コード例 #1
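        public void PSIDTest()
        {
            // Exercises the PSID wrapper: wrapping an existing pointer, copying, parsing a
            // string SID, raw allocation, the default (invalid) instance, and Equals.

            // sb holds the binary form of the current user's SID. sid is built directly on
            // sb's raw pointer; the 'false' argument is presumably ownsHandle, i.e. sid does
            // not free the buffer - confirm against the PSID constructor. sid is therefore
            // only usable while sb is alive.
            var sb  = new SafeByteArray(WindowsIdentity.GetCurrent().User.GetBytes());
            var sid = new PSID(sb.DangerousGetHandle(), false);

            Assert.That(!sid.IsInvalid);
            Assert.That(sid.IsValidSid);
            // "S-1-5" is the NT Authority prefix expected for a Windows account SID.
            Assert.That(sid.ToString(), Does.StartWith("S-1-5"));

            // CreateFromPtr must produce an independent copy: the pointer differs from the
            // source buffer while the SID itself is still valid.
            var sidc = PSID.CreateFromPtr(sb.DangerousGetHandle());

            Assert.That((IntPtr)sidc, Is.Not.EqualTo(sb.DangerousGetHandle()));
            Assert.That(sidc.IsValidSid);

            // Copy construction preserves the string form.
            var sid2 = new PSID(sid);

            Assert.That(!sid2.IsInvalid);
            Assert.That(sid2.ToString(), Is.EqualTo(sid.ToString()));

            // A PSID parsed from a string SID must round-trip through the framework's
            // SecurityIdentifier as the well-known World SID.
            var sid3 = new PSID("S-1-1-0");
            var id2  = new SecurityIdentifier((IntPtr)sid3);

            Assert.That(id2.IsWellKnown(WellKnownSidType.WorldSid));

            // Size-only construction: open and 100 bytes in size, but not a valid SID.
            // After Dispose the handle reports closed and a size of 0.
            var sid4 = new PSID(100);

            Assert.That(!sid4.IsClosed);
            Assert.That(!sid4.IsValidSid);
            Assert.That(sid4.Size, Is.EqualTo(100));
            sid4.Dispose();
            Assert.That(sid4.IsClosed);
            Assert.That(sid4.Size, Is.EqualTo(0));

            // Default construction: not closed, but invalid and empty.
            var sid5 = new PSID();

            Assert.That(!sid5.IsClosed);
            Assert.That(sid5.IsInvalid);
            Assert.That(!sid5.IsValidSid);
            Assert.That(sid5.Size, Is.EqualTo(0));

            // Equality is by SID value: equal to the copy and to the raw pointer,
            // unequal to an unrelated string and to a different SID.
            Assert.That(sid.Equals(sidc));
            Assert.That(sidc.Equals(sb.DangerousGetHandle()));
            Assert.That(sid.Equals("X"), Is.False);
            Assert.That(sid.Equals(sid3), Is.False);

            // sid is a non-owning view over sb's buffer, and sb is not otherwise referenced
            // after the Equals call two lines up. If SafeByteArray releases its buffer when
            // finalized, an optimised build could collect sb before the last two assertions
            // read through sid. Keep sb reachable until every use of sid is done.
            GC.KeepAlive(sb);
        }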
コード例 #2
        public void SetNamedSecurityInfoTest()
        {
            // Changes the owner of the file named by fn to S-1-5-32-544 (the well-known
            // BUILTIN\Administrators SID) and then sets it back to the original owner.
            // NOTE(review): the account running the test needs the right to assign that
            // owner, so this presumably requires an elevated run - confirm.
            // If the second call fails, the file is left owned by Administrators.
            using (var pSD = GetSD(fn))
            {
                var gotOwner = GetSecurityDescriptorOwner(pSD, out var pOwner, out _);
                Assert.That(gotOwner);
                Assert.That(pOwner, Is.Not.EqualTo(IntPtr.Zero));

                // Copy the current owner SID out of the descriptor so it can be restored.
                var owner  = PSID.CreateFromPtr(pOwner);
                var admins = new PSID("S-1-5-32-544");

                // First pass assigns the new owner, second pass puts the original back.
                // A failed assertion throws, so the second pass only runs after the first succeeded.
                foreach (var newOwner in new[] { admins, owner })
                {
                    var err = SetNamedSecurityInfo(fn, SE_OBJECT_TYPE.SE_FILE_OBJECT, SECURITY_INFORMATION.OWNER_SECURITY_INFORMATION, newOwner, PSID.Null, IntPtr.Zero, IntPtr.Zero);
                    if (err.Failed)
                    {
                        // Record the error code before the assertion below fails the test.
                        TestContext.WriteLine($"SetNamedSecurityInfo failed: {err}");
                    }
                    Assert.That(err.Succeeded);
                }
            }
        }
コード例 #3
ファイル: NTSecApi.cs プロジェクト: webworkeryang/Vanara
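        /// <summary>
        /// The LsaEnumerateAccountsWithUserRight function returns the accounts in the database of a Local Security Authority (LSA) Policy object that hold a
        /// specified privilege. The accounts returned by this function hold the specified privilege directly through the user account, not as part of membership
        /// to a group.
        /// </summary>
        /// <param name="PolicyHandle">
        /// A handle to a Policy object. The handle must have POLICY_LOOKUP_NAMES and POLICY_VIEW_LOCAL_INFORMATION user rights. For more information, see
        /// Opening a Policy Object Handle.
        /// </param>
        /// <param name="UserRights">
        /// A string that specifies the name of a privilege. For a list of privileges, see Privilege Constants and Account Rights Constants.
        /// <para>If this parameter is NULL, the function enumerates all accounts in the LSA database of the system associated with the Policy object.</para>
        /// </param>
        /// <returns>
        /// The security identifiers (SID) of the accounts that hold the specified privilege, or an empty array when the native call reports
        /// STATUS_NO_MORE_ENTRIES. The result is fully materialized before this method returns.
        /// </returns>
        /// <remarks>
        /// Any other failure status is converted with LsaNtStatusToWinError and thrown by ThrowIfFailed.
        /// </remarks>
        public static IEnumerable<PSID> LsaEnumerateAccountsWithUserRight(SafeLsaPolicyHandle PolicyHandle, string UserRights)
        {
            var ret = LsaEnumerateAccountsWithUserRight(PolicyHandle, UserRights, out SafeLsaMemoryHandle mem, out int cnt);

            // mem owns the buffer returned by the native call. Release it deterministically on
            // every path, including the empty and the throwing ones.
            using (mem)
            {
                if (ret == NTStatus.STATUS_NO_MORE_ENTRIES)
                {
                    return new PSID[0];
                }

                var wret = LsaNtStatusToWinError(ret);
                wret.ThrowIfFailed();

                // Copy every SID out of the buffer now. A lazily evaluated Select would read
                // through the raw pointer after this method returned, when nothing keeps mem
                // alive any more and its buffer may already have been released.
                return mem.DangerousGetHandle()
                          .ToIEnum<LSA_ENUMERATION_INFORMATION>(cnt)
                          .Select(u => PSID.CreateFromPtr(u.Sid))
                          .ToArray();
            }
        }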