public AddAccess ( System accessType, System sid, System rule ) : void | ||
accessType | System | |
sid | System | |
rule | System | |
return | void |
internal static DiscretionaryAcl CreateAllowEveryoneFullAccess(bool isDS, bool isContainer) { DiscretionaryAcl acl = new DiscretionaryAcl(isContainer, isDS, 1); acl.AddAccess(AccessControlType.Allow, _sidEveryone, -1, isContainer ? (InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit) : InheritanceFlags.None, PropagationFlags.None); acl.everyOneFullAccessForNullDacl = true; return acl; }
static IpcStore() { var dacl = new DiscretionaryAcl(false, false, 1); dacl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.CreatorOwnerSid, null), -1, InheritanceFlags.None, PropagationFlags.None); dacl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null), -1, InheritanceFlags.None, PropagationFlags.None); dacl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null), -1, InheritanceFlags.None, PropagationFlags.None); IpcAcl = new CommonSecurityDescriptor(false, false, ControlFlags.GroupDefaulted | ControlFlags.OwnerDefaulted | ControlFlags.DiscretionaryAclPresent, null, null, null, dacl); }
internal static CommonSecurityDescriptor CreateSecurityDescriptor(SecurityIdentifier userSid) { SecurityIdentifier sid = new SecurityIdentifier(networkSidSddlForm); DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 1); // Deny all access to NetworkSid dacl.AddAccess(AccessControlType.Deny, sid, -1, InheritanceFlags.None, PropagationFlags.None); if (userSid != null) dacl.AddAccess(AccessControlType.Allow, userSid, -1, InheritanceFlags.None, PropagationFlags.None); // Add access to the current user creating the pipe dacl.AddAccess(AccessControlType.Allow, WindowsIdentity.GetCurrent().User, -1, InheritanceFlags.None, PropagationFlags.None); // Initialize and return the CommonSecurityDescriptor return new CommonSecurityDescriptor(false, false, ControlFlags.OwnerDefaulted | ControlFlags.GroupDefaulted | ControlFlags.DiscretionaryAclPresent, null, null, null, dacl);; }
public void AddAccessObjectAceNonDSFailsEvenIfObjectAceFlagsNoneImplyingCommonAce () { SecurityIdentifier sid = new SecurityIdentifier ("BA"); DiscretionaryAcl dacl = new DiscretionaryAcl (false, false, 0); dacl.AddAccess (AccessControlType.Allow, sid, 1, InheritanceFlags.None, PropagationFlags.None, ObjectAceFlags.None, Guid.Empty, Guid.Empty); }
// Token: 0x06001EF7 RID: 7927 RVA: 0x0006D054 File Offset: 0x0006B254 internal static DiscretionaryAcl CreateAllowEveryoneFullAccess(bool isDS, bool isContainer) { DiscretionaryAcl discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, 1); discretionaryAcl.AddAccess(AccessControlType.Allow, DiscretionaryAcl._sidEveryone, -1, isContainer ? (InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit) : InheritanceFlags.None, PropagationFlags.None); discretionaryAcl.everyOneFullAccessForNullDacl = true; return(discretionaryAcl); }
private static void EditDacl(DiscretionaryAcl dacl, SecurityIdentifier account, int right, bool add) { if (add) { dacl.AddAccess(AccessControlType.Allow, account, right, InheritanceFlags.None, PropagationFlags.None); } else { dacl.RemoveAccess(AccessControlType.Allow, account, right, InheritanceFlags.None, PropagationFlags.None); } }
public void AddAccessCommonAce () { SecurityIdentifier sid = new SecurityIdentifier ("BA"); DiscretionaryAcl dacl = new DiscretionaryAcl (false, false, 0); dacl.AddAccess (AccessControlType.Allow, sid, 1, InheritanceFlags.None, PropagationFlags.None); Assert.AreEqual (1, dacl.Count); CommonAce ace = (CommonAce)dacl[0]; Assert.AreEqual (1, ace.AccessMask); Assert.AreEqual ("S-1-5-32-544", ace.SecurityIdentifier.Value); Assert.IsFalse (ace.IsInherited); }
