public static AuthorizationRuleCollection GetAccess(PSObject instance) { AuthorizationRuleCollection accessRules; if (instance != null) { ObjectSecurity baseObject = instance.BaseObject as ObjectSecurity; if (baseObject == null) { PSTraceSource.NewArgumentException("instance"); } CommonObjectSecurity commonObjectSecurity = baseObject as CommonObjectSecurity; if (commonObjectSecurity == null) { DirectoryObjectSecurity directoryObjectSecurity = baseObject as DirectoryObjectSecurity; accessRules = directoryObjectSecurity.GetAccessRules(true, true, typeof(NTAccount)); } else { accessRules = commonObjectSecurity.GetAccessRules(true, true, typeof(NTAccount)); } return(accessRules); } else { throw PSTraceSource.NewArgumentNullException("instance"); } }
private FileSystemRights GetFileSystemRights(CommonObjectSecurity objectSecurity) { AuthorizationRuleCollection accessRules = objectSecurity.GetAccessRules(true, true, typeof(SecurityIdentifier)); FileSystemRights fileSystemAllowRights = 0; FileSystemRights fileSystemDenyRights = 0; foreach (FileSystemAccessRule accessRule in accessRules) { IdentityReference identityReference = accessRule.IdentityReference; if (identityReference != _currentUserIdentifier && _currentUserGroups.All(reference => reference != identityReference)) { continue; } if (accessRule.AccessControlType == AccessControlType.Deny) { fileSystemDenyRights = fileSystemDenyRights | accessRule.FileSystemRights; } else { fileSystemAllowRights = fileSystemAllowRights | accessRule.FileSystemRights; } } return(fileSystemAllowRights & (~fileSystemDenyRights)); }
public SecurityAttributes(CommonObjectSecurity objectSecurity) { _length = Marshal.SizeOf(typeof(SecurityAttributes)); byte[] src = objectSecurity.GetSecurityDescriptorBinaryForm(); _securityDescriptor = Marshal.AllocHGlobal(src.Length); Marshal.Copy(src, 0, _securityDescriptor, src.Length); _inheritHandle = false; }
public SecuredObject(CommonObjectSecurity security, string objName, string displayName) { ObjectSecurity = security; ObjectName = objName; DisplayName = displayName; IsContainer = IsContainerObject(ObjectSecurity); MandatoryLabel = new SystemMandatoryLabel(ObjectSecurity); }
private static string GetPermissions(CommonObjectSecurity fileSystemSecurity) { var accessRules = fileSystemSecurity.GetAccessRules(true, true, typeof(SecurityIdentifier)) .Cast <FileSystemAccessRule>() .Where(x => x.IdentityReference == WindowsIdentity.GetCurrent().User) .ToArray(); return(GetEffectiveRights(accessRules).ToString()); }
private static bool FindMatch(CommonObjectSecurity security, FileSystemAccessRule rule) => security.GetAccessRules(true, false, typeof(SecurityIdentifier)) .OfType <FileSystemAccessRule>() .Any( ar => ar.IdentityReference.Equals(rule.IdentityReference) && ar.FileSystemRights.Equals(rule.FileSystemRights) && ar.InheritanceFlags.Equals(rule.InheritanceFlags) && ar.PropagationFlags.Equals(rule.PropagationFlags));
private static T GetEffectiveRights <T, R>(CommonObjectSecurity securityObject, WindowsIdentity windowsIdentity) where T : struct, IConvertible where R : AccessRule { if (!typeof(T).IsEnum) { throw new ArgumentException($"Type '{typeof(T).FullName}' is not an enum"); } if (windowsIdentity == null) { throw new ArgumentNullException(nameof(windowsIdentity)); } if (securityObject == null) { throw new ArgumentNullException(nameof(securityObject)); } int denyRights = 0, allowRights = 0; // get all access rules for the path - this works for a directory path as well as a file path AuthorizationRuleCollection authorizationRules = securityObject.GetAccessRules(true, true, typeof(SecurityIdentifier)); // get the user's sids List <string> sids = new List <string>(windowsIdentity.Groups.Select(g => g.Value)); sids.Insert(0, windowsIdentity.User.Value); // get the access rules filtered by the user's sids var rules = (from