public void AddResourceAttributeAceTest() { using (var pNewSacl = new SafePACL(256)) { using (var capId = new SafePSID("S-1-17-22")) Assert.That(AddScopedPolicyIDAce(pNewSacl, ACL_REVISION, 0, 0, capId), ResultIs.Successful); var attrValues = new[] { 12L, 32L }; using (var pattrValues = SafeHGlobalHandle.CreateFromList(attrValues)) { var csattr = new CLAIM_SECURITY_ATTRIBUTE_V1 { Name = "Int", ValueType = CLAIM_SECURITY_ATTRIBUTE_TYPE.CLAIM_SECURITY_ATTRIBUTE_TYPE_INT64, ValueCount = (uint)attrValues.Length, Values = new CLAIM_SECURITY_ATTRIBUTE_V1.VALUESUNION { pInt64 = (IntPtr)pattrValues } }; var attr = new[] { csattr }; using (var pattr = SafeHGlobalHandle.CreateFromList(attr)) { var csi = CLAIM_SECURITY_ATTRIBUTES_INFORMATION.Default; csi.AttributeCount = (uint)attr.Length; csi.Attribute.pAttributeV1 = (IntPtr)pattr; var len = 0U; Assert.That(AddResourceAttributeAce(pNewSacl, ACL_REVISION, 0, 0, SafePSID.Everyone, csi, ref len), ResultIs.Successful); } } } }
public void PSIDTest() { var sid = GetCurrentSid(); Assert.That(!sid.IsInvalid); Assert.That(sid.IsValidSid); Assert.That(sid.ToString(), Does.StartWith("S-1-5")); var sid2 = new SafePSID(sid); Assert.That(!sid2.IsInvalid); Assert.That(sid2.ToString(), Is.EqualTo(sid.ToString())); var sid3 = new SafePSID("S-1-1-0"); var id2 = new SecurityIdentifier((IntPtr)sid3); Assert.That(id2.IsWellKnown(WellKnownSidType.WorldSid)); var sid4 = new SafePSID(100); Assert.That(!sid4.IsClosed); Assert.That(!sid4.IsValidSid); Assert.That((int)sid4.Size, Is.EqualTo(100)); sid4.Dispose(); Assert.That(sid4.IsClosed); Assert.That((int)sid4.Size, Is.EqualTo(0)); Assert.That(sid.Equals("X"), Is.False); Assert.That(sid.Equals(sid3), Is.False); }
/// <summary>Copies the specified SID from a memory pointer to a <see cref="SafePSID"/> instance.</summary> /// <param name="psid">The SID pointer. This value remains the responsibility of the caller to release.</param> /// <returns>A <see cref="SafePSID"/> instance.</returns> public static SafePSID CreateFromPtr(IntPtr psid) { var newSid = new SafePSID(GetLengthSid(psid)); CopySid(newSid.Size, newSid.handle, psid); return(newSid); }
public void AllocateAndInitializeSidTest() { var b = AllocateAndInitializeSid(KnownSIDAuthority.SECURITY_WORLD_SID_AUTHORITY, 1, KnownSIDRelativeID.SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, out var pSid); Assert.That(b); var everyone = new SecurityIdentifier(WellKnownSidType.WorldSid, null); var esid = new byte[everyone.BinaryLength]; everyone.GetBinaryForm(esid, 0); var peSid = new SafeByteArray(esid); Assert.That(EqualSid(pSid, (IntPtr)peSid)); ConvertStringSidToSid("S-1-2-0", out var lsid); Assert.That(EqualSid(pSid, (IntPtr)lsid), Is.False); string s = null; Assert.That(IsValidSid(pSid), Is.True); Assert.That(() => s = ConvertSidToStringSid(pSid), Throws.Nothing); Assert.That(s, Is.EqualTo("S-1-1-0")); Assert.That(GetSidSubAuthority(pSid, 0), Is.EqualTo(0)); var len = GetLengthSid(pSid); var p2 = new SafePSID(len); b = CopySid(len, (IntPtr)p2, pSid); Assert.That(EqualSid(p2, pSid)); Assert.That(b); }
public static bool LookupAccountName(string systemName, string accountName, out SafePSID sid, out string domainName, out SID_NAME_USE snu) { var sb = new StringBuilder(1024); sid = new SafePSID(256); var sidSz = sid.Size; var sbSz = sb.Capacity; var ret = LookupAccountName(systemName, accountName, sid, ref sidSz, sb, ref sbSz, out snu); domainName = sb.ToString(); return(ret); }
