Inheritance: CommonAcl
        void Init(bool isContainer, bool isDS, RawSecurityDescriptor rawSecurityDescriptor)
        {
            if (null == rawSecurityDescriptor)
            {
                throw new ArgumentNullException("rawSecurityDescriptor");
            }

            SystemAcl sacl = null;

            if (null != rawSecurityDescriptor.SystemAcl)
            {
                sacl = new SystemAcl(isContainer, isDS, rawSecurityDescriptor.SystemAcl);
            }

            DiscretionaryAcl dacl = null;

            if (null != rawSecurityDescriptor.DiscretionaryAcl)
            {
                dacl = new DiscretionaryAcl(isContainer, isDS, rawSecurityDescriptor.DiscretionaryAcl);
            }

            Init(isContainer, isDS,
                 rawSecurityDescriptor.ControlFlags,
                 rawSecurityDescriptor.Owner,
                 rawSecurityDescriptor.Group,
                 sacl, dacl);
        }
 public void PurgeAudit(SecurityIdentifier sid)
 {
     if (SystemAcl != null)
     {
         SystemAcl.Purge(sid);
     }
 }
Esempio n. 3
0
        private void CreateFromParts(bool isContainer, bool isDS, ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, SystemAcl systemAcl, DiscretionaryAcl discretionaryAcl)
        {
            if (systemAcl != null && systemAcl.IsContainer != isContainer)
            {
                throw new ArgumentException(Environment.GetResourceString(isContainer ? "AccessControl_MustSpecifyContainerAcl" : "AccessControl_MustSpecifyLeafObjectAcl"), "systemAcl");
            }
            if (discretionaryAcl != null && discretionaryAcl.IsContainer != isContainer)
            {
                throw new ArgumentException(Environment.GetResourceString(isContainer ? "AccessControl_MustSpecifyContainerAcl" : "AccessControl_MustSpecifyLeafObjectAcl"), "discretionaryAcl");
            }
            this._isContainer = isContainer;
            if (systemAcl != null && systemAcl.IsDS != isDS)
            {
                throw new ArgumentException(Environment.GetResourceString(isDS ? "AccessControl_MustSpecifyDirectoryObjectAcl" : "AccessControl_MustSpecifyNonDirectoryObjectAcl"), "systemAcl");
            }
            if (discretionaryAcl != null && discretionaryAcl.IsDS != isDS)
            {
                throw new ArgumentException(Environment.GetResourceString(isDS ? "AccessControl_MustSpecifyDirectoryObjectAcl" : "AccessControl_MustSpecifyNonDirectoryObjectAcl"), "discretionaryAcl");
            }
            this._isDS = isDS;
            this._sacl = systemAcl;
            if (discretionaryAcl == null)
            {
                discretionaryAcl = DiscretionaryAcl.CreateAllowEveryoneFullAccess(this._isDS, this._isContainer);
            }
            this._dacl = discretionaryAcl;
            ControlFlags controlFlags = flags | ControlFlags.DiscretionaryAclPresent;

            this._rawSd = new RawSecurityDescriptor(systemAcl != null ? controlFlags | ControlFlags.SystemAclPresent : controlFlags& ~ControlFlags.SystemAclPresent, owner, group, systemAcl == null ? (RawAcl)null : systemAcl.RawAcl, discretionaryAcl.RawAcl);
        }
Esempio n. 4
0
		public void AddAuditObjectAceAndCommonAce ()
		{
			SecurityIdentifier sid = new SecurityIdentifier ("BA");
			SystemAcl sacl = new SystemAcl (false, true, 0);

			sacl.AddAudit (AuditFlags.Success, sid, 1, InheritanceFlags.None, PropagationFlags.None,
			               ObjectAceFlags.ObjectAceTypePresent, Guid.NewGuid (), Guid.Empty);
			sacl.AddAudit (AuditFlags.Success, sid, 1, InheritanceFlags.None, PropagationFlags.None,
				       ObjectAceFlags.None, Guid.Empty, Guid.Empty);
			Assert.AreEqual (2, sacl.Count);

			CommonAce cace = (CommonAce)sacl [0];
			Assert.AreEqual (1, cace.AccessMask);
			Assert.AreEqual ("S-1-5-32-544", cace.SecurityIdentifier.Value);
			Assert.IsFalse (cace.IsCallback);
			Assert.IsFalse (cace.IsInherited);

			ObjectAce oace = (ObjectAce)sacl [1];
			Assert.AreEqual (1, oace.AccessMask);
			Assert.AreEqual ("S-1-5-32-544", oace.SecurityIdentifier.Value);
			Assert.IsFalse (oace.IsCallback);
			Assert.IsFalse (oace.IsInherited);

			sacl.AddAudit (AuditFlags.Success, sid, 2, InheritanceFlags.None, PropagationFlags.None,
				       ObjectAceFlags.None, Guid.Empty, Guid.Empty);
			Assert.AreEqual (2, sacl.Count);

			CommonAce cace2 = (CommonAce)sacl [0];
			Assert.AreEqual (3, cace2.AccessMask);
		}
 public CommonSecurityDescriptor(bool isContainer, bool isDS,
                                 ControlFlags flags,
                                 SecurityIdentifier owner,
                                 SecurityIdentifier group,
                                 SystemAcl systemAcl,
                                 DiscretionaryAcl discretionaryAcl)
 {
     Init(isContainer, isDS, flags, owner, group, systemAcl, discretionaryAcl);
 }
		public CommonSecurityDescriptor (bool isContainer, bool isDS,
						 ControlFlags flags,
						 SecurityIdentifier owner,
						 SecurityIdentifier group,
						 SystemAcl systemAcl,
						 DiscretionaryAcl discretionaryAcl)
		{
			Init (isContainer, isDS, flags, owner, group, systemAcl, discretionaryAcl);
		}
Esempio n. 7
0
        public void PurgeAudit(SecurityIdentifier sid)
        {
            ArgumentNullException.ThrowIfNull(sid);

