// Checks if the current user has write access to the file.
private Boolean HasWriteAccess(String fileName)
{
// No user has access to edit read-only file.
if ((File.GetAttributes(fileName) & FileAttributes.ReadOnly) != 0)
{
return(false);
}
// Retrieve the access rules of the specified file.
AuthorizationRuleCollection rules = File.GetAccessControl(fileName).GetAccessRules(true, true, typeof(System.Security.Principal.SecurityIdentifier));
// Retrieve the groups the user is member in.
IdentityReferenceCollection groups = WindowsIdentity.GetCurrent().Groups;
// Retrieve the SecuityIdentifier of the current user.
String sidCurrentUser = WindowsIdentity.GetCurrent().User.Value;
// Check if writing is denied for the current user or group.
if (rules.OfType <FileSystemAccessRule>().Any(r => (groups.Contains(r.IdentityReference) || r.IdentityReference.Value == sidCurrentUser) && r.AccessControlType == AccessControlType.Deny && (r.FileSystemRights & FileSystemRights.WriteData) == FileSystemRights.WriteData))
{
return(false);
}
// Check if writing is allowed for the current user or group.
return(rules.OfType <FileSystemAccessRule>().Any(r => (groups.Contains(r.IdentityReference) || r.IdentityReference.Value == sidCurrentUser) && r.AccessControlType == AccessControlType.Allow && (r.FileSystemRights & FileSystemRights.WriteData) == FileSystemRights.WriteData));
}
/// <summary>
/// Determines whether the indicated file system security object has the indicated file system right.
/// </summary>
/// <param name="fss">The file system security object.</param>
/// <param name="right">The file system right.</param>
/// <returns>True, if the indicated file system security object has the indicated file system right.</returns>
/// <remarks>The current Windows user identity is used to search the security object's ACL for
/// relevent allow or deny rules. To have permission for the indicated right, the object's ACL
/// list must contain an explicit allow rule and no deny rules for either the user identity or a group to which
/// the user belongs.</remarks>
private static bool HasPermission(FileSystemSecurity fss, FileSystemRights right)
{
AuthorizationRuleCollection rules = fss.GetAccessRules(true, true, typeof(SecurityIdentifier));
var groups = WindowsIdentity.GetCurrent().Groups;
SecurityIdentifier user = WindowsIdentity.GetCurrent().User;
FileSystemRights remaining = right;
foreach (FileSystemAccessRule rule in rules.OfType <FileSystemAccessRule>())
{
FileSystemRights test = rule.FileSystemRights & right;
if (test != 0)
{
if (rule.IdentityReference == user || (groups != null && groups.Contains(rule.IdentityReference)))
{
if (rule.AccessControlType == AccessControlType.Allow)
{
remaining &= ~test;
if (remaining == 0)
{
return(true);
}
}
else if (rule.AccessControlType == AccessControlType.Deny)
{
return(false);
}
}
}
}
return(false);
}
public void IntitializeSecurity()
{
DirectorySecurity security = Directory.GetAccessControl(BasePath);
AuthorizationRuleCollection rules = security.GetAccessRules(
true, false, typeof(SecurityIdentifier));
var q = from r in rules.OfType <FileSystemAccessRule>()
where r.IdentityReference == AccountSid
select r;
if (q.Count() != 0)
{
// Remove any existing rules which could be allow or deny.
q.ToList().ForEach(r => security.RemoveAccessRule(r));
}
// BIND only requires modify (e.g. for process file and log).
FileSystemAccessRule rule = new FileSystemAccessRule(
AccountSid,
FileSystemRights.Modify,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.None,
AccessControlType.Allow);
security.AddAccessRule(rule);
Directory.SetAccessControl(BasePath, security);
}
private ServerStatusElement getIscBindSecurityStatus()
{
ServerStatusElement e = new ServerStatusElement();
e.Name = "ISC BIND security (" + ServerConfig.IscBindDirectory.FullName + ")";
DirectorySecurity security = ServerConfig.IscBindDirectory.GetAccessControl();
AuthorizationRuleCollection rules = security.GetAccessRules(
true, false, typeof(SecurityIdentifier));
WindowsUserManager wuManager = new WindowsUserManager(ServerConfig.WindowsServerName);
WindowsUser namedUser = wuManager.Find(iscBindUser);
if (namedUser == null)
{
e.Value = "Windows user '" + iscBindUser + "' is missing";
e.Condition = ServerStatusCondition.Error;
}
else
{
var q = from r in rules.OfType <FileSystemAccessRule>()
where r.IdentityReference == namedUser.Sid
where r.AccessControlType == AccessControlType.Allow
select r;
if (q.Count() != 0)
{
if ((q.Single().FileSystemRights & FileSystemRights.Modify) == FileSystemRights.Modify)
{
e.Value = "User '" + iscBindUser + "' can modify";
e.Condition = ServerStatusCondition.Normal;
}
else
{
e.Value = "User '" + iscBindUser + "' cannot modify";
e.Condition = ServerStatusCondition.Error;
}
}
else
{
e.Value = "User '" + iscBindUser + "' does not have any access";
e.Condition = ServerStatusCondition.Error;
}
if (e.Condition == ServerStatusCondition.Error)
{
// At this point, if the user exists but the security is wrong, it can be reset.