rule in authorizationRules.Cast <R>() where sids.Contains(rule.IdentityReference.Value) select rule); System.Reflection.PropertyInfo pi = null; foreach (var rule in rules) { if (pi == null) { pi = rule.GetType().GetProperty("AccessMask", System.Reflection.BindingFlags.NonPublic | System.Reflection.BindingFlags.Instance, null, typeof(int), Type.EmptyTypes, null); } if (pi == null) { throw new InvalidOperationException("Unable to retrieve access mask."); } if (rule.AccessControlType == AccessControlType.Deny) { denyRights |= (int)pi.GetValue(rule, null); } else { allowRights |= (int)pi.GetValue(rule, null); } } return((T)Enum.ToObject(typeof(T), (allowRights | denyRights) ^ denyRights)); }
private static bool ModifyACL(string user, FileSystemRights rights, CommonObjectSecurity security) { var rule = GetAccessRule(user, rights); if (FindMatch(security, rule)) { return(false); } bool modified; security.ModifyAccessRule(AccessControlModification.Add, rule, out modified); return(modified); }
public List <SecurityIdentifier> SearchObjectSecurity(CommonObjectSecurity security) { List <SecurityIdentifier> retval = new List <SecurityIdentifier>(); string sddl = security.GetSecurityDescriptorSddlForm(AccessControlSections.All); foreach (SecurityIdentifier sid in SearchList) { if (sddl.Contains(sid.ToString())) { retval.Add(sid); } } return(retval); }
private static void ShowSecurity(CommonObjectSecurity security) { AuthorizationRuleCollection coll = security.GetAccessRules(true, true, typeof(NTAccount)); foreach (FileSystemAccessRule rule in coll) { Console.WriteLine("IdentityReference: {0}", rule.IdentityReference); Console.WriteLine("Access control type: {0}", rule.AccessControlType); Console.WriteLine("Rights: {0}", rule.FileSystemRights); Console.WriteLine("Inherited? {0}", rule.IsInherited); Console.WriteLine(); } }
public static object GetAccessMask(CommonObjectSecurity acl, AuthorizationRule rule) { if (rule.GetType() == acl.AccessRuleType || rule.GetType() == acl.AuditRuleType) { Type accRightType = acl.AccessRightType; foreach (var pi in rule.GetType().GetProperties()) { if (pi.PropertyType == accRightType) { return(Enum.ToObject(accRightType, pi.GetValue(rule, null))); } } } throw new ArgumentException(); }
/// <summary> /// Identities the has accces. /// </summary> /// <param name="identity">The identity.</param> /// <param name="security">The security.</param> /// <param name="fileSystemRights">The file system rights.</param> /// <returns> /// <c>true</c> if [has identity accces] [the specified identity]; otherwise, <c>false</c>. /// </returns> private static bool HasIdentityAccces(WindowsIdentity identity, CommonObjectSecurity security, FileSystemRights fileSystemRights) { var allReference = GetAllReference(identity); var authorizationRuleCollection = security.GetAccessRules(true, true, domain); foreach (FileSystemAccessRule fileSystemAccessRule in authorizationRuleCollection) { if (AccessControlType.Allow == fileSystemAccessRule.AccessControlType && fileSystemRights == (fileSystemAccessRule.FileSystemRights & fileSystemRights) && allReference.Contains(fileSystemAccessRule.IdentityReference) ) { return(true); } } return(false); }
public SystemMandatoryLabel(CommonObjectSecurity sec) { Policy = SystemMandatoryLabelPolicy.None; Level = SystemMandatoryLabelLevel.None; try { var sd = new RawSecurityDescriptor(sec.GetSecurityDescriptorBinaryForm(), 0); if (sd.SystemAcl != null) { foreach (var ace in sd.SystemAcl) { if ((int)ace.AceType == 0x11) { byte[] aceBytes = new byte[ace.BinaryLength]; ace.GetBinaryForm(aceBytes, 0); //_policy = new IntegrityPolicy(aceBytes, 4); //_level = new IntegrityLevel(aceBytes, 8); } } } } catch { } /*byte[] saclBinaryForm = new byte[sd.SystemAcl.BinaryLength]; * sd.SystemAcl.GetBinaryForm(saclBinaryForm, 0); * GenericAce ace = null; * if (null != saclBinaryForm) * { * RawAcl aclRaw = new RawAcl(saclBinaryForm, 0); * if (0 >= aclRaw.Count) throw new ArgumentException("No ACEs in ACL", "saclBinaryForm"); * ace = aclRaw[0]; * if (Win32.SYSTEM_MANDATORY_LABEL_ACE_TYPE != (int)ace.AceType) * throw new ArgumentException("No Mandatory Integrity Label in ACL", "saclBinaryForm"); * byte[] aceBytes = new byte[ace.BinaryLength]; * ace.GetBinaryForm(aceBytes, 0); * _policy = new IntegrityPolicy(aceBytes, 4); * _level = new IntegrityLevel(aceBytes, 8); * return; * } * throw new ArgumentNullException("saclBinaryForm");*/ }
