public static FileSecurity GetAccessControl(this FileInfo fileInfo, AccessControlSections includeSections)
{
if (fileInfo == null)
throw new ArgumentNullException (nameof (fileInfo));
return fileInfo.GetAccessControl (includeSections);
}
public static DirectorySecurity GetAccessControl(this DirectoryInfo directoryInfo, AccessControlSections includeSections)
{
if (directoryInfo == null)
throw new ArgumentNullException (nameof (directoryInfo));
return directoryInfo.GetAccessControl (includeSections);
}
public ObjectSecurity GetAccessControl(AccessControlSections includeSections)
{
using (this.provider.CurrentPSTransaction)
{
return this.txRegKey.GetAccessControl(includeSections);
}
}
public static RegistrySecurity GetAccessControl (this RegistryKey key, AccessControlSections includeSections)
{
if (key == null)
throw new ArgumentNullException (nameof (key));
return key.GetAccessControl (includeSections);
}
public string GetSddlForm(AccessControlSections includeSections)
{
Contract.Requires(3 < this.BinaryLength);
Contract.Ensures(System.Security.AccessControl.GenericSecurityDescriptor.Revision == 1);
return default(string);
}
/// <summary>
/// Gets the security descriptor for the item specified by <paramref name="path"/>.
/// </summary>
///
/// <param name="path">
/// The path to the item.
/// </param>
///
/// <param name="sections">
/// Specifies the parts of a security descriptor to retrieve.
/// </param>
///
/// <returns>
/// Nothing. An object that represents the security descriptor for the item
/// specified by path is written to the WriteSecurityDescriptorObject method.
/// </returns>
public void GetSecurityDescriptor(string path,
AccessControlSections sections)
{
ObjectSecurity sd = null;
IRegistryWrapper key = null;
// Validate input first.
if (String.IsNullOrEmpty(path))
{
throw PSTraceSource.NewArgumentNullException("path");
}
if ((sections & ~AccessControlSections.All) != 0)
{
throw PSTraceSource.NewArgumentException("sections");
}
path = NormalizePath(path);
key = GetRegkeyForPathWriteIfError(path, false);
if (key != null)
{
try
{
sd = key.GetAccessControl(sections);
}
catch (System.Security.SecurityException e)
{
WriteError(new ErrorRecord(e, e.GetType().FullName, ErrorCategory.PermissionDenied, path));
return;
}
WriteSecurityDescriptorObject(sd, path);
}
}
protected NativeObjectSecurity (bool isContainer,
ResourceType resourceType,
string name,
AccessControlSections includeSections)
: this (isContainer, resourceType, name, includeSections, null, null)
{
}
protected NativeObjectSecurity (bool isContainer,
ResourceType resourceType,
SafeHandle handle,
AccessControlSections includeSections)
: this (isContainer, resourceType, handle, includeSections, null, null)
{
}
private static CommonSecurityDescriptor CreateInternal(ResourceType resourceType, bool isContainer, string name, SafeHandle handle, AccessControlSections includeSections, bool createByName, ExceptionFromErrorCode exceptionFromErrorCode, object exceptionContext)
{
RawSecurityDescriptor descriptor;
if (createByName && (name == null))
{
throw new ArgumentNullException("name");
}
if (!createByName && (handle == null))
{
throw new ArgumentNullException("handle");
}
int errorCode = System.Security.AccessControl.Win32.GetSecurityInfo(resourceType, name, handle, includeSections, out descriptor);
if (errorCode == 0)
{
return new CommonSecurityDescriptor(isContainer, false, descriptor, true);
}
Exception exception = null;
if (exceptionFromErrorCode != null)
{
exception = exceptionFromErrorCode(errorCode, name, handle, exceptionContext);
}
if (exception == null)
{
switch (errorCode)
{
case 5:
exception = new UnauthorizedAccessException();
goto Label_0132;
case 0x51b:
exception = new InvalidOperationException(Environment.GetResourceString("AccessControl_InvalidOwner"));
goto Label_0132;
case 0x51c:
exception = new InvalidOperationException(Environment.GetResourceString("AccessControl_InvalidGroup"));
goto Label_0132;
case 0x57:
exception = new InvalidOperationException(Environment.GetResourceString("AccessControl_UnexpectedError", new object[] { errorCode }));
goto Label_0132;
case 0x7b:
exception = new ArgumentException(Environment.GetResourceString("Argument_InvalidName"), "name");