public static bool GetWindowsAccountDomainSid(PSID pSid, out SafePSID pDomainSid) { uint sz = 0; if (!GetWindowsAccountDomainSid(pSid, SafePSID.Null, ref sz) && sz == 0) { pDomainSid = SafePSID.Null; return(false); } pDomainSid = new SafePSID(sz); return(GetWindowsAccountDomainSid(pSid, pDomainSid, ref sz)); }
public void AuthzAddSidsToContextTest() { using SafePSID everyoneSid = ConvertStringSidToSid("S-1-1-0"); using SafePSID localSid = ConvertStringSidToSid("S-1-2-0"); SID_AND_ATTRIBUTES sids = new() { Sid = everyoneSid, Attributes = (uint)GroupAttributes.SE_GROUP_ENABLED }; SID_AND_ATTRIBUTES restrictedSids = new() { Sid = localSid, Attributes = (uint)GroupAttributes.SE_GROUP_ENABLED }; using SafeAUTHZ_RESOURCE_MANAGER_HANDLE hRM = GetAuthzInitializeResourceManager(); using SafeAUTHZ_CLIENT_CONTEXT_HANDLE hCtx = GetCurrentUserAuthContext(hRM); Assert.That(AuthzAddSidsToContext(hCtx, sids, 1, restrictedSids, 1, out SafeAUTHZ_CLIENT_CONTEXT_HANDLE hNewCtx), ResultIs.Successful); } [Test]
/****************************************************************************++ * * Description : * * This function creates a well known sid using User domain. CreateWellKnownSid requires * domain sid to be provided to generate such sids. This function first gets the domain sid * out of the user information in the token and then generate a well known sid. * * Arguments: * * hToken - [supplies] The token for which sid has to be generated * sidType - [supplies] The type of well known sid * pSid - [receives] The newly create sid * pdwSidSize - [Supplies/Receives] The size of the memory allocated for ppSid * * Returns: * * Errors returned by GetTokenInformation * Errors returned by CreateWellKnownSid * E_OUTOFMEMORY In case there is not enough memory * Errors returned by GetWindowsAccountDomainSid * --***************************************************************************/ static SafePSID CreateWellKnownSidForAccount(HTOKEN hToken, WELL_KNOWN_SID_TYPE sidType) { var hTok = new SafeHTOKEN((IntPtr)hToken, false); using var pUserToken = hTok.GetInfo(TOKEN_INFORMATION_CLASS.TokenUser); // // Now get the domain sid from the TokenUser // Win32Error.ThrowLastErrorIfFalse(GetWindowsAccountDomainSid(pUserToken.ToStructure <TOKEN_USER>().User.Sid, out var pDomainSid)); return(SafePSID.CreateWellKnown(sidType, pDomainSid)); }
/// <summary>Gets the SID for an ACE.</summary> /// <param name="pAce">A pointer to an ACE.</param> /// <returns>The SID value.</returns> /// <exception cref="ArgumentNullException">pAce</exception> public static SafePSID GetSid(this PACE pAce) { if (pAce.IsNull) { throw new ArgumentNullException(nameof(pAce)); } var offset = Marshal.SizeOf(typeof(ACE_HEADER)) + sizeof(uint); if (pAce.IsObjectAce()) { offset += sizeof(uint) + Marshal.SizeOf(typeof(Guid)) * 2; } return(SafePSID.CreateFromPtr(pAce.DangerousGetHandle().Offset(offset))); }
private PSID GetSid(string accountName) { int sidSize = 0, nameSize = 0; LookupAccountName(svr, accountName, SafePSID.Null, ref sidSize, null, ref nameSize, out var accountType); var domainName = new System.Text.StringBuilder(nameSize); var sid = new SafePSID(sidSize); if (!LookupAccountName(string.Empty, accountName, sid, ref sidSize, domainName, ref nameSize, out accountType)) { throw new System.ComponentModel.Win32Exception(); } return(sid); }
