void Init (bool isContainer, bool isDS, RawAcl rawAcl)
{
is_container = isContainer;
is_ds = isDS;
raw_acl = rawAcl;
CleanAndRetestCanonicity ();
}
public RawSecurityDescriptor (byte[] binaryForm, int offset)
{
if (binaryForm == null)
throw new ArgumentNullException("binaryForm");
if (offset < 0 || offset > binaryForm.Length - 0x14)
throw new ArgumentOutOfRangeException("offset", offset, "Offset out of range");
if (binaryForm[offset] != 1)
throw new ArgumentException("Unrecognized Security Descriptor revision.", "binaryForm");
resourcemgr_control = binaryForm[offset + 0x01];
control_flags = (ControlFlags)ReadUShort(binaryForm, offset + 0x02);
int ownerPos = ReadInt(binaryForm, offset + 0x04);
int groupPos = ReadInt(binaryForm, offset + 0x08);
int saclPos = ReadInt(binaryForm, offset + 0x0C);
int daclPos = ReadInt(binaryForm, offset + 0x10);
if (ownerPos != 0)
owner_sid = new SecurityIdentifier(binaryForm, ownerPos);
if (groupPos != 0)
group_sid = new SecurityIdentifier(binaryForm, groupPos);
if (saclPos != 0)
system_acl = new RawAcl(binaryForm, saclPos);
if (daclPos != 0)
discretionary_acl = new RawAcl(binaryForm, daclPos);
}
public RawSecurityDescriptor (ControlFlags flags,
SecurityIdentifier owner,
SecurityIdentifier group,
RawAcl systemAcl,
RawAcl discretionaryAcl)
{
}
// Constructor.
internal CommonAcl(RawAcl acl, bool isContainer, bool isDS,
bool wasCanonicalInitially, byte revision)
{
this.acl = acl;
this.isContainer = isContainer;
this.isDS = isDS;
this.wasCanonicalInitially = wasCanonicalInitially;
this.revision = revision;
}
public void UsesRawAclRevision ()
{
RawAcl acl1 = new RawAcl (RawAcl.AclRevisionDS, 0);
DiscretionaryAcl dacl1 = new DiscretionaryAcl (false, false, acl1);
Assert.AreEqual (4, dacl1.Revision);
RawAcl acl2 = new RawAcl (RawAcl.AclRevision, 0);
DiscretionaryAcl dacl2 = new DiscretionaryAcl (false, true, acl2);
Assert.AreEqual (2, dacl2.Revision);
}
public void BinaryRoundtrip ()
{
RawAcl acl = CreateRoundtripRawAcl ();
byte[] binaryForm1 = new byte[acl.BinaryLength];
acl.GetBinaryForm (binaryForm1, 0);
RawAcl acl2 = new RawAcl (binaryForm1, 0);
byte[] binaryForm2 = new byte[acl2.BinaryLength];
acl2.GetBinaryForm (binaryForm2, 0);
CompareBinaryForms (binaryForm1, binaryForm2);
}
internal CommonAcl (bool isContainer, bool isDS, RawAcl rawAcl)
{
if (rawAcl == null) {
rawAcl = new RawAcl (isDS ? AclRevisionDS : AclRevision, default_capacity);
} else {
// The RawAcl ACEs are cloned.
byte[] binaryForm = new byte [rawAcl.BinaryLength];
rawAcl.GetBinaryForm (binaryForm, 0);
rawAcl = new RawAcl (binaryForm, 0);
}
Init (isContainer, isDS, rawAcl);
}
public void AddAccessFailsOnNonCanonical ()
{
SecurityIdentifier sid = new SecurityIdentifier ("BU");
RawAcl acl = new RawAcl (RawAcl.AclRevision, 0);
acl.InsertAce (0, new CommonAce (AceFlags.None, AceQualifier.AccessAllowed, 1, sid, false, null));
acl.InsertAce (1, new CommonAce (AceFlags.None, AceQualifier.AccessDenied, 1, sid, false, null));
DiscretionaryAcl dacl = new DiscretionaryAcl (false, false, acl);
Assert.IsFalse (dacl.IsCanonical);
Assert.AreEqual (2, dacl.Count);
dacl.AddAccess (AccessControlType.Allow, sid, 1, InheritanceFlags.None, PropagationFlags.None);
}
private void BuildSecurityDescriptor()
{
NTAccount account;
SecurityIdentifier identifier;
CommonAce ace;
RawAcl rawAcl = new RawAcl(GenericAcl.AclRevision, 1);
int index = 0;
if (this.operationRoleMembers != null)
{
foreach (string str in this.operationRoleMembers)
{
account = new NTAccount(str);
identifier = (SecurityIdentifier) account.Translate(typeof(SecurityIdentifier));
ace = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, identifier, false, null);
rawAcl.InsertAce(index, ace);
index++;
}
}
if (this.contractRoleMembers != null)
{
foreach (string str2 in this.contractRoleMembers)
{
account = new NTAccount(str2);
identifier = (SecurityIdentifier) account.Translate(typeof(SecurityIdentifier));
ace = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, identifier, false, null);
rawAcl.InsertAce(index, ace);
index++;
}
}
if (this.serviceRoleMembers != null)
{
foreach (string str3 in this.serviceRoleMembers)
{
account = new NTAccount(str3);
identifier = (SecurityIdentifier) account.Translate(typeof(SecurityIdentifier));
ace = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, identifier, false, null);
rawAcl.InsertAce(index, ace);
index++;
}
}
DiscretionaryAcl discretionaryAcl = new DiscretionaryAcl(true, false, rawAcl);
this.securityDescriptor = new CommonSecurityDescriptor(true, false, ControlFlags.DiscretionaryAclPresent, sidAdministrators, sidAdministrators, null, discretionaryAcl);
}
public void IndexerMakesCopies ()
{
// This behavior is mentioned in the DiscretionaryAcl RawAcl constructor overload.
// Turns out it applies to more than just the constructor.
SecurityIdentifier worldSid = new SecurityIdentifier ("WD");
// RawAcl does not make copies.
