/// <summary>
/// Copies the security descriptor <paramref name="sd"/> onto the file or directory at
/// <paramref name="path"/> and writes the resulting descriptor object to the pipeline through
/// WriteSecurityDescriptorObject.
/// </summary>
/// <param name="path">
/// Provider-internal path of the target file or directory. It is not validated here; the
/// caller is expected to have normalized and checked it.
/// </param>
/// <param name="sd">
/// The source descriptor whose binary form is applied to the target. Must not be null.
/// </param>
/// <param name="sections">
/// The <see cref="AccessControlSections"/> of the binary descriptor that are applied.
/// </param>
/// <remarks>
/// SeBackupPrivilege is enabled only while the binary form is read, and SeRestorePrivilege only
/// while the new descriptor is applied; each is restored in a finally block so that an exception
/// part-way through does not leave the token with an extra privilege enabled. The single
/// TOKEN_PRIVILEGE value is reused for both privileges; this is safe only because the two
/// enable/restore pairs never overlap.
/// </remarks>
private void SetSecurityDescriptor(string path, ObjectSecurity sd, AccessControlSections sections)
{
    var currentPrivilegeState = new PlatformInvokes.TOKEN_PRIVILEGE();
    byte[] securityDescriptorBinary = null;

    try
    {
        // Get the binary form of the descriptor.
        // NOTE(review): the result of EnableTokenPrivilege is not checked; if the privilege is
        // not held, the subsequent operation presumably fails on its own — confirm.
        PlatformInvokes.EnableTokenPrivilege("SeBackupPrivilege", ref currentPrivilegeState);
        securityDescriptorBinary = sd.GetSecurityDescriptorBinaryForm();
    }
    finally
    {
        // Restored before the second privilege window opens, whether or not the read succeeded.
        PlatformInvokes.RestoreTokenPrivilege("SeBackupPrivilege", ref currentPrivilegeState);
    }

    try
    {
        PlatformInvokes.EnableTokenPrivilege("SeRestorePrivilege", ref currentPrivilegeState);

        // Transfer it to the new file / directory.
        // We keep these two code branches so that we can have more
        // granular information when we output the object type via
        // WriteSecurityDescriptorObject.
        if (Directory.Exists(path))
        {
            DirectorySecurity newDescriptor = new DirectorySecurity();
            newDescriptor.SetSecurityDescriptorBinaryForm(securityDescriptorBinary, sections);
            new DirectoryInfo(path).SetAccessControl(newDescriptor);
            WriteSecurityDescriptorObject(newDescriptor, path);
        }
        else
        {
            FileSecurity newDescriptor = new FileSecurity();
            newDescriptor.SetSecurityDescriptorBinaryForm(securityDescriptorBinary, sections);
            new FileInfo(path).SetAccessControl(newDescriptor);
            WriteSecurityDescriptorObject(newDescriptor, path);
        }
    }
    finally
    {
        PlatformInvokes.RestoreTokenPrivilege("SeRestorePrivilege", ref currentPrivilegeState);
    }
}
/// <summary>
/// Gets the security descriptor of the item at the specified path, restricted to the requested
/// <see cref="AccessControlSections"/>, and writes it to the context's pipeline.
/// </summary>
/// <param name="path">
/// The path of the item to retrieve. It may be a drive or provider-qualified path and may
/// include glob characters.
/// </param>
/// <param name="sections">
/// The sections of the security descriptor to include.
/// </param>
/// <returns>
/// Nothing. An object that represents the security descriptor for the item specified by
/// path is written to the context's pipeline.
/// </returns>
/// <exception cref="System.ArgumentException">
/// path is null or empty.
/// path doesn't exist.
/// sections is not valid.
/// </exception>
/// <remarks>
/// SeBackupPrivilege is enabled only while the descriptor is read and is restored in a finally
/// block regardless of outcome. A <see cref="System.Security.SecurityException"/> raised during
/// the read is reported through WriteError as PermissionDenied instead of propagating; other
/// exception types (for example an access-denied UnauthorizedAccessException from the
/// descriptor constructors) are not caught here.
/// </remarks>
public void GetSecurityDescriptor(string path, AccessControlSections sections)
{
    path = NormalizePath(path);

    if (string.IsNullOrEmpty(path))
    {
        throw PSTraceSource.NewArgumentNullException("path");
    }

    // Reject any bit that is not part of AccessControlSections.All.
    if ((sections & ~AccessControlSections.All) != 0)
    {
        throw PSTraceSource.NewArgumentException("sections");
    }

    ObjectSecurity descriptor = null;
    var savedPrivilegeState = new PlatformInvokes.TOKEN_PRIVILEGE();

    try
    {
        PlatformInvokes.EnableTokenPrivilege("SeBackupPrivilege", ref savedPrivilegeState);

        descriptor = Directory.Exists(path)
            ? new DirectorySecurity(path, sections)
            : (ObjectSecurity)new FileSecurity(path, sections);
    }
    catch (System.Security.SecurityException e)
    {
        WriteError(new ErrorRecord(e, e.GetType().FullName, ErrorCategory.PermissionDenied, path));
    }
    finally
    {
        // Always drop the privilege again, including on the error path.
        PlatformInvokes.RestoreTokenPrivilege("SeBackupPrivilege", ref savedPrivilegeState);
    }

    // NOTE(review): descriptor is still null when the read failed with a SecurityException;
    // confirm WriteSecurityDescriptorObject tolerates a null descriptor.
    WriteSecurityDescriptorObject(descriptor, path);
}