public void AddAccessFailsOnNonCanonical () { SecurityIdentifier sid = new SecurityIdentifier ("BU"); RawAcl acl = new RawAcl (RawAcl.AclRevision, 0); acl.InsertAce (0, new CommonAce (AceFlags.None, AceQualifier.AccessAllowed, 1, sid, false, null)); acl.InsertAce (1, new CommonAce (AceFlags.None, AceQualifier.AccessDenied, 1, sid, false, null)); DiscretionaryAcl dacl = new DiscretionaryAcl (false, false, acl); Assert.IsFalse (dacl.IsCanonical); Assert.AreEqual (2, dacl.Count); dacl.AddAccess (AccessControlType.Allow, sid, 1, InheritanceFlags.None, PropagationFlags.None); }
private static byte[] FromSecurityIdentifiersFull(List<SecurityIdentifier> allowedSids, int accessRights) { int capacity = (allowedSids == null) ? 3 : (2 + allowedSids.Count); DiscretionaryAcl discretionaryAcl = new DiscretionaryAcl(false, false, capacity); discretionaryAcl.AddAccess(AccessControlType.Deny, new SecurityIdentifier(WellKnownSidType.NetworkSid, null), 0x10000000, InheritanceFlags.None, PropagationFlags.None); int accessMask = GenerateClientAccessRights(accessRights); if (allowedSids == null) { discretionaryAcl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.WorldSid, null), accessMask, InheritanceFlags.None, PropagationFlags.None); } else { for (int i = 0; i < allowedSids.Count; i++) { SecurityIdentifier sid = allowedSids[i]; discretionaryAcl.AddAccess(AccessControlType.Allow, sid, accessMask, InheritanceFlags.None, PropagationFlags.None); } } discretionaryAcl.AddAccess(AccessControlType.Allow, GetProcessLogonSid(), accessRights, InheritanceFlags.None, PropagationFlags.None); CommonSecurityDescriptor descriptor = new CommonSecurityDescriptor(false, false, ControlFlags.None, null, null, null, discretionaryAcl); byte[] binaryForm = new byte[descriptor.BinaryLength]; descriptor.GetBinaryForm(binaryForm, 0); return binaryForm; }
internal static DiscretionaryAcl CreateAllowEveryoneFullAccess(bool isDS, bool isContainer) { DiscretionaryAcl discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, 1); int num1 = 0; SecurityIdentifier sid = DiscretionaryAcl._sidEveryone; int accessMask = -1; int num2 = isContainer ? 3 : 0; int num3 = 0; discretionaryAcl.AddAccess((AccessControlType)num1, sid, accessMask, (InheritanceFlags)num2, (PropagationFlags)num3); int num4 = 1; discretionaryAcl.everyOneFullAccessForNullDacl = num4 != 0; return(discretionaryAcl); }
internal static void EnsureServiceAclsCorrect() { var psd = new byte[0]; uint bufSizeNeeded; var ok = Advapi32.QueryServiceObjectSecurity(Controller.Value.ServiceHandle, SecurityInfos.DiscretionaryAcl, psd, 0, out bufSizeNeeded); if (!ok) { int err = Marshal.GetLastWin32Error(); if (err == 122) { // ERROR_INSUFFICIENT_BUFFER // expected; now we know bufsize psd = new byte[bufSizeNeeded]; ok = Advapi32.QueryServiceObjectSecurity( Controller.Value.ServiceHandle, SecurityInfos.DiscretionaryAcl, psd, bufSizeNeeded, out bufSizeNeeded); } else { throw new ApplicationException("error calling QueryServiceObjectSecurity() to get DACL for Service: error code=" + err); } } if (!ok) { throw new ApplicationException("error calling QueryServiceObjectSecurity(2) to get DACL for Service: error code=" + Marshal.GetLastWin32Error()); } // get security descriptor via raw into DACL form so ACE // ordering checks are done for us. var rsd = new RawSecurityDescriptor(psd, 0); var dacl = new DiscretionaryAcl(false, false, rsd.DiscretionaryAcl); dacl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null), (int)ServiceAccess.ServiceCoapp, InheritanceFlags.None, PropagationFlags.None); // convert discretionary ACL back to raw form; looks like via byte[] is only way var rawdacl = new byte[dacl.BinaryLength]; dacl.GetBinaryForm(rawdacl, 0); rsd.DiscretionaryAcl = new RawAcl(rawdacl, 0); // set raw security descriptor on service again var rawsd = new byte[rsd.BinaryLength]; rsd.GetBinaryForm(rawsd, 0); ok = Advapi32.SetServiceObjectSecurity(Controller.Value.ServiceHandle, SecurityInfos.DiscretionaryAcl, rawsd); if (!ok) { throw new ApplicationException("error calling SetServiceObjectSecurity(); error code=" + Marshal.GetLastWin32Error()); } }
