/// <summary>
/// Get a known SID based on a specific enumeration.
/// </summary>
/// <param name="sid">The enumerated sid value.</param>
/// <returns></returns>
public static Sid GetKnownSid(KnownSidValue sid)
{
switch (sid)
{
case KnownSidValue.Null: return(new Sid(SecurityAuthority.Null, 0));
case KnownSidValue.World: return(new Sid(SecurityAuthority.World, 0));
case KnownSidValue.Local: return(new Sid(SecurityAuthority.Local, 0));
case KnownSidValue.CreatorOwner: return(new Sid(SecurityAuthority.Creator, 0));
case KnownSidValue.CreatorGroup: return(new Sid(SecurityAuthority.Creator, 1));
case KnownSidValue.OwnerRights: return(new Sid(SecurityAuthority.Creator, 4));
case KnownSidValue.Service: return(new Sid(SecurityAuthority.Nt, 6));
case KnownSidValue.Anonymous: return(new Sid(SecurityAuthority.Nt, 7));
case KnownSidValue.AuthenticatedUsers: return(new Sid(SecurityAuthority.Nt, 11));
case KnownSidValue.Restricted: return(new Sid(SecurityAuthority.Nt, 12));
case KnownSidValue.LocalSystem: return(new Sid(SecurityAuthority.Nt, 18));
case KnownSidValue.LocalService: return(new Sid(SecurityAuthority.Nt, 19));
case KnownSidValue.NetworkService: return(new Sid(SecurityAuthority.Nt, 20));
case KnownSidValue.AllApplicationPackages: return(new Sid(SecurityAuthority.Package, 2, 1));
case KnownSidValue.AllRestrictedApplicationPackages: return(new Sid(SecurityAuthority.Package, 2, 2));
case KnownSidValue.TrustedInstaller: return(NtSecurity.GetServiceSid("TrustedInstaller"));
case KnownSidValue.BuiltinUsers: return(new Sid(SecurityAuthority.Nt, 32, 545));
case KnownSidValue.BuiltinAdministrators: return(new Sid(SecurityAuthority.Nt, 32, 544));
case KnownSidValue.CapabilityInternetClient: return(GetCapabilitySid(1));
case KnownSidValue.CapabilityInternetClientServer: return(GetCapabilitySid(2));
case KnownSidValue.CapabilityPrivateNetworkClientServer: return(GetCapabilitySid(3));
case KnownSidValue.CapabilityPicturesLibrary: return(GetCapabilitySid(4));
case KnownSidValue.CapabilityVideosLibrary: return(GetCapabilitySid(5));
case KnownSidValue.CapabilityMusicLibrary: return(GetCapabilitySid(6));
case KnownSidValue.CapabilityDocumentsLibrary: return(GetCapabilitySid(7));
case KnownSidValue.CapabilityEnterpriseAuthentication: return(GetCapabilitySid(8));
case KnownSidValue.CapabilitySharedUserCertificates: return(GetCapabilitySid(9));
case KnownSidValue.CapabilityRemovableStorage: return(GetCapabilitySid(10));
case KnownSidValue.CapabilityAppointments: return(GetCapabilitySid(11));
case KnownSidValue.CapabilityContacts: return(GetCapabilitySid(12));
case KnownSidValue.CapabilityInternetExplorer: return(GetCapabilitySid(4096));
case KnownSidValue.CapabilityConstrainedImpersonation:
return(NtSecurity.GetCapabilitySid("constrainedImpersonation"));
case KnownSidValue.Self: return(new Sid(SecurityAuthority.Nt, 10));
default:
throw new ArgumentException("Unknown SID type");
}
}
/// <summary>
/// Process record.
