protected NativeObjectSecurity(bool isContainer, ResourceType resourceType, string name, AccessControlSections includeSections, NativeObjectSecurity.ExceptionFromErrorCode exceptionFromErrorCode, object exceptionContext);
/// <summary> /// Canonicalize the Dacl /// </summary> /// <param name="objectSecurity"></param> public static void CanonicalizeDacl(NativeObjectSecurity objectSecurity) { if (objectSecurity.AreAccessRulesCanonical) { return; } // A canonical ACL must have ACES sorted according to the following order: // 1. Access-denied on the object // 2. Access-denied on a child or property // 3. Access-allowed on the object // 4. Access-allowed on a child or property // 5. All inherited ACEs RawSecurityDescriptor descriptor = new RawSecurityDescriptor(objectSecurity.GetSecurityDescriptorSddlForm(AccessControlSections.Access)); var explicitDenyDacl = new List <CommonAce>(); var explicitDenyObjectDacl = new List <CommonAce>(); var inheritedDacl = new List <CommonAce>(); var explicitAllowDacl = new List <CommonAce>(); var explicitAllowObjectDacl = new List <CommonAce>(); foreach (CommonAce ace in descriptor.DiscretionaryAcl) { if ((ace.AceFlags & AceFlags.Inherited) == AceFlags.Inherited) { inheritedDacl.Add(ace); } else { switch (ace.AceType) { case AceType.AccessAllowed: explicitAllowDacl.Add(ace); break; case AceType.AccessDenied: explicitDenyDacl.Add(ace); break; case AceType.AccessAllowedObject: explicitAllowObjectDacl.Add(ace); break; case AceType.AccessDeniedObject: explicitDenyObjectDacl.Add(ace); break; } } } int aceIndex = 0; var newDacl = new RawAcl(descriptor.DiscretionaryAcl.Revision, descriptor.DiscretionaryAcl.Count); explicitDenyDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x)); explicitDenyObjectDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x)); explicitAllowDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x)); explicitAllowObjectDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x)); inheritedDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x)); if (aceIndex != descriptor.DiscretionaryAcl.Count) { throw new InvalidOperationException("The Dacl cannot be canonicalized since it would potentially result in a loss of information"); } descriptor.DiscretionaryAcl = newDacl; objectSecurity.SetSecurityDescriptorSddlForm(descriptor.GetSddlForm(AccessControlSections.Access), AccessControlSections.Access); }
protected NativeObjectSecurity(bool isContainer, ResourceType resourceType, NativeObjectSecurity.ExceptionFromErrorCode exceptionFromErrorCode, object exceptionContext);
internal static void SetSecurityInfo(SafeHandle handle, NativeMethods.SE_OBJECT_TYPE objectType, NativeObjectSecurity fileSecurity) { byte[] managedDescriptor = fileSecurity.GetSecurityDescriptorBinaryForm(); using (SafeGlobalMemoryBufferHandle hDescriptor = new SafeGlobalMemoryBufferHandle(managedDescriptor.Length)) { hDescriptor.CopyFrom(managedDescriptor, 0, managedDescriptor.Length); NativeMethods.SECURITY_DESCRIPTOR_CONTROL control; uint revision; if (!NativeMethods.GetSecurityDescriptorControl(hDescriptor, out control, out revision)) { NativeError.ThrowException(); } IntPtr pDacl; bool daclDefaulted, daclPresent; if (!NativeMethods.GetSecurityDescriptorDacl(hDescriptor, out daclPresent, out pDacl, out daclDefaulted)) { NativeError.ThrowException(); } IntPtr pSacl; bool saclDefaulted, saclPresent; if (!NativeMethods.GetSecurityDescriptorSacl(hDescriptor, out saclPresent, out pSacl, out saclDefaulted)) { NativeError.ThrowException(); } IntPtr pOwner; bool ownerDefaulted; if (!NativeMethods.GetSecurityDescriptorOwner(hDescriptor, out pOwner, out ownerDefaulted)) { NativeError.ThrowException(); } IntPtr pGroup; bool GroupDefaulted; if (!NativeMethods.GetSecurityDescriptorGroup(hDescriptor, out pGroup, out GroupDefaulted)) { NativeError.ThrowException(); } PrivilegeEnabler privilegeEnabler = null; try { NativeMethods.SECURITY_INFORMATION info = 0; if (daclPresent) { info |= NativeMethods.SECURITY_INFORMATION.DACL_SECURITY_INFORMATION; if ((control & NativeMethods.SECURITY_DESCRIPTOR_CONTROL.SE_DACL_PROTECTED) != 0) { info |= NativeMethods.SECURITY_INFORMATION.PROTECTED_DACL_SECURITY_INFORMATION; } else { info |= NativeMethods.SECURITY_INFORMATION.UNPROTECTED_DACL_SECURITY_INFORMATION; } } if (saclPresent) { info |= NativeMethods.SECURITY_INFORMATION.SACL_SECURITY_INFORMATION; if ((control & NativeMethods.SECURITY_DESCRIPTOR_CONTROL.SE_SACL_PROTECTED) != 0) { info |= NativeMethods.SECURITY_INFORMATION.PROTECTED_SACL_SECURITY_INFORMATION; } else { info |= NativeMethods.SECURITY_INFORMATION.UNPROTECTED_SACL_SECURITY_INFORMATION; } privilegeEnabler = new PrivilegeEnabler(Privilege.Security); } if (pOwner != IntPtr.Zero) { info |= NativeMethods.SECURITY_INFORMATION.OWNER_SECURITY_INFORMATION; } if (pGroup != IntPtr.Zero) { info |= NativeMethods.SECURITY_INFORMATION.GROUP_SECURITY_INFORMATION; } uint errorCode = NativeMethods.SetSecurityInfo(handle, objectType, info, pOwner, pGroup, pDacl, pSacl); if (errorCode != 0) { NativeError.ThrowException((int)errorCode); } } finally { if (privilegeEnabler != null) { privilegeEnabler.Dispose(); } } } }