/// <summary>
/// Computes effective access rights upon acquiring the necessary security information such as Share's security,
/// Central Policy and Resource's security as maybe applicable.
/// </summary>
public void Evaluate()
{
using (TokenPrivilege seSecurityPrivilege = new TokenPrivilege(TokenPrivilege.Security))
{
try
{
//
// SeSecurityPrivilege is required for querying the Central Policy ID (Scope information) from the
// file's SD
//
seSecurityPrivilege.Enable();
var securityObjects = new Dictionary <string, FileSecurityObject>();
//
// First include the Share's SD if available. If the share denies a permission, anything else that
// denies a permission is of lesser consequence.
//
if (shareSD != null)
{
securityObjects.Add("Share", new FileSecurityObject(shareSD));
}
SecurityIdentifier capId = null;
{
RawSecurityDescriptor scopeSD = GetFileSecInfoSD(handle,
NativeMethods.SecurityInformationClass.Scope);
if (scopeSD != null)
{
if (scopeSD.SystemAcl != null)
{
foreach (GenericAce ace in scopeSD.SystemAcl)
{
//
// Scoped Policy ID ACE not yet part of System.Security.AccessControl.AceType
//
// Since SYSTEM_SCOPED_POLICY_ID_ACE essentially has a SID which is the identifier
// for a Central Policy, extract it explicitly.
//
byte[] rawAce = new byte[ace.BinaryLength];
ace.GetBinaryForm(rawAce, 0);
if ((ace.AceFlags & AceFlags.InheritOnly) == 0)
{
long sidOffset = (long)Marshal.OffsetOf(
typeof(NativeMethods.SYSTEM_SCOPED_POLICY_ID_ACE),
"SidStart");
if (sidOffset < ace.BinaryLength)
{
capId = new SecurityIdentifier(rawAce, (int)sidOffset);
//
// The first Central Policy is the only one honored when there are multiple
// in a Security Descriptor. Ignore everything else.
//
break;
}
}
}
}
}
}
//
// Obtain file SD
//
RawSecurityDescriptor fileSD = GetFileSecInfoSD(
handle,
NativeMethods.SecurityInformationClass.Owner
| NativeMethods.SecurityInformationClass.Group
| NativeMethods.SecurityInformationClass.Dacl
| NativeMethods.SecurityInformationClass.Label
| NativeMethods.SecurityInformationClass.Attribute);
if (capId != null)
{
var availableCaps = new AvailableCentralPolicies(targetMachine);
Dictionary <string, CentralAccessRule> CARs = availableCaps.FetchCentralAccessRules(capId);
if (CARs == null || CARs.Count == 0)
{
//
// If the Central Policy or any of its Central Access Rules could not be retrieved, fall
// back to just the granularity of Central Policy. For this, use the file's SD with the
// CAP ID.
//
securityObjects.Add("Central Policy",
new FileSecurityObject(
GetFileSecInfoSD(handle,
NativeMethods.SecurityInformationClass.Owner
| NativeMethods.SecurityInformationClass.Group
| NativeMethods.SecurityInformationClass.Label
| NativeMethods.SecurityInformationClass.Attribute
| NativeMethods.SecurityInformationClass.Scope)));
}
else
{
//
// The merged security descriptor for each Central Access Rule is generated as follows:
// Owner + Group + SACL (all from resource's SD) + DACL from Central Access Rule
//
// If the AppliesTo predicate is present, then we do the following:
// Owned + Group + SACL (all from resource's SD)
// + A fabricated DACL with an allowed callback ACE containingn the selected user
// principal and the AppliesTo predicate appended.
//
foreach (var rule in CARs)
{
var sd = new RawSecurityDescriptor(fileSD.ControlFlags,
fileSD.Owner,
fileSD.Group,
fileSD.SystemAcl,
rule.Value.EffectivePolicy.DiscretionaryAcl);
if (!string.IsNullOrEmpty(rule.Value.AppliesToCondition))
{
string appliesToSDDL = "D:(XA;;FR;;;" + userSid.ToString() + ";" +
rule.Value.AppliesToCondition + ")";
var appliesToSD = new RawSecurityDescriptor(
fileSD.ControlFlags,
fileSD.Owner,
fileSD.Group,
fileSD.SystemAcl,
(new RawSecurityDescriptor(appliesToSDDL)).DiscretionaryAcl);
securityObjects.Add(rule.Key, new FileSecurityObject(sd, appliesToSD));
}
else
{
securityObjects.Add(rule.Key, new FileSecurityObject(sd));
}
}
}
}
securityObjects.Add("File permissions", new FileSecurityObject(fileSD));
results = ComputeEffectiveAccessResult(targetMachine, securityObjects);
}
finally
{
seSecurityPrivilege.Revert();
}
}
}
/// <summary>
/// Computes effective access rights upon acquiring the necessary security information such as Share's security,
/// Central Policy and Resource's security as maybe applicable.