goto Label_0132;
case 2:
exception = (name == null) ? new FileNotFoundException() : new FileNotFoundException(name);
goto Label_0132;
case 0x546:
exception = new NotSupportedException(Environment.GetResourceString("AccessControl_NoAssociatedSecurity"));
goto Label_0132;
}
exception = new InvalidOperationException(Environment.GetResourceString("AccessControl_UnexpectedError", new object[] { errorCode }));
}
Label_0132:
throw exception;
}
protected NativeObjectSecurity (bool isContainer,
ResourceType resourceType,
SafeHandle handle,
AccessControlSections includeSections,
ExceptionFromErrorCode exceptionFromErrorCode,
object exceptionContext)
: this (isContainer, resourceType, handle, includeSections)
{
}
public static RegistrySecurity GetAccessControl(this RegistryKey key, AccessControlSections includeSections)
{
if (key.Handle == null)
{
throw new ObjectDisposedException(key.Name, SR.ObjectDisposed_RegKeyClosed);
}
return new RegistrySecurity(key.Handle, key.Name, includeSections);
}
internal FileSecurity(SafeFileHandle handle, string fullPath, AccessControlSections includeSections) : base(false, handle, includeSections, false)
{
if (fullPath != null)
{
new FileIOPermission(FileIOPermissionAccess.NoAccess, AccessControlActions.View, fullPath).Demand();
}
else
{
new FileIOPermission(PermissionState.Unrestricted).Demand();
}
}
private static bool TryGetFileSecurity(string path, AccessControlSections sectionsNeeded,
out FileSystemSecurity security)
{
var exists = false;
security = null;
if (File.Exists(path))
{
exists = true;
security = File.GetAccessControl(path, sectionsNeeded);
}
return exists;
}
private bool TryGetDirectorySecurity(string path, AccessControlSections sectionsNeeded,
out FileSystemSecurity security)
{
var exists = false;
security = null;
if (Directory.Exists(path))
{
exists = true;
security = Directory.GetAccessControl(path, sectionsNeeded);
}
return exists;
}
} // GetPermissionProviderInstance
#endregion private methods
#region GetSecurityDescriptor
/// <summary>
/// Gets the security descriptor from the specified item.
/// </summary>
///
/// <param name="path">
/// The path to the item to retrieve the security descriptor from.
/// </param>
///
/// <param name="sections">
/// Specifies the parts of a security descriptor to retrieve.
/// </param>
///
/// <returns>
/// The security descriptor for the item at the specified path.
/// </returns>
///
internal Collection<PSObject> GetSecurityDescriptor(string path,
AccessControlSections sections)
{
if (path == null)
{
throw PSTraceSource.NewArgumentNullException("path");
}
CmdletProviderContext context = new CmdletProviderContext(this.ExecutionContext);
GetSecurityDescriptor(path, sections, context);
context.ThrowFirstErrorOrDoNothing();
Collection<PSObject> contextResults = context.GetAccumulatedObjects() ?? new Collection<PSObject>();
return contextResults;
} // GetSecurityDescriptor
/// <summary>
/// Internal wrapper for the GetSecurityDescriptor protected method. This method will
/// only be called if the provider implements the ISecurityDescriptorCmdletProvider interface.
/// </summary>
///
/// <param name="path">
/// The path to the item to retrieve the security descriptor from.
/// </param>
///
/// <param name="sections">
/// Specifies the parts of a security descriptor to retrieve.
/// </param>
///
/// <param name="context">
/// The context under which this method is being called.
/// </param>
///
/// <returns>
/// Nothing. An instance of an object that represents the security descriptor
/// for the item specified by the path should be written to the context.
/// </returns>
///
internal void GetSecurityDescriptor(
string path,
AccessControlSections sections,
CmdletProviderContext context)
{
Context = context;
ISecurityDescriptorCmdletProvider permissionProvider = this as ISecurityDescriptorCmdletProvider;
//
// if this is not supported, the fn will throw
//
CheckIfSecurityDescriptorInterfaceIsSupported(permissionProvider);
// Call interface method
permissionProvider.GetSecurityDescriptor(path, sections);
} // GetSecurityDescriptor
/// <summary>
/// Gets the SecurityDescriptor at the specified path, including only the specified
/// AccessControlSections.