public void InitTest() { var sid = GetCurrentSid(); var sidStr = sid.ToString(); Assert.That(sidStr, Does.StartWith("S-1-5-")); var ssid = sid.ToString().Substring(6).Split('-').Select(int.Parse).ToArray(); var i = ssid[0]; var dest = new int[ssid.Length - 1]; Array.Copy(ssid, 1, dest, 0, ssid.Length - 1); var sid2 = SafePSID.Init(KnownSIDAuthority.SECURITY_NT_AUTHORITY, i, dest); Assert.That(sid2.IsValidSid); Assert.That(sid, Is.EqualTo(sid2)); }
/// <summary>Creates a SID for predefined aliases.</summary> /// <param name="WellKnownSidType">Member of the WELL_KNOWN_SID_TYPE enumeration that specifies what the SID will identify.</param> /// <param name="DomainSid"> /// A pointer to a SID that identifies the domain to use when creating the SID. Pass <c>PSID.NULL</c> to use the local computer. /// </param> /// <returns>A <see cref="SafePSID"/> instance.</returns> public static SafePSID CreateWellKnown(WELL_KNOWN_SID_TYPE sidType, PSID domainSid = default) { var sz = 0U; CreateWellKnownSid(sidType, domainSid, Null, ref sz); if (sz == 0) { Win32Error.ThrowLastError(); } var newSid = new SafePSID((int)sz); if (!CreateWellKnownSid(sidType, domainSid, newSid, ref sz)) { Win32Error.ThrowLastError(); } return(newSid); }
public void EqualsTest() { var ssid = new SafePSID("S-1-1-0"); var esid = SafePSID.Everyone; var mesid = SafePSID.Current; Assert.That(ssid == esid, Is.True); Assert.That(ssid != mesid, Is.True); Assert.That(ssid.Equals(null), Is.False); Assert.That(ssid == null, Is.False); Assert.That(ssid.Equals((PSID)esid), Is.True); Assert.That(ssid.Equals((IntPtr)esid), Is.True); Assert.That(ssid.Equals((object)esid), Is.True); Assert.That(ssid.Equals((object)(PSID)esid), Is.True); Assert.That(ssid.Equals((object)(IntPtr)esid), Is.True); Assert.That(ssid.Equals((object)54), Is.False); }
public void AuditQuerySetGlobalSaclTest() { Assert.That(AuditQueryGlobalSacl("Key", out var orig), Is.True); var psid = SafePSID.CreateWellKnown(WELL_KNOWN_SID_TYPE.WinWorldSid); var explAcc = new EXPLICIT_ACCESS { grfAccessMode = ACCESS_MODE.SET_AUDIT_SUCCESS, grfAccessPermissions = 0x20006 /* KEY_WRITE */, grfInheritance = INHERIT_FLAGS.NO_INHERITANCE, Trustee = new TRUSTEE(psid, TRUSTEE_TYPE.TRUSTEE_IS_WELL_KNOWN_GROUP) }; SetEntriesInAcl(1, new[] { explAcc }, PACL.NULL, out var newAcl).ThrowIfFailed(); Assert.That(AuditSetGlobalSacl("Key", newAcl), Is.True); Assert.That(AuditSetGlobalSacl("Key", orig), Is.True); }
public void AuthzModifySidsTest() { using (var hRM = GetAuthzInitializeResourceManager()) using (var hCtx = GetCurrentUserAuthContext(hRM)) { var tg = new TOKEN_GROUPS(1); var psid = new SafePSID("S-1-5-32-551"); tg.Groups[0] = new SID_AND_ATTRIBUTES { Attributes = (uint)GroupAttributes.SE_GROUP_ENABLED, Sid = (IntPtr)psid }; var b = AuthzModifySids(hCtx, AUTHZ_CONTEXT_INFORMATION_CLASS.AuthzContextInfoGroupsSids, new[] { AUTHZ_SID_OPERATION.AUTHZ_SID_OPERATION_ADD }, in tg); if (!b) { TestContext.WriteLine($"AuthzModifySids:{Win32Error.GetLastError()}"); } Assert.That(b); } }
public void SetNamedSecurityInfoTest() { using (var pSD = GetSD(fn)) { Assert.That(GetSecurityDescriptorOwner(pSD, out var owner, out var def)); Assert.That((IntPtr)owner, Is.Not.EqualTo(IntPtr.Zero)); var admins = new SafePSID("S-1-5-32-544"); var err = SetNamedSecurityInfo(fn, SE_OBJECT_TYPE.SE_FILE_OBJECT, SECURITY_INFORMATION.OWNER_SECURITY_INFORMATION, admins, PSID.NULL, IntPtr.Zero, IntPtr.Zero); if (err.Failed) { TestContext.WriteLine($"SetNamedSecurityInfo failed: {err}"); } Assert.That(err.Succeeded); err = SetNamedSecurityInfo(fn, SE_OBJECT_TYPE.SE_FILE_OBJECT, SECURITY_INFORMATION.OWNER_SECURITY_INFORMATION, owner, PSID.NULL, IntPtr.Zero, IntPtr.Zero); if (err.Failed) { TestContext.WriteLine($"SetNamedSecurityInfo failed: {err}"); } Assert.That(err.Succeeded); } }
