internal static DiscretionaryAcl CreateAllowEveryoneFullAccess(bool isDS, bool isContainer)
{
DiscretionaryAcl acl = new DiscretionaryAcl(isContainer, isDS, 1);
acl.AddAccess(AccessControlType.Allow, _sidEveryone, -1, isContainer ? (InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit) : InheritanceFlags.None, PropagationFlags.None);
acl.everyOneFullAccessForNullDacl = true;
return acl;
}
private static void AuthUserStartStop(DiscretionaryAcl dacl)
{
var sid = new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null);
dacl.SetAccess(AccessControlType.Allow, sid, (int) (ServiceAccess.ServiceStart | ServiceAccess.ServiceStop),
InheritanceFlags.None, PropagationFlags.None);
}
protected ObjectSecurity( bool isContainer, bool isDS )
: this()
{
// we will create an empty DACL, denying anyone any access as the default. 5 is the capacity.
DiscretionaryAcl dacl = new DiscretionaryAcl(isContainer, isDS, 5);
_securityDescriptor = new CommonSecurityDescriptor( isContainer, isDS, ControlFlags.None, null, null, null, dacl );
}
static IpcStore()
{
var dacl = new DiscretionaryAcl(false, false, 1);
dacl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.CreatorOwnerSid, null), -1, InheritanceFlags.None, PropagationFlags.None);
dacl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null), -1, InheritanceFlags.None, PropagationFlags.None);
dacl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null), -1, InheritanceFlags.None, PropagationFlags.None);
IpcAcl = new CommonSecurityDescriptor(false, false, ControlFlags.GroupDefaulted | ControlFlags.OwnerDefaulted | ControlFlags.DiscretionaryAclPresent, null, null, null, dacl);
}
public void AddAccessObjectAceNonDSFailsEvenIfObjectAceFlagsNoneImplyingCommonAce ()
{
SecurityIdentifier sid = new SecurityIdentifier ("BA");
DiscretionaryAcl dacl = new DiscretionaryAcl (false, false, 0);
dacl.AddAccess (AccessControlType.Allow, sid, 1, InheritanceFlags.None, PropagationFlags.None,
ObjectAceFlags.None, Guid.Empty, Guid.Empty);
}
public void NullRawAclRevisionOK ()
{
DiscretionaryAcl dacl1 = new DiscretionaryAcl (false, false, null);
Assert.AreEqual (2, dacl1.Revision);
DiscretionaryAcl dacl2 = new DiscretionaryAcl (false, true, null);
Assert.AreEqual (4, dacl2.Revision);
}
public CommonSecurityDescriptor (bool isContainer, bool isDS,
ControlFlags flags,
SecurityIdentifier owner,
SecurityIdentifier group,
SystemAcl systemAcl,
DiscretionaryAcl discretionaryAcl)
{
Init (isContainer, isDS, flags, owner, group, systemAcl, discretionaryAcl);
}
public void EmptyBinaryFormDSOK()
{
DiscretionaryAcl dacl = new DiscretionaryAcl (false, true, 0);
byte[] buffer = new byte[8];
dacl.GetBinaryForm (buffer, 0);
Assert.AreEqual (4, buffer [0]); // Revision
Assert.AreEqual (8, ToUInt16 (buffer, 2)); // ACL Size
Assert.AreEqual (0, ToUInt16 (buffer, 4)); // ACE Count
}
public void UsesRawAclRevision ()
{
RawAcl acl1 = new RawAcl (RawAcl.AclRevisionDS, 0);
DiscretionaryAcl dacl1 = new DiscretionaryAcl (false, false, acl1);
Assert.AreEqual (4, dacl1.Revision);
RawAcl acl2 = new RawAcl (RawAcl.AclRevision, 0);
DiscretionaryAcl dacl2 = new DiscretionaryAcl (false, true, acl2);
Assert.AreEqual (2, dacl2.Revision);
}
private static void EditDacl(DiscretionaryAcl dacl, SecurityIdentifier account, int right, bool add)
{
if (add)
{
dacl.AddAccess(AccessControlType.Allow, account, right, InheritanceFlags.None, PropagationFlags.None);
}
else
{
dacl.RemoveAccess(AccessControlType.Allow, account, right, InheritanceFlags.None, PropagationFlags.None);
}
}
public void AddAccessCommonAce ()
{
SecurityIdentifier sid = new SecurityIdentifier ("BA");
DiscretionaryAcl dacl = new DiscretionaryAcl (false, false, 0);
dacl.AddAccess (AccessControlType.Allow, sid, 1, InheritanceFlags.None, PropagationFlags.None);
Assert.AreEqual (1, dacl.Count);
CommonAce ace = (CommonAce)dacl[0];
Assert.AreEqual (1, ace.AccessMask);
Assert.AreEqual ("S-1-5-32-544", ace.SecurityIdentifier.Value);
Assert.IsFalse (ace.IsInherited);
}
internal static CommonSecurityDescriptor CreateSecurityDescriptor(SecurityIdentifier userSid)
{
SecurityIdentifier sid = new SecurityIdentifier(networkSidSddlForm);
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 1);
// Deny all access to NetworkSid
dacl.AddAccess(AccessControlType.Deny, sid, -1, InheritanceFlags.None, PropagationFlags.None);