/// </summary>
///
/// <param name="path">
/// The path of the item to retrieve. It may be a drive or provider-qualified path and may include.
/// glob characters.
/// </param>
///
/// <param name="sections">
/// The sections of the security descriptor to include.
/// </param>
///
/// <returns>
/// Nothing. An object that represents the security descriptor for the item
/// specified by path is written to the context's pipeline.
/// </returns>
///
/// <exception cref="System.ArgumentException">
/// path is null or empty.
/// path doesn't exist
/// sections is not valid.
/// </exception>
public void GetSecurityDescriptor(string path,
AccessControlSections sections)
{
ObjectSecurity sd = null;
path = NormalizePath(path);
if (String.IsNullOrEmpty(path))
{
throw PSTraceSource.NewArgumentNullException("path");
}
if ((sections & ~AccessControlSections.All) != 0)
{
throw PSTraceSource.NewArgumentException("sections");
}
var currentPrivilegeState = new PlatformInvokes.TOKEN_PRIVILEGE();
try
{
PlatformInvokes.EnableTokenPrivilege("SeBackupPrivilege", ref currentPrivilegeState);
if (Directory.Exists(path))
{
sd = new DirectorySecurity(path, sections);
}
else
{
sd = new FileSecurity(path, sections);
}
}
catch (System.Security.SecurityException e)
{
WriteError(new ErrorRecord(e, e.GetType().FullName, ErrorCategory.PermissionDenied, path));
}
finally
{
PlatformInvokes.RestoreTokenPrivilege("SeBackupPrivilege", ref currentPrivilegeState);
}
WriteSecurityDescriptorObject(sd, path);
}
/// <inheritdoc />
public DirectorySecurity GetAccessControl(string path, AccessControlSections includeSections)
{
return(this.SurroundWithExtension(() => System.IO.Directory.GetAccessControl(path, includeSections), path, includeSections));
}
public void SetSecurityDescriptorSddlForm(string sddlForm, AccessControlSections includeSections)
{
}
public DirectorySecurity(string name, AccessControlSections includeSections)
{
}
public GenericSecurity(
bool isContainer, ResourceType resType, SafeHandle objectHandle,
AccessControlSections sectionsRequested)
: base(isContainer, resType, objectHandle, sectionsRequested)
{
}
public FileSecurity GetAccessControl(AccessControlSections includeSections)
{
return(File.GetAccessControlCore <FileSecurity>(false, LongFullName, includeSections, PathFormat.LongFullPath));
}
internal FileSystemSecurity(bool isContainer, SafeFileHandle?handle, AccessControlSections includeSections, bool isDirectory)
: base(isContainer, s_ResourceType, handle, includeSections, _HandleErrorCode, isDirectory)
{
}
internal FileSystemSecurity(bool isContainer, string name, AccessControlSections includeSections, bool isDirectory)
: base(isContainer, s_ResourceType, PathInternal.EnsureExtendedPrefixIfNeeded(Path.GetFullPath(name)), includeSections, _HandleErrorCode, isDirectory)
{
}
internal FileSystemSecurity(bool isContainer, string name, AccessControlSections includeSections, bool isDirectory) : base(isContainer, ResourceType.FileObject, name, includeSections, new NativeObjectSecurity.ExceptionFromErrorCode(FileSystemSecurity._HandleErrorCode), isDirectory)
{
}
//
// Wrapper around advapi32.GetSecurityInfo
//
internal static unsafe int GetSecurityInfo(
ResourceType resourceType,
string?name,
SafeHandle?handle,
AccessControlSections accessControlSections,
out RawSecurityDescriptor?resultSd
)
{
resultSd = null;
int errorCode;
IntPtr SidOwner, SidGroup, Dacl, Sacl, ByteArray;
SecurityInfos SecurityInfos = 0;
Privilege? privilege = null;
if ((accessControlSections & AccessControlSections.Owner) != 0)
{
SecurityInfos |= SecurityInfos.Owner;
}
if ((accessControlSections & AccessControlSections.Group) != 0)
{
SecurityInfos |= SecurityInfos.Group;
}