            if (SystemAcl != null)
            {
                SystemAcl.Purge(sid);
            }
        }
 /// <summary>Initializes a new instance of the <see cref="T:System.Security.AccessControl.CommonSecurityDescriptor" /> class from the specified information.</summary>
 /// <param name="isContainer">true if the new security descriptor is associated with a container object.</param>
 /// <param name="isDS">true if the new security descriptor is associated with a directory object.</param>
 /// <param name="flags">Flags that specify behavior of the new <see cref="T:System.Security.AccessControl.CommonSecurityDescriptor" /> object.</param>
 /// <param name="owner">The owner for the new <see cref="T:System.Security.AccessControl.CommonSecurityDescriptor" /> object.</param>
 /// <param name="group">The primary group for the new <see cref="T:System.Security.AccessControl.CommonSecurityDescriptor" /> object.</param>
 /// <param name="systemAcl">The System Access Control List (SACL) for the new <see cref="T:System.Security.AccessControl.CommonSecurityDescriptor" /> object.</param>
 /// <param name="discretionaryAcl">The Discretionary Access Control List (DACL) for the new <see cref="T:System.Security.AccessControl.CommonSecurityDescriptor" /> object.</param>
 public CommonSecurityDescriptor(bool isContainer, bool isDS, ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, SystemAcl systemAcl, DiscretionaryAcl discretionaryAcl)
 {
     this.isContainer      = isContainer;
     this.isDS             = isDS;
     this.flags            = flags;
     this.owner            = owner;
     this.group            = group;
     this.systemAcl        = systemAcl;
     this.discretionaryAcl = discretionaryAcl;
     throw new NotImplementedException();
 }
Esempio n. 9
0
		public void AddAuditMergesFlags ()
		{
			SecurityIdentifier sid = new SecurityIdentifier ("BA");
			SystemAcl sacl = new SystemAcl (false, false, 0);

			sacl.AddAudit (AuditFlags.Success, sid, 1, InheritanceFlags.None, PropagationFlags.None);
			sacl.AddAudit (AuditFlags.Failure, sid, 1, InheritanceFlags.None, PropagationFlags.None);
			Assert.AreEqual (1, sacl.Count);

			CommonAce ace = (CommonAce)sacl [0];
			Assert.AreEqual (AuditFlags.Success|AuditFlags.Failure, ace.AuditFlags);
		}
Esempio n. 10
0
        public void PurgeAudit(SecurityIdentifier sid)
        {
            if (sid == null)
            {
                throw new ArgumentNullException(nameof(sid));
            }

            if (SystemAcl != null)
            {
                SystemAcl.Purge(sid);
            }
        }
Esempio n. 11
0
        public void PurgeAudit(SecurityIdentifier sid)
        {
            if (sid == null)
            {
                throw new ArgumentNullException("sid");
            }
            Contract.EndContractBlock();

            if (SystemAcl != null)
            {
                SystemAcl.Purge(sid);
            }
        }
Esempio n. 12
0
		public void AddAuditCommonAce ()
		{
			SecurityIdentifier sid = new SecurityIdentifier ("BA");
			SystemAcl sacl = new SystemAcl (false, false, 0);

			sacl.AddAudit (AuditFlags.Success, sid, 1, InheritanceFlags.None, PropagationFlags.None);
			Assert.AreEqual (1, sacl.Count);

			CommonAce ace = (CommonAce)sacl [0];
			Assert.AreEqual (AuditFlags.Success, ace.AuditFlags);
			Assert.AreEqual (1, ace.AccessMask);
			Assert.AreEqual ("S-1-5-32-544", ace.SecurityIdentifier.Value);
			Assert.IsFalse (ace.IsInherited);
		}
        public void SetSystemAclProtection(bool isProtected,
                                           bool preserveInheritance)
        {
            if (!isProtected)
            {
                flags &= ~ControlFlags.SystemAclProtected;
                return;
            }

            flags |= ControlFlags.SystemAclProtected;
            if (!preserveInheritance && SystemAcl != null)
            {
                SystemAcl.RemoveInheritedAces();
            }
        }
Esempio n. 14
0
		public void AddAuditCommonAceUsingDSOverload ()
		{
			SecurityIdentifier sid = new SecurityIdentifier ("BA");
			SystemAcl sacl = new SystemAcl (false, true, 0);

			sacl.AddAudit (AuditFlags.Failure, sid, 1, InheritanceFlags.None, PropagationFlags.None,
			               ObjectAceFlags.None, Guid.NewGuid (), Guid.NewGuid ());
			Assert.AreEqual (1, sacl.Count);

			CommonAce ace = (CommonAce)sacl [0];
			Assert.AreEqual (AuditFlags.Failure, ace.AuditFlags);
			Assert.AreEqual (1, ace.AccessMask);
			Assert.AreEqual ("S-1-5-32-544", ace.SecurityIdentifier.Value);
			Assert.IsFalse (ace.IsInherited);
		}
Esempio n. 15
0
        public void SetSystemAclProtection(bool isProtected, bool preserveInheritance)
        {
            if (!isProtected)
            {
                RemoveControlFlags(ControlFlags.SystemAclProtected);
            }
            else
            {
                if (!preserveInheritance && SystemAcl != null)
                {
                    SystemAcl.RemoveInheritedAces();
                }

                AddControlFlags(ControlFlags.SystemAclProtected);
            }
        }
        void Init(bool isContainer, bool isDS,
                  ControlFlags flags,
                  SecurityIdentifier owner,
                  SecurityIdentifier group,
                  SystemAcl systemAcl,
                  DiscretionaryAcl discretionaryAcl)
        {
            this.flags        = flags & ~ControlFlags.SystemAclPresent;
            this.is_container = isContainer;
            this.is_ds        = isDS;

            Owner            = owner;
            Group            = group;
            SystemAcl        = systemAcl;
            DiscretionaryAcl = discretionaryAcl;
        }
Esempio n. 17
0
		public CommonSecurityDescriptor (bool isContainer, bool isDS,
						 ControlFlags flags,
						 SecurityIdentifier owner,
						 SecurityIdentifier group,
						 SystemAcl systemAcl,
						 DiscretionaryAcl discretionaryAcl)
		{
			this.isContainer = isContainer;
			this.isDS = isDS;
			this.flags = flags;
			this.owner = owner;
			this.group = group;
			this.systemAcl = systemAcl;
			this.discretionaryAcl = discretionaryAcl;
			
			throw new NotImplementedException ();
		}
		void Init (bool isContainer, bool isDS, RawSecurityDescriptor rawSecurityDescriptor)
		{
			if (null == rawSecurityDescriptor)
				throw new ArgumentNullException ("rawSecurityDescriptor");
				
			SystemAcl sacl = null;
			if (null != rawSecurityDescriptor.SystemAcl)
				sacl = new SystemAcl (isContainer, isDS, rawSecurityDescriptor.SystemAcl);
				
			DiscretionaryAcl dacl = null;
			if (null != rawSecurityDescriptor.DiscretionaryAcl)
				dacl = new DiscretionaryAcl (isContainer, isDS, rawSecurityDescriptor.DiscretionaryAcl);
				