if (userSid != null)
dacl.AddAccess(AccessControlType.Allow, userSid, -1, InheritanceFlags.None, PropagationFlags.None);
// Add access to the current user creating the pipe
dacl.AddAccess(AccessControlType.Allow, WindowsIdentity.GetCurrent().User, -1, InheritanceFlags.None, PropagationFlags.None);
// Initialize and return the CommonSecurityDescriptor
return new CommonSecurityDescriptor(false, false, ControlFlags.OwnerDefaulted | ControlFlags.GroupDefaulted | ControlFlags.DiscretionaryAclPresent, null, null, null, dacl);;
}
public void AddAccessFailsOnNonCanonical ()
{
SecurityIdentifier sid = new SecurityIdentifier ("BU");
RawAcl acl = new RawAcl (RawAcl.AclRevision, 0);
acl.InsertAce (0, new CommonAce (AceFlags.None, AceQualifier.AccessAllowed, 1, sid, false, null));
acl.InsertAce (1, new CommonAce (AceFlags.None, AceQualifier.AccessDenied, 1, sid, false, null));
DiscretionaryAcl dacl = new DiscretionaryAcl (false, false, acl);
Assert.IsFalse (dacl.IsCanonical);
Assert.AreEqual (2, dacl.Count);
dacl.AddAccess (AccessControlType.Allow, sid, 1, InheritanceFlags.None, PropagationFlags.None);
}
public CommonSecurityDescriptor (bool isContainer, bool isDS,
ControlFlags flags,
SecurityIdentifier owner,
SecurityIdentifier group,
SystemAcl systemAcl,
DiscretionaryAcl discretionaryAcl)
{
this.isContainer = isContainer;
this.isDS = isDS;
this.flags = flags;
this.owner = owner;
this.group = group;
this.systemAcl = systemAcl;
this.discretionaryAcl = discretionaryAcl;
throw new NotImplementedException ();
}
void Init (bool isContainer, bool isDS, RawSecurityDescriptor rawSecurityDescriptor)
{
if (null == rawSecurityDescriptor)
throw new ArgumentNullException ("rawSecurityDescriptor");
SystemAcl sacl = null;
if (null != rawSecurityDescriptor.SystemAcl)
sacl = new SystemAcl (isContainer, isDS, rawSecurityDescriptor.SystemAcl);
DiscretionaryAcl dacl = null;
if (null != rawSecurityDescriptor.DiscretionaryAcl)
dacl = new DiscretionaryAcl (isContainer, isDS, rawSecurityDescriptor.DiscretionaryAcl);
Init (isContainer, isDS,
rawSecurityDescriptor.ControlFlags,
rawSecurityDescriptor.Owner,
rawSecurityDescriptor.Group,
sacl, dacl);
}
private void BuildSecurityDescriptor()
{
NTAccount account;
SecurityIdentifier identifier;
CommonAce ace;
RawAcl rawAcl = new RawAcl(GenericAcl.AclRevision, 1);
int index = 0;
if (this.operationRoleMembers != null)
{
foreach (string str in this.operationRoleMembers)
{
account = new NTAccount(str);
identifier = (SecurityIdentifier) account.Translate(typeof(SecurityIdentifier));
ace = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, identifier, false, null);
rawAcl.InsertAce(index, ace);
index++;
}
}
if (this.contractRoleMembers != null)
{
foreach (string str2 in this.contractRoleMembers)
{
account = new NTAccount(str2);
identifier = (SecurityIdentifier) account.Translate(typeof(SecurityIdentifier));
ace = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, identifier, false, null);
rawAcl.InsertAce(index, ace);
index++;
}
}
if (this.serviceRoleMembers != null)
{
foreach (string str3 in this.serviceRoleMembers)
{
account = new NTAccount(str3);
identifier = (SecurityIdentifier) account.Translate(typeof(SecurityIdentifier));
ace = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, identifier, false, null);
rawAcl.InsertAce(index, ace);
index++;
}
}
DiscretionaryAcl discretionaryAcl = new DiscretionaryAcl(true, false, rawAcl);
this.securityDescriptor = new CommonSecurityDescriptor(true, false, ControlFlags.DiscretionaryAclPresent, sidAdministrators, sidAdministrators, null, discretionaryAcl);
}
private static byte[] FromSecurityIdentifiersFull(List<SecurityIdentifier> allowedSids, int accessRights)
{
int capacity = (allowedSids == null) ? 3 : (2 + allowedSids.Count);
DiscretionaryAcl discretionaryAcl = new DiscretionaryAcl(false, false, capacity);
discretionaryAcl.AddAccess(AccessControlType.Deny, new SecurityIdentifier(WellKnownSidType.NetworkSid, null), 0x10000000, InheritanceFlags.None, PropagationFlags.None);
int accessMask = GenerateClientAccessRights(accessRights);
if (allowedSids == null)
{
discretionaryAcl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.WorldSid, null), accessMask, InheritanceFlags.None, PropagationFlags.None);
}
else
{
for (int i = 0; i < allowedSids.Count; i++)
{