RawAcl acl = new RawAcl (RawAcl.AclRevision, 1);
CommonAce ace = new CommonAce (AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, worldSid, false, null);
acl.InsertAce (0, ace);
Assert.AreSame (acl [0], acl [0]);
// CommonAcl does.
SystemAcl sacl = new SystemAcl (false, false, acl);
Assert.AreNotSame (sacl [0], sacl [0]);
// Make sure the copying occurs in the constructor as well as the indexer.
ace.AceFlags = AceFlags.FailedAccess;
Assert.AreEqual (AceFlags.SuccessfulAccess, sacl [0].AceFlags);
}
static RawAcl CreateRoundtripRawAcl ()
{
SecurityIdentifier sid = new SecurityIdentifier (WellKnownSidType.BuiltinUsersSid, null);
Assert.AreEqual (16, sid.BinaryLength);
GenericAce[] aces = new GenericAce[] {
new ObjectAce (AceFlags.None, AceQualifier.AccessAllowed, 1, sid,
ObjectAceFlags.ObjectAceTypePresent,
Guid.Empty, Guid.Empty, false, new byte[8]),
new ObjectAce (AceFlags.None, AceQualifier.AccessAllowed, 2, sid,
ObjectAceFlags.InheritedObjectAceTypePresent,
Guid.Empty, Guid.Empty, true, new byte[16]),
new ObjectAce (AceFlags.None, AceQualifier.AccessAllowed, 4, sid,
ObjectAceFlags.InheritedObjectAceTypePresent,
Guid.Empty, new Guid ("{8865FB90-A9EB-422F-A8BA-07ECA611D699}"), true, new byte[4]),
new ObjectAce (AceFlags.None, AceQualifier.AccessAllowed, 4, sid,
ObjectAceFlags.ObjectAceTypePresent|ObjectAceFlags.InheritedObjectAceTypePresent,
Guid.Empty, new Guid ("{B893007C-38D5-4827-A698-BA25F1E30BAC}"), true, new byte[4]),
new ObjectAce (AceFlags.None, AceQualifier.AccessAllowed, 4, sid,
ObjectAceFlags.None,
Guid.Empty, new Guid ("{C0F9DF22-C320-4400-B41F-754F69668640}"), true, new byte[4])
};
// Make sure this created right, first of all.
Assert.AreEqual (AceType.AccessAllowedObject, aces [0].AceType);
Assert.AreEqual (AceType.AccessAllowedCallbackObject, aces [1].AceType);
Assert.AreEqual (AceType.AccessAllowedCallbackObject, aces [2].AceType);
Assert.AreEqual (AceType.AccessAllowedCallbackObject, aces [3].AceType);
Assert.AreEqual (AceType.AccessAllowedCallbackObject, aces [4].AceType);
Assert.AreEqual (52, aces [0].BinaryLength);
Assert.AreEqual (60, aces [1].BinaryLength);
Assert.AreEqual (48, aces [2].BinaryLength);
Assert.AreEqual (64, aces [3].BinaryLength);
Assert.AreEqual (32, aces [4].BinaryLength);
RawAcl acl = new RawAcl (RawAcl.AclRevision, 0);
for (int i = 0; i < aces.Length; i ++)
acl.InsertAce (i, aces[i]);
return acl;
}
public void GetBinaryForm ()
{
RawAcl acl = new RawAcl (1, 0);
byte[] buffer = new byte[acl.BinaryLength];
acl.GetBinaryForm (buffer, 0);
byte[] sdBinary = new byte[] { 0x01, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00 };
Assert.AreEqual (sdBinary, buffer);
SecurityIdentifier builtInAdmins = new SecurityIdentifier (WellKnownSidType.BuiltinAdministratorsSid, null);
CommonAce ace = new CommonAce (AceFlags.None, AceQualifier.AccessAllowed, 0x7FFFFFFF, builtInAdmins, false, null);
acl.InsertAce (0, ace);
buffer = new byte[acl.BinaryLength];
acl.GetBinaryForm (buffer, 0);
sdBinary = new byte[] {
0x01, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
0x18, 0x00, 0xFF, 0xFF, 0xFF, 0x7F, 0x01, 0x02, 0x00, 0x00,
0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x20, 0x02,
0x00, 0x00 };
Assert.AreEqual (sdBinary, buffer);
}
private void SetCurrentProcessTokenDacl(RawAcl dacl)
{
IntPtr hProcess = IntPtr.Zero;
IntPtr hProcessToken = IntPtr.Zero;
IntPtr securityDescriptorPtr = IntPtr.Zero;
try
{
hProcess = NativeMethods.GetCurrentProcess();
if (!NativeMethods.OpenProcessToken(hProcess, NativeMethods.TOKEN_ALL_ACCESS, out hProcessToken))
Marshal.ThrowExceptionForHR(Marshal.GetHRForLastWin32Error());
// Get security descriptor associated with the kernel object and modify it.