internal static CommonSecurityDescriptor GetServerPipeSecurity() { // Built-in Admin SID SecurityIdentifier adminSID = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null); DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 1); dacl.AddAccess( AccessControlType.Allow, adminSID, _pipeAccessMaskFullControl, InheritanceFlags.None, PropagationFlags.None); CommonSecurityDescriptor securityDesc = new CommonSecurityDescriptor( false, false, ControlFlags.DiscretionaryAclPresent | ControlFlags.OwnerDefaulted | ControlFlags.GroupDefaulted, null, null, null, dacl); // Conditionally add User SID bool isAdminElevated = new WindowsPrincipal(WindowsIdentity.GetCurrent()).IsInRole(WindowsBuiltInRole.Administrator); if (!isAdminElevated) { securityDesc.DiscretionaryAcl.AddAccess( AccessControlType.Allow, WindowsIdentity.GetCurrent().User, _pipeAccessMaskFullControl, InheritanceFlags.None, PropagationFlags.None); } return securityDesc; }
public void AddAccessObjectAceAndCommonAce () { SecurityIdentifier sid = new SecurityIdentifier ("BA"); DiscretionaryAcl dacl = new DiscretionaryAcl (false, true, 0); dacl.AddAccess (AccessControlType.Allow, sid, 1, InheritanceFlags.None, PropagationFlags.None, ObjectAceFlags.ObjectAceTypePresent, Guid.NewGuid (), Guid.Empty); dacl.AddAccess (AccessControlType.Allow, sid, 1, InheritanceFlags.None, PropagationFlags.None, ObjectAceFlags.None, Guid.Empty, Guid.Empty); Assert.AreEqual (2, dacl.Count); CommonAce cace = (CommonAce)dacl [0]; Assert.AreEqual (1, cace.AccessMask); Assert.AreEqual ("S-1-5-32-544", cace.SecurityIdentifier.Value); Assert.IsFalse (cace.IsCallback); Assert.IsFalse (cace.IsInherited); ObjectAce oace = (ObjectAce)dacl [1]; Assert.AreEqual (1, oace.AccessMask); Assert.AreEqual ("S-1-5-32-544", oace.SecurityIdentifier.Value); Assert.IsFalse (oace.IsCallback); Assert.IsFalse (oace.IsInherited); dacl.AddAccess (AccessControlType.Allow, sid, 2, InheritanceFlags.None, PropagationFlags.None, ObjectAceFlags.None, Guid.Empty, Guid.Empty); Assert.AreEqual (2, dacl.Count); CommonAce cace2 = (CommonAce)dacl [0]; Assert.AreEqual (3, cace2.AccessMask); }
void RemoveSpecificBegin (SecurityIdentifier sid, DiscretionaryAcl dacl, InheritanceFlags inheritanceFlags) { SecurityIdentifier otherSid = new SecurityIdentifier ("BU"); dacl.AddAccess (AccessControlType.Allow, sid, 3, inheritanceFlags, PropagationFlags.None); Assert.AreEqual (1, dacl.Count); dacl.RemoveAccessSpecific (AccessControlType.Deny, sid, 1, inheritanceFlags, PropagationFlags.None); Assert.AreEqual (1, dacl.Count); dacl.RemoveAccessSpecific (AccessControlType.Allow, otherSid, 1, inheritanceFlags, PropagationFlags.None); Assert.AreEqual (1, dacl.Count); dacl.RemoveAccessSpecific (AccessControlType.Allow, sid, 1, inheritanceFlags, PropagationFlags.None); Assert.AreEqual (1, dacl.Count); Assert.AreEqual (3, ((CommonAce)dacl [0]).AccessMask); dacl.RemoveAccessSpecific (AccessControlType.Allow, sid, 3, inheritanceFlags ^ InheritanceFlags.ContainerInherit, PropagationFlags.None); Assert.AreEqual (1, dacl.Count); }
TestSecurity FactoryCallTest (bool objectAce) { SecurityIdentifier sid = new SecurityIdentifier ("WD"); DiscretionaryAcl dacl = new DiscretionaryAcl (true, true, 1); dacl.AddAccess (AccessControlType.Allow, sid, 1, InheritanceFlags.None, PropagationFlags.None, objectAce ? ObjectAceFlags.ObjectAceTypePresent : ObjectAceFlags.None, Guid.NewGuid (), Guid.Empty); CommonSecurityDescriptor descriptor = new CommonSecurityDescriptor (true, true, ControlFlags.None, null, null, null, dacl); TestSecurity security = new TestSecurity (descriptor); security.GetAccessRules (true, true, typeof (SecurityIdentifier)); return security; }