SecurityIdentifier sid = allowedSids[i];
discretionaryAcl.AddAccess(AccessControlType.Allow, sid, accessMask, InheritanceFlags.None, PropagationFlags.None);
}
}
discretionaryAcl.AddAccess(AccessControlType.Allow, GetProcessLogonSid(), accessRights, InheritanceFlags.None, PropagationFlags.None);
CommonSecurityDescriptor descriptor = new CommonSecurityDescriptor(false, false, ControlFlags.None, null, null, null, discretionaryAcl);
byte[] binaryForm = new byte[descriptor.BinaryLength];
descriptor.GetBinaryForm(binaryForm, 0);
return binaryForm;
}
/// <summary>Initializes a new instance of the <see cref="T:System.Security.AccessControl.CommonSecurityDescriptor" /> class from the specified information.</summary>
/// <param name="isContainer">true if the new security descriptor is associated with a container object.</param>
/// <param name="isDS">true if the new security descriptor is associated with a directory object.</param>
/// <param name="flags">Flags that specify behavior of the new <see cref="T:System.Security.AccessControl.CommonSecurityDescriptor" /> object.</param>
/// <param name="owner">The owner for the new <see cref="T:System.Security.AccessControl.CommonSecurityDescriptor" /> object.</param>
/// <param name="group">The primary group for the new <see cref="T:System.Security.AccessControl.CommonSecurityDescriptor" /> object.</param>
/// <param name="systemAcl">The System Access Control List (SACL) for the new <see cref="T:System.Security.AccessControl.CommonSecurityDescriptor" /> object.</param>
/// <param name="discretionaryAcl">The Discretionary Access Control List (DACL) for the new <see cref="T:System.Security.AccessControl.CommonSecurityDescriptor" /> object.</param>
public CommonSecurityDescriptor(bool isContainer, bool isDS, ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, SystemAcl systemAcl, DiscretionaryAcl discretionaryAcl)
{
this.isContainer = isContainer;
this.isDS = isDS;
this.flags = flags;
this.owner = owner;
this.group = group;
this.systemAcl = systemAcl;
this.discretionaryAcl = discretionaryAcl;
throw new NotImplementedException();
}
public void InheritanceFlagsAreClearedBeforeMergeCheckingWhenNotContainer ()
{
SecurityIdentifier sid = new SecurityIdentifier ("BU");
RawAcl acl = MakeRawAcl (new GenericAce[] {
new CommonAce (AceFlags.ContainerInherit, AceQualifier.AccessAllowed, 1, sid, false, null),
new CommonAce (AceFlags.ObjectInherit, AceQualifier.AccessAllowed, 2, sid, false, null)
});
DiscretionaryAcl dacl = new DiscretionaryAcl (false, false, acl);
Assert.AreEqual (1, dacl.Count);
CommonAce ace = (CommonAce) dacl [0];
Assert.AreEqual (3, ace.AccessMask);
Assert.AreEqual (InheritanceFlags.None, ace.InheritanceFlags);
}
public void InheritanceFlagsDoNotMergeForAccessMasksThatAND ()
{
SecurityIdentifier sid = new SecurityIdentifier ("BU");
RawAcl acl = MakeRawAcl (new GenericAce[] {
new CommonAce (AceFlags.ContainerInherit, AceQualifier.AccessAllowed, 1, sid, false, null),
new CommonAce (AceFlags.ObjectInherit, AceQualifier.AccessAllowed, 3, sid, false, null)
});
DiscretionaryAcl dacl = new DiscretionaryAcl (true, false, acl);
Assert.AreEqual (2, dacl.Count);
}
public void ContiguousRangeSorting ()
{
SecurityIdentifier[] sids = new SecurityIdentifier[] {
new SecurityIdentifier (WellKnownSidType.BuiltinAdministratorsSid, null), // S-1-5-32-544
new SecurityIdentifier (WellKnownSidType.BuiltinUsersSid, null), // S-1-5-32-545
new SecurityIdentifier (WellKnownSidType.WorldSid, null), // S-1-1-0
new SecurityIdentifier ("S-1-5-40"),
new SecurityIdentifier ("S-1-5-30-123"),
new SecurityIdentifier ("S-1-5-32-99"),
new SecurityIdentifier ("S-1-5-23-45-67"),
new SecurityIdentifier ("S-1-5-32-5432"),
new SecurityIdentifier ("S-1-0-2"),
new SecurityIdentifier ("S-1-6-0")
};
GenericAce[] aces = new GenericAce[sids.Length];
for (int i = 0; i < aces.Length; i ++)
aces [i] = new CommonAce (AceFlags.None, AceQualifier.AccessAllowed, 1, sids[i], false, null);
RawAcl acl = MakeRawAcl (aces);
DiscretionaryAcl dacl = new DiscretionaryAcl (false, false, acl);
Assert.IsTrue (dacl.IsCanonical);
Assert.AreEqual (sids[8], ((CommonAce)dacl [0]).SecurityIdentifier); // S-1-0-2
Assert.AreEqual (sids[2], ((CommonAce)dacl [1]).SecurityIdentifier); // S-1-1-0
Assert.AreEqual (sids[3], ((CommonAce)dacl [2]).SecurityIdentifier); // S-1-5-40
