public PurgeAccessControl ( System.Security.Principal.SecurityIdentifier sid ) : void | ||
sid | System.Security.Principal.SecurityIdentifier | |
return | void |
/// <summary>
/// Removes every access rule held for <paramref name="identity"/> from the
/// underlying security descriptor's DACL, while holding the write lock.
/// </summary>
/// <param name="identity">Principal whose ACEs are purged; converted to a SID with <c>SidFromIR</c>.</param>
/// <exception cref="ArgumentNullException"><paramref name="identity"/> is null.</exception>
public virtual void PurgeAccessRules(IdentityReference identity)
{
    if (identity == null)
    {
        throw new ArgumentNullException("identity");
    }

    WriteLock();
    try
    {
        // SID resolution happens under the lock so a failure leaves the descriptor untouched
        // and the lock is still released by the finally block.
        var purgedSid = SidFromIR(identity);
        descriptor.PurgeAccessControl(purgedSid);
    }
    finally
    {
        WriteUnlock();
    }
}
/// <summary>
/// Removes every access rule held for <paramref name="identity"/> from the
/// underlying security descriptor's DACL and marks the DACL as modified.
/// </summary>
/// <param name="identity">Principal whose ACEs are purged; translated to a <see cref="SecurityIdentifier"/>.</param>
/// <exception cref="ArgumentNullException"><paramref name="identity"/> is null.</exception>
/// <remarks>
/// The translation runs under the write lock. If it throws (for example the
/// <c>IdentityNotMappedException</c> that <c>Translate</c> can raise), <c>_daclModified</c>
/// is left unchanged because it is only set after the purge call returns.
/// </remarks>
public virtual void PurgeAccessRules(IdentityReference identity)
{
    if (identity == null)
    {
        throw new ArgumentNullException(nameof(identity));
    }

    WriteLock();
    try
    {
        // 'as' keeps the original behaviour: a non-SID translation result is passed on as null.
        SecurityIdentifier resolvedSid = identity.Translate(typeof(SecurityIdentifier)) as SecurityIdentifier;
        _securityDescriptor.PurgeAccessControl(resolvedSid);
        _daclModified = true;
    }
    finally
    {
        WriteUnlock();
    }
}
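/// <summary>
/// Builds a session SDDL based on the provided configuration hashtable.
/// Retrieves RequiredGroups information to add conditional group membership restrictions to SDDL.
/// Retrieves RoleDefinitions information to include role user accounts.
/// </summary>
/// <param name="configTable">Session configuration entries. Only <c>RoleDefinitions</c> is read here;
/// <c>RequiredGroups</c> is read through <c>CreateConditionalACEFromConfig</c>.</param>
/// <param name="accessMode">Selects the known-good starting SDDL (local or remote). Any other value
/// starts from an empty SDDL string.</param>
/// <param name="error">Receives an <c>ErrorRecord</c> when a role definition principal cannot be mapped
/// to a SID, otherwise <c>null</c>. When several principals fail, only the last one is reported.</param>
/// <returns>
/// The SDDL string. Empty when <paramref name="configTable"/> has no <c>RoleDefinitions</c> entry.
/// When <c>RoleDefinitions</c> is present but no principal could be added to the DACL, the unmodified
/// starting SDDL is returned; callers must check <paramref name="error"/> before using that value.
/// </returns>
/// <exception cref="ArgumentException">The <c>RoleDefinitions</c> entry is not a <see cref="Hashtable"/>.</exception>
internal static string ComputeSDDLFromConfiguration(
    Hashtable configTable,
    PSSessionConfigurationAccessMode accessMode,
    out ErrorRecord error)
{
    Dbg.Assert(configTable != null, "configTable input parameter cannot be null.");

    string sddl = string.Empty;
    error = null;

    // RoleDefinitions
    if (!configTable.ContainsKey(ConfigFileConstants.RoleDefinitions))
    {
        return sddl;
    }

    // Validate the entry up front: the previous unchecked 'as' cast surfaced a malformed
    // RoleDefinitions value as a NullReferenceException when its keys were enumerated.
    Hashtable roleNamesHash = configTable[ConfigFileConstants.RoleDefinitions] as Hashtable;
    if (roleNamesHash == null)
    {
        throw new ArgumentException(
            "The RoleDefinitions entry of the session configuration must be a Hashtable.",
            nameof(configTable));
    }

    // Start with known good security descriptor.
    if (accessMode == PSSessionConfigurationAccessMode.Local)
    {
        sddl = PSSessionConfigurationCommandBase.GetLocalSddl();
    }
    else if (accessMode == PSSessionConfigurationAccessMode.Remote)
    {
        sddl = PSSessionConfigurationCommandBase.GetRemoteSddl();
    }

    CommonSecurityDescriptor descriptor = new CommonSecurityDescriptor(false, false, sddl);

    // Purge all existing access rules so that only role definition principals are granted access.
    PurgeAllAccessEntries(descriptor);

    error = GrantRoleDefinitionPrincipals(descriptor, roleNamesHash);

    if (descriptor.DiscretionaryAcl.Count > 0)
    {
        sddl = descriptor.GetSddlForm(AccessControlSections.All);

        // RequiredGroups
        string conditionalGroupACE = CreateConditionalACEFromConfig(configTable);
        if (conditionalGroupACE != null)
        {
            sddl = UpdateSDDLUsersWithGroupConditional(sddl, conditionalGroupACE);
        }
    }

    return sddl;
}

/// <summary>
/// Removes every ACE from the DACL of <paramref name="descriptor"/>. The SIDs are collected
/// first because the ACL must not be modified while it is being enumerated.
/// </summary>
/// <param name="descriptor">Descriptor whose DACL is emptied in place.</param>
private static void PurgeAllAccessEntries(CommonSecurityDescriptor descriptor)
{
    List<SecurityIdentifier> sidsToRemove = new List<SecurityIdentifier>();
    foreach (CommonAce ace in descriptor.DiscretionaryAcl)
    {
        sidsToRemove.Add(ace.SecurityIdentifier);
    }

    foreach (SecurityIdentifier sidToRemove in sidsToRemove)
    {
        descriptor.PurgeAccessControl(sidToRemove);
    }
}

/// <summary>
/// Adds an Allow ACE with Generic Read to the DACL of <paramref name="descriptor"/> for every
/// principal named as a key of <paramref name="roleNamesHash"/>.
/// </summary>
/// <param name="descriptor">Descriptor receiving the new ACEs.</param>
/// <param name="roleNamesHash">Role definitions; each key is an account name resolvable as an <see cref="NTAccount"/>.</param>
/// <returns>
/// An <c>ErrorRecord</c> for the last principal that could not be mapped to a SID, or <c>null</c>
/// when every principal resolved. Unresolved principals are skipped; resolved ones are still added.
/// </returns>
private static ErrorRecord GrantRoleDefinitionPrincipals(CommonSecurityDescriptor descriptor, Hashtable roleNamesHash)
{
    // AccessMask = 268435456 == 0x10000000 == GR == Generic Read
    const int GenericRead = 0x10000000;

    ErrorRecord error = null;
    foreach (object roleName in roleNamesHash.Keys)
    {
        string roleNameValue = roleName.ToString();
        try
        {
            NTAccount ntAccount = new NTAccount(roleNameValue);
            SecurityIdentifier accountSid = (SecurityIdentifier)ntAccount.Translate(typeof(SecurityIdentifier));
            descriptor.DiscretionaryAcl.AddAccess(AccessControlType.Allow, accountSid, GenericRead, InheritanceFlags.None, PropagationFlags.None);
        }
        catch (IdentityNotMappedException e)
        {
            // Last failure wins: a later unresolved role overwrites an earlier record.
            string message = StringUtil.Format(RemotingErrorIdStrings.CouldNotResolveRoleDefinitionPrincipal, roleNameValue, e.Message);
            InvalidOperationException ioe = new InvalidOperationException(message, e);
            error = new ErrorRecord(ioe, "CouldNotResolveRoleDefinitionPrincipal", ErrorCategory.ObjectNotFound, roleNameValue);
        }
    }

    return error;
}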
/// <summary>
/// A descriptor built with a null DACL gets a default DACL holding exactly one ACE.
/// That ACE is not for the owner (SY): purging the owner's SID leaves the count at 1.
/// It is for Everyone (WD): purging that SID empties the DACL.
/// </summary>
public void PurgeDefaultDacl ()
{
    SecurityIdentifier owner = new SecurityIdentifier ("SY");    // Local System
    SecurityIdentifier group = new SecurityIdentifier ("BA");    // Builtin Administrators
    SecurityIdentifier everyone = new SecurityIdentifier ("WD"); // Everyone

    // Both ACL arguments are null, so the descriptor supplies its default DACL.
    CommonSecurityDescriptor descriptor = new CommonSecurityDescriptor (false, false, ControlFlags.None, owner, group, null, null);
    DiscretionaryAcl dacl = descriptor.DiscretionaryAcl;
    Assert.AreEqual (1, dacl.Count);

    // The default ACE does not belong to the owner, so nothing is removed.
    descriptor.PurgeAccessControl (owner);
    Assert.AreEqual (1, dacl.Count);

    // It belongs to Everyone; purging WD removes it.
    descriptor.PurgeAccessControl (everyone);
    Assert.AreEqual (0, dacl.Count);
}