if ((accessControlSections & AccessControlSections.Access) != 0)
{
SecurityInfos |= SecurityInfos.DiscretionaryAcl;
}
if ((accessControlSections & AccessControlSections.Audit) != 0)
{
SecurityInfos |= SecurityInfos.SystemAcl;
privilege = new Privilege(Privilege.Security);
}
try
{
if (privilege != null)
{
try
{
privilege.Enable();
}
catch (PrivilegeNotHeldException)
{
// we will ignore this exception and press on just in case this is a remote resource
}
}
if (name != null)
{
errorCode = (int)Interop.Advapi32.GetSecurityInfoByName(name, (uint)resourceType, (uint)SecurityInfos, out SidOwner, out SidGroup, out Dacl, out Sacl, out ByteArray);
}
else if (handle != null)
{
if (handle.IsInvalid)
{
throw new ArgumentException(
SR.Argument_InvalidSafeHandle,
nameof(handle));
}
else
{
errorCode = (int)Interop.Advapi32.GetSecurityInfoByHandle(handle, (uint)resourceType, (uint)SecurityInfos, &SidOwner, &SidGroup, &Dacl, &Sacl, &ByteArray);
}
}
else
{
// both are null, shouldn't happen
// Changing from SystemException to ArgumentException as this code path is indicative of a null name argument
// as well as an accessControlSections argument with an audit flag
throw new ArgumentException();
}
if (errorCode == Interop.Errors.ERROR_SUCCESS && IntPtr.Zero.Equals(ByteArray))
{
//
// This means that the object doesn't have a security descriptor. And thus we throw
// a specific exception for the caller to catch and handle properly.
//
throw new InvalidOperationException(SR.InvalidOperation_NoSecurityDescriptor);
}
else if (errorCode == Interop.Errors.ERROR_NOT_ALL_ASSIGNED ||
errorCode == Interop.Errors.ERROR_PRIVILEGE_NOT_HELD)
{
throw new PrivilegeNotHeldException(Privilege.Security);
}
else if (errorCode == Interop.Errors.ERROR_ACCESS_DENIED ||
errorCode == Interop.Errors.ERROR_CANT_OPEN_ANONYMOUS)
{
throw new UnauthorizedAccessException();
}
if (errorCode != Interop.Errors.ERROR_SUCCESS)
{
goto Error;
}
}
catch
{
// protection against exception filter-based luring attacks
privilege?.Revert();
throw;
}
finally
{
privilege?.Revert();
}
//
// Extract data from the returned pointer
//
uint Length = Interop.Advapi32.GetSecurityDescriptorLength(ByteArray);
byte[] BinaryForm = new byte[Length];
Marshal.Copy(ByteArray, BinaryForm, 0, (int)Length);
Marshal.FreeHGlobal(ByteArray);
resultSd = new RawSecurityDescriptor(BinaryForm, 0);
return(Interop.Errors.ERROR_SUCCESS);
Error:
if (errorCode == Interop.Errors.ERROR_NOT_ENOUGH_MEMORY)
{
throw new OutOfMemoryException();
}
return(errorCode);
}
public NtStatus SetFileSecurity(string fileName, FileSystemSecurity security, AccessControlSections sections,
DokanFileInfo info)
{
return(DokanResult.Error);
}
public NtStatus GetFileSecurity(string fileName, out FileSystemSecurity security, AccessControlSections sections, DokanFileInfo info)
{
security = (FileSystemSecurity)null;
return(NtStatus.NoSuchPrivilege);
}
public override DirectorySecurity GetAccessControl(AccessControlSections includeSections)
{
return(instance.GetAccessControl(includeSections));
}
public override FileSecurity GetAccessControl(string path, AccessControlSections includeSections)
{
return(new FileInfo(path).GetAccessControl(includeSections));
}
internal RegistrySecurity(SafeRegistryHandle hKey, string name, AccessControlSections includeSections)
: base(true, ResourceType.RegistryKey, hKey, includeSections, _HandleErrorCode, null)
{
}
public NtStatus GetFileSecurity(string fileName, out FileSystemSecurity security, AccessControlSections sections,
DokanFileInfo info)
{
OnFileRead(fileName);
try
{
security = info.IsDirectory
? (FileSystemSecurity)Directory.GetAccessControl(GetPath(fileName))
: File.GetAccessControl(GetPath(fileName));
return(Trace(nameof(GetFileSecurity), fileName, info, DokanResult.Success, sections.ToString()));