Assert.AreEqual (sids[4], ((CommonAce)dacl [3]).SecurityIdentifier); // S-1-5-30-123
Assert.AreEqual (sids[5], ((CommonAce)dacl [4]).SecurityIdentifier); // S-1-5-32-99
Assert.AreEqual (sids[0], ((CommonAce)dacl [5]).SecurityIdentifier); // S-1-5-32-544
Assert.AreEqual (sids[1], ((CommonAce)dacl [6]).SecurityIdentifier); // S-1-5-32-545
Assert.AreEqual (sids[7], ((CommonAce)dacl [7]).SecurityIdentifier); // S-1-5-32-5432
Assert.AreEqual (sids[6], ((CommonAce)dacl [8]).SecurityIdentifier); // S-1-5-23-45-67
Assert.AreEqual (sids[9], ((CommonAce)dacl [9]).SecurityIdentifier); // S-1-6-0
}
private void Persist(string name, SafeHandle handle, AccessControlSections includeSections, object exceptionContext)
{
base.WriteLock();
try
{
SecurityInfos securityInfos = (SecurityInfos)0;
SecurityIdentifier owner = null;
SecurityIdentifier group = null;
SystemAcl sacl = null;
DiscretionaryAcl dacl = null;
if ((includeSections & AccessControlSections.Owner) != AccessControlSections.None && this._securityDescriptor.Owner != null)
{
securityInfos |= SecurityInfos.Owner;
owner = this._securityDescriptor.Owner;
}
if ((includeSections & AccessControlSections.Group) != AccessControlSections.None && this._securityDescriptor.Group != null)
{
securityInfos |= SecurityInfos.Group;
group = this._securityDescriptor.Group;
}
if ((includeSections & AccessControlSections.Audit) != AccessControlSections.None)
{
securityInfos |= SecurityInfos.SystemAcl;
if (this._securityDescriptor.IsSystemAclPresent && this._securityDescriptor.SystemAcl != null && this._securityDescriptor.SystemAcl.Count > 0)
{
sacl = this._securityDescriptor.SystemAcl;
}
else
{
sacl = null;
}
if ((this._securityDescriptor.ControlFlags & ControlFlags.SystemAclProtected) != ControlFlags.None)
{
securityInfos |= (SecurityInfos)this.ProtectedSystemAcl;
}
else
{
securityInfos |= (SecurityInfos)this.UnprotectedSystemAcl;
}
}
if ((includeSections & AccessControlSections.Access) != AccessControlSections.None && this._securityDescriptor.IsDiscretionaryAclPresent)
{
securityInfos |= SecurityInfos.DiscretionaryAcl;
if (this._securityDescriptor.DiscretionaryAcl.EveryOneFullAccessForNullDacl)
{
dacl = null;
}
else
{
dacl = this._securityDescriptor.DiscretionaryAcl;
}
if ((this._securityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclProtected) != ControlFlags.None)
{
securityInfos |= (SecurityInfos)this.ProtectedDiscretionaryAcl;
}
else
{
securityInfos |= (SecurityInfos)this.UnprotectedDiscretionaryAcl;
}
}
if (securityInfos != (SecurityInfos)0)
{
int num = Win32.SetSecurityInfo(this._resourceType, name, handle, securityInfos, owner, group, sacl, dacl);
if (num != 0)
{
Exception ex = null;
if (this._exceptionFromErrorCode != null)
{
ex = this._exceptionFromErrorCode(num, name, handle, exceptionContext);
}
if (ex == null)
{
if (num == 5)
{
ex = new UnauthorizedAccessException();
}
else if (num == 1307)
{
ex = new InvalidOperationException(Environment.GetResourceString("AccessControl_InvalidOwner"));
}
else if (num == 1308)
{
ex = new InvalidOperationException(Environment.GetResourceString("AccessControl_InvalidGroup"));
}
else if (num == 123)
{
ex = new ArgumentException(Environment.GetResourceString("Argument_InvalidName"), "name");
}
else if (num == 6)
{
ex = new NotSupportedException(Environment.GetResourceString("AccessControl_InvalidHandle"));
}
else if (num == 2)
{
ex = new FileNotFoundException();
}
else if (num == 1350)
{
ex = new NotSupportedException(Environment.GetResourceString("AccessControl_NoAssociatedSecurity"));
}
else
{
ex = new InvalidOperationException(Environment.GetResourceString("AccessControl_UnexpectedError", new object[]
{
num
}));
}
}
throw ex;
}
base.OwnerModified = false;
base.GroupModified = false;
base.AccessRulesModified = false;
base.AuditRulesModified = false;
}
}
finally
{
base.WriteUnlock();
}
}
public void PurgeAccessControl(SecurityIdentifier sid)
{
DiscretionaryAcl.Purge(sid);
}
