コード例 #1
 /// <summary>
 /// P/Invoke declaration for the Win32 AddAccessAllowedAceEx function, which adds an
 /// access-allowed ACE for <paramref name="pSid"/> to the end of the ACL at
 /// <paramref name="pAcl"/>. The DllImport attribute is outside this excerpt.
 /// </summary>
 /// <remarks>
 /// The ACE is written into the caller's ACL buffer, so that buffer must already be initialized
 /// and large enough for it. Check the returned BOOL: an ACE that was not added leaves the ACL
 /// without the intended grant.
 /// </remarks>
 public unsafe static extern BOOL AddAccessAllowedAceEx(
     ACL *pAcl,
     uint dwAceRevision,
     // ACE inheritance flags, written to the flags field of the new ACE's header.
     uint AceFlags,
     ACCESS_MASK AccessMask,
     SID *pSid);
コード例 #2
 /// <summary>
 /// P/Invoke declaration for the Win32 AddAccessAllowedAceEx function, which adds an
 /// access-allowed ACE for <paramref name="pSid"/> to the end of the ACL at
 /// <paramref name="pAcl"/>. The DllImport attribute is outside this excerpt.
 /// </summary>
 /// <remarks>
 /// The return type is a managed bool; unless a MarshalAs attribute outside this excerpt says
 /// otherwise, it is marshalled as a 4-byte Win32 BOOL. Callers should treat false as "the ACE is
 /// not in the ACL" and stop, rather than apply the ACL without it.
 /// </remarks>
 protected unsafe static extern bool AddAccessAllowedAceEx(
     // The ACL is modified in place; the buffer must have room for the new ACE.
     [In, Out] ACL *pAcl,
     uint dwAceRevision,
     // ACE inheritance flags, written to the flags field of the new ACE's header.
     uint AceFlags,
     // Access rights granted by the ACE, passed here as a raw 32-bit mask.
     uint AccessMask,
     SID *pSid
     );
コード例 #3
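        /// <summary>
        /// Resolves an account name to its SID with LookupAccountName and returns the SID in a
        /// buffer obtained from LocalAlloc.
        /// </summary>
        /// <param name="szUserName">Account name to resolve; the lookup is made with a null system name.</param>
        /// <returns>
        /// Pointer to the SID buffer. The caller owns the buffer and has to release it with the
        /// counterpart of LocalAlloc.
        /// </returns>
        /// <exception cref="Exception">
        /// The buffer could not be allocated, the lookup failed, or the result is not a valid SID.
        /// </exception>
        protected unsafe SID *getUserSid(string szUserName)
        {
            string       szDomain  = null;
            uint         cbDomain  = 0;
            uint         cbUserSID = 0;
            SID *        pUserSID  = null;
            SID_NAME_USE snuType;

            // Sizing call: no buffers are supplied, so it is expected to fail and to report the
            // required sizes in cbUserSID and cbDomain.
            int fAPISuccess = LookupAccountName(null, szUserName,
                                                pUserSID, &cbUserSID, szDomain, &cbDomain, &snuType);

            if (fAPISuccess != 0)
            {
                // Not expected with empty buffers. Kept from the original: the pointer is still
                // null here, so the caller receives a null SID.
                return(pUserSID);
            }

            pUserSID = (SID *)LocalAlloc(0, cbUserSID);
            if (pUserSID == null)
            {
                throw new Exception();
            }

            // NOTE(review): a managed string is handed over as the output buffer for the domain
            // name. Strings are immutable in .NET; a StringBuilder or a char buffer is the usual
            // choice, but the LookupAccountName declaration is outside this excerpt.
            szDomain = new String('a', (int)cbDomain);

            // The result of the real lookup has to be checked before the buffer is trusted.
            // LocalAlloc was called with flags 0, so if it is the Win32 function the memory is not
            // zeroed, and after a failed lookup IsValidSid would be judging leftover bytes.
            if (LookupAccountName(null, szUserName, pUserSID, &cbUserSID, szDomain, &cbDomain, &snuType) == 0
                || IsValidSid(pUserSID) == 0)
            {
                // NOTE(review): pUserSID is not released on this path; free it here once the
                // matching release function is confirmed to be declared in this class.
                throw new Exception();
            }

            return(pUserSID);
        }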
コード例 #4
ファイル: SID.cs プロジェクト: bangush/WInterop
 /// <summary>
 ///  Use this to copy from a native buffer, as the defined SID will likely not have a full set of SubAuthorities.
 /// </summary>
 /// <param name="native">Native SID to copy from. It is dereferenced without a null check.</param>
 /// <remarks>
 ///  The number of sub-authorities copied is the SubAuthorityCount read from the native buffer.
 ///  NOTE(review): confirm that CopyAuthorities bounds this count, since the value comes from
 ///  memory this type does not control.
 /// </remarks>
 public unsafe SID(SID *native)
 {
     // Start from an all-zero struct, then fill in the fields read from the native SID.
     this                = default;
     Revision            = native->Revision;
     SubAuthorityCount   = native->SubAuthorityCount;
     IdentifierAuthority = native->IdentifierAuthority;
     // Copies SubAuthorityCount entries rather than the whole declared sub-authority storage.
     _subAuthorities.CopyAuthorities(in native->_subAuthorities, SubAuthorityCount);
 }
コード例 #5
 /// <summary>
 /// P/Invoke declaration for the Win32 AllocateAndInitializeSid function, which allocates a SID
 /// and fills it with the given identifier authority and up to eight sub-authorities. The
 /// DllImport attribute is outside this excerpt.
 /// </summary>
 /// <remarks>
 /// The SID returned through <paramref name="pSid"/> is allocated by the system. The Win32
 /// documentation pairs this function with FreeSid for releasing it. Only the first
 /// <paramref name="nSubAuthorityCount"/> sub-authority arguments are used.
 /// </remarks>
 protected unsafe static extern bool AllocateAndInitializeSid(
     SID_IDENTIFIER_AUTHORITY *pIdentifierAuthority,
     byte nSubAuthorityCount,
     uint dwSubAuthority0,
     uint dwSubAuthority1,
     uint dwSubAuthority2,
     uint dwSubAuthority3,
     uint dwSubAuthority4,
     uint dwSubAuthority5,
     uint dwSubAuthority6,
     // Eighth sub-authority slot; the Win32 prototype names this parameter dwSubAuthority7.
     uint dwSubAuthority8,
     out SID *pSid
     );
コード例 #6
ファイル: SidStruct.cs プロジェクト: bangush/WInterop
        public unsafe void PassedAsInDoesNotCopy()
        {
            // A SID passed as an `in` argument should refer to the caller's own storage.
            // The check compares the address seen inside the callee with the address taken here.
            SID  original        = new SID();
            SID *originalAddress = &original;

            AssertSameStorage(original, originalAddress);

            void AssertSameStorage(in SID byReadOnlyRef, SID *expectedAddress)
            {
                fixed(SID *observedAddress = &byReadOnlyRef)
                {
                    bool sameStorage = observedAddress == expectedAddress;
                    sameStorage.Should().BeTrue();
                }
            }
        }
コード例 #7
        /// <summary>
        /// Copies a SID out of a native buffer field by field. Use this instead of a plain struct
        /// copy, because the native SID will likely carry fewer SubAuthorities than the managed
        /// definition declares.
        /// </summary>
        /// <param name="native">Native SID to read. It is dereferenced without a null check.</param>
        /// <param name="copy">Receives the copied SID.</param>
        public unsafe static void CopyFromNative(SID *native, out SID copy)
        {
            copy = new SID
            {
                Revision            = native->Revision,
                SubAuthorityCount   = native->SubAuthorityCount,
                IdentifierAuthority = native->IdentifierAuthority
            };

            int authorityCount = copy.SubAuthorityCount;
            if (authorityCount == 0)
            {
                // Nothing beyond the header fields to copy.
                return;
            }

            // NOTE(review): authorityCount comes from the native buffer and is not compared with
            // the capacity of the managed SubAuthority buffer before the copy. Confirm callers only
            // pass SIDs that have been validated.
            var nativeAuthorities = new ReadOnlySpan<uint>(native->SubAuthority, authorityCount);
            fixed (uint *managedAuthorities = copy.SubAuthority)
            {
                nativeAuthorities.CopyTo(new Span<uint>(managedAuthorities, authorityCount));
            }
        }
コード例 #8
ファイル: TRUSTEE.cs プロジェクト: daxiang758/WInterop
 /// <summary>
 /// Builds a TRUSTEE that identifies its principal by SID.
 /// </summary>
 /// <param name="sid">Pointer to the SID of the trustee.</param>
 /// <remarks>
 /// Only the pointer is stored, not a copy of the SID. The memory behind
 /// <paramref name="sid"/> therefore has to stay valid and unmoved for as long as this TRUSTEE
 /// is in use.
 /// </remarks>
 public TRUSTEE(SID *sid)
 {
     // Zero every field first; only the two fields below are set afterwards.
     this        = default;
     TrusteeForm = TrusteeForm.Sid;
     // With TrusteeForm.Sid the name field carries the SID pointer instead of a string.
     pstrName    = sid;
 }
コード例 #9
 /// <summary>
 /// P/Invoke declaration for the Win32 CopySid function, which copies the SID at
 /// <paramref name="pSourceSid"/> into <paramref name="pDestinationSid"/>. The DllImport
 /// attribute is outside this excerpt.
 /// </summary>
 /// <remarks>
 /// The destination is a single managed SID struct passed by reference, so
 /// <paramref name="nDestinationSidLength"/> must not exceed the size of that struct; the native
 /// side takes it as the size of the destination buffer. Check the returned BOOL before using
 /// the copy.
 /// </remarks>
 public unsafe static extern BOOL CopySid(
     uint nDestinationSidLength,
     out SID pDestinationSid,
     SID *pSourceSid);
コード例 #10
 /// <summary>
 /// P/Invoke declaration for the Win32 CreateWellKnownSid function, which writes the SID for a
 /// predefined principal into the caller's buffer. The DllImport attribute is outside this
 /// excerpt.
 /// </summary>
 /// <remarks>
 /// <paramref name="cbSid"/> is both input and output: on entry it is the size in bytes of the
 /// buffer at <paramref name="pSid"/>, and the function updates it with the size of the SID.
 /// Pass the real buffer size, and check the returned BOOL before reading the buffer.
 /// </remarks>
 public unsafe static extern BOOL CreateWellKnownSid(
     WELL_KNOWN_SID_TYPE WellKnownSidType,
     // Domain to build the SID in; may be null for well-known SIDs that need no domain.
     SID *DomainSid,
     SID *pSid,
     ref uint cbSid);
コード例 #11
 /// <summary>
 /// P/Invoke declaration for the Win32 IsValidSid function; the result is returned as an int,
 /// non-zero when the SID structure is valid. The DllImport attribute is outside this excerpt.
 /// </summary>
 /// <remarks>
 /// This is a structural check (revision and sub-authority count). It does not tell whether the
 /// SID maps to an existing account, and it reads the memory at <paramref name="pSid"/>, so the
 /// pointer has to refer to an initialized buffer.
 /// </remarks>
 protected unsafe static extern int IsValidSid(SID *pSid);
コード例 #12
 /// <summary>
 /// Creates the helper for one account: resolves <paramref name="username"/> with getUserSid
 /// and keeps the resulting SID pointer in puserSID.
 /// </summary>
 /// <remarks>
 /// NOTE(review): if getUserSid returns unmanaged memory, this instance owns that buffer and
 /// needs a matching release path. Confirm that one exists elsewhere in the class.
 /// </remarks>
 internal SecurityACL(string username)
 {
     // Get SID for user
     puserSID = getUserSid(username);
 }
コード例 #13
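        /// <summary>
        /// Builds a new ACL that starts with an access-allowed ACE for <paramref name="psid"/> and
        /// continues with a copy of every ACE from <paramref name="pdaclOld"/>.
        /// </summary>
        /// <param name="pdaclOld">Existing ACL whose ACEs are carried over.</param>
        /// <param name="grfMask">Access mask granted by the new ACE.</param>
        /// <param name="grfInherit">Inheritance flags for the new ACE.</param>
        /// <param name="psid">SID that receives the grant.</param>
        /// <returns>
        /// Pointer to the new ACL, allocated with LocalAlloc. The caller owns it and has to
        /// release it.
        /// </returns>
        /// <exception cref="Exception">
        /// The size of the old ACL could not be read, the new ACL could not be allocated, the new
        /// ACE could not be added, or an existing ACE could not be retrieved.
        /// </exception>
        /// <remarks>
        /// NOTE(review): the new allow ACE is placed ahead of every existing ACE. If pdaclOld
        /// holds access-denied ACEs, the result is not in the usual deny-before-allow order and
        /// the new grant is evaluated before those denies. Confirm this is intended.
        /// </remarks>
        protected unsafe ACL *insertAccessAllowedAce(ACL *pdaclOld, uint grfMask, uint grfInherit, SID *psid)
        {
            ACL_SIZE_INFORMATION si;
            uint size = (uint)sizeof(ACL_SIZE_INFORMATION);

            if (GetAclInformation(pdaclOld, out si, size, ACL_INFORMATION_CLASS.AclSizeInformation) == 0)
            {
                throw new Exception();
            }

            // Room for everything already in the old ACL plus one more ACE.
            uint cb       = si.AclBytesInUse + _maxVersion2AceSize;
            ACL *pdaclNew = (ACL *)LocalAlloc(0, cb);
            if (pdaclNew == null)
            {
                // Without this check a failed allocation is dereferenced on the next line.
                throw new Exception();
            }

            // NOTE(review): the results of InitializeAcl and, below, GetAce and AddAce are not
            // checked; their declarations are outside this excerpt. An ACE that fails to copy would
            // be missing from the returned ACL without any error.
            InitializeAcl(ref (*pdaclNew), cb, ACL_REVISION);

            // NOTE(review): pdaclNew is not released on the failure paths below; free it there once
            // the matching release function is confirmed to be declared in this class.
            if (!AddAccessAllowedAceEx(pdaclNew, ACL_REVISION, grfInherit, grfMask, ref *psid))
            {
                throw new Exception();
            }

            for (uint i = 0; i < si.AceCount; ++i)
            {
                ACE_HEADER *pace;
                GetAce(pdaclOld, i, out pace);
                if (pace == null)
                {
                    // No ACE came back; stop instead of dereferencing a null header.
                    throw new Exception();
                }

                // MAXDWORD as the insert position appends the ACE at the end of the new ACL.
                AddAce(pdaclNew, ACL_REVISION, MAXDWORD, pace, (uint)pace->AceSize);
            }
            return(pdaclNew);
        }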
コード例 #14
 /// <summary>
 /// P/Invoke declaration for the Win32 CreateWellKnownSid function, which writes the SID for a
 /// predefined principal into the caller's buffer. The DllImport attribute is outside this
 /// excerpt.
 /// </summary>
 /// <remarks>
 /// <paramref name="cbSid"/> is both input and output: on entry it is the size in bytes of the
 /// buffer at <paramref name="pSid"/>, and the function updates it with the size of the SID.
 /// Pass the real buffer size, and check the result before reading the buffer.
 /// </remarks>
 public unsafe static extern Boolean32 CreateWellKnownSid(
     WellKnownSID WellKnownSidType,
     // Domain to build the SID in; may be null for well-known SIDs that need no domain.
     SID *DomainSid,
     SID *pSid,
     ref uint cbSid);
コード例 #15
 /// <summary>
 /// P/Invoke declaration for the Win32 IsValidSid function; true when the SID structure is
 /// valid. The DllImport attribute is outside this excerpt.
 /// </summary>
 /// <remarks>
 /// This is a structural check (revision and sub-authority count). It does not tell whether the
 /// SID maps to an existing account, and it reads the memory at <paramref name="pSid"/>, so the
 /// pointer has to refer to an initialized buffer.
 /// </remarks>
 protected unsafe static extern bool IsValidSid(SID *pSid);
コード例 #16
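        /// <summary>
        /// Replaces the DACL of a message queue with one that holds two access-allowed ACEs:
        ///   - Local System - Full Control
        ///   - Administrators - Full Control
        /// </summary>
        /// <param name="messageQueue">Queue path handed to the MessageQueue constructor.</param>
        /// <returns>
        /// true when the new DACL was applied; false when any step failed. Every exception is
        /// swallowed and reported as false, so the cause of a failure is not visible to the caller.
        /// </returns>
        /// <remarks>
        /// If either SID cannot be created or either ACE cannot be added, nothing is applied and
        /// false is returned. A DACL missing one of the two grants is never written to the queue.
        /// </remarks>
        internal unsafe static bool ACLQueue(string messageQueue)
        {
            // si is freshly zeroed, so AclBytesInUse is 0 and cb is just _maxVersion2AceSize.
            // NOTE(review): two ACEs are added to this buffer below. Confirm _maxVersion2AceSize
            // leaves room for the ACL header and both ACEs; if it does not, adding an ACE is
            // expected to fail and this method returns false.
            ACL_SIZE_INFORMATION si = new ACL_SIZE_INFORMATION();
            uint cb = si.AclBytesInUse + _maxVersion2AceSize;

            // Files and Folders inherit all ACE's
            uint grfInherit = OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE;

            SID * pAdminSID  = null;
            SID * pSystemSID = null;
            ACL * pdacl      = null;
            void *pSD        = null;

            try
            {
                SID_IDENTIFIER_AUTHORITY SIDAuthNT = new SID_IDENTIFIER_AUTHORITY();
                // Defined in winnt.h: {0,0,0,0,0,5} is SECURITY_NT_AUTHORITY.
                (&SIDAuthNT.Value_6)[0] = 0;
                (&SIDAuthNT.Value_6)[1] = 0;
                (&SIDAuthNT.Value_6)[2] = 0;
                (&SIDAuthNT.Value_6)[3] = 0;
                (&SIDAuthNT.Value_6)[4] = 0;
                (&SIDAuthNT.Value_6)[5] = 5;

                uint SECURITY_BUILTIN_DOMAIN_RID = 0x00000020;              // defined in winnt.h
                uint DOMAIN_ALIAS_RID_ADMINS     = 0x00000220;              // defined in winnt.h
                uint SECURITY_LOCAL_SYSTEM_RID   = 0x00000012;              // defined in winnt.h

                // Held in pdacl, which is declared outside the try, so that the finally block
                // releases it. The original kept the pointer in a try-local and never freed it.
                pdacl = (ACL *)LocalAlloc(0, cb);
                if (pdacl == null)
                {
                    throw new Exception();
                }
                InitializeAcl(ref (*pdacl), cb, ACL_REVISION);

                // Administrators Full Control. A failure at any step aborts the whole operation;
                // continuing would apply a DACL without this grant and still report success.
                if (!AllocateAndInitializeSid(&SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, out pAdminSID)
                    || !IsValidSid(pAdminSID)
                    || !AddAccessAllowedAceEx(pdacl, ACL_REVISION, grfInherit, MQSEC_QUEUE_GENERIC_ALL, pAdminSID))
                {
                    throw new Exception();
                }

                // Local System Full Control, with the same all-or-nothing handling.
                if (!AllocateAndInitializeSid(&SIDAuthNT, 1, SECURITY_LOCAL_SYSTEM_RID, 0, 0, 0, 0, 0, 0, 0, out pSystemSID)
                    || !IsValidSid(pSystemSID)
                    || !AddAccessAllowedAceEx(pdacl, ACL_REVISION, grfInherit, MQSEC_QUEUE_GENERIC_ALL, pSystemSID))
                {
                    throw new Exception();
                }

                // NOTE(review): 200 is a fixed scratch size for the security descriptor; a
                // sizeof-based value would document the intent better.
                pSD = (void *)LocalAlloc(0, 200);
                if (pSD == null)
                {
                    throw new Exception();
                }

                // 1 is the security descriptor revision.
                if (!InitializeSecurityDescriptor(pSD, 1))
                {
                    throw new Exception();
                }
                // DACL present (true), not defaulted (false).
                if (!SetSecurityDescriptorDacl(pSD, true, pdacl, false))
                {
                    throw new Exception();
                }
                if (!IsValidSecurityDescriptor(pSD))
                {
                    throw new Exception();
                }

                // MessageQueue is disposable; release it as soon as the format name has been used.
                using (MessageQueue mq = new MessageQueue(messageQueue))
                {
                    if (MQSetQueueSecurity(mq.FormatName, DACL_SECURITY_INFORMATION, pSD) != 0)
                    {
                        throw new Exception();
                    }
                }
            }
            catch
            {
                return(false);
            }
            finally
            {
                if (pSD != null)
                {
                    LocalFree(pSD);
                }
                if (pdacl != null)
                {
                    LocalFree(pdacl);
                }
                // NOTE(review): the Win32 documentation pairs AllocateAndInitializeSid with
                // FreeSid. These two SIDs are released with LocalFree as in the original; switch
                // to FreeSid if this class declares it.
                if (pAdminSID != null)
                {
                    LocalFree(pAdminSID);
                }
                if (pSystemSID != null)
                {
                    LocalFree(pSystemSID);
                }
            }
            return(true);
        }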