uint returnLength;
NativeMethods.GetKernelObjectSecurity(hProcessToken, NativeMethods.SECURITY_INFORMATION.DACL_SECURITY_INFORMATION, IntPtr.Zero, 0, out returnLength);
int lasterror = Marshal.GetLastWin32Error(); //#pragma warning disable 56523 doesnt recognize 56523
securityDescriptorPtr = Marshal.AllocCoTaskMem((int)returnLength);
if (!NativeMethods.GetKernelObjectSecurity(hProcessToken, NativeMethods.SECURITY_INFORMATION.DACL_SECURITY_INFORMATION, securityDescriptorPtr, returnLength, out returnLength))
Marshal.ThrowExceptionForHR(Marshal.GetHRForLastWin32Error());
byte[] sdBytes = new byte[returnLength];
Marshal.Copy(securityDescriptorPtr, sdBytes, 0, (int)returnLength);
RawSecurityDescriptor rawSecurityDescriptor = new RawSecurityDescriptor(sdBytes, 0);
rawSecurityDescriptor.DiscretionaryAcl = dacl;
sdBytes = new byte[rawSecurityDescriptor.BinaryLength];
rawSecurityDescriptor.GetBinaryForm(sdBytes, 0);
Marshal.FreeCoTaskMem(securityDescriptorPtr);
securityDescriptorPtr = Marshal.AllocCoTaskMem(rawSecurityDescriptor.BinaryLength);
Marshal.Copy(sdBytes, 0, securityDescriptorPtr, rawSecurityDescriptor.BinaryLength);
if (!NativeMethods.SetKernelObjectSecurity(hProcessToken, NativeMethods.SECURITY_INFORMATION.DACL_SECURITY_INFORMATION, securityDescriptorPtr))
Marshal.ThrowExceptionForHR(Marshal.GetHRForLastWin32Error());
}
finally
{
if (hProcess != IntPtr.Zero && hProcess != (IntPtr)(-1))
if (!NativeMethods.CloseHandle(hProcess))
Marshal.ThrowExceptionForHR(Marshal.GetHRForLastWin32Error());
if (hProcessToken != IntPtr.Zero)
if (!NativeMethods.CloseHandle(hProcessToken))
Marshal.ThrowExceptionForHR(Marshal.GetHRForLastWin32Error());
if (securityDescriptorPtr != IntPtr.Zero)
Marshal.FreeCoTaskMem(securityDescriptorPtr);
}
}
private void Button_Click(object sender, RoutedEventArgs e)
{
WindowsIdentity user = WindowsIdentity.GetCurrent();
if (user != null)
{
int length = 0;
IntPtr token = user.Token;
GetTokenInformation(token, TOKEN_INFORMATION_CLASS.TokenDefaultDacl, IntPtr.Zero, 0, out length);
IntPtr TokenInformation = Marshal.AllocHGlobal((int)length);
bool Result = GetTokenInformation(token, TOKEN_INFORMATION_CLASS.TokenDefaultDacl, TokenInformation, (uint)length, out length);
TOKEN_DEFAULT_DACL dacl = (TOKEN_DEFAULT_DACL)Marshal.PtrToStructure(TokenInformation, typeof(TOKEN_DEFAULT_DACL));
ACL acl = (ACL)Marshal.PtrToStructure(dacl.DefaultDacl, typeof(ACL));
byte[] aceArr = new byte[acl.AclSize];
Marshal.Copy(dacl.DefaultDacl, aceArr, 0, acl.AclSize);
RawAcl rawAcl = new RawAcl(aceArr, 0);
DiscretionaryAcl dacl1 = new DiscretionaryAcl(false, false, rawAcl);
string titel = "titel";
AclUIAdapter.EditSecurity(new ServiceSecurityModel(System.Environment.MachineName, titel));
}
}
//
// Creates a security descriptor explicitly
//
public RawSecurityDescriptor(ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, RawAcl systemAcl, RawAcl discretionaryAcl)
: base()
{
CreateFromParts(flags, owner, group, systemAcl, discretionaryAcl);
}
private CommonSecurityDescriptor(bool isContainer, bool isDS, ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, RawAcl systemAcl, RawAcl discretionaryAcl)
: this(isContainer, isDS, flags, owner, group, systemAcl == null ? null : new SystemAcl(isContainer, isDS, systemAcl), discretionaryAcl == null ? null : new DiscretionaryAcl(isContainer, isDS, discretionaryAcl))
{
}
//
// Internal version - if 'trusted' is true,
// takes ownership of the given raw ACL
//
internal SystemAcl( bool isContainer, bool isDS, RawAcl rawAcl, bool trusted )
: base( isContainer, isDS, rawAcl, trusted, false )
{
}
public DiscretionaryAcl(bool isContainer, bool isDS, RawAcl rawAcl) : base(default(bool), default(bool), default(byte), default(int))
{
}
/// <summary>Initializes a new instance of the <see cref="T:System.Security.AccessControl.SystemAcl" /> class with the specified values from the specified <see cref="T:System.Security.AccessControl.RawAcl" /> object.</summary>
/// <param name="isContainer">true if the new <see cref="T:System.Security.AccessControl.SystemAcl" /> object is a container.</param>
/// <param name="isDS">true if the new <see cref="T:System.Security.AccessControl.SystemAcl" /> object is a directory object Access Control List (ACL).</param>
/// <param name="rawAcl">The underlying <see cref="T:System.Security.AccessControl.RawAcl" /> object for the new <see cref="T:System.Security.AccessControl.SystemAcl" /> object. Specify null to create an empty ACL.</param>
public SystemAcl(bool isContainer, bool isDS, RawAcl rawAcl) : this(isContainer, isDS, 0)
{
}
private CommonSecurityDescriptor(bool isContainer, bool isDS, ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, RawAcl systemAcl, RawAcl discretionaryAcl)
: this(isContainer, isDS, flags, owner, group, systemAcl == null ? null : new SystemAcl(isContainer, isDS, systemAcl), discretionaryAcl == null ? null : new DiscretionaryAcl(isContainer, isDS, discretionaryAcl))
{
}
internal SystemAcl(bool isContainer, bool isDS, RawAcl rawAcl, bool trusted) : base(isContainer, isDS, rawAcl, trusted, false)
{
}
private void CreateFromParts(ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, RawAcl systemAcl, RawAcl discretionaryAcl)