// // Summary: // Initializes a new instance of the System.Security.AccessControl.CommonSecurityDescriptor // class from the specified information. // // Parameters: // isContainer: // true if the new security descriptor is associated with a container object. // // isDS: // true if the new security descriptor is associated with a directory object. // // flags: // Flags that specify behavior of the new System.Security.AccessControl.CommonSecurityDescriptor // object. // // owner: // The owner for the new System.Security.AccessControl.CommonSecurityDescriptor // object. // // group: // The primary group for the new System.Security.AccessControl.CommonSecurityDescriptor // object. // // systemAcl: // The System Access Control List (SACL) for the new System.Security.AccessControl.CommonSecurityDescriptor // object. // // discretionaryAcl: // The Discretionary Access Control List (DACL) for the new System.Security.AccessControl.CommonSecurityDescriptor // object. extern public CommonSecurityDescriptor(bool isContainer, bool isDS, ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, SystemAcl systemAcl, DiscretionaryAcl discretionaryAcl);
private void Button_Click(object sender, RoutedEventArgs e)
{
WindowsIdentity user = WindowsIdentity.GetCurrent();
if (user != null)
{
int length = 0;
IntPtr token = user.Token;
GetTokenInformation(token, TOKEN_INFORMATION_CLASS.TokenDefaultDacl, IntPtr.Zero, 0, out length);
IntPtr TokenInformation = Marshal.AllocHGlobal((int)length);
bool Result = GetTokenInformation(token, TOKEN_INFORMATION_CLASS.TokenDefaultDacl, TokenInformation, (uint)length, out length);
TOKEN_DEFAULT_DACL dacl = (TOKEN_DEFAULT_DACL)Marshal.PtrToStructure(TokenInformation, typeof(TOKEN_DEFAULT_DACL));
ACL acl = (ACL)Marshal.PtrToStructure(dacl.DefaultDacl, typeof(ACL));
byte[] aceArr = new byte[acl.AclSize];
Marshal.Copy(dacl.DefaultDacl, aceArr, 0, acl.AclSize);
RawAcl rawAcl = new RawAcl(aceArr, 0);
DiscretionaryAcl dacl1 = new DiscretionaryAcl(false, false, rawAcl);
string titel = "titel";
AclUIAdapter.EditSecurity(new ServiceSecurityModel(System.Environment.MachineName, titel));
}
}
void Init (bool isContainer, bool isDS,
ControlFlags flags,
SecurityIdentifier owner,
SecurityIdentifier group,
SystemAcl systemAcl,
DiscretionaryAcl discretionaryAcl)
{
this.flags = flags & ~ControlFlags.SystemAclPresent;
this.is_container = isContainer;
this.is_ds = isDS;
Owner = owner;
Group = group;
SystemAcl = systemAcl;
DiscretionaryAcl = discretionaryAcl;
}
public void DoesNotMergeOrEvaluateOrderingForInherited ()
{
SecurityIdentifier sid = new SecurityIdentifier (WellKnownSidType.BuiltinUsersSid, null);
RawAcl acl = MakeRawAcl(new GenericAce[] {
new CommonAce (AceFlags.Inherited, AceQualifier.AccessDenied, 1, sid, false, null),
new CommonAce (AceFlags.Inherited, AceQualifier.AccessAllowed, 2, sid, false, null),
new CommonAce (AceFlags.Inherited, AceQualifier.AccessAllowed, 4, sid, false, null),
new CommonAce (AceFlags.Inherited, AceQualifier.AccessDenied, 8, sid, false, null)
});
DiscretionaryAcl dacl = new DiscretionaryAcl (false, false, acl);
Assert.IsTrue (dacl.IsCanonical);
Assert.AreEqual (4, dacl.Count);
}
private void CreateFromParts(bool isContainer, bool isDS, ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, SystemAcl systemAcl, DiscretionaryAcl discretionaryAcl)
{
if (systemAcl != null &&
systemAcl.IsContainer != isContainer)
{
throw new ArgumentException(
isContainer ?
SR.AccessControl_MustSpecifyContainerAcl :
SR.AccessControl_MustSpecifyLeafObjectAcl,
"systemAcl");
}
if (discretionaryAcl != null &&
discretionaryAcl.IsContainer != isContainer)
{
throw new ArgumentException(
isContainer ?
SR.AccessControl_MustSpecifyContainerAcl :
SR.AccessControl_MustSpecifyLeafObjectAcl,
"discretionaryAcl");
}
_isContainer = isContainer;
if (systemAcl != null &&
systemAcl.IsDS != isDS)
{
throw new ArgumentException(
isDS ?
SR.AccessControl_MustSpecifyDirectoryObjectAcl :
SR.AccessControl_MustSpecifyNonDirectoryObjectAcl,
"systemAcl");
}
if (discretionaryAcl != null &&
discretionaryAcl.IsDS != isDS)
{
throw new ArgumentException(
isDS ?
SR.AccessControl_MustSpecifyDirectoryObjectAcl :
SR.AccessControl_MustSpecifyNonDirectoryObjectAcl,
"discretionaryAcl");
}
_isDS = isDS;
_sacl = systemAcl;
//
// Replace null DACL with an allow-all for everyone DACL
//
if (discretionaryAcl == null)
{
//
// to conform to native behavior, we will add allow everyone ace for DACL
//
discretionaryAcl = DiscretionaryAcl.CreateAllowEveryoneFullAccess(_isDS, _isContainer);
}
_dacl = discretionaryAcl;
//
// DACL is never null. So always set the flag bit on
//
ControlFlags actualFlags = flags | ControlFlags.DiscretionaryAclPresent;
//
// Keep SACL and the flag bit in sync.
