handle.
 /// </returns>
 private static SafeGlobalMemoryBufferHandle ToUnmanagedSecurityAttributes(ObjectSecurity securityDescriptor)
 {
    // No descriptor: hand back an empty buffer rather than failing.
    if (securityDescriptor is null)
    {
       return new SafeGlobalMemoryBufferHandle();
    }

    byte[] descriptorBytes = securityDescriptor.GetSecurityDescriptorBinaryForm();
    int byteCount = descriptorBytes.Length;

    SafeGlobalMemoryBufferHandle buffer = new SafeGlobalMemoryBufferHandle(byteCount);
    bool handedOver = false;
    try
    {
       buffer.CopyFrom(descriptorBytes, 0, byteCount);
       handedOver = true;
       return buffer;
    }
    finally
    {
       // Only a successfully filled buffer reaches the caller; if CopyFrom throws, release the
       // unmanaged allocation here so it does not leak with the exception.
       if (!handedOver)
       {
          buffer.Close();
       }
    }
 }
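 /// <summary>
 /// Applies the requested <paramref name="sections"/> of <paramref name="sd"/> to the file or
 /// directory at <paramref name="path"/> and then reports the resulting descriptor through
 /// <c>WriteSecurityDescriptorObject</c>.
 /// </summary>
 /// <param name="path">File-system path whose security descriptor is replaced.</param>
 /// <param name="sd">Source security descriptor; its binary form is copied onto the target.</param>
 /// <param name="sections">Which sections of <paramref name="sd"/> (owner, group, DACL, SACL) are applied.</param>
 /// <exception cref="ArgumentNullException"><paramref name="sd"/> is null.</exception>
 private void SetSecurityDescriptor(string path, ObjectSecurity sd, AccessControlSections sections)
 {
     if (sd == null)
     {
         throw new ArgumentNullException(nameof(sd));
     }

     byte[] securityDescriptorBinaryForm = sd.GetSecurityDescriptorBinaryForm();

     // Directory.Exists only decides which security type is built; a path that is neither a
     // directory nor an existing file takes the file branch and is expected to fail inside
     // File.SetAccessControl. The probe and the write are separate calls, so the object at
     // the path could change between them.
     if (Directory.Exists(path))
     {
         var directorySecurity = new DirectorySecurity();
         directorySecurity.SetSecurityDescriptorBinaryForm(securityDescriptorBinaryForm, sections);
         Directory.SetAccessControl(path, directorySecurity);
         base.WriteSecurityDescriptorObject(directorySecurity, path);
     }
     else
     {
         var fileSecurity = new FileSecurity();
         fileSecurity.SetSecurityDescriptorBinaryForm(securityDescriptorBinaryForm, sections);
         File.SetAccessControl(path, fileSecurity);
         base.WriteSecurityDescriptorObject(fileSecurity, path);
     }
 }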
      /// <summary>
      /// Writes the selected sections of <paramref name="objectSecurity"/> to a file-system object
      /// addressed either by <paramref name="path"/> (SetNamedSecurityInfo) or, when the path is
      /// empty, by <paramref name="handle"/> (SetSecurityInfo). The SecurityInformation flags passed
      /// to the native call are derived from which sections are requested and actually present in
      /// the descriptor, so a section missing from the descriptor is never written as empty.
      /// </summary>
      /// <param name="path">Path of the target object; when null/whitespace the handle is used instead.</param>
      /// <param name="handle">Open handle to the target object, consulted only when <paramref name="path"/> is empty.</param>
      /// <param name="objectSecurity">Source descriptor whose binary form is copied to unmanaged memory.</param>
      /// <param name="includeSections">Sections (Access, Audit, Owner, Group) to transfer.</param>
      /// <param name="pathFormat">How <paramref name="path"/> is to be interpreted; relative paths are validated first.</param>
      /// <exception cref="ArgumentNullException"><paramref name="objectSecurity"/> is null.</exception>
      internal static void SetAccessControlInternal(string path, SafeHandle handle, ObjectSecurity objectSecurity, AccessControlSections includeSections, PathFormat pathFormat)
      {
         if (pathFormat == PathFormat.RelativePath)
            Path.CheckValidPath(path, true, true);

         if (objectSecurity == null)
            throw new ArgumentNullException("objectSecurity");

         // The self-relative descriptor is copied into unmanaged memory; every pointer obtained
         // below (pDacl, pSacl, pOwner, pGroup) refers into this buffer per the Win32
         // GetSecurityDescriptor* contract and is therefore only valid inside this using block.
         byte[] managedDescriptor = objectSecurity.GetSecurityDescriptorBinaryForm();
         using (var safeBuffer = new SafeGlobalMemoryBufferHandle(managedDescriptor.Length))
         {
            string pathLp = Path.GetExtendedLengthPathInternal(null, path, pathFormat, GetFullPathOptions.RemoveTrailingDirectorySeparator | GetFullPathOptions.CheckInvalidPathChars);

            safeBuffer.CopyFrom(managedDescriptor, 0, managedDescriptor.Length);

            // The control flags carry the DACL/SACL "protected" bits, which decide below whether
            // inheritance from the parent is blocked or allowed on the target.
            SecurityDescriptorControl control;
            uint revision;
            if (!Security.NativeMethods.GetSecurityDescriptorControl(safeBuffer, out control, out revision))
               NativeError.ThrowException(Marshal.GetLastWin32Error(), pathLp);

            // Only created when a SACL is actually written; disposed in the finally below.
            PrivilegeEnabler privilegeEnabler = null;
            try
            {
               var securityInfo = SecurityInformation.None;

               IntPtr pDacl = IntPtr.Zero;
               if ((includeSections & AccessControlSections.Access) != 0)
               {
                  bool daclDefaulted, daclPresent;
                  if (!Security.NativeMethods.GetSecurityDescriptorDacl(safeBuffer, out daclPresent, out pDacl, out daclDefaulted))
                     NativeError.ThrowException(Marshal.GetLastWin32Error(), pathLp);

                  // Access was requested but the descriptor has no DACL: nothing is written for it.
                  if (daclPresent)
                  {
                     securityInfo |= SecurityInformation.Dacl;
                     securityInfo |= (control & SecurityDescriptorControl.DaclProtected) != 0
                        ? SecurityInformation.ProtectedDacl
                        : SecurityInformation.UnprotectedDacl;
                  }
               }

               IntPtr pSacl = IntPtr.Zero;
               if ((includeSections & AccessControlSections.Audit) != 0)
               {
                  bool saclDefaulted, saclPresent;
                  if (!Security.NativeMethods.GetSecurityDescriptorSacl(safeBuffer, out saclPresent, out pSacl, out saclDefaulted))
                     NativeError.ThrowException(Marshal.GetLastWin32Error(), pathLp);

                  if (saclPresent)
                  {
                     securityInfo |= SecurityInformation.Sacl;
                     securityInfo |= (control & SecurityDescriptorControl.SaclProtected) != 0
                        ? SecurityInformation.ProtectedSacl
                        : SecurityInformation.UnprotectedSacl;

                     // Writing the SACL needs the security privilege enabled on the calling token.
                     privilegeEnabler = new PrivilegeEnabler(Privilege.Security);
                  }
               }

               IntPtr pOwner = IntPtr.Zero;
               if ((includeSections & AccessControlSections.Owner) != 0)
               {
                  bool ownerDefaulted;
                  if (!Security.NativeMethods.GetSecurityDescriptorOwner(safeBuffer, out pOwner, out ownerDefaulted))
                     NativeError.ThrowException(Marshal.GetLastWin32Error(), pathLp);

                  if (pOwner != IntPtr.Zero)
                     securityInfo |= SecurityInformation.Owner;
               }

               IntPtr pGroup = IntPtr.Zero;
               if ((includeSections & AccessControlSections.Group) != 0)
               {
                  bool groupDefaulted;
                  if (!Security.NativeMethods.GetSecurityDescriptorGroup(safeBuffer, out pGroup, out groupDefaulted))
                     NativeError.ThrowException(Marshal.GetLastWin32Error(), pathLp);

                  if (pGroup != IntPtr.Zero)
                     securityInfo |= SecurityInformation.Group;
               }


               // NOTE(review): when pathLp is empty AND the handle is invalid, neither branch runs
               // and the method returns silently without writing anything; callers cannot tell.
               // NOTE(review): the two branches report failures differently (the handle branch
               // drops the path context and casts lastError to int) — worth unifying.
               uint lastError;
               if (!Utils.IsNullOrWhiteSpace(pathLp))
               {
                  // SetNamedSecurityInfo()
                  // In the ANSI version of this function, the name is limited to MAX_PATH characters.
                  // To extend this limit to 32,767 wide characters, call the Unicode version of the function and prepend "\\?\" to the path.
                  // 2013-01-13: MSDN does not confirm LongPath usage but a Unicode version of this function exists.

                  lastError = Security.NativeMethods.SetNamedSecurityInfo(pathLp, ObjectType.FileObject, securityInfo, pOwner, pGroup, pDacl, pSacl);
                  if (lastError != Win32Errors.ERROR_SUCCESS)
                     NativeError.ThrowException(lastError, pathLp);
               }
               else if (NativeMethods.IsValidHandle(handle))
               {
                  lastError = Security.NativeMethods.SetSecurityInfo(handle, ObjectType.FileObject, securityInfo, pOwner, pGroup, pDacl, pSacl);
                  if (lastError != Win32Errors.ERROR_SUCCESS)
                     NativeError.ThrowException((int)lastError);
               }
            }
            finally
            {
               // Drop the elevated privilege again whether or not the write succeeded.
               if (privilegeEnabler != null)
                  privilegeEnabler.Dispose();
            }
         }
      }
        } // SetSecurityDescriptor

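        /// <summary>
        /// Copies the requested <paramref name="sections"/> of <paramref name="sd"/> onto the file or
        /// directory at <paramref name="path"/>. SeBackupPrivilege is enabled while the source
        /// descriptor is read and SeRestorePrivilege while it is written; each one is restored in a
        /// finally block so a failure never leaves the token with the privilege still enabled.
        /// </summary>
        /// <param name="path">Target file or directory.</param>
        /// <param name="sd">Source descriptor whose binary form is applied to the target.</param>
        /// <param name="sections">Sections of <paramref name="sd"/> to apply.</param>
        /// <exception cref="ArgumentNullException"><paramref name="sd"/> is null.</exception>
        private void SetSecurityDescriptor(string path, ObjectSecurity sd, AccessControlSections sections)
        {
            // Validate before touching token privileges: a null argument should surface as an
            // argument error, not as a NullReferenceException thrown from inside the privileged region.
            if (sd == null)
            {
                throw new ArgumentNullException(nameof(sd));
            }

            var currentPrivilegeState = new PlatformInvokes.TOKEN_PRIVILEGE();
            byte[] securityDescriptorBinary;

            try
            {
                // Get the binary form of the descriptor.
                PlatformInvokes.EnableTokenPrivilege("SeBackupPrivilege", ref currentPrivilegeState);
                securityDescriptorBinary = sd.GetSecurityDescriptorBinaryForm();
            }
            finally
            {
                PlatformInvokes.RestoreTokenPrivilege("SeBackupPrivilege", ref currentPrivilegeState);
            }

            try
            {
                PlatformInvokes.EnableTokenPrivilege("SeRestorePrivilege", ref currentPrivilegeState);

                // Transfer it to the new file / directory.
                // We keep these two code branches so that we can have more
                // granular information when we output the object type via
                // WriteSecurityDescriptorObject.
                if (Directory.Exists(path))
                {
                    var newDescriptor = new DirectorySecurity();
                    newDescriptor.SetSecurityDescriptorBinaryForm(securityDescriptorBinary, sections);
                    new DirectoryInfo(path).SetAccessControl(newDescriptor);
                    WriteSecurityDescriptorObject(newDescriptor, path);
                }
                else
                {
                    var newDescriptor = new FileSecurity();
                    newDescriptor.SetSecurityDescriptorBinaryForm(securityDescriptorBinary, sections);
                    new FileInfo(path).SetAccessControl(newDescriptor);
                    WriteSecurityDescriptorObject(newDescriptor, path);
                }
            }
            finally
            {
                PlatformInvokes.RestoreTokenPrivilege("SeRestorePrivilege", ref currentPrivilegeState);
            }
        }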