e.ActionText = "Repair";
e.ActionCommand = "RepairBindSecurity";
}
}
return(e);
}
private IEnumerable <FileSystemAccessRule> getMatchingRules <TSecurity>(
SecurityIdentifier identity,
AccessControlType access,
TSecurity security)
where TSecurity : FileSystemSecurity
{
AuthorizationRuleCollection rules = security.GetAccessRules(
true, false, typeof(SecurityIdentifier));
var q = from r in rules.OfType <FileSystemAccessRule>()
where r.IdentityReference == identity
where r.AccessControlType == access
select r;
return(q);
}
private void CheckAgentRootDirectorySecure()
{
Trace.Info(nameof(CheckAgentRootDirectorySecure));
try
{
string rootDirPath = HostContext.GetDirectory(WellKnownDirectory.Root);
if (!String.IsNullOrEmpty(rootDirPath))
{
// Get info about root folder
DirectoryInfo dirInfo = new DirectoryInfo(rootDirPath);
// Get directory access control list
DirectorySecurity directorySecurityInfo = dirInfo.GetAccessControl();
AuthorizationRuleCollection dirAccessRules = directorySecurityInfo.GetAccessRules(true, true, typeof(NTAccount));
// Get identity reference of the BUILTIN\Users group
IdentityReference bulitInUsersGroup = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null).Translate(typeof(NTAccount));
// Check if BUILTIN\Users group have modify/write rights for the agent root folder
List <FileSystemAccessRule> potentiallyInsecureRules = dirAccessRules.OfType <FileSystemAccessRule>().AsParallel()
.Where(rule => rule.IdentityReference == bulitInUsersGroup && (rule.FileSystemRights.HasFlag(FileSystemRights.Write) || rule.FileSystemRights.HasFlag(FileSystemRights.Modify)))
.ToList <FileSystemAccessRule>();
// Notify user if there are some potentially insecure access rules for the agent root folder
if (potentiallyInsecureRules.Count != 0)
{
Trace.Warning("The {0} group have the following permissions to the agent root folder: ", bulitInUsersGroup.ToString());
potentiallyInsecureRules.ForEach(accessRule => Trace.Warning("- {0}", accessRule.FileSystemRights.ToString()));
_term.Write(StringUtil.Loc("agentRootFolderInsecure", bulitInUsersGroup.ToString()));
}
}
else
{
Trace.Warning("Can't get path to the agent root folder, check was skipped.");
}
}
catch (Exception ex) {
Trace.Warning("Can't check permissions for agent root folder:");
Trace.Warning(ex.Message);
_term.Write(StringUtil.Loc("agentRootFolderCheckError"));
}
}
public void ClearDenyACEs(string path)
{
if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
FileSecurity fs = new FileSecurity(path, AccessControlSections.Access);
AuthorizationRuleCollection rules = fs.GetAccessRules(true, true, typeof(SecurityIdentifier));
SecurityIdentifier user = WindowsIdentity.GetCurrent().User;
AuthorizationRuleCollection newRules = new AuthorizationRuleCollection();
FileSystemSecurity fssNew = new FileSecurity();
foreach (FileSystemAccessRule rule in rules.OfType <FileSystemAccessRule>())
{
if (rule.IdentityReference == user && rule.AccessControlType == AccessControlType.Deny)
{
fs.RemoveAccessRule(rule);
FileInfo fi = new FileInfo(path);
fi.SetAccessControl(fs);
}
}
}
}
private static bool IsFileSystemAccessRuleSet(FileSystemRights rights, CommonObjectSecurity commonObjectSecurity, AccessControlType accessControlType)
{
AuthorizationRuleCollection rules = commonObjectSecurity.GetAccessRules(true, false, typeof(SecurityIdentifier));
return(rules.OfType <FileSystemAccessRule>().Any(fs => fs.FileSystemRights.HasFlag(rights) && fs.AccessControlType == accessControlType));
}