{
this.SetFlags(flags);
this.Owner = owner;
this.Group = group;
this.SystemAcl = systemAcl;
this.DiscretionaryAcl = discretionaryAcl;
this.ResourceManagerControl = (byte)0;
}
public SystemAcl(bool isContainer, bool isDS, RawAcl rawAcl)
: base(isContainer, isDS, rawAcl)
{
}
public RawSecurityDescriptor(System.Security.AccessControl.ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, RawAcl systemAcl, RawAcl discretionaryAcl)
{
this.CreateFromParts(flags, owner, group, systemAcl, discretionaryAcl);
}
public RawSecurityDescriptor(byte[] binaryForm, int offset)
{
SecurityIdentifier identifier;
SecurityIdentifier identifier2;
RawAcl acl;
RawAcl acl2;
if (binaryForm == null)
{
throw new ArgumentNullException("binaryForm");
}
if (offset < 0)
{
throw new ArgumentOutOfRangeException("offset", Environment.GetResourceString("ArgumentOutOfRange_NeedNonNegNum"));
}
if ((binaryForm.Length - offset) < 20)
{
throw new ArgumentOutOfRangeException("binaryForm", Environment.GetResourceString("ArgumentOutOfRange_ArrayTooSmall"));
}
if (binaryForm[offset] != GenericSecurityDescriptor.Revision)
{
throw new ArgumentOutOfRangeException("binaryForm", Environment.GetResourceString("AccessControl_InvalidSecurityDescriptorRevision"));
}
byte num = binaryForm[offset + 1];
System.Security.AccessControl.ControlFlags flags = (System.Security.AccessControl.ControlFlags)(binaryForm[offset + 2] + (binaryForm[offset + 3] << 8));
if ((flags & System.Security.AccessControl.ControlFlags.SelfRelative) == System.Security.AccessControl.ControlFlags.None)
{
throw new ArgumentException(Environment.GetResourceString("AccessControl_InvalidSecurityDescriptorSelfRelativeForm"), "binaryForm");
}
int num2 = GenericSecurityDescriptor.UnmarshalInt(binaryForm, offset + 4);
if (num2 != 0)
{
identifier = new SecurityIdentifier(binaryForm, offset + num2);
}
else
{
identifier = null;
}
int num3 = GenericSecurityDescriptor.UnmarshalInt(binaryForm, offset + 8);
if (num3 != 0)
{
identifier2 = new SecurityIdentifier(binaryForm, offset + num3);
}
else
{
identifier2 = null;
}
int num4 = GenericSecurityDescriptor.UnmarshalInt(binaryForm, offset + 12);
if (((flags & System.Security.AccessControl.ControlFlags.SystemAclPresent) != System.Security.AccessControl.ControlFlags.None) && (num4 != 0))
{
acl = new RawAcl(binaryForm, offset + num4);
}
else
{
acl = null;
}
int num5 = GenericSecurityDescriptor.UnmarshalInt(binaryForm, offset + 0x10);
if (((flags & System.Security.AccessControl.ControlFlags.DiscretionaryAclPresent) != System.Security.AccessControl.ControlFlags.None) && (num5 != 0))
{
acl2 = new RawAcl(binaryForm, offset + num5);
}
else
{
acl2 = null;
}
this.CreateFromParts(flags, identifier, identifier2, acl, acl2);
if ((flags & System.Security.AccessControl.ControlFlags.RMControlValid) != System.Security.AccessControl.ControlFlags.None)
{
this.ResourceManagerControl = num;
}
}
/// <summary>Initializes a new instance of the <see cref="T:System.Security.AccessControl.RawSecurityDescriptor" /> class with the specified values.</summary><param name="flags">Flags that specify behavior of the new <see cref="T:System.Security.AccessControl.RawSecurityDescriptor" /> object.</param><param name="owner">The owner for the new <see cref="T:System.Security.AccessControl.RawSecurityDescriptor" /> object.</param><param name="group">The primary group for the new <see cref="T:System.Security.AccessControl.RawSecurityDescriptor" /> object.</param><param name="systemAcl">The System Access Control List (SACL) for the new <see cref="T:System.Security.AccessControl.RawSecurityDescriptor" /> object.</param><param name="discretionaryAcl">The Discretionary Access Control List (DACL) for the new <see cref="T:System.Security.AccessControl.RawSecurityDescriptor" /> object.</param>
public RawSecurityDescriptor(ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, RawAcl systemAcl, RawAcl discretionaryAcl)
{
throw new NotImplementedException();
}
public RawSecurityDescriptor(ControlFlags flags, System.Security.Principal.SecurityIdentifier owner, System.Security.Principal.SecurityIdentifier group, RawAcl systemAcl, RawAcl discretionaryAcl)
{
Contract.Ensures(this.ResourceManagerControl == 0);
}
//
// Creates a security descriptor explicitly
//
public RawSecurityDescriptor(ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, RawAcl systemAcl, RawAcl discretionaryAcl)
: base()
{
CreateFromParts(flags, owner, group, systemAcl, discretionaryAcl);
}
public SystemAcl(bool isContainer, bool isDS, RawAcl rawAcl) : base(default(bool), default(bool), default(byte), default(int))
{
}
//
// Creates an ACL from a raw ACL
// - 'trusted' (internal) callers get to pass the raw ACL
// that this object will take ownership of
// - 'untrusted' callers are handled by creating a local
// copy of the ACL passed in
//
internal CommonAcl( bool isContainer, bool isDS, RawAcl rawAcl, bool trusted, bool isDacl )
: base()
{
if ( rawAcl == null )
{
throw new ArgumentNullException( "rawAcl" );
}
Contract.EndContractBlock();
_isContainer = isContainer;
_isDS = isDS;
if (trusted)
{
//
// In the trusted case, we take over ownership of the ACL passed in