//
if (systemAcl == null)
{
unchecked { actualFlags &= ~(ControlFlags.SystemAclPresent); }
}
else
{
actualFlags |= (ControlFlags.SystemAclPresent);
}
_rawSd = new RawSecurityDescriptor(actualFlags, owner, group, systemAcl == null ? null : systemAcl.RawAcl, discretionaryAcl.RawAcl);
}
private void Persist(string name, SafeHandle handle, AccessControlSections includeSections, object exceptionContext)
{
base.WriteLock();
try
{
SecurityInfos securityInformation = 0;
SecurityIdentifier owner = null;
SecurityIdentifier group = null;
SystemAcl sacl = null;
DiscretionaryAcl dacl = null;
if (((includeSections & AccessControlSections.Owner) != AccessControlSections.None) && (base._securityDescriptor.Owner != null))
{
securityInformation |= SecurityInfos.Owner;
owner = base._securityDescriptor.Owner;
}
if (((includeSections & AccessControlSections.Group) != AccessControlSections.None) && (base._securityDescriptor.Group != null))
{
securityInformation |= SecurityInfos.Group;
group = base._securityDescriptor.Group;
}
if ((includeSections & AccessControlSections.Audit) != AccessControlSections.None)
{
securityInformation |= SecurityInfos.SystemAcl;
if ((base._securityDescriptor.IsSystemAclPresent && (base._securityDescriptor.SystemAcl != null)) && (base._securityDescriptor.SystemAcl.Count > 0))
{
sacl = base._securityDescriptor.SystemAcl;
}
else
{
sacl = null;
}
if ((base._securityDescriptor.ControlFlags & ControlFlags.SystemAclProtected) != ControlFlags.None)
{
securityInformation |= (SecurityInfos)this.ProtectedSystemAcl;
}
else
{
securityInformation |= (SecurityInfos)this.UnprotectedSystemAcl;
}
}
if (((includeSections & AccessControlSections.Access) != AccessControlSections.None) && base._securityDescriptor.IsDiscretionaryAclPresent)
{
securityInformation |= SecurityInfos.DiscretionaryAcl;
if (base._securityDescriptor.DiscretionaryAcl.EveryOneFullAccessForNullDacl)
{
dacl = null;
}
else
{
dacl = base._securityDescriptor.DiscretionaryAcl;
}
if ((base._securityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclProtected) != ControlFlags.None)
{
securityInformation |= (SecurityInfos)this.ProtectedDiscretionaryAcl;
}
else
{
securityInformation |= (SecurityInfos)this.UnprotectedDiscretionaryAcl;
}
}
if (securityInformation == 0)
{
return;
}
int errorCode = System.Security.AccessControl.Win32.SetSecurityInfo(this._resourceType, name, handle, securityInformation, owner, group, sacl, dacl);
if (errorCode == 0)
{
goto Label_0249;
}
Exception exception = null;
if (this._exceptionFromErrorCode != null)
{
exception = this._exceptionFromErrorCode(errorCode, name, handle, exceptionContext);
}
if (exception == null)
{
switch (errorCode)
{
case 5:
exception = new UnauthorizedAccessException();
goto Label_0246;
case 0x51b:
exception = new InvalidOperationException(Environment.GetResourceString("AccessControl_InvalidOwner"));
goto Label_0246;
case 0x51c:
exception = new InvalidOperationException(Environment.GetResourceString("AccessControl_InvalidGroup"));
goto Label_0246;
case 0x7b:
exception = new ArgumentException(Environment.GetResourceString("Argument_InvalidName"), "name");
goto Label_0246;
case 6:
exception = new NotSupportedException(Environment.GetResourceString("AccessControl_InvalidHandle"));
goto Label_0246;
case 2:
exception = new FileNotFoundException();
goto Label_0246;
case 0x546:
exception = new NotSupportedException(Environment.GetResourceString("AccessControl_NoAssociatedSecurity"));
goto Label_0246;
}
exception = new InvalidOperationException(Environment.GetResourceString("AccessControl_UnexpectedError", new object[] { errorCode }));
}
Label_0246:
throw exception;
Label_0249:
base.OwnerModified = false;
base.GroupModified = false;
base.AccessRulesModified = false;
base.AuditRulesModified = false;
}
finally
{
base.WriteUnlock();
}
}
//
// Creates a security descriptor explicitly
//
public CommonSecurityDescriptor(bool isContainer, bool isDS, ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, SystemAcl systemAcl, DiscretionaryAcl discretionaryAcl)
{
CreateFromParts(isContainer, isDS, flags, owner, group, systemAcl, discretionaryAcl);
}
// Token: 0x06002071 RID: 8305 RVA: 0x00071BE0 File Offset: 0x0006FDE0
private void CreateFromParts(bool isContainer, bool isDS, ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, SystemAcl systemAcl, DiscretionaryAcl discretionaryAcl)
{
if (systemAcl != null && systemAcl.IsContainer != isContainer)
{
throw new ArgumentException(Environment.GetResourceString(isContainer ? "AccessControl_MustSpecifyContainerAcl" : "AccessControl_MustSpecifyLeafObjectAcl"), "systemAcl");
}
if (discretionaryAcl != null && discretionaryAcl.IsContainer != isContainer)
{
throw new ArgumentException(Environment.GetResourceString(isContainer ? "AccessControl_MustSpecifyContainerAcl" : "AccessControl_MustSpecifyLeafObjectAcl"), "discretionaryAcl");