public void PropagationFlagsRequireInheritanceFlagsForAdd () { SecurityIdentifier sid = new SecurityIdentifier ("BU"); DiscretionaryAcl dacl = new DiscretionaryAcl (true, false, 0); dacl.AddAccess (AccessControlType.Allow, sid, 3, InheritanceFlags.None, PropagationFlags.InheritOnly); }
public void InheritanceFlagsRequireContainer () { SecurityIdentifier sid = new SecurityIdentifier ("BU"); DiscretionaryAcl dacl = new DiscretionaryAcl (false, false, 0); dacl.AddAccess (AccessControlType.Allow, sid, 3, InheritanceFlags.ContainerInherit, PropagationFlags.None); }
private static DiscretionaryAcl GetDacl(SecurityIdentifier securityIdentifiers) { DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 16); dacl.AddAccess(AccessControlType.Allow, securityIdentifiers, GenericExecute, InheritanceFlags.None, PropagationFlags.None); return dacl; }
// These two are based on similar utility methods in EasyHook: private static IpcServerChannel CreateServerChannel(string channelName) { Dictionary<string, string> properties = new Dictionary<string, string>(); properties["name"] = channelName; properties["portName"] = channelName; DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 1); dacl.AddAccess( AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.WorldSid, null), -1, InheritanceFlags.None, PropagationFlags.None); CommonSecurityDescriptor secDesc = new CommonSecurityDescriptor( false, false, ControlFlags.GroupDefaulted | ControlFlags.OwnerDefaulted | ControlFlags.DiscretionaryAclPresent, null, null, null, dacl); BinaryServerFormatterSinkProvider sinkProv = new BinaryServerFormatterSinkProvider(); sinkProv.TypeFilterLevel = TypeFilterLevel.Full; return new IpcServerChannel(properties, sinkProv, secDesc); }
public void InvalidAccessControlType () { // This is also testing the fact that the AccessControlType is checked before the // InheritanceFlags are validated -- IsContainer is false here, so if the InheritanceFlags // were checked first, ArgumentException would be thrown instead. SecurityIdentifier sid = new SecurityIdentifier ("BA"); DiscretionaryAcl dacl = new DiscretionaryAcl (false, false, 0); dacl.AddAccess ((AccessControlType)43210, sid, 1, InheritanceFlags.ContainerInherit, PropagationFlags.None); }
private static DiscretionaryAcl getDacl(List<SecurityIdentifier> securityIdentifiers) { DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 16); foreach (SecurityIdentifier sec in securityIdentifiers) { dacl.AddAccess(AccessControlType.Allow, sec, GENERIC_EXECUTE, InheritanceFlags.None, PropagationFlags.None); } return dacl; }
static byte[] FromSecurityIdentifiersFull(List<SecurityIdentifier> allowedSids, int accessRights) { int capacity = allowedSids == null ? 3 : 2 + allowedSids.Count; DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, capacity); // add deny ACE first so that we don't get short circuited dacl.AddAccess(AccessControlType.Deny, new SecurityIdentifier(WellKnownSidType.NetworkSid, null), UnsafeNativeMethods.GENERIC_ALL, InheritanceFlags.None, PropagationFlags.None); // clients get different rights, since they shouldn't be able to listen int clientAccessRights = GenerateClientAccessRights(accessRights); if (allowedSids == null) { dacl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.WorldSid, null), clientAccessRights, InheritanceFlags.None, PropagationFlags.None); } else { for (int i = 0; i < allowedSids.Count; i++) { SecurityIdentifier allowedSid = allowedSids[i]; dacl.AddAccess(AccessControlType.Allow, allowedSid, clientAccessRights, InheritanceFlags.None, PropagationFlags.None); } } dacl.AddAccess(AccessControlType.Allow, GetProcessLogonSid(), accessRights, InheritanceFlags.None, PropagationFlags.None); if (AppContainerInfo.IsRunningInAppContainer) { // NamedPipeBinding requires dacl with current AppContainer SID // to setup multiple NamedPipes in the BeginAccept loop. dacl.AddAccess( AccessControlType.Allow, AppContainerInfo.GetCurrentAppContainerSid(), accessRights, InheritanceFlags.None, PropagationFlags.None); } CommonSecurityDescriptor securityDescriptor = new CommonSecurityDescriptor(false, false, ControlFlags.None, null, null, null, dacl); byte[] binarySecurityDescriptor = new byte[securityDescriptor.BinaryLength]; securityDescriptor.GetBinaryForm(binarySecurityDescriptor, 0); return binarySecurityDescriptor; }
public void Register(bool useIPC, bool useTCP, bool useHTTP) { // データベースの復元 try { Database.Instance.Load(); } catch (Exception) { // 最初は必ず失敗する } // IPCを使うと、コネクションが残りっぱなしになったときに、不具合が起こる。 // PCをスタンバイさせるとまずいので、IPCは使わない方がいい。 if (useIPC) { // IPCを使うときは、サーバ側でACLを設定しないとダメみたい。 // ここのサンプルをコピーして使用。 // http://msdn2.microsoft.com/en-us/library/ms180985(vs.80).aspx IDictionary props = new Hashtable(); props["portName"] = AppSettings.Instance.ObjectUri; // This is the wellknown sid for network sid string networkSidSddlForm = @"S-1-5-2"; // Local administrators sid SecurityIdentifier localAdminSid = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null); // Local Power users sid SecurityIdentifier powerUsersSid = new SecurityIdentifier(WellKnownSidType.BuiltinPowerUsersSid, null); // Network sid SecurityIdentifier networkSid = new SecurityIdentifier(networkSidSddlForm); DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 1); // Disallow access from off machine dacl.AddAccess(AccessControlType.Deny, networkSid, -1, InheritanceFlags.None, PropagationFlags.None); // Allow acces only from local administrators and power users dacl.AddAccess(AccessControlType.Allow, localAdminSid, -1, InheritanceFlags.None, PropagationFlags.None); dacl.AddAccess(AccessControlType.Allow, powerUsersSid, -1, InheritanceFlags.None, PropagationFlags.None); CommonSecurityDescriptor securityDescriptor = new CommonSecurityDescriptor(false, false, ControlFlags.GroupDefaulted | ControlFlags.OwnerDefaulted | ControlFlags.DiscretionaryAclPresent, null, null, null, dacl); // IPC Channelを作成 _ipcChannel = new IpcServerChannel(props, null, securityDescriptor); ChannelServices.RegisterChannel(_ipcChannel, false); } if (useHTTP) { // HTTP Channelを作成 _httpChannel = new HttpServerChannel(AppSettings.Instance.HttpPort); ChannelServices.RegisterChannel(_httpChannel, false); } if (useTCP) { // TCP Channelを作成 _tcpChannel = new TcpServerChannel(AppSettings.Instance.TcpPort); ChannelServices.RegisterChannel(_tcpChannel, true); } RemotingConfiguration.RegisterWellKnownServiceType(typeof(IRmainteImpl), AppSettings.Instance.ObjectUri, WellKnownObjectMode.Singleton); }
internal static CommonSecurityDescriptor CreateSecurityDescriptor(SecurityIdentifier userSid) { SecurityIdentifier sid = new SecurityIdentifier("S-1-5-2"); DiscretionaryAcl discretionaryAcl = new DiscretionaryAcl(false, false, 1); discretionaryAcl.AddAccess(AccessControlType.Deny, sid, -1, InheritanceFlags.None, PropagationFlags.None); if (userSid != null) { discretionaryAcl.AddAccess(AccessControlType.Allow, userSid, -1, InheritanceFlags.None, PropagationFlags.None); } discretionaryAcl.AddAccess(AccessControlType.Allow, WindowsIdentity.GetCurrent().User, -1, InheritanceFlags.None, PropagationFlags.None); return new CommonSecurityDescriptor(false, false, ControlFlags.DiscretionaryAclPresent | ControlFlags.GroupDefaulted | ControlFlags.OwnerDefaulted, null, null, null, discretionaryAcl); }