//
_acl = rawAcl;
RemoveMeaninglessAcesAndFlags( isDacl );
}
else
{
//
// In the untrusted case, we create our own raw ACL to keep the ACEs in
//
_acl = new RawAcl( rawAcl.Revision, rawAcl.Count );
for ( int i = 0; i < rawAcl.Count; i++ )
{
//
// Clone each ACE prior to putting it in
//
GenericAce ace = rawAcl[i].Copy();
//
// Avoid inserting meaningless ACEs
//
if ( true == InspectAce( ref ace, isDacl ))
{
_acl.InsertAce( _acl.Count, ace );
}
}
}
//
// See whether the ACL is canonical to begin with
//
if ( true == CanonicalCheck( isDacl ))
{
//
// Sort and compact the array
//
Canonicalize( true, isDacl );
_isCanonical = true;
}
else
{
_isCanonical = false;
}
}
public SystemAcl (bool isContainer, bool isDS, RawAcl rawAcl)
: this (isContainer, isDS, 0)
{
// this.raw_acl = rawAcl;
}
public DiscretionaryAcl(bool isContainer, bool isDS, RawAcl rawAcl)
: base(isContainer, isDS, rawAcl)
{
}
public SystemAcl(bool isContainer, bool isDS, RawAcl rawAcl)
: base(rawAcl, isContainer, isDS, false, rawAcl.Revision)
{
}
public SystemAcl(bool isContainer, bool isDS, RawAcl rawAcl)
: this(isContainer, isDS, 0)
{
// this.raw_acl = rawAcl;
}
public DiscretionaryAcl(bool isContainer, bool isDS, RawAcl rawAcl)
: base(rawAcl, isContainer, isDS, false, rawAcl.Revision)
{
}
private void CreateFromParts(ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, RawAcl systemAcl, RawAcl discretionaryAcl)
{
SetFlags(flags);
Owner = owner;
Group = group;
SystemAcl = systemAcl;
DiscretionaryAcl = discretionaryAcl;
ResourceManagerControl = 0;
}
/// <summary>Initializes a new instance of the <see cref="T:System.Security.AccessControl.RawSecurityDescriptor" /> class with the specified values.</summary>
/// <param name="flags">Flags that specify behavior of the new <see cref="T:System.Security.AccessControl.RawSecurityDescriptor" /> object.</param>
/// <param name="owner">The owner for the new <see cref="T:System.Security.AccessControl.RawSecurityDescriptor" /> object.</param>
/// <param name="group">The primary group for the new <see cref="T:System.Security.AccessControl.RawSecurityDescriptor" /> object.</param>
/// <param name="systemAcl">The System Access Control List (SACL) for the new <see cref="T:System.Security.AccessControl.RawSecurityDescriptor" /> object.</param>
/// <param name="discretionaryAcl">The Discretionary Access Control List (DACL) for the new <see cref="T:System.Security.AccessControl.RawSecurityDescriptor" /> object.</param>
public RawSecurityDescriptor(ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, RawAcl systemAcl, RawAcl discretionaryAcl)
{
}
//
// Creates a security descriptor from its binary representation
// Important: the representation must be in self-relative format
//
public RawSecurityDescriptor(byte[] binaryForm, int offset)
: base()
{
//
// The array passed in must be valid
//
if (binaryForm == null)
{
throw new ArgumentNullException(nameof(binaryForm));
}
if (offset < 0)
{
//
// Offset must not be negative
//
throw new ArgumentOutOfRangeException(nameof(offset),
SR.ArgumentOutOfRange_NeedNonNegNum);
}
//
// At least make sure the header is in place
//
if (binaryForm.Length - offset < HeaderLength)
{
throw new ArgumentOutOfRangeException(
nameof(binaryForm),
SR.ArgumentOutOfRange_ArrayTooSmall);
}
//
// We only understand revision-1 security descriptors
//
if (binaryForm[offset + 0] != Revision)
{
throw new ArgumentOutOfRangeException(nameof(binaryForm),
SR.AccessControl_InvalidSecurityDescriptorRevision);
}
Contract.EndContractBlock();
ControlFlags flags;
SecurityIdentifier owner, group;
RawAcl sacl, dacl;
byte rmControl;
//
// Extract the ResourceManagerControl field
//
rmControl = binaryForm[offset + 1];
//
// Extract the control flags
//
flags = (ControlFlags)((binaryForm[offset + 2] << 0) + (binaryForm[offset + 3] << 8));
//
// Make sure that the input is in self-relative format
//
if ((flags & ControlFlags.SelfRelative) == 0)
{
throw new ArgumentException(
SR.AccessControl_InvalidSecurityDescriptorSelfRelativeForm,
nameof(binaryForm));
}
//
// Extract the owner SID
//
int ownerOffset = UnmarshalInt(binaryForm, offset + OwnerFoundAt);
if (ownerOffset != 0)
{
owner = new SecurityIdentifier(binaryForm, offset + ownerOffset);
}
else
{
owner = null;
}
//
// Extract the group SID
//
int groupOffset = UnmarshalInt(binaryForm, offset + GroupFoundAt);
if (groupOffset != 0)
{
group = new SecurityIdentifier(binaryForm, offset + groupOffset);
}
else
{
group = null;
}
//
// Extract the SACL
//
int saclOffset = UnmarshalInt(binaryForm, offset + SaclFoundAt);
if (((flags & ControlFlags.SystemAclPresent) != 0) &&
saclOffset != 0)
{
sacl = new RawAcl(binaryForm, offset + saclOffset);
}
else
{
sacl = null;
}
//
// Extract the DACL
//
int daclOffset = UnmarshalInt(binaryForm, offset + DaclFoundAt);
if (((flags & ControlFlags.DiscretionaryAclPresent) != 0) &&
daclOffset != 0)
{
dacl = new RawAcl(binaryForm, offset + daclOffset);
}
else
{
dacl = null;
}
//
// Create the resulting security descriptor
//
CreateFromParts(flags, owner, group, sacl, dacl);
//
// In the offchance that the flags indicate that the rmControl
// field is meaningful, remember what was there.