private void VerifyAccessSecurity(CommonObjectSecurity expectedSecurity, CommonObjectSecurity actualSecurity) { Assert.Equal(typeof(FileSystemRights), expectedSecurity.AccessRightType); Assert.Equal(typeof(FileSystemRights), actualSecurity.AccessRightType); List <FileSystemAccessRule> expectedAccessRules = expectedSecurity.GetAccessRules(includeExplicit: true, includeInherited: false, typeof(SecurityIdentifier)) .Cast <FileSystemAccessRule>().ToList(); List <FileSystemAccessRule> actualAccessRules = actualSecurity.GetAccessRules(includeExplicit: true, includeInherited: false, typeof(SecurityIdentifier)) .Cast <FileSystemAccessRule>().ToList(); Assert.Equal(expectedAccessRules.Count, actualAccessRules.Count); if (expectedAccessRules.Count > 0) { Assert.All(expectedAccessRules, actualAccessRule => { int count = expectedAccessRules.Count(expectedAccessRule => AreAccessRulesEqual(expectedAccessRule, actualAccessRule)); Assert.True(count > 0); }); } }
public static ResourceType GetResourceType(CommonObjectSecurity sec) { switch (sec.GetType().Name) { case "FileSecurity": case "DirectorySecurity": case "CryptoKeySecurity": return(ResourceType.FileObject); case "PipeSecurity": case "EventWaitHandleSecurity": case "MutexSecurity": case "MemoryMappedFileSecurity": case "SemaphoreSecurity": return(ResourceType.KernelObject); case "RegistrySecurity": return(ResourceType.RegistryKey); case "TaskSecurity": return(Community.Windows.Forms.AccessControlEditorDialog.TaskResourceType); } return(ResourceType.Unknown); }
/// <summary>Initializes the dialog with the specified <see cref="CommonObjectSecurity"/> value and names.</summary> /// <param name="objSecurity">The object security.</param> /// <param name="objName">Name of the object.</param> /// <param name="displayName">The display name.</param> public void Initialize(CommonObjectSecurity objSecurity, string objName, string displayName) { Initialize(new SecuredObject(objSecurity, objName, displayName)); }
private FileSystemObjectProperties GetFileSystemObjectProperties(FileSystemInfo info, CommonObjectSecurity objectSecurity) { IdentityReference owner = objectSecurity.GetOwner(typeof(NTAccount)); string objectOwner = owner != null ? owner.Value : "Unknown"; return(new FileSystemObjectProperties { Name = info.Name, CreationTime = info.CreationTime, LastWriteTime = info.LastWriteTime, LastAccessTime = info.LastAccessTime, Attributes = info.Attributes, FileSystemRights = GetFileSystemRights(objectSecurity), Owner = objectOwner }); }
public static bool IsContainerObject(CommonObjectSecurity sec) { var secTypeName = sec.GetType().Name; return(!Array.Exists(nonContainerTypes, s => secTypeName == s)); }
private static bool IsFileSystemAccessRuleSet(FileSystemRights rights, CommonObjectSecurity commonObjectSecurity, AccessControlType accessControlType) { AuthorizationRuleCollection rules = commonObjectSecurity.GetAccessRules(true, false, typeof(SecurityIdentifier)); return(rules.OfType <FileSystemAccessRule>().Any(fs => fs.FileSystemRights.HasFlag(rights) && fs.AccessControlType == accessControlType)); }
public static bool IsContainerObject(CommonObjectSecurity sec) { string secTypeName = sec.GetType().Name; return(!Array.Exists <string>(nonContainerTypes, delegate(string s) { return secTypeName == s; })); }