}
this._isContainer = isContainer;
if (systemAcl != null && systemAcl.IsDS != isDS)
{
throw new ArgumentException(Environment.GetResourceString(isDS ? "AccessControl_MustSpecifyDirectoryObjectAcl" : "AccessControl_MustSpecifyNonDirectoryObjectAcl"), "systemAcl");
}
if (discretionaryAcl != null && discretionaryAcl.IsDS != isDS)
{
throw new ArgumentException(Environment.GetResourceString(isDS ? "AccessControl_MustSpecifyDirectoryObjectAcl" : "AccessControl_MustSpecifyNonDirectoryObjectAcl"), "discretionaryAcl");
}
this._isDS = isDS;
this._sacl = systemAcl;
if (discretionaryAcl == null)
{
discretionaryAcl = DiscretionaryAcl.CreateAllowEveryoneFullAccess(this._isDS, this._isContainer);
}
this._dacl = discretionaryAcl;
ControlFlags controlFlags = flags | ControlFlags.DiscretionaryAclPresent;
if (systemAcl == null)
{
controlFlags &= ~ControlFlags.SystemAclPresent;
}
else
{
controlFlags |= ControlFlags.SystemAclPresent;
}
this._rawSd = new RawSecurityDescriptor(controlFlags, owner, group, (systemAcl == null) ? null : systemAcl.RawAcl, discretionaryAcl.RawAcl);
}
public void EmptyBinaryLengthOK()
{
DiscretionaryAcl dacl = new DiscretionaryAcl (false, false, 0);
Assert.AreEqual (8, dacl.BinaryLength);
}
public void AddDiscretionaryAcl (byte revision, int trusted)
{
DiscretionaryAcl = new DiscretionaryAcl (IsContainer, IsDS, revision, trusted);
flags |= ControlFlags.DiscretionaryAclPresent;
}
//
// Attempts to persist the security descriptor onto the object
//
private void Persist(string name, SafeHandle handle, AccessControlSections includeSections, object exceptionContext)
{
WriteLock();
try
{
int error;
SecurityInfos securityInfo = 0;
SecurityIdentifier owner = null, group = null;
SystemAcl sacl = null;
DiscretionaryAcl dacl = null;
if ((includeSections & AccessControlSections.Owner) != 0 && _securityDescriptor.Owner != null)
{
securityInfo |= SecurityInfos.Owner;
owner = _securityDescriptor.Owner;
}
if ((includeSections & AccessControlSections.Group) != 0 && _securityDescriptor.Group != null)
{
securityInfo |= SecurityInfos.Group;
group = _securityDescriptor.Group;
}
if ((includeSections & AccessControlSections.Audit) != 0)
{
securityInfo |= SecurityInfos.SystemAcl;
if (_securityDescriptor.IsSystemAclPresent &&
_securityDescriptor.SystemAcl != null &&
_securityDescriptor.SystemAcl.Count > 0)
{
sacl = _securityDescriptor.SystemAcl;
}
else
{
sacl = null;
}
if ((_securityDescriptor.ControlFlags & ControlFlags.SystemAclProtected) != 0)
{
securityInfo = (SecurityInfos)((uint)securityInfo | ProtectedSystemAcl);
}
else
{
securityInfo = (SecurityInfos)((uint)securityInfo | UnprotectedSystemAcl);
}
}
if ((includeSections & AccessControlSections.Access) != 0 && _securityDescriptor.IsDiscretionaryAclPresent)
{
securityInfo |= SecurityInfos.DiscretionaryAcl;
// if the DACL is in fact a crafted replaced for NULL replacement, then we will persist it as NULL
if (_securityDescriptor.DiscretionaryAcl.EveryOneFullAccessForNullDacl)
{
dacl = null;
}
else
{
dacl = _securityDescriptor.DiscretionaryAcl;
}
if ((_securityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclProtected) != 0)
{
securityInfo = unchecked ((SecurityInfos)((uint)securityInfo | ProtectedDiscretionaryAcl));
}
else
{
securityInfo = (SecurityInfos)((uint)securityInfo | UnprotectedDiscretionaryAcl);
}
}
if (securityInfo == 0)
{
//
// Nothing to persist
//
return;
}
error = Win32.SetSecurityInfo(_resourceType, name, handle, securityInfo, owner, group, sacl, dacl);
if (error != Interop.Errors.ERROR_SUCCESS)
{
System.Exception exception = null;
if (_exceptionFromErrorCode != null)
{
exception = _exceptionFromErrorCode(error, name, handle, exceptionContext);
}
if (exception == null)
{
if (error == Interop.Errors.ERROR_ACCESS_DENIED)
{
exception = new UnauthorizedAccessException();
}
else if (error == Interop.Errors.ERROR_INVALID_OWNER)
{
exception = new InvalidOperationException(SR.AccessControl_InvalidOwner);
}
else if (error == Interop.Errors.ERROR_INVALID_PRIMARY_GROUP)
{
exception = new InvalidOperationException(SR.AccessControl_InvalidGroup);
}
else if (error == Interop.Errors.ERROR_INVALID_NAME)
{
exception = new ArgumentException(
SR.Argument_InvalidName,
nameof(name));
}
else if (error == Interop.Errors.ERROR_INVALID_HANDLE)
{
exception = new NotSupportedException(SR.AccessControl_InvalidHandle);
}
else if (error == Interop.Errors.ERROR_FILE_NOT_FOUND)
{
exception = new FileNotFoundException();
}
else if (error == Interop.Errors.ERROR_NO_SECURITY_ON_OBJECT)
{
exception = new NotSupportedException(SR.AccessControl_NoAssociatedSecurity);
}
else
{
Debug.Fail($"Unexpected error code {error}");
exception = new InvalidOperationException(SR.Format(SR.AccessControl_UnexpectedError, error));
}
}
throw exception;
}
//
// Everything goes well, let us clean the modified flags.