//
if ((flags & ControlFlags.RMControlValid) != 0)
{
ResourceManagerControl = rmControl;
}
}
/// <summary>Initializes a new instance of the <see cref="T:System.Security.AccessControl.SystemAcl" /> class with the specified values from the specified <see cref="T:System.Security.AccessControl.RawAcl" /> object.</summary><param name="isContainer">true if the new <see cref="T:System.Security.AccessControl.SystemAcl" /> object is a container.</param><param name="isDS">true if the new <see cref="T:System.Security.AccessControl.SystemAcl" /> object is a directory object Access Control List (ACL).</param><param name="rawAcl">The underlying <see cref="T:System.Security.AccessControl.RawAcl" /> object for the new <see cref="T:System.Security.AccessControl.SystemAcl" /> object. Specify null to create an empty ACL.</param>
public SystemAcl(bool isContainer, bool isDS, RawAcl rawAcl)
{
throw new NotImplementedException();
}
private static void CanonicalizeDacl(NativeObjectSecurity objectSecurity)
{
if (objectSecurity == null) { throw new ArgumentNullException("objectSecurity"); }
if (objectSecurity.AreAccessRulesCanonical) { return; }
// A canonical ACL must have ACES sorted according to the following order:
// 1. Access-denied on the object
// 2. Access-denied on a child or property
// 3. Access-allowed on the object
// 4. Access-allowed on a child or property
// 5. All inherited ACEs
RawSecurityDescriptor descriptor = new RawSecurityDescriptor(objectSecurity.GetSecurityDescriptorSddlForm(AccessControlSections.Access));
List<CommonAce> implicitDenyDacl = new List<CommonAce>();
List<CommonAce> implicitDenyObjectDacl = new List<CommonAce>();
List<CommonAce> inheritedDacl = new List<CommonAce>();
List<CommonAce> implicitAllowDacl = new List<CommonAce>();
List<CommonAce> implicitAllowObjectDacl = new List<CommonAce>();
foreach (CommonAce ace in descriptor.DiscretionaryAcl)
{
if ((ace.AceFlags & AceFlags.Inherited) == AceFlags.Inherited) { inheritedDacl.Add(ace); }
else
{
switch (ace.AceType)
{
case AceType.AccessAllowed:
implicitAllowDacl.Add(ace);
break;
case AceType.AccessDenied:
implicitDenyDacl.Add(ace);
break;
case AceType.AccessAllowedObject:
implicitAllowObjectDacl.Add(ace);
break;
case AceType.AccessDeniedObject:
implicitDenyObjectDacl.Add(ace);
break;
}
}
}
Int32 aceIndex = 0;
RawAcl newDacl = new RawAcl(descriptor.DiscretionaryAcl.Revision, descriptor.DiscretionaryAcl.Count);
implicitDenyDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x));
implicitDenyObjectDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x));
implicitAllowDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x));
implicitAllowObjectDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x));
inheritedDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x));
if (aceIndex != descriptor.DiscretionaryAcl.Count)
{
System.Diagnostics.Debug.Fail("The DACL cannot be canonicalized since it would potentially result in a loss of information");
return;
}
descriptor.DiscretionaryAcl = newDacl;
objectSecurity.SetSecurityDescriptorSddlForm(descriptor.GetSddlForm(AccessControlSections.Access), AccessControlSections.Access);
}
public DiscretionaryAcl(bool isContainer, bool isDS,
RawAcl rawAcl)
{
throw new NotImplementedException();
}
// The preferred order in which ACEs are added to DACLs is
// documented here: http://search.msdn.microsoft.com/search/results.aspx?qu=Order+of+ACEs+in+a+DACL&View=msdn&st=b.
// This routine follows that logic to determine the position of an ACE in the DACL.
private int FindIndexInDacl(CommonAce newAce, RawAcl dacl)
{
int i = 0;
for (i = 0; i < dacl.Count; i++)
{
if (dacl[i] is CommonAce && ((CommonAce)dacl[i]).SecurityIdentifier.Value == newAce.SecurityIdentifier.Value && dacl[i].AceType == newAce.AceType)
{
i = -1;
break;
}
if (newAce.AceType == AceType.AccessDenied && dacl[i].AceType == AceType.AccessDenied && !newAce.IsInherited && !dacl[i].IsInherited)
continue;
if (newAce.AceType == AceType.AccessDenied && !newAce.IsInherited)
break;
if (newAce.AceType == AceType.AccessAllowed && dacl[i].AceType == AceType.AccessAllowed && !newAce.IsInherited && !dacl[i].IsInherited)
continue;
if (newAce.AceType == AceType.AccessAllowed && !newAce.IsInherited)
break;
}
return i;
}
//
// Internal version - if 'trusted' is true,
// takes ownership of the given raw ACL
//
internal DiscretionaryAcl( bool isContainer, bool isDS, RawAcl rawAcl, bool trusted )
: base( isContainer, isDS, rawAcl == null ? new RawAcl( isDS ? AclRevisionDS : AclRevision, 0 ) : rawAcl, trusted, true )
{
}
public byte[] GetSecurity(SecurityInformation requestedInformation, bool wantDefault)
{
//FileSecurity fsec= new FileSecurity(@"c:\Test1\test.txt",~AccessControlSections.Audit);
//return fsec.GetSecurityDescriptorBinaryForm();
WindowsIdentity user = WindowsIdentity.GetCurrent();
if (user != null)
{
int length = 0;
IntPtr token = user.Token;
GetTokenInformation(token, TOKEN_INFORMATION_CLASS.TokenDefaultDacl, IntPtr.Zero, 0, out length);
IntPtr TokenInformation = Marshal.AllocHGlobal((int) length);
bool Result = GetTokenInformation(token, TOKEN_INFORMATION_CLASS.TokenDefaultDacl, TokenInformation, (uint) length,
out length);
TOKEN_DEFAULT_DACL dacl =
(TOKEN_DEFAULT_DACL) Marshal.PtrToStructure(TokenInformation, typeof (TOKEN_DEFAULT_DACL));
ACL acl = (ACL) Marshal.PtrToStructure(dacl.DefaultDacl, typeof (ACL));
