public static void SetProcessSecurityDescriptor(IntPtr hWnd) { RawSecurityDescriptor sd = new RawSecurityDescriptor(ControlFlags.None, new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null), null, null, new RawAcl(2, 0)); sd.SetFlags(ControlFlags.DiscretionaryAclPresent | ControlFlags.DiscretionaryAclDefaulted); byte[] rawSd = new byte[sd.BinaryLength]; sd.GetBinaryForm(rawSd, 0); if (!NativeMethods.Advapi32.SetKernelObjectSecurity(hWnd, (int)SecurityInfos.DiscretionaryAcl, rawSd)) Console