// We are in proper write lock, so just go ahead
//
this.OwnerModified = false;
this.GroupModified = false;
this.AccessRulesModified = false;
this.AuditRulesModified = false;
}
finally
{
WriteUnlock();
}
}
public void SetterNotSupported ()
{
SecurityIdentifier sid = new SecurityIdentifier (WellKnownSidType.BuiltinUsersSid, null);
RawAcl acl = MakeRawAcl(new GenericAce[] {
new CommonAce (AceFlags.None, AceQualifier.AccessDenied, 1, sid, false, null),
new CommonAce (AceFlags.Inherited, AceQualifier.AccessDenied, 2, sid, false, null),
new CommonAce (AceFlags.Inherited, AceQualifier.AccessAllowed, 4, sid, false, null),
new CommonAce (AceFlags.Inherited, AceQualifier.AccessAllowed, 4, sid, false, null)
});
DiscretionaryAcl dacl = new DiscretionaryAcl (false, false, acl);
Assert.IsTrue (dacl.IsCanonical);
Assert.AreEqual (4, dacl.Count);
bool throws1 = false;
try { dacl[0] = acl[0]; } catch (NotSupportedException) { throws1 = true; }
Assert.IsTrue (throws1);
bool throws2 = false;
try { dacl[0] = acl[2]; } catch (NotSupportedException) { throws2 = true; }
Assert.IsTrue (throws2);
}
public void BinaryRoundtrip ()
{
RawAcl acl = GetRemovesMeaninglessAcesAcl ();
DiscretionaryAcl dacl1 = new DiscretionaryAcl (false, false, acl);
byte[] binaryForm1 = new byte[dacl1.BinaryLength];
dacl1.GetBinaryForm (binaryForm1, 0);
DiscretionaryAcl dacl2 = new DiscretionaryAcl (false, false, new RawAcl (binaryForm1, 0));
byte[] binaryForm2 = new byte[dacl2.BinaryLength];
dacl2.GetBinaryForm (binaryForm2, 0);
Assert.AreEqual (binaryForm1.Length, binaryForm2.Length);
for (int i = 0; i < binaryForm1.Length; i ++)
Assert.AreEqual (binaryForm1 [i], binaryForm2 [i]);
}
private void CreateFromParts(bool isContainer, bool isDS, ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, SystemAcl systemAcl, DiscretionaryAcl discretionaryAcl)
{
if (systemAcl != null &&
systemAcl.IsContainer != isContainer)
{
throw new ArgumentException(
isContainer ?
SR.AccessControl_MustSpecifyContainerAcl :
SR.AccessControl_MustSpecifyLeafObjectAcl,
nameof(systemAcl));
}
if (discretionaryAcl != null &&
discretionaryAcl.IsContainer != isContainer)
{
throw new ArgumentException(
isContainer ?
SR.AccessControl_MustSpecifyContainerAcl :
SR.AccessControl_MustSpecifyLeafObjectAcl,
nameof(discretionaryAcl));
}
_isContainer = isContainer;
if (systemAcl != null &&
systemAcl.IsDS != isDS)
{
throw new ArgumentException(
isDS ?
SR.AccessControl_MustSpecifyDirectoryObjectAcl :
SR.AccessControl_MustSpecifyNonDirectoryObjectAcl,
nameof(systemAcl));
}
if (discretionaryAcl != null &&
discretionaryAcl.IsDS != isDS)
{
throw new ArgumentException(
isDS ?
SR.AccessControl_MustSpecifyDirectoryObjectAcl :
SR.AccessControl_MustSpecifyNonDirectoryObjectAcl,
nameof(discretionaryAcl));
}
_isDS = isDS;
_sacl = systemAcl;
//
// Replace null DACL with an allow-all for everyone DACL
//
if (discretionaryAcl == null)
{
//
// to conform to native behavior, we will add allow everyone ace for DACL
//
discretionaryAcl = DiscretionaryAcl.CreateAllowEveryoneFullAccess(_isDS, _isContainer);
}
_dacl = discretionaryAcl;
//
// DACL is never null. So always set the flag bit on
//
ControlFlags actualFlags = flags | ControlFlags.DiscretionaryAclPresent;
//
// Keep SACL and the flag bit in sync.
//
if (systemAcl == null)
{
unchecked { actualFlags &= ~(ControlFlags.SystemAclPresent); }
}
else
{
actualFlags |= (ControlFlags.SystemAclPresent);
}
_rawSd = new RawSecurityDescriptor(actualFlags, owner, group, systemAcl == null ? null : systemAcl.RawAcl, discretionaryAcl.RawAcl);
}
public void RevisionDSOK ()
{
DiscretionaryAcl dacl = new DiscretionaryAcl(false, true, 0);
Assert.AreEqual (4, dacl.Revision);
}
public void RemovesMeaninglessAces ()
{
RawAcl acl = GetRemovesMeaninglessAcesAcl ();
DiscretionaryAcl dacl1 = new DiscretionaryAcl (false, false, acl);
Assert.IsTrue (dacl1.IsCanonical);
Assert.AreEqual (7, dacl1.Count);
Assert.AreEqual (12, ((KnownAce)dacl1 [0]).AccessMask);
DiscretionaryAcl dacl2 = new DiscretionaryAcl (true, false, acl);
Assert.IsTrue (dacl2.IsCanonical);
Assert.AreEqual (8, dacl2.Count);
Assert.AreEqual (12, ((KnownAce)dacl1 [0]).AccessMask);
}
public void AddDiscretionaryAcl(byte revision, int trusted)
{
DiscretionaryAcl = new DiscretionaryAcl(IsContainer, IsDS, revision, trusted);
flags |= ControlFlags.DiscretionaryAclPresent;
}