byte[] aceArr = new byte[acl.AclSize];
Marshal.Copy(dacl.DefaultDacl, aceArr, 0, acl.AclSize);
RawAcl rawAcl = new RawAcl(aceArr, 0);
Marshal.FreeHGlobal(TokenInformation);
GetTokenInformation(token, TOKEN_INFORMATION_CLASS.TokenOwner, IntPtr.Zero, 0, out length);
TokenInformation = Marshal.AllocHGlobal((int) length);
GetTokenInformation(token, TOKEN_INFORMATION_CLASS.TokenOwner, TokenInformation, (uint)length,
out length);
TOKEN_OWNER tokOwner = (TOKEN_OWNER) Marshal.PtrToStructure(TokenInformation, typeof (TOKEN_OWNER));
SecurityIdentifier ownerSID= new SecurityIdentifier(tokOwner.Owner);
Marshal.FreeHGlobal(TokenInformation);
GetTokenInformation(token, TOKEN_INFORMATION_CLASS.TokenPrimaryGroup, IntPtr.Zero, 0, out length);
TokenInformation = Marshal.AllocHGlobal((int)length);
GetTokenInformation(token, TOKEN_INFORMATION_CLASS.TokenPrimaryGroup, TokenInformation, (uint)length,
out length);
TOKEN_PRIMARY_GROUP tokGroup= (TOKEN_PRIMARY_GROUP)Marshal.PtrToStructure(TokenInformation, typeof(TOKEN_PRIMARY_GROUP));
SecurityIdentifier groupSID = new SecurityIdentifier(tokGroup.PrimaryGroup);
RawSecurityDescriptor rawDesc = new RawSecurityDescriptor(ControlFlags.DiscretionaryAclPresent, ownerSID, groupSID, null, rawAcl);
byte[] ret = new byte[rawDesc.BinaryLength];
rawDesc.GetBinaryForm(ret, 0);
return ret;
}
return null;
}
/// <summary>Initializes a new instance of the <see cref="T:System.Security.AccessControl.RawSecurityDescriptor" /> class from the specified array of byte values.</summary>
/// <param name="binaryForm">The array of byte values from which to create the new <see cref="T:System.Security.AccessControl.RawSecurityDescriptor" /> object.</param>
/// <param name="offset">The offset in the <paramref name="binaryForm" /> array at which to begin copying.</param>
// Token: 0x06002063 RID: 8291 RVA: 0x0007194C File Offset: 0x0006FB4C
public RawSecurityDescriptor(byte[] binaryForm, int offset)
{
if (binaryForm == null)
{
throw new ArgumentNullException("binaryForm");
}
if (offset < 0)
{
throw new ArgumentOutOfRangeException("offset", Environment.GetResourceString("ArgumentOutOfRange_NeedNonNegNum"));
}
if (binaryForm.Length - offset < 20)
{
throw new ArgumentOutOfRangeException("binaryForm", Environment.GetResourceString("ArgumentOutOfRange_ArrayTooSmall"));
}
if (binaryForm[offset] != GenericSecurityDescriptor.Revision)
{
throw new ArgumentOutOfRangeException("binaryForm", Environment.GetResourceString("AccessControl_InvalidSecurityDescriptorRevision"));
}
byte resourceManagerControl = binaryForm[offset + 1];
ControlFlags controlFlags = (ControlFlags)((int)binaryForm[offset + 2] + ((int)binaryForm[offset + 3] << 8));
if ((controlFlags & ControlFlags.SelfRelative) == ControlFlags.None)
{
throw new ArgumentException(Environment.GetResourceString("AccessControl_InvalidSecurityDescriptorSelfRelativeForm"), "binaryForm");
}
int num = GenericSecurityDescriptor.UnmarshalInt(binaryForm, offset + 4);
SecurityIdentifier owner;
if (num != 0)
{
owner = new SecurityIdentifier(binaryForm, offset + num);
}
else
{
owner = null;
}
int num2 = GenericSecurityDescriptor.UnmarshalInt(binaryForm, offset + 8);
SecurityIdentifier group;
if (num2 != 0)
{
group = new SecurityIdentifier(binaryForm, offset + num2);
}
else
{
group = null;
}
int num3 = GenericSecurityDescriptor.UnmarshalInt(binaryForm, offset + 12);
RawAcl systemAcl;
if ((controlFlags & ControlFlags.SystemAclPresent) != ControlFlags.None && num3 != 0)
{
systemAcl = new RawAcl(binaryForm, offset + num3);
}
else
{
systemAcl = null;
}
int num4 = GenericSecurityDescriptor.UnmarshalInt(binaryForm, offset + 16);
RawAcl discretionaryAcl;
if ((controlFlags & ControlFlags.DiscretionaryAclPresent) != ControlFlags.None && num4 != 0)
{
discretionaryAcl = new RawAcl(binaryForm, offset + num4);
}
else
{
discretionaryAcl = null;
}
this.CreateFromParts(controlFlags, owner, group, systemAcl, discretionaryAcl);
if ((controlFlags & ControlFlags.RMControlValid) != ControlFlags.None)
{
this.ResourceManagerControl = resourceManagerControl;
}
}
private void CreateFromParts(ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, RawAcl systemAcl, RawAcl discretionaryAcl)
{
SetFlags(flags);
Owner = owner;
Group = group;
SystemAcl = systemAcl;
DiscretionaryAcl = discretionaryAcl;
ResourceManagerControl = 0;
}
// Token: 0x06001EE7 RID: 7911 RVA: 0x0006CCD6 File Offset: 0x0006AED6
internal DiscretionaryAcl(bool isContainer, bool isDS, RawAcl rawAcl, bool trusted) : base(isContainer, isDS, (rawAcl == null) ? new RawAcl(isDS ? GenericAcl.AclRevisionDS : GenericAcl.AclRevision, 0) : rawAcl, trusted, true)
{
}
//
// Creates a security descriptor from its binary representation
// Important: the representation must be in self-relative format
//
public RawSecurityDescriptor(byte[] binaryForm, int offset)
: base()
{
//
// The array passed in must be valid
//
if (binaryForm == null)
{
throw new ArgumentNullException(nameof(binaryForm));
}
if (offset < 0)
{
//
// Offset must not be negative
//
throw new ArgumentOutOfRangeException(nameof(offset),
SR.ArgumentOutOfRange_NeedNonNegNum);
}
//
// At least make sure the header is in place
//
if (binaryForm.Length - offset < HeaderLength)
{
throw new ArgumentOutOfRangeException(
nameof(binaryForm),
SR.ArgumentOutOfRange_ArrayTooSmall);
}
//
// We only understand revision-1 security descriptors
//
if (binaryForm[offset + 0] != Revision)