private static bool GetAccountSid(string SystemName, string AccountName, out SafePSID Sid) { var cbSid = 128; // initial allocation attempt var cchReferencedDomain = 16; // initial allocation size // // initial memory allocations // Sid = new SafePSID(cbSid); var ReferencedDomain = new StringBuilder(cchReferencedDomain); // // Obtain the SID of the specified account on the specified system. // while (!LookupAccountName(SystemName, AccountName, Sid, ref cbSid, ReferencedDomain, ref cchReferencedDomain, out _)) { if (Win32Error.GetLastError() == Win32Error.ERROR_INSUFFICIENT_BUFFER) { // // reallocate memory // Sid.Size = cbSid; ReferencedDomain.Capacity = cchReferencedDomain; } else { return(false); } } // // Indicate success. // return(true); }
/// <summary>Indicates whether the current object is equal to another object of the same type.</summary> /// <param name="other">An object to compare with this object.</param> /// <returns>true if the current object is equal to the <paramref name="other"/> parameter; otherwise, false.</returns> public bool Equals(SafePSID other) => EqualSid(this, other);
public void ToStringTest() { var sid = SafePSID.Init(KnownSIDAuthority.SECURITY_WORLD_SID_AUTHORITY, KnownSIDRelativeID.SECURITY_WORLD_RID); Assert.That(sid.ToString(), Is.EqualTo("S-1-1-0")); }
/****************************************************************************++ * * Routine Description: * * Verifies whether specified well-known SID is in the current user token * * Arguments: * * sid - one of the WELL_KNOWN_SID_TYPE consts * hToken - Optional the token for which we want to test membership * pfMember - [Receives] TRUE if specified sid is a member of the user token, false otherwise * * Notes: * * - * * Return Value: * * Errors returned by CreateWellKnownSid * Errors returned by CheckTokenMembership * --*****************************************************************************/ static HRESULT IsMemberOf(WELL_KNOWN_SID_TYPE sid, HTOKEN hToken, out bool pfMember) { pfMember = false; try { var hTok = new SafeHTOKEN((IntPtr)hToken, false); using var pUserToken = hTok.GetInfo(TOKEN_INFORMATION_CLASS.TokenUser); SafePSID pSID = null; try { // // create SID for the authenticated users // pSID = SafePSID.CreateWellKnown(sid); } catch { // // In case of invalid-arg we might need to provide the domain, so create well known sid for domain // pSID = CreateWellKnownSidForAccount(hToken, sid); } // // check whether token has this sid // if (!CheckTokenMembership(hToken, pSID, out pfMember)) { var hr = Win32Error.GetLastError().ToHRESULT(); // just to be on the safe side (as we don't know that CheckTokenMembership // does not modify fAuthenticated in case of error) pfMember = false; if (hr == HRESULT.E_ACCESSDENIED && hToken.IsNull) { // unable to query the thread token. Open as self and try again using var ttok = SafeHTOKEN.FromThread(GetCurrentThread(), TokenAccess.TOKEN_QUERY); { if (CheckTokenMembership(ttok, pSID, out pfMember)) { return(HRESULT.S_OK); } else { // stick with the original error code, but ensure that fMember is correct pfMember = false; } } } } return(HRESULT.S_OK); } catch (Exception ex) { var hr = HRESULT.FromException(ex); if (hr == (HRESULT)Win32Error.ERROR_NON_ACCOUNT_SID) { return(HRESULT.S_OK); } return(hr); } }