			Init (isContainer, isDS,
			      rawSecurityDescriptor.ControlFlags,
			      rawSecurityDescriptor.Owner,
			      rawSecurityDescriptor.Group,
			      sacl, dacl);
		}
Esempio n. 19
0
		public void IndexerMakesCopies ()
		{
			// This behavior is mentioned in the DiscretionaryAcl RawAcl constructor overload.
			// Turns out it applies to more than just the constructor.
			SecurityIdentifier worldSid = new SecurityIdentifier ("WD");

			// RawAcl does not make copies.
			RawAcl acl = new RawAcl (RawAcl.AclRevision, 1);
			CommonAce ace = new CommonAce (AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, worldSid, false, null);
			acl.InsertAce (0, ace);
			Assert.AreSame (acl [0], acl [0]);

			// CommonAcl does.
			SystemAcl sacl = new SystemAcl (false, false, acl);
			Assert.AreNotSame (sacl [0], sacl [0]);

			// Make sure the copying occurs in the constructor as well as the indexer.
			ace.AceFlags = AceFlags.FailedAccess;
			Assert.AreEqual (AceFlags.SuccessfulAccess, sacl [0].AceFlags);
		}
Esempio n. 20
0
        public void PurgeAudit(SecurityIdentifier sid)
        {
            ArgumentNullException.ThrowIfNull(sid);

            SystemAcl?.Purge(sid);
        }
        private void Persist(string name, SafeHandle handle, AccessControlSections includeSections, object exceptionContext)
        {
            base.WriteLock();
            try
            {
                SecurityInfos      securityInformation = 0;
                SecurityIdentifier owner = null;
                SecurityIdentifier group = null;
                SystemAcl          sacl  = null;
                DiscretionaryAcl   dacl  = null;
                if (((includeSections & AccessControlSections.Owner) != AccessControlSections.None) && (base._securityDescriptor.Owner != null))
                {
                    securityInformation |= SecurityInfos.Owner;
                    owner = base._securityDescriptor.Owner;
                }
                if (((includeSections & AccessControlSections.Group) != AccessControlSections.None) && (base._securityDescriptor.Group != null))
                {
                    securityInformation |= SecurityInfos.Group;
                    group = base._securityDescriptor.Group;
                }
                if ((includeSections & AccessControlSections.Audit) != AccessControlSections.None)
                {
                    securityInformation |= SecurityInfos.SystemAcl;
                    if ((base._securityDescriptor.IsSystemAclPresent && (base._securityDescriptor.SystemAcl != null)) && (base._securityDescriptor.SystemAcl.Count > 0))
                    {
                        sacl = base._securityDescriptor.SystemAcl;
                    }
                    else
                    {
                        sacl = null;
                    }
                    if ((base._securityDescriptor.ControlFlags & ControlFlags.SystemAclProtected) != ControlFlags.None)
                    {
                        securityInformation |= (SecurityInfos)this.ProtectedSystemAcl;
                    }
                    else
                    {
                        securityInformation |= (SecurityInfos)this.UnprotectedSystemAcl;
                    }
                }
                if (((includeSections & AccessControlSections.Access) != AccessControlSections.None) && base._securityDescriptor.IsDiscretionaryAclPresent)
                {
                    securityInformation |= SecurityInfos.DiscretionaryAcl;
                    if (base._securityDescriptor.DiscretionaryAcl.EveryOneFullAccessForNullDacl)
                    {
                        dacl = null;
                    }
                    else
                    {
                        dacl = base._securityDescriptor.DiscretionaryAcl;
                    }
                    if ((base._securityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclProtected) != ControlFlags.None)
                    {
                        securityInformation |= (SecurityInfos)this.ProtectedDiscretionaryAcl;
                    }
                    else
                    {
                        securityInformation |= (SecurityInfos)this.UnprotectedDiscretionaryAcl;
                    }
                }
                if (securityInformation == 0)
                {
                    return;
                }
                int errorCode = System.Security.AccessControl.Win32.SetSecurityInfo(this._resourceType, name, handle, securityInformation, owner, group, sacl, dacl);
                if (errorCode == 0)
                {
                    goto Label_0249;
                }
                Exception exception = null;
                if (this._exceptionFromErrorCode != null)
                {
                    exception = this._exceptionFromErrorCode(errorCode, name, handle, exceptionContext);
                }
                if (exception == null)
                {
                    switch (errorCode)
                    {
                    case 5:
                        exception = new UnauthorizedAccessException();
                        goto Label_0246;

                    case 0x51b:
                        exception = new InvalidOperationException(Environment.GetResourceString("AccessControl_InvalidOwner"));
                        goto Label_0246;

                    case 0x51c:
                        exception = new InvalidOperationException(Environment.GetResourceString("AccessControl_InvalidGroup"));
                        goto Label_0246;

                    case 0x7b:
                        exception = new ArgumentException(Environment.GetResourceString("Argument_InvalidName"), "name");
                        goto Label_0246;

                    case 6:
                        exception = new NotSupportedException(Environment.GetResourceString("AccessControl_InvalidHandle"));
                        goto Label_0246;

                    case 2:
                        exception = new FileNotFoundException();
                        goto Label_0246;

                    case 0x546:
                        exception = new NotSupportedException(Environment.GetResourceString("AccessControl_NoAssociatedSecurity"));
                        goto Label_0246;
                    }
                    exception = new InvalidOperationException(Environment.GetResourceString("AccessControl_UnexpectedError", new object[] { errorCode }));
                }
Label_0246:
                throw exception;
Label_0249:
                base.OwnerModified       = false;
                base.GroupModified       = false;
                base.AccessRulesModified = false;
                base.AuditRulesModified  = false;
            }
            finally
            {
                base.WriteUnlock();
            }
        }
Esempio n. 22
0
 public byte[] ToSaclBytes()
 {
     SystemAcl sacl = new SystemAcl(false, false, 0);
     byte[] bytes = new byte[sacl.BinaryLength];
     sacl.GetBinaryForm(bytes, 0);
     return bytes;
 }
Esempio n. 23
0
        internal static void SetAccessControlExtracted(FileSystemSecurity security, string name)
        {
            //security.WriteLock();
            AccessControlSections includeSections = AccessControlSections.Audit | AccessControlSections.Owner | AccessControlSections.Group;