/// </summary>
protected override void ProcessRecord()
{
Sid sid;
if (Sddl != null)
{
sid = new Sid(Sddl);
}
else if (Name != null)
{
sid = NtSecurity.LookupAccountName(Name);
}
else if (ServiceName != null)
{
sid = NtSecurity.GetServiceSid(ServiceName);
}
else if (IntegrityLevel.HasValue)
{
sid = NtSecurity.GetIntegritySid(IntegrityLevel.Value);
}
else if (IntegrityLevelRaw.HasValue)
{
sid = NtSecurity.GetIntegritySidRaw(IntegrityLevelRaw.Value);
}
else if (PackageName != null)
{
sid = TokenUtils.DerivePackageSidFromName(PackageName);
if (RestrictedPackageName != null)
{
sid = TokenUtils.DeriveRestrictedPackageSidFromSid(sid, RestrictedPackageName);
}
}
else if (KnownSid.HasValue)
{
sid = KnownSids.GetKnownSid(KnownSid.Value);
}
else if (Token)
{
using (NtToken token = NtToken.OpenProcessToken())
{
if (PrimaryGroup)
{
sid = token.PrimaryGroup;
}
else if (Owner)
{
sid = token.Owner;
}
else if (LogonGroup)
{
sid = token.LogonSid.Sid;
}
else if (AppContainer)
{
sid = token.AppContainerSid;
}
else if (Label)
{
sid = token.IntegrityLevelSid.Sid;
}
else
{
sid = token.User.Sid;
}
}
}
else if (CapabilityName != null)
{
sid = CapabilityGroup ? NtSecurity.GetCapabilityGroupSid(CapabilityName)
: NtSecurity.GetCapabilitySid(CapabilityName);
}
else if (RelativeIdentifiers != null)
{
sid = new Sid(SecurityAuthority, RelativeIdentifiers);
}
else
{
throw new ArgumentException("No SID type specified");
}
WriteObject(sid);
}
/// <summary>
/// Add mandatory integrity label to SACL
/// </summary>
/// <param name="level">The integrity level</param>
public void AddMandatoryLabel(TokenIntegrityLevel level)
{
AddMandatoryLabel(NtSecurity.GetIntegritySid(level), AceFlags.None, MandatoryLabelPolicy.NoWriteUp);
}
/// <summary>
/// Add mandatory integrity label to SACL
/// </summary>
/// <param name="level">The integrity level</param>
/// <param name="flags">The ACE flags.</param>
/// <param name="policy">The mandatory label policy</param>
public void AddMandatoryLabel(TokenIntegrityLevel level, AceFlags flags, MandatoryLabelPolicy policy)
{
AddMandatoryLabel(NtSecurity.GetIntegritySid(level), flags, policy);
}
/// <summary>
/// Convert security descriptor to SDDL string
/// </summary>
/// <param name="security_information">The parts of the security descriptor to return</param>
/// <returns>The SDDL string</returns>
public string ToSddl(SecurityInformation security_information)
{
return(NtSecurity.SecurityDescriptorToSddl(ToByteArray(), security_information));
}
private void AddAccessAllowedAceInternal(AccessMask mask, AceFlags flags, string sid)
{
AddAce(AceType.Allowed, mask, flags, NtSecurity.SidFromSddl(sid));
}
/// <summary>
/// Process record.
/// </summary>
protected override void ProcessRecord()
{
Sid sid;
switch (ParameterSetName)
{
case "sddl":
sid = new Sid(Sddl);
break;
case "name":
sid = NtSecurity.LookupAccountName(Name);
break;
case "service":
sid = NtSecurity.GetServiceSid(ServiceName);
break;
case "il":
sid = NtSecurity.GetIntegritySid(IntegrityLevel);
break;
case "il_raw":
sid = NtSecurity.GetIntegritySidRaw(IntegrityLevelRaw);
break;
case "package":
sid = TokenUtils.DerivePackageSidFromName(PackageName);
if (RestrictedPackageName != null)
{
sid = TokenUtils.DeriveRestrictedPackageSidFromSid(sid, RestrictedPackageName);
}
break;
case "known":
sid = KnownSids.GetKnownSid(KnownSid);
break;
case "token":
using (NtToken token = NtToken.OpenProcessToken())
{
if (PrimaryGroup)
{
sid = token.PrimaryGroup;
}
else if (Owner)
{
sid = token.Owner;
}
else if (LogonGroup)
{
sid = token.LogonSid.Sid;
}
else if (AppContainer)
{
sid = token.AppContainerSid;
}
else if (Label)
{
sid = token.IntegrityLevelSid.Sid;
}
else
{
sid = token.User.Sid;
}
}
break;
case "cap":
sid = CapabilityGroup ? NtSecurity.GetCapabilityGroupSid(CapabilityName)
: NtSecurity.GetCapabilitySid(CapabilityName);
break;
case "sid":
sid = new Sid(SecurityAuthority, RelativeIdentifiers);
break;
case "logon":
sid = NtSecurity.GetLogonSessionSid();
break;
default:
throw new ArgumentException("No SID type specified");
}
WriteObject(sid);
}
/// <summary>
/// Set the object's security descriptor
/// </summary>
/// <param name="security_desc">The security descriptor to set.</param>
/// <param name="security_information">What parts of the security descriptor to set</param>
/// <param name="throw_on_error">True to throw on error.</param>
/// <returns>The NT status code.</returns>
public NtStatus SetSecurityDescriptor(SecurityDescriptor security_desc, SecurityInformation security_information, bool throw_on_error)
{
using (var buffer = security_desc.ToSafeBuffer(true)) {
return(NtSecurity.SetSecurityDescriptor(Handle, buffer, security_information, throw_on_error));
}
}
/// <summary>
/// Get the SID name for this SID.