}
catch (UnauthorizedAccessException)
{
security = null;
return(Trace(nameof(GetFileSecurity), fileName, info, DokanResult.AccessDenied, sections.ToString()));
}
}
new public void Persist(SafeHandle handle, AccessControlSections includeSections)
{
base.Persist(handle, includeSections);
}
internal static T GetAccessControlCore <T>(bool isFolder, string path, AccessControlSections includeSections, PathFormat pathFormat)
{
SecurityInformation securityInfo = 0;
PrivilegeEnabler privilegeEnabler = null;
if ((includeSections & AccessControlSections.Access) != 0)
{
securityInfo |= SecurityInformation.Dacl;
}
if ((includeSections & AccessControlSections.Group) != 0)
{
securityInfo |= SecurityInformation.Group;
}
if ((includeSections & AccessControlSections.Owner) != 0)
{
securityInfo |= SecurityInformation.Owner;
}
if ((includeSections & AccessControlSections.Audit) != 0)
{
// We need the SE_SECURITY_NAME privilege enabled to be able to get the
// SACL descriptor. So we enable it here for the remainder of this function.
privilegeEnabler = new PrivilegeEnabler(Privilege.Security);
securityInfo |= SecurityInformation.Sacl;
}
using (privilegeEnabler)
{
string pathLp = Path.GetExtendedLengthPathCore(null, path, pathFormat, GetFullPathOptions.RemoveTrailingDirectorySeparator | GetFullPathOptions.FullCheck);
IntPtr pSidOwner, pSidGroup, pDacl, pSacl;
SafeGlobalMemoryBufferHandle pSecurityDescriptor;
ObjectSecurity objectSecurity;
uint lastError = Security.NativeMethods.GetNamedSecurityInfo(pathLp, ObjectType.FileObject, securityInfo, out pSidOwner, out pSidGroup, out pDacl, out pSacl, out pSecurityDescriptor);
try
{
if (lastError == Win32Errors.ERROR_FILE_NOT_FOUND || lastError == Win32Errors.ERROR_PATH_NOT_FOUND)
{
lastError = (isFolder ? Win32Errors.ERROR_PATH_NOT_FOUND : Win32Errors.ERROR_FILE_NOT_FOUND);
}
// If the function fails, the return value is zero.
if (lastError != Win32Errors.ERROR_SUCCESS)
{
NativeError.ThrowException(lastError, pathLp);
}
if (!NativeMethods.IsValidHandle(pSecurityDescriptor, false))
{
throw new IOException(Resources.Returned_Invalid_Security_Descriptor);
}
uint length = Security.NativeMethods.GetSecurityDescriptorLength(pSecurityDescriptor);
// Seems not to work: Method .CopyTo: length > Capacity, so an Exception is thrown.
//byte[] managedBuffer = new byte[length];
//pSecurityDescriptor.CopyTo(managedBuffer, 0, (int) length);
byte[] managedBuffer = pSecurityDescriptor.ToByteArray(0, (int)length);
objectSecurity = (isFolder) ? (ObjectSecurity) new DirectorySecurity() : new FileSecurity();
objectSecurity.SetSecurityDescriptorBinaryForm(managedBuffer);
}
finally
{
if (pSecurityDescriptor != null)
{
pSecurityDescriptor.Close();
}
}
return((T)(object)objectSecurity);
}
}
/// <summary>
/// Sets the security of a file or directory object.
/// </summary>
/// <param name="fileName">File path requested by the Kernel on the FileSystem.</param>
/// <param name="security">A FileSystemSecurity with security information to set.</param>
/// <param name="sections">A AccessControlSections with access sections on which.</param>
/// <param name="info">An IDokanFileInfo with information about the file or directory.</param>
/// <returns>NtStatus or DokanResult appropriate to the request result.</returns>
public NtStatus SetFileSecurity(string fileName, FileSystemSecurity security, AccessControlSections sections, IDokanFileInfo info)
{
// TODO implement SetFileSecurity
return(NtStatus.Success);
}
protected NativeObjectSecurity(bool isContainer, ResourceType resourceType, string name, AccessControlSections includeSections);
/// <summary>
/// Get specified information about the security of a file or directory.