{
throw new ArgumentOutOfRangeException(nameof(binaryForm),
SR.AccessControl_InvalidSecurityDescriptorRevision);
}
Contract.EndContractBlock();
ControlFlags flags;
SecurityIdentifier owner, group;
RawAcl sacl, dacl;
byte rmControl;
//
// Extract the ResourceManagerControl field
//
rmControl = binaryForm[offset + 1];
//
// Extract the control flags
//
flags = (ControlFlags)((binaryForm[offset + 2] << 0) + (binaryForm[offset + 3] << 8));
//
// Make sure that the input is in self-relative format
//
if ((flags & ControlFlags.SelfRelative) == 0)
{
throw new ArgumentException(
SR.AccessControl_InvalidSecurityDescriptorSelfRelativeForm,
nameof(binaryForm));
}
//
// Extract the owner SID
//
int ownerOffset = UnmarshalInt(binaryForm, offset + OwnerFoundAt);
if (ownerOffset != 0)
{
owner = new SecurityIdentifier(binaryForm, offset + ownerOffset);
}
else
{
owner = null;
}
//
// Extract the group SID
//
int groupOffset = UnmarshalInt(binaryForm, offset + GroupFoundAt);
if (groupOffset != 0)
{
group = new SecurityIdentifier(binaryForm, offset + groupOffset);
}
else
{
group = null;
}
//
// Extract the SACL
//
int saclOffset = UnmarshalInt(binaryForm, offset + SaclFoundAt);
if (((flags & ControlFlags.SystemAclPresent) != 0) &&
saclOffset != 0)
{
sacl = new RawAcl(binaryForm, offset + saclOffset);
}
else
{
sacl = null;
}
//
// Extract the DACL
//
int daclOffset = UnmarshalInt(binaryForm, offset + DaclFoundAt);
if (((flags & ControlFlags.DiscretionaryAclPresent) != 0) &&
daclOffset != 0)
{
dacl = new RawAcl(binaryForm, offset + daclOffset);
}
else
{
dacl = null;
}
//
// Create the resulting security descriptor
//
CreateFromParts(flags, owner, group, sacl, dacl);
//
// In the offchance that the flags indicate that the rmControl
// field is meaningful, remember what was there.
//
if ((flags & ControlFlags.RMControlValid) != 0)
{
ResourceManagerControl = rmControl;
}
}
public DiscretionaryAcl(bool isContainer, bool isDS,
RawAcl rawAcl)
: base(isContainer, isDS, 0)
{
// this.raw_acl = rawAcl;
}
//
// Creates an empty ACL
//
internal CommonAcl( bool isContainer, bool isDS, byte revision, int capacity )
: base()
{
_isContainer = isContainer;
_isDS = isDS;
_acl = new RawAcl( revision, capacity );
_isCanonical = true; // since it is empty
}
public SystemAcl(bool isContainer, bool isDS, RawAcl rawAcl)
: base(rawAcl, isContainer, isDS, false, rawAcl.Revision) {}
//
// Creates an ACL from a given raw ACL
// after canonicalizing it
//
public SystemAcl( bool isContainer, bool isDS, RawAcl rawAcl )
: this( isContainer, isDS, rawAcl, false )
{
}
static RawAcl MakeRawAcl (GenericAce[] aces)
{
RawAcl acl = new RawAcl (RawAcl.AclRevision, 0);
for (int i = 0; i < aces.Length; i ++) { acl.InsertAce (i, aces [i]); }
return acl;
}
//
// Creates an ACL from a given raw ACL
// after canonicalizing it
//
public DiscretionaryAcl( bool isContainer, bool isDS, RawAcl rawAcl )
: this( isContainer, isDS, rawAcl, false )
{
}
// // Summary: // Initializes a new instance of the System.Security.AccessControl.DiscretionaryAcl // class with the specified values from the specified System.Security.AccessControl.RawAcl // object. // // Parameters: // isContainer: // true if the new System.Security.AccessControl.DiscretionaryAcl object is // a container. // // isDS: // true if the new System.Security.AccessControl.DiscretionaryAcl object is // a directory object Access Control List (ACL). // // rawAcl: // The underlying System.Security.AccessControl.RawAcl object for the new System.Security.AccessControl.DiscretionaryAcl // object. Specify null to create an empty ACL. public DiscretionaryAcl(bool isContainer, bool isDS, RawAcl rawAcl);
// // Summary: // Initializes a new instance of the System.Security.AccessControl.SystemAcl // class with the specified values from the specified System.Security.AccessControl.RawAcl // object. // // Parameters: // isContainer: // true if the new System.Security.AccessControl.SystemAcl object is a container. // // isDS: // true if the new System.Security.AccessControl.SystemAcl object is a directory // object Access Control List (ACL). // // rawAcl: // The underlying System.Security.AccessControl.RawAcl object for the new System.Security.AccessControl.SystemAcl // object. Specify null to create an empty ACL. extern public SystemAcl(bool isContainer, bool isDS, RawAcl rawAcl);
/// <summary>Initializes a new instance of the <see cref="T:System.Security.AccessControl.DiscretionaryAcl" /> class with the specified values from the specified <see cref="T:System.Security.AccessControl.RawAcl" /> object.</summary>
/// <param name="isContainer">
/// <see langword="true" /> if the new <see cref="T:System.Security.AccessControl.DiscretionaryAcl" /> object is a container.</param>
/// <param name="isDS">
/// <see langword="true" /> if the new <see cref="T:System.Security.AccessControl.DiscretionaryAcl" /> object is a directory object Access Control List (ACL).</param>
/// <param name="rawAcl">The underlying <see cref="T:System.Security.AccessControl.RawAcl" /> object for the new <see cref="T:System.Security.AccessControl.DiscretionaryAcl" /> object. Specify <see langword="null" /> to create an empty ACL.</param>
// Token: 0x06001EE6 RID: 7910 RVA: 0x0006CCCA File Offset: 0x0006AECA
public DiscretionaryAcl(bool isContainer, bool isDS, RawAcl rawAcl) : this(isContainer, isDS, rawAcl, false)
{
}
