public GetSecurityDescriptorBinaryForm ( ) : byte[] | ||
Résultat | byte[] |
public NativeSecurityAttributes(ObjectSecurity managedSecurityObject, bool inheritHandle) { length = Marshal.SizeOf(typeof(NativeSecurityAttributes)); byte[] binarySecurityDescriptor = managedSecurityObject.GetSecurityDescriptorBinaryForm(); securityDescriptor = Marshal.AllocHGlobal(binarySecurityDescriptor.Length); Marshal.Copy(binarySecurityDescriptor, 0, securityDescriptor, binarySecurityDescriptor.Length); this.inheritHandle = inheritHandle; }
/// <summary>Sort ACEs according to canonical form for this <see cref="ObjectSecurity"/>.</summary> /// <param name="objectSecurity">The object security whose DiscretionaryAcl will be made canonical.</param> public static void CanonicalizeAccessRules(this ObjectSecurity objectSecurity) { if (objectSecurity == null) { throw new ArgumentNullException(nameof(objectSecurity)); } if (objectSecurity.AreAccessRulesCanonical) { return; } // Get raw SD from objectSecurity and canonicalize DACL var sd = new RawSecurityDescriptor(objectSecurity.GetSecurityDescriptorBinaryForm(), 0); sd.DiscretionaryAcl.Canonicalize(); // Convert SD back into objectSecurity objectSecurity.SetSecurityDescriptorBinaryForm(sd.GetBinaryForm()); }
private static SafeGlobalMemoryBufferHandle ToUnmanagedSecurityAttributes(ObjectSecurity securityDescriptor) { if (securityDescriptor == null) return new SafeGlobalMemoryBufferHandle(); byte[] src = securityDescriptor.GetSecurityDescriptorBinaryForm(); var safeBuffer = new SafeGlobalMemoryBufferHandle(src.Length); try { safeBuffer.CopyFrom(src, 0, src.Length); return safeBuffer; } catch { safeBuffer.Close(); throw; } }
private void SetSecurityDescriptor(string path, ObjectSecurity sd, AccessControlSections sections) { byte[] securityDescriptorBinaryForm = sd.GetSecurityDescriptorBinaryForm(); if (Directory.Exists(path)) { DirectorySecurity directorySecurity = new DirectorySecurity(); directorySecurity.SetSecurityDescriptorBinaryForm(securityDescriptorBinaryForm, sections); Directory.SetAccessControl(path, directorySecurity); base.WriteSecurityDescriptorObject(directorySecurity, path); } else { FileSecurity fileSecurity = new FileSecurity(); fileSecurity.SetSecurityDescriptorBinaryForm(securityDescriptorBinaryForm, sections); File.SetAccessControl(path, fileSecurity); base.WriteSecurityDescriptorObject(fileSecurity, path); } }
internal static void SetAccessControlInternal(string path, SafeHandle handle, ObjectSecurity objectSecurity, AccessControlSections includeSections, PathFormat pathFormat) { if (pathFormat == PathFormat.RelativePath) Path.CheckValidPath(path, true, true); if (objectSecurity == null) throw new ArgumentNullException("objectSecurity"); byte[] managedDescriptor = objectSecurity.GetSecurityDescriptorBinaryForm(); using (var safeBuffer = new SafeGlobalMemoryBufferHandle(managedDescriptor.Length)) { string pathLp = Path.GetExtendedLengthPathInternal(null, path, pathFormat, GetFullPathOptions.RemoveTrailingDirectorySeparator | GetFullPathOptions.CheckInvalidPathChars); safeBuffer.CopyFrom(managedDescriptor, 0, managedDescriptor.Length); SecurityDescriptorControl control; uint revision; if (!Security.NativeMethods.GetSecurityDescriptorControl(safeBuffer, out control, out revision)) NativeError.ThrowException(Marshal.GetLastWin32Error(), pathLp); PrivilegeEnabler privilegeEnabler = null; try { var securityInfo = SecurityInformation.None; IntPtr pDacl = IntPtr.Zero; if ((includeSections & AccessControlSections.Access) != 0) { bool daclDefaulted, daclPresent; if (!Security.NativeMethods.GetSecurityDescriptorDacl(safeBuffer, out daclPresent, out pDacl, out daclDefaulted)) NativeError.ThrowException(Marshal.GetLastWin32Error(), pathLp); if (daclPresent) { securityInfo |= SecurityInformation.Dacl; securityInfo |= (control & SecurityDescriptorControl.DaclProtected) != 0 ? SecurityInformation.ProtectedDacl : SecurityInformation.UnprotectedDacl; } } IntPtr pSacl = IntPtr.Zero; if ((includeSections & AccessControlSections.Audit) != 0) { bool saclDefaulted, saclPresent; if (!Security.NativeMethods.GetSecurityDescriptorSacl(safeBuffer, out saclPresent, out pSacl, out saclDefaulted)) NativeError.ThrowException(Marshal.GetLastWin32Error(), pathLp); if (saclPresent) { securityInfo |= SecurityInformation.Sacl; securityInfo |= (control & SecurityDescriptorControl.SaclProtected) != 0 ? SecurityInformation.ProtectedSacl : SecurityInformation.UnprotectedSacl; privilegeEnabler = new PrivilegeEnabler(Privilege.Security); } } IntPtr pOwner = IntPtr.Zero; if ((includeSections & AccessControlSections.Owner) != 0) { bool ownerDefaulted; if (!Security.NativeMethods.GetSecurityDescriptorOwner(safeBuffer, out pOwner, out ownerDefaulted)) NativeError.ThrowException(Marshal.GetLastWin32Error(), pathLp); if (pOwner != IntPtr.Zero) securityInfo |= SecurityInformation.Owner; } IntPtr pGroup = IntPtr.Zero; if ((includeSections & AccessControlSections.Group) != 0) { bool groupDefaulted; if (!Security.NativeMethods.GetSecurityDescriptorGroup(safeBuffer, out pGroup, out groupDefaulted)) NativeError.ThrowException(Marshal.GetLastWin32Error(), pathLp); if (pGroup != IntPtr.Zero) securityInfo |= SecurityInformation.Group; } uint lastError; if (!Utils.IsNullOrWhiteSpace(pathLp)) { // SetNamedSecurityInfo() // In the ANSI version of this function, the name is limited to MAX_PATH characters. // To extend this limit to 32,767 wide characters, call the Unicode version of the function and prepend "\\?\" to the path. // 2013-01-13: MSDN does not confirm LongPath usage but a Unicode version of this function exists. lastError = Security.NativeMethods.SetNamedSecurityInfo(pathLp, ObjectType.FileObject, securityInfo, pOwner, pGroup, pDacl, pSacl); if (lastError != Win32Errors.ERROR_SUCCESS) NativeError.ThrowException(lastError, pathLp); } else if (NativeMethods.IsValidHandle(handle)) { lastError = Security.NativeMethods.SetSecurityInfo(handle, ObjectType.FileObject, securityInfo, pOwner, pGroup, pDacl, pSacl); if (lastError != Win32Errors.ERROR_SUCCESS) NativeError.ThrowException((int)lastError); } } finally { if (privilegeEnabler != null) privilegeEnabler.Dispose(); } } }
} // SetSecurityDescriptor private void SetSecurityDescriptor(string path, ObjectSecurity sd, AccessControlSections sections) { var currentPrivilegeState = new PlatformInvokes.TOKEN_PRIVILEGE(); byte[] securityDescriptorBinary = null; try { // Get the binary form of the descriptor. PlatformInvokes.EnableTokenPrivilege("SeBackupPrivilege", ref currentPrivilegeState); securityDescriptorBinary = sd.GetSecurityDescriptorBinaryForm(); } finally { PlatformInvokes.RestoreTokenPrivilege("SeBackupPrivilege", ref currentPrivilegeState); } try { PlatformInvokes.EnableTokenPrivilege("SeRestorePrivilege", ref currentPrivilegeState); // Transfer it to the new file / directory. // We keep these two code branches so that we can have more // granular information when we ouput the object type via // WriteSecurityDescriptorObject. if (Directory.Exists(path)) { DirectorySecurity newDescriptor = new DirectorySecurity(); newDescriptor.SetSecurityDescriptorBinaryForm(securityDescriptorBinary, sections); new DirectoryInfo(path).SetAccessControl(newDescriptor); WriteSecurityDescriptorObject(newDescriptor, path); } else { FileSecurity newDescriptor = new FileSecurity(); newDescriptor.SetSecurityDescriptorBinaryForm(securityDescriptorBinary, sections); new FileInfo(path).SetAccessControl(newDescriptor); WriteSecurityDescriptorObject(newDescriptor, path); } } finally { PlatformInvokes.RestoreTokenPrivilege("SeRestorePrivilege", ref currentPrivilegeState); } }