            SecurityInfos securityInfo = (SecurityInfos)0;
            SecurityIdentifier owner = null;
            SecurityIdentifier group = null;
            SystemAcl sacl = null;
            DiscretionaryAcl dacl = null;
            if ((includeSections & AccessControlSections.Owner) != AccessControlSections.None)
            {
                owner = (SecurityIdentifier)security.GetOwner(typeof(SecurityIdentifier));
                if (owner != null)
                {
                    securityInfo = securityInfo | SecurityInfos.Owner;
                }
            }

            if ((includeSections & AccessControlSections.Group) != AccessControlSections.None)
            {
                @group = (SecurityIdentifier)security.GetGroup(typeof(SecurityIdentifier));
                if (@group != null)
                {
                    securityInfo = securityInfo | SecurityInfos.Group;
                }
            }
            var securityDescriptorBinaryForm = security.GetSecurityDescriptorBinaryForm();
            RawSecurityDescriptor rawSecurityDescriptor = null;
            bool isDiscretionaryAclPresent = false;
            if (securityDescriptorBinaryForm != null)
            {
                rawSecurityDescriptor = new RawSecurityDescriptor(securityDescriptorBinaryForm, 0);
                isDiscretionaryAclPresent = (rawSecurityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclPresent) != ControlFlags.None;
            }

            if ((includeSections & AccessControlSections.Audit) != AccessControlSections.None)
            {
                securityInfo = securityInfo | SecurityInfos.SystemAcl;
                sacl = null;
                if (rawSecurityDescriptor != null)
                {
                    var isSystemAclPresent = (rawSecurityDescriptor.ControlFlags & ControlFlags.SystemAclPresent) != ControlFlags.None;
                    if (isSystemAclPresent && rawSecurityDescriptor.SystemAcl != null && rawSecurityDescriptor.SystemAcl.Count > 0)
                    {
                        // are all system acls on a file not a container?
                        const bool notAContainer = false;
                        const bool notADirectoryObjectACL = false;

                        sacl = new SystemAcl(notAContainer, notADirectoryObjectACL,
                            rawSecurityDescriptor.SystemAcl);
                    }
                    securityInfo = (SecurityInfos)(((rawSecurityDescriptor.ControlFlags & ControlFlags.SystemAclProtected) == ControlFlags.None ?
                        (uint)securityInfo | UnprotectedSystemAcl : (uint)securityInfo | ProtectedSystemAcl));
                }
            }
            if ((includeSections & AccessControlSections.Access) != AccessControlSections.None && isDiscretionaryAclPresent)
            {
                securityInfo = securityInfo | SecurityInfos.DiscretionaryAcl;
                dacl = null;
                if (rawSecurityDescriptor != null)
                {
                    //if (!this._securityDescriptor.DiscretionaryAcl.EveryOneFullAccessForNullDacl)
                    {
                        dacl = new DiscretionaryAcl(false, false, rawSecurityDescriptor.DiscretionaryAcl);
                    }
                    securityInfo = (SecurityInfos)(((rawSecurityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclProtected) == ControlFlags.None ?
                        (uint)securityInfo | UnprotectedDiscretionaryAcl : (uint)securityInfo | ProtectedDiscretionaryAcl));
                }
            }
            if (securityInfo == 0) return;

            int errorNum = SetSecurityInfo(ResourceType.FileObject, name, null, securityInfo, owner, @group, sacl, dacl);
            if (errorNum != 0)
            {
                Exception exception = GetExceptionFromWin32Error(errorNum, name);
                if (exception == null)
                {
                    if (errorNum == NativeMethods.ERROR_ACCESS_DENIED)
                    {
                        exception = new UnauthorizedAccessException();
                    }
                    else if (errorNum == NativeMethods.ERROR_INVALID_OWNER)
                    {
                        exception = new InvalidOperationException("Invalid owner");
                    }
                    else if (errorNum == NativeMethods.ERROR_INVALID_PRIMARY_GROUP)
                    {
                        exception = new InvalidOperationException("Invalid group");
                    }
                    else if (errorNum == NativeMethods.ERROR_INVALID_NAME)
                    {
                        exception = new ArgumentException("Invalid name", "name");
                    }
                    else if (errorNum == NativeMethods.ERROR_INVALID_HANDLE)
                    {
                        exception = new NotSupportedException("Invalid Handle");
                    }
                    else if (errorNum == NativeMethods.ERROR_FILE_NOT_FOUND)
                    {
                        exception = new FileNotFoundException();
                    }
                    else if (errorNum != NativeMethods.ERROR_NO_SECURITY_ON_OBJECT)
                    {
                        exception = new InvalidOperationException("Unexpected error");
                    }
                    else
                    {
                        exception = new NotSupportedException("No associated security");
                    }
                }
                throw exception;
            }
            //finally
            //{
                //security.WriteLUnlck();
            //}
        }
 /// <summary>Initializes a new instance of the <see cref="T:System.Security.AccessControl.CommonSecurityDescriptor" /> class from the specified information.</summary><param name="isContainer">true if the new security descriptor is associated with a container object.</param><param name="isDS">true if the new security descriptor is associated with a directory object.</param><param name="flags">Flags that specify behavior of the new <see cref="T:System.Security.AccessControl.CommonSecurityDescriptor" /> object.</param><param name="owner">The owner for the new <see cref="T:System.Security.AccessControl.CommonSecurityDescriptor" /> object.</param><param name="group">The primary group for the new <see cref="T:System.Security.AccessControl.CommonSecurityDescriptor" /> object.</param><param name="systemAcl">The System Access Control List (SACL) for the new <see cref="T:System.Security.AccessControl.CommonSecurityDescriptor" /> object.</param><param name="discretionaryAcl">The Discretionary Access Control List (DACL) for the new <see cref="T:System.Security.AccessControl.CommonSecurityDescriptor" /> object.</param>
 public CommonSecurityDescriptor(bool isContainer, bool isDS, ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, SystemAcl systemAcl, DiscretionaryAcl discretionaryAcl)
 {
     throw new NotImplementedException();
 }
Esempio n. 25
0
		void RemoveSpecificBegin (SecurityIdentifier sid, SystemAcl sacl, InheritanceFlags inheritanceFlags)
		{
			SecurityIdentifier otherSid = new SecurityIdentifier ("BU");