/// </summary>
public void Evaluate()
{
using (TokenPrivilege seSecurityPrivilege = new TokenPrivilege(TokenPrivilege.Security))
{
try
{
//
// SeSecurityPrivilege is required for querying the Central Policy ID (Scope information) from the
// file's SD
//
seSecurityPrivilege.Enable();
var securityObjects = new Dictionary<string, FileSecurityObject>();
//
// First include the Share's SD if available. If the share denies a permission, anything else that
// denies a permission is of lesser consequence.
//
if (shareSD != null)
{
securityObjects.Add("Share", new FileSecurityObject(shareSD));
}
SecurityIdentifier capId = null;
{
RawSecurityDescriptor scopeSD = GetFileSecInfoSD(handle,
NativeMethods.SecurityInformationClass.Scope);
if (scopeSD != null)
{
if (scopeSD.SystemAcl != null)
{
foreach (GenericAce ace in scopeSD.SystemAcl)
{
//
// Scoped Policy ID ACE not yet part of System.Security.AccessControl.AceType
//
// Since SYSTEM_SCOPED_POLICY_ID_ACE essentially has a SID which is the identifier
// for a Central Policy, extract it explicitly.
//
byte[] rawAce = new byte[ace.BinaryLength];
ace.GetBinaryForm(rawAce, 0);
if ((ace.AceFlags & AceFlags.InheritOnly) == 0)
{
long sidOffset = (long)Marshal.OffsetOf(
typeof(NativeMethods.SYSTEM_SCOPED_POLICY_ID_ACE),
"SidStart");
if (sidOffset < ace.BinaryLength)
{
capId = new SecurityIdentifier(rawAce, (int)sidOffset);
//
// The first Central Policy is the only one honored when there are multiple
// in a Security Descriptor. Ignore everything else.
//
break;
}
}
}
}
}
}
//
// Obtain file SD
//
RawSecurityDescriptor fileSD = GetFileSecInfoSD(
handle,
NativeMethods.SecurityInformationClass.Owner
| NativeMethods.SecurityInformationClass.Group
| NativeMethods.SecurityInformationClass.Dacl
| NativeMethods.SecurityInformationClass.Label
| NativeMethods.SecurityInformationClass.Attribute);
if (capId != null)
{
var availableCaps = new AvailableCentralPolicies(targetMachine);
Dictionary<string, CentralAccessRule> CARs = availableCaps.FetchCentralAccessRules(capId);
if (CARs == null || CARs.Count == 0)
{
//
// If the Central Policy or any of its Central Access Rules could not be retrieved, fall
// back to just the granularity of Central Policy. For this, use the file's SD with the
// CAP ID.
//
securityObjects.Add("Central Policy",
new FileSecurityObject(
GetFileSecInfoSD(handle,
NativeMethods.SecurityInformationClass.Owner
| NativeMethods.SecurityInformationClass.Group
| NativeMethods.SecurityInformationClass.Label
| NativeMethods.SecurityInformationClass.Attribute
| NativeMethods.SecurityInformationClass.Scope)));
}
else
{
//
// The merged security descriptor for each Central Access Rule is generated as follows:
// Owner + Group + SACL (all from resource's SD) + DACL from Central Access Rule
//
// If the AppliesTo predicate is present, then we do the following:
// Owned + Group + SACL (all from resource's SD)
// + A fabricated DACL with an allowed callback ACE containingn the selected user
// principal and the AppliesTo predicate appended.
//
foreach (var rule in CARs)
{
var sd = new RawSecurityDescriptor(fileSD.ControlFlags,
fileSD.Owner,
fileSD.Group,
fileSD.SystemAcl,
rule.Value.EffectivePolicy.DiscretionaryAcl);
if (!string.IsNullOrEmpty(rule.Value.AppliesToCondition))
{
string appliesToSDDL = "D:(XA;;FR;;;" + userSid.ToString() + ";" +
rule.Value.AppliesToCondition + ")";
var appliesToSD = new RawSecurityDescriptor(
fileSD.ControlFlags,
fileSD.Owner,
fileSD.Group,
fileSD.SystemAcl,
(new RawSecurityDescriptor(appliesToSDDL)).DiscretionaryAcl);
securityObjects.Add(rule.Key, new FileSecurityObject(sd, appliesToSD));
}
else
{
securityObjects.Add(rule.Key, new FileSecurityObject(sd));
}
}
}
}
securityObjects.Add("File permissions", new FileSecurityObject(fileSD));
results = ComputeEffectiveAccessResult(targetMachine, securityObjects);
}
finally
{
seSecurityPrivilege.Revert();
}
}
}