/// </summary>
/// <param name="bypass_cache">True to bypass the SID name cache.</param>
/// <returns>The SID name.</returns>
public SidName GetName(bool bypass_cache)
{
return(NtSecurity.GetNameForSid(this, bypass_cache));
}
/// <summary>
/// Convert an SDDL SID string to a Sid
/// </summary>
/// <param name="sddl">The SDDL SID string</param>
/// <param name="throw_on_error">True to throw on error.</param>
/// <returns>The converted Sid</returns>
/// <exception cref="NtException">Thrown if cannot convert from a SDDL string.</exception>
public static NtResult <Sid> Parse(string sddl, bool throw_on_error)
{
return(NtSecurity.SidFromSddl(sddl, throw_on_error));
}
private void AddAccessDeniedAceInternal(uint mask, AceFlags flags, string sid)
{
AddAce(AceType.Denied, mask, flags, NtSecurity.SidFromSddl(sid));
}
/// <summary>
/// Convert an enumerable access rights to a string
/// </summary>
/// <param name="granted_access">The granted access mask.</param>
/// <param name="map_to_generic">True to try and convert to generic rights where possible.</param>
/// <returns>The string format of the access rights</returns>
public string AccessMaskToString(AccessMask granted_access, bool map_to_generic)
{
return(NtSecurity.AccessMaskToString(granted_access, AccessRightsType, GenericMapping, map_to_generic));
}
/// <summary>
/// Convert an enumerable access rights to a string
/// </summary>
/// <param name="container">True to use the container access type.</param>
/// <param name="granted_access">The granted access mask.</param>
/// <param name="map_to_generic">True to try and convert to generic rights where possible.</param>
/// <param name="sdk_names">Set to true to use SDK style names.</param>
/// <returns>The string format of the access rights</returns>
public string AccessMaskToString(bool container, AccessMask granted_access, bool map_to_generic, bool sdk_names)
{
return(NtSecurity.AccessMaskToString(granted_access, container ? ContainerAccessRightsType : AccessRightsType,
GenericMapping, map_to_generic, sdk_names));
}
/// <summary>
/// Add an integrity level to the boundary descriptor.
/// </summary>
/// <remarks>This integrity level is used in an access check when creating or deleting private namespaces.</remarks>
/// <param name="integrity_level">The integrity level to add.</param>
public void AddIntegrityLevel(TokenIntegrityLevel integrity_level)
{
AddIntegrityLevel(NtSecurity.GetIntegritySid(integrity_level));
}
/// <summary>
/// Constructor from an SDDL string
/// </summary>
/// <param name="sddl">The SDDL string</param>
/// <exception cref="NtException">Thrown if invalid SDDL</exception>
public SecurityDescriptor(string sddl)
: this(NtSecurity.SddlToSecurityDescriptor(sddl))
{
}
/// <summary>
/// Constructor from an SDDL string.
/// </summary>
/// <param name="sid">The SID in SDDL format.</param>
/// <example>
/// new Sid("S-1-0-0");
/// new Sid("WD");
/// </example>
/// <seealso cref="NtSecurity.LookupAccountName(string)"/>
public Sid(string sid) : this(NtSecurity.SidFromSddl(sid))
{
}
/// <summary>
/// Get security descriptor as a byte array
/// </summary>
/// <param name="security_information">What parts of the security descriptor to retrieve</param>
/// <param name="throw_on_error">True to throw on error.</param>
/// <return>The NT status result and security descriptor.</return>
public NtResult <byte[]> GetSecurityDescriptorBytes(SecurityInformation security_information, bool throw_on_error)
{
using (var buffer = NtSecurity.GetSecurityDescriptor(Handle, security_information, throw_on_error)) {
return(buffer.Map(b => b.ToArray()));
}
}