			sacl.AddAudit (AuditFlags.Success, sid, 3, inheritanceFlags, PropagationFlags.None);
			Assert.AreEqual (1, sacl.Count);
			sacl.RemoveAuditSpecific (AuditFlags.Failure, sid, 1, inheritanceFlags, PropagationFlags.None);
			Assert.AreEqual (1, sacl.Count);
			sacl.RemoveAuditSpecific (AuditFlags.Success, otherSid, 1, inheritanceFlags, PropagationFlags.None);
			Assert.AreEqual (1, sacl.Count);
			sacl.RemoveAuditSpecific (AuditFlags.Success, sid, 1, inheritanceFlags, PropagationFlags.None);
			Assert.AreEqual (1, sacl.Count);
			Assert.AreEqual (3, ((CommonAce)sacl [0]).AccessMask);
			sacl.RemoveAuditSpecific (AuditFlags.Success, sid, 3,
			                          inheritanceFlags ^ InheritanceFlags.ContainerInherit,
			                          PropagationFlags.None);
			Assert.AreEqual (1, sacl.Count);
		}
Esempio n. 26
0
        private void CreateFromParts(bool isContainer, bool isDS, ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, SystemAcl systemAcl, DiscretionaryAcl discretionaryAcl)
        {
            if (systemAcl != null &&
                systemAcl.IsContainer != isContainer)
            {
                throw new ArgumentException(
                     isContainer ?
                        SR.AccessControl_MustSpecifyContainerAcl :
                        SR.AccessControl_MustSpecifyLeafObjectAcl,
nameof(systemAcl));
            }

            if (discretionaryAcl != null &&
                discretionaryAcl.IsContainer != isContainer)
            {
                throw new ArgumentException(
                     isContainer ?
                        SR.AccessControl_MustSpecifyContainerAcl :
                        SR.AccessControl_MustSpecifyLeafObjectAcl,
nameof(discretionaryAcl));
            }

            _isContainer = isContainer;

            if (systemAcl != null &&
                systemAcl.IsDS != isDS)
            {
                throw new ArgumentException(
                     isDS ?
                        SR.AccessControl_MustSpecifyDirectoryObjectAcl :
                        SR.AccessControl_MustSpecifyNonDirectoryObjectAcl,
nameof(systemAcl));
            }

            if (discretionaryAcl != null &&
                discretionaryAcl.IsDS != isDS)
            {
                throw new ArgumentException(
                    isDS ?
                        SR.AccessControl_MustSpecifyDirectoryObjectAcl :
                        SR.AccessControl_MustSpecifyNonDirectoryObjectAcl,
nameof(discretionaryAcl));
            }

            _isDS = isDS;

            _sacl = systemAcl;

            //
            // Replace null DACL with an allow-all for everyone DACL
            //

            if (discretionaryAcl == null)
            {
                //
                // to conform to native behavior, we will add allow everyone ace for DACL
                //

                discretionaryAcl = DiscretionaryAcl.CreateAllowEveryoneFullAccess(_isDS, _isContainer);
            }

            _dacl = discretionaryAcl;

            //
            // DACL is never null. So always set the flag bit on
            //

            ControlFlags actualFlags = flags | ControlFlags.DiscretionaryAclPresent;

            //
            // Keep SACL and the flag bit in sync.
            //

            if (systemAcl == null)
            {
                unchecked { actualFlags &= ~(ControlFlags.SystemAclPresent); }
            }
            else
            {
                actualFlags |= (ControlFlags.SystemAclPresent);
            }

            _rawSd = new RawSecurityDescriptor(actualFlags, owner, group, systemAcl == null ? null : systemAcl.RawAcl, discretionaryAcl.RawAcl);
        }
		public void AddSystemAcl(byte revision, int trusted)
		{
			SystemAcl = new SystemAcl (IsContainer, IsDS, revision, trusted);
			flags |= ControlFlags.SystemAclPresent;
		}
 public CommonSecurityDescriptor(bool isContainer, bool isDS, ControlFlags flags, System.Security.Principal.SecurityIdentifier owner, System.Security.Principal.SecurityIdentifier group, SystemAcl systemAcl, DiscretionaryAcl discretionaryAcl)
 {
 }
 public CommonSecurityDescriptor(bool isContainer, bool isDS, ControlFlags flags, System.Security.Principal.SecurityIdentifier owner, System.Security.Principal.SecurityIdentifier group, SystemAcl systemAcl, DiscretionaryAcl discretionaryAcl)
 {
 }
 public void AddSystemAcl(byte revision, int trusted)
 {
     SystemAcl = new SystemAcl(IsContainer, IsDS, revision, trusted);
     flags    |= ControlFlags.SystemAclPresent;
 }
 private void Persist(string name, SafeHandle handle, AccessControlSections includeSections, object exceptionContext)
 {
     base.WriteLock();
     try
     {
         SecurityInfos      securityInfos = (SecurityInfos)0;
         SecurityIdentifier owner         = null;
         SecurityIdentifier group         = null;
         SystemAcl          sacl          = null;
         DiscretionaryAcl   dacl          = null;
         if ((includeSections & AccessControlSections.Owner) != AccessControlSections.None && this._securityDescriptor.Owner != null)
         {
             securityInfos |= SecurityInfos.Owner;
             owner          = this._securityDescriptor.Owner;
         }
         if ((includeSections & AccessControlSections.Group) != AccessControlSections.None && this._securityDescriptor.Group != null)
         {
             securityInfos |= SecurityInfos.Group;
             group          = this._securityDescriptor.Group;
         }
         if ((includeSections & AccessControlSections.Audit) != AccessControlSections.None)
         {
             securityInfos |= SecurityInfos.SystemAcl;
             if (this._securityDescriptor.IsSystemAclPresent && this._securityDescriptor.SystemAcl != null && this._securityDescriptor.SystemAcl.Count > 0)
             {
                 sacl = this._securityDescriptor.SystemAcl;
             }
             else
             {
                 sacl = null;
             }
             if ((this._securityDescriptor.ControlFlags & ControlFlags.SystemAclProtected) != ControlFlags.None)
             {
                 securityInfos |= (SecurityInfos)this.ProtectedSystemAcl;
             }
             else
             {
                 securityInfos |= (SecurityInfos)this.UnprotectedSystemAcl;
             }
         }
         if ((includeSections & AccessControlSections.Access) != AccessControlSections.None && this._securityDescriptor.IsDiscretionaryAclPresent)
         {
             securityInfos |= SecurityInfos.DiscretionaryAcl;
             if (this._securityDescriptor.DiscretionaryAcl.EveryOneFullAccessForNullDacl)
             {
                 dacl = null;
             }
             else
             {
                 dacl = this._securityDescriptor.DiscretionaryAcl;
             }
             if ((this._securityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclProtected) != ControlFlags.None)
             {
                 securityInfos |= (SecurityInfos)this.ProtectedDiscretionaryAcl;
             }
             else
             {
                 securityInfos |= (SecurityInfos)this.UnprotectedDiscretionaryAcl;
             }
         }
         if (securityInfos != (SecurityInfos)0)
         {
             int num = Win32.SetSecurityInfo(this._resourceType, name, handle, securityInfos, owner, group, sacl, dacl);
             if (num != 0)
             {
                 Exception ex = null;
                 if (this._exceptionFromErrorCode != null)
                 {
                     ex = this._exceptionFromErrorCode(num, name, handle, exceptionContext);
                 }
                 if (ex == null)
                 {
                     if (num == 5)
                     {
                         ex = new UnauthorizedAccessException();
                     }
                     else if (num == 1307)
                     {
                         ex = new InvalidOperationException(Environment.GetResourceString("AccessControl_InvalidOwner"));
                     }
                     else if (num == 1308)
                     {
                         ex = new InvalidOperationException(Environment.GetResourceString("AccessControl_InvalidGroup"));
                     }
                     else if (num == 123)
                     {
                         ex = new ArgumentException(Environment.GetResourceString("Argument_InvalidName"), "name");
                     }
                     else if (num == 6)
                     {
                         ex = new NotSupportedException(Environment.GetResourceString("AccessControl_InvalidHandle"));
                     }
                     else if (num == 2)
                     {
                         ex = new FileNotFoundException();
                     }
                     else if (num == 1350)
                     {
                         ex = new NotSupportedException(Environment.GetResourceString("AccessControl_NoAssociatedSecurity"));
                     }
                     else
                     {
                         ex = new InvalidOperationException(Environment.GetResourceString("AccessControl_UnexpectedError", new object[]
                         {
                             num
                         }));
                     }
                 }
                 throw ex;
             }
             base.OwnerModified       = false;
             base.GroupModified       = false;
             base.AccessRulesModified = false;
             base.AuditRulesModified  = false;
         }
     }
     finally
     {
         base.WriteUnlock();
     }
 }
Esempio n. 32
0
		public void SetAudit ()
		{
			SecurityIdentifier adminSid = new SecurityIdentifier ("BA"); // S-1-5-32-544
			SecurityIdentifier userSid = new SecurityIdentifier ("BU"); // S-1-5-32-545