///
/// If NtStatus.NotImplemented is returned, dokan library will handle the request by building a sddl of the current process user with authenticate user rights for context menu.
/// </summary>
/// <param name="fileName">File or directory name.</param>
/// <param name="security">A FileSystemSecurity with security information to return.</param>
/// <param name="sections">A AccessControlSections with access sections to return.</param>
/// <param name="info">An IDokanFileInfo with information about the file or directory.</param>
/// <returns></returns>
public NtStatus GetFileSecurity(string fileName, out FileSystemSecurity security, AccessControlSections sections, IDokanFileInfo info)
{
// TODO implement GetFileSecurity
security = new DirectorySecurity(); // FileSecurity
return(NtStatus.Success);
}
protected sealed override void Persist(SafeHandle handle, AccessControlSections includeSections);
public void SetSecurityDescriptorBinaryForm(byte[] binaryForm, AccessControlSections includeSections)
{
}
protected sealed override void Persist(string name, AccessControlSections includeSections);
public string GetSecurityDescriptorSddlForm(AccessControlSections includeSections)
{
}
public string GetSecurityDescriptorSddlForm(AccessControlSections includeSections);
protected virtual void Persist(SafeHandle handle, AccessControlSections includeSections);
public void SetSecurityDescriptorBinaryForm(byte[] binaryForm, AccessControlSections includeSections);
public NtStatus SetFileSecurity(string fileName, FileSystemSecurity security, AccessControlSections sections,
DokanFileInfo info)
{
OnFileChanged(fileName);
try
{
if (info.IsDirectory)
{
Directory.SetAccessControl(GetPath(fileName), (DirectorySecurity)security);
}
else
{
File.SetAccessControl(GetPath(fileName), (FileSecurity)security);
}
return(Trace(nameof(SetFileSecurity), fileName, info, DokanResult.Success, sections.ToString()));
}
catch (UnauthorizedAccessException)
{
return(Trace(nameof(SetFileSecurity), fileName, info, DokanResult.AccessDenied, sections.ToString()));
}
}
public static FileSecurity GetAccessControl(string path, AccessControlSections includeSections)
{
return(GetAccessControlCore <FileSecurity>(false, path, includeSections, PathFormat.RelativePath));
}
protected NativeObjectSecurity(bool isContainer, ResourceType resourceType, SafeHandle handle, AccessControlSections includeSections);
public DirectorySecurity GetAccessControl(AccessControlSections includeSections)
{
return(Directory.GetAccessControl(base.FullPath, includeSections));
}
protected NativeObjectSecurity(bool isContainer, ResourceType resourceType, string name, AccessControlSections includeSections, NativeObjectSecurity.ExceptionFromErrorCode exceptionFromErrorCode, object exceptionContext);
public override NtStatus SetFileSecurity(string fileName, FileSystemSecurity security, AccessControlSections sections, DokanFileInfo info)
{
return(NtStatus.DiskFull);
}
protected void Persist(SafeHandle handle, AccessControlSections includeSections, object exceptionContext);
public abstract FileSecurity GetAccessControl(string path, AccessControlSections includeSections);
protected void Persist(string name, AccessControlSections includeSections, object exceptionContext);
internal PipeSecurity(SafeHandle handle, AccessControlSections includeSections)
: base(false, ResourceType.FileObject, handle, includeSections)
{
}
protected virtual void Persist(bool enableOwnershipPrivilege, string name, AccessControlSections includeSections);
public PipeSecurity(string pipeName, AccessControlSections sectionsRequested)
: base("\\\\.\\pipe\\" + pipeName, ResourceType.FileObject, sectionsRequested, false)
{
}
protected virtual void Persist(string name, AccessControlSections includeSections);
public PipeSecurity(IntPtr pipeHandle, AccessControlSections sectionsRequested)
: base(BaseSecurity.GetReadHandle(pipeHandle), ResourceType.FileObject, sectionsRequested, false)
{
}
public void SetSecurityDescriptorSddlForm(string sddlForm, AccessControlSections includeSections);
public static DirectorySecurity GetAccessControl(string path, AccessControlSections includeSections)
{
throw new PlatformNotSupportedException();
}