static void Main(string[] args) { if (args.Length < 1) { Console.WriteLine("Please specify a SID."); } var sidString = args[0]; var success = Authz.AuthzInitializeResourceManager(Authz.AuthzResourceManagerFlags.AUTHZ_RM_FLAG_NO_AUDIT, null, null, null, "", out var rm); if (!success) { ReportLastError("AuthzInitializeResourceManager"); return; } var sid = new SecurityIdentifier(sidString); var sidBytes = new byte[sid.BinaryLength]; sid.GetBinaryForm(sidBytes, 0); var psid = new SafePSID(sidBytes); success = Authz.AuthzInitializeContextFromSid(Authz.AuthzContextFlags.DEFAULT, psid, rm, IntPtr.Zero, new LUID(), IntPtr.Zero, out var context); if (!success) { ReportLastError("AuthzInitializeContextFromSid"); Authz.AuthzFreeResourceManager(rm); return; } success = Authz.AuthzGetInformationFromContext(context, Authz.AUTHZ_CONTEXT_INFORMATION_CLASS.AuthzContextInfoGroupsSids, 0, out var sizeRequired, IntPtr.Zero); if (!success && Win32Error.GetLastError() != Win32Error.ERROR_INSUFFICIENT_BUFFER) { ReportLastError("AuthzGetInformationFromContext part 1"); Authz.AuthzFreeContext(context); Authz.AuthzFreeResourceManager(rm); return; } if (sizeRequired == 0) { Console.WriteLine("No context information available?"); Authz.AuthzFreeContext(context); Authz.AuthzFreeResourceManager(rm); return; } uint size = sizeRequired; var buffer = new SafeHGlobalHandle(size); success = Authz.AuthzGetInformationFromContext(context, Authz.AUTHZ_CONTEXT_INFORMATION_CLASS.AuthzContextInfoGroupsSids, size, out sizeRequired, buffer); if (!success) { ReportLastError("AuthzGetInformationFromContext part 2"); Authz.AuthzFreeContext(context); Authz.AuthzFreeResourceManager(rm); return; } var tokenGroups = buffer.ToArray <TOKEN_GROUPS>(1); for (var i = 0; i < tokenGroups[0].GroupCount; i++) { var tokenGroup = tokenGroups[0].Groups[i]; var thisSid = new SecurityIdentifier(tokenGroup.Sid.GetBinaryForm(), 0); string accountName = null; try { accountName = thisSid.Translate(typeof(NTAccount)).Value; } catch { } Console.WriteLine($"{thisSid} {accountName ?? tokenGroup.ToString()}"); } }
public void GetBinaryForm() { var sid = new SafePSID("S-1-1-0"); Assert.That(sid.GetBinaryForm(), Is.EquivalentTo(new SecurityIdentifier(WellKnownSidType.WorldSid, null).GetBytes())); }
public static extern bool CreateWellKnownSid(WELL_KNOWN_SID_TYPE WellKnownSidType, PSID DomainSid, SafePSID pSid, ref uint cbSid);
/// <summary>Indicates whether the current object is equal to another object of the same type.</summary> /// <param name="other">An object to compare with this object.</param> /// <returns>true if the current object is equal to the <paramref name="other"/> parameter; otherwise, false.</returns> public bool Equals(SafePSID other) => other != null && (ReferenceEquals(this, other) || EqualSid(this, other));
public void _Setup() { hPol = LsaOpenPolicy(LsaPolicyRights.POLICY_ALL_ACCESS); pSid = SafePSID.Current; }
public static extern bool GetWindowsAccountDomainSid(PSID pSid, SafePSID pDomainSid, ref uint cbDomainSid);
public void _SetupTests() { pCurSid = SafePSID.Current; secPriv = new ElevPriv(new[] { "SeSecurityPrivilege", "SeAuditPrivilege" }); }
public static extern bool LookupAccountName(string lpSystemName, string lpAccountName, SafePSID Sid, ref int cbSid, StringBuilder ReferencedDomainName, ref int cchReferencedDomainName, out SID_NAME_USE peUse);
public void InitializeSidTest() { using (var pSid = new SafePSID(32)) Assert.That(InitializeSid(pSid, KnownSIDAuthority.SECURITY_LOCAL_SID_AUTHORITY, 2), ResultIs.Successful); }