			SystemAcl sacl = new SystemAcl (true, false, 0);
			sacl.SetAudit (AuditFlags.Success, adminSid, 1, InheritanceFlags.ObjectInherit, PropagationFlags.None);
			sacl.SetAudit (AuditFlags.Success, userSid, 2, InheritanceFlags.None, PropagationFlags.None);
			Assert.AreEqual (2, sacl.Count);

			CommonAce ace = (CommonAce)sacl [0];
			Assert.AreEqual (adminSid, ace.SecurityIdentifier);
			Assert.AreEqual (1, ace.AccessMask);

			sacl.SetAudit (AuditFlags.Success, adminSid, 4, InheritanceFlags.ObjectInherit, PropagationFlags.None);
			Assert.AreNotEqual (4, ace.AccessMask);
			ace = (CommonAce)sacl [0];
			Assert.AreEqual (4, ace.AccessMask);

			sacl.SetAudit (AuditFlags.Failure, adminSid, 4, InheritanceFlags.ObjectInherit, PropagationFlags.None);
			Assert.AreEqual (2, sacl.Count);
			ace = (CommonAce)sacl [0];
			Assert.AreEqual (AuditFlags.Failure, ace.AuditFlags);
			Assert.AreEqual (adminSid, ace.SecurityIdentifier);
			ace = (CommonAce)sacl [1];
			Assert.AreEqual (AuditFlags.Success, ace.AuditFlags);
			Assert.AreEqual (userSid, ace.SecurityIdentifier);
		}
Esempio n. 33
0
		public void RemoveSpecific ()
		{
			SecurityIdentifier sid = new SecurityIdentifier ("BA");
			SystemAcl sacl = new SystemAcl (false, false, 0);

			RemoveSpecificBegin (sid, sacl, InheritanceFlags.None);
			sacl.RemoveAuditSpecific (AuditFlags.Success, sid, 3, InheritanceFlags.None, PropagationFlags.None);
			Assert.AreEqual (0, sacl.Count);
		}
		public void SaclPresent ()
		{
			SecurityIdentifier userSid = new SecurityIdentifier (WellKnownSidType.LocalSystemSid, null);
			SecurityIdentifier groupSid = new SecurityIdentifier (WellKnownSidType.BuiltinAdministratorsSid, null);
			SystemAcl sacl = new SystemAcl (false, false, 0);
			CommonSecurityDescriptor csd;

			csd = new CommonSecurityDescriptor
				(false, false, ControlFlags.None, userSid, groupSid, null, null);
			Assert.IsNull (csd.SystemAcl);
			Assert.IsTrue (csd.IsSystemAclCanonical);

			csd = new CommonSecurityDescriptor
				(false, false, ControlFlags.SystemAclPresent, userSid, groupSid, null, null);
			Assert.IsNull (csd.SystemAcl);
			Assert.IsTrue (csd.IsSystemAclCanonical);
			Assert.AreEqual (ControlFlags.DiscretionaryAclPresent | ControlFlags.SelfRelative, csd.ControlFlags);

			csd = new CommonSecurityDescriptor
				(false, false, ControlFlags.None, userSid, groupSid, sacl, null);
			Assert.AreSame (sacl, csd.SystemAcl);
			Assert.IsTrue (csd.IsSystemAclCanonical);
			Assert.AreEqual (0, csd.SystemAcl.Count);
			Assert.AreEqual (ControlFlags.DiscretionaryAclPresent
			                 | ControlFlags.SystemAclPresent
			                 | ControlFlags.SelfRelative, csd.ControlFlags);

			csd.SystemAcl = null;
			Assert.AreEqual (ControlFlags.DiscretionaryAclPresent
			                 | ControlFlags.SelfRelative, csd.ControlFlags);
		}
		void Init (bool isContainer, bool isDS,
			   ControlFlags flags,
			   SecurityIdentifier owner,
			   SecurityIdentifier group,
			   SystemAcl systemAcl,
			   DiscretionaryAcl discretionaryAcl)
		{
			this.flags = flags & ~ControlFlags.SystemAclPresent;
			this.is_container = isContainer;
			this.is_ds = isDS;
			
			Owner = owner;
			Group = group;
			SystemAcl = systemAcl;
			DiscretionaryAcl = discretionaryAcl;
		}
Esempio n. 36
0
		public void RemoveSpecificUsingDSOverload ()
		{
			SecurityIdentifier sid = new SecurityIdentifier ("BA");
			SystemAcl sacl = new SystemAcl (false, true, 0);

			RemoveSpecificBegin (sid, sacl, InheritanceFlags.None);
			sacl.RemoveAuditSpecific (AuditFlags.Success, sid, 3, InheritanceFlags.None, PropagationFlags.None,
			                          ObjectAceFlags.ObjectAceTypePresent, Guid.Empty, Guid.Empty);
			Assert.AreEqual (1, sacl.Count);
			sacl.RemoveAuditSpecific (AuditFlags.Success, sid, 3, InheritanceFlags.None, PropagationFlags.None,
			                          ObjectAceFlags.None, Guid.Empty, Guid.Empty);
			Assert.AreEqual (0, sacl.Count);
		}
Esempio n. 37
0
        //
        // Attempts to persist the security descriptor onto the object
        //

        private void Persist(string name, SafeHandle handle, AccessControlSections includeSections, object exceptionContext)
        {
            WriteLock();

            try
            {
                int           error;
                SecurityInfos securityInfo = 0;

                SecurityIdentifier owner = null, group = null;
                SystemAcl          sacl = null;
                DiscretionaryAcl   dacl = null;

                if ((includeSections & AccessControlSections.Owner) != 0 && _securityDescriptor.Owner != null)
                {
                    securityInfo |= SecurityInfos.Owner;
                    owner         = _securityDescriptor.Owner;
                }

                if ((includeSections & AccessControlSections.Group) != 0 && _securityDescriptor.Group != null)
                {
                    securityInfo |= SecurityInfos.Group;
                    group         = _securityDescriptor.Group;
                }

                if ((includeSections & AccessControlSections.Audit) != 0)
                {
                    securityInfo |= SecurityInfos.SystemAcl;
                    if (_securityDescriptor.IsSystemAclPresent &&
                        _securityDescriptor.SystemAcl != null &&
                        _securityDescriptor.SystemAcl.Count > 0)
                    {
                        sacl = _securityDescriptor.SystemAcl;
                    }
                    else
                    {
                        sacl = null;
                    }

                    if ((_securityDescriptor.ControlFlags & ControlFlags.SystemAclProtected) != 0)
                    {
                        securityInfo = (SecurityInfos)((uint)securityInfo | ProtectedSystemAcl);
                    }
                    else
                    {
                        securityInfo = (SecurityInfos)((uint)securityInfo | UnprotectedSystemAcl);
                    }
                }

                if ((includeSections & AccessControlSections.Access) != 0 && _securityDescriptor.IsDiscretionaryAclPresent)
                {
                    securityInfo |= SecurityInfos.DiscretionaryAcl;

                    // if the DACL is in fact a crafted replaced for NULL replacement, then we will persist it as NULL
                    if (_securityDescriptor.DiscretionaryAcl.EveryOneFullAccessForNullDacl)
                    {
                        dacl = null;
                    }
                    else
                    {
                        dacl = _securityDescriptor.DiscretionaryAcl;
                    }

                    if ((_securityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclProtected) != 0)
                    {
                        securityInfo = unchecked ((SecurityInfos)((uint)securityInfo | ProtectedDiscretionaryAcl));
                    }
                    else
                    {
                        securityInfo = (SecurityInfos)((uint)securityInfo | UnprotectedDiscretionaryAcl);
                    }
                }

                if (securityInfo == 0)
                {
                    //
                    // Nothing to persist
                    //

                    return;
                }

                error = Win32.SetSecurityInfo(_resourceType, name, handle, securityInfo, owner, group, sacl, dacl);

                if (error != Interop.Errors.ERROR_SUCCESS)
                {
                    System.Exception exception = null;

                    if (_exceptionFromErrorCode != null)
                    {
                        exception = _exceptionFromErrorCode(error, name, handle, exceptionContext);
                    }

                    if (exception == null)
                    {
                        if (error == Interop.Errors.ERROR_ACCESS_DENIED)
                        {
                            exception = new UnauthorizedAccessException();
                        }
                        else if (error == Interop.Errors.ERROR_INVALID_OWNER)
                        {
                            exception = new InvalidOperationException(SR.AccessControl_InvalidOwner);
                        }
                        else if (error == Interop.Errors.ERROR_INVALID_PRIMARY_GROUP)
                        {
                            exception = new InvalidOperationException(SR.AccessControl_InvalidGroup);
                        }
                        else if (error == Interop.Errors.ERROR_INVALID_NAME)
                        {
                            exception = new ArgumentException(SR.Argument_InvalidName, nameof(name));
                        }
                        else if (error == Interop.Errors.ERROR_INVALID_HANDLE)
                        {
                            exception = new NotSupportedException(SR.AccessControl_InvalidHandle);
                        }
                        else if (error == Interop.Errors.ERROR_FILE_NOT_FOUND)
                        {
                            exception = new FileNotFoundException();
                        }
                        else if (error == Interop.Errors.ERROR_NO_SECURITY_ON_OBJECT)
                        {
                            exception = new NotSupportedException(SR.AccessControl_NoAssociatedSecurity);
                        }
                        else
                        {
                            Debug.Fail($"Unexpected error code {error}");
                            exception = new InvalidOperationException(SR.Format(SR.AccessControl_UnexpectedError, error));
                        }
                    }

                    throw exception;
                }

                //
                // Everything goes well, let us clean the modified flags.
                // We are in proper write lock, so just go ahead
                //

                this.OwnerModified       = false;
                this.GroupModified       = false;
                this.AccessRulesModified = false;
                this.AuditRulesModified  = false;
            }
            finally
            {
                WriteUnlock();
            }
        }
Esempio n. 38
0
 private void Persist(string name, SafeHandle handle, AccessControlSections includeSections, object exceptionContext)
 {
     this.WriteLock();
     try
     {
         SecurityInfos      securityInformation = (SecurityInfos)0;
         SecurityIdentifier owner            = (SecurityIdentifier)null;
         SecurityIdentifier group            = (SecurityIdentifier)null;
         SystemAcl          systemAcl        = (SystemAcl)null;
         DiscretionaryAcl   discretionaryAcl = (DiscretionaryAcl)null;
         if ((includeSections & AccessControlSections.Owner) != AccessControlSections.None && this._securityDescriptor.Owner != (SecurityIdentifier)null)
         {
             securityInformation |= SecurityInfos.Owner;
             owner = this._securityDescriptor.Owner;
         }
         if ((includeSections & AccessControlSections.Group) != AccessControlSections.None && this._securityDescriptor.Group != (SecurityIdentifier)null)
         {
             securityInformation |= SecurityInfos.Group;
             group = this._securityDescriptor.Group;
         }
         if ((includeSections & AccessControlSections.Audit) != AccessControlSections.None)
         {
             SecurityInfos securityInfos = securityInformation | SecurityInfos.SystemAcl;
             systemAcl           = !this._securityDescriptor.IsSystemAclPresent || this._securityDescriptor.SystemAcl == null || this._securityDescriptor.SystemAcl.Count <= 0 ? (SystemAcl)null : this._securityDescriptor.SystemAcl;
             securityInformation = (this._securityDescriptor.ControlFlags & ControlFlags.SystemAclProtected) == ControlFlags.None ? securityInfos | (SecurityInfos)this.UnprotectedSystemAcl : securityInfos | (SecurityInfos)this.ProtectedSystemAcl;
         }
         if ((includeSections & AccessControlSections.Access) != AccessControlSections.None && this._securityDescriptor.IsDiscretionaryAclPresent)
         {
             SecurityInfos securityInfos = securityInformation | SecurityInfos.DiscretionaryAcl;
             discretionaryAcl    = !this._securityDescriptor.DiscretionaryAcl.EveryOneFullAccessForNullDacl ? this._securityDescriptor.DiscretionaryAcl : (DiscretionaryAcl)null;
             securityInformation = (this._securityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclProtected) == ControlFlags.None ? securityInfos | (SecurityInfos)this.UnprotectedDiscretionaryAcl : securityInfos | (SecurityInfos)this.ProtectedDiscretionaryAcl;
         }
         if (securityInformation == (SecurityInfos)0)
         {
             return;
         }
         int errorCode = Win32.SetSecurityInfo(this._resourceType, name, handle, securityInformation, owner, group, (GenericAcl)systemAcl, (GenericAcl)discretionaryAcl);
         if (errorCode != 0)
         {
             Exception exception = (Exception)null;
             if (this._exceptionFromErrorCode != null)
             {
                 exception = this._exceptionFromErrorCode(errorCode, name, handle, exceptionContext);
             }
             if (exception == null)
             {
                 if (errorCode == 5)
                 {
                     exception = (Exception) new UnauthorizedAccessException();
                 }
                 else if (errorCode == 1307)
                 {
                     exception = (Exception) new InvalidOperationException(Environment.GetResourceString("AccessControl_InvalidOwner"));
                 }
                 else if (errorCode == 1308)
                 {
                     exception = (Exception) new InvalidOperationException(Environment.GetResourceString("AccessControl_InvalidGroup"));
                 }
                 else if (errorCode == 123)
                 {
                     exception = (Exception) new ArgumentException(Environment.GetResourceString("Argument_InvalidName"), "name");
                 }
                 else if (errorCode == 6)
                 {
                     exception = (Exception) new NotSupportedException(Environment.GetResourceString("AccessControl_InvalidHandle"));
                 }
                 else if (errorCode == 2)
                 {
                     exception = (Exception) new FileNotFoundException();
                 }
                 else if (errorCode == 1350)
                 {
                     exception = (Exception) new NotSupportedException(Environment.GetResourceString("AccessControl_NoAssociatedSecurity"));
                 }
                 else
                 {
                     exception = (Exception) new InvalidOperationException(Environment.GetResourceString("AccessControl_UnexpectedError", (object)errorCode));
                 }
             }
             throw exception;
         }
         this.OwnerModified       = false;
         this.GroupModified       = false;
         this.AccessRulesModified = false;
         this.AuditRulesModified  = false;
     }
     finally
     {
         this.WriteUnlock();
     }
 }
Esempio n. 39
0
        private void CreateFromParts(bool isContainer, bool isDS, ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, SystemAcl systemAcl, DiscretionaryAcl discretionaryAcl)
        {
            if (systemAcl != null &&
                systemAcl.IsContainer != isContainer)
            {
                throw new ArgumentException(
                          isContainer ?
                          SR.AccessControl_MustSpecifyContainerAcl :
                          SR.AccessControl_MustSpecifyLeafObjectAcl,
                          nameof(systemAcl));
            }

            if (discretionaryAcl != null &&
                discretionaryAcl.IsContainer != isContainer)
            {
                throw new ArgumentException(
                          isContainer ?
                          SR.AccessControl_MustSpecifyContainerAcl :
                          SR.AccessControl_MustSpecifyLeafObjectAcl,
                          nameof(discretionaryAcl));
            }

            _isContainer = isContainer;

            if (systemAcl != null &&
                systemAcl.IsDS != isDS)
            {
                throw new ArgumentException(
                          isDS ?
                          SR.AccessControl_MustSpecifyDirectoryObjectAcl :
                          SR.AccessControl_MustSpecifyNonDirectoryObjectAcl,
                          nameof(systemAcl));
            }

            if (discretionaryAcl != null &&
                discretionaryAcl.IsDS != isDS)
            {
                throw new ArgumentException(
                          isDS ?
                          SR.AccessControl_MustSpecifyDirectoryObjectAcl :
                          SR.AccessControl_MustSpecifyNonDirectoryObjectAcl,
                          nameof(discretionaryAcl));
            }

            _isDS = isDS;

            _sacl = systemAcl;

            //
            // Replace null DACL with an allow-all for everyone DACL
            //

            if (discretionaryAcl == null)
            {
                //
                // to conform to native behavior, we will add allow everyone ace for DACL
                //

                discretionaryAcl = DiscretionaryAcl.CreateAllowEveryoneFullAccess(_isDS, _isContainer);
            }

            _dacl = discretionaryAcl;

            //
            // DACL is never null. So always set the flag bit on
            //

            ControlFlags actualFlags = flags | ControlFlags.DiscretionaryAclPresent;

            //
            // Keep SACL and the flag bit in sync.
            //

            if (systemAcl == null)
            {
                unchecked { actualFlags &= ~(ControlFlags.SystemAclPresent); }
            }
            else
            {
                actualFlags |= (ControlFlags.SystemAclPresent);
            }

            _rawSd = new RawSecurityDescriptor(actualFlags, owner, group, systemAcl == null ? null : systemAcl.RawAcl, discretionaryAcl.RawAcl);
        }
		public void ContainerAndDSConsistencyEnforcedB ()
		{
			SecurityIdentifier userSid = new SecurityIdentifier (WellKnownSidType.LocalSystemSid, null);
			SecurityIdentifier groupSid = new SecurityIdentifier (WellKnownSidType.BuiltinAdministratorsSid, null);

			SystemAcl sacl = new SystemAcl (false, false, 0);
			new CommonSecurityDescriptor (true, false, ControlFlags.None, userSid, groupSid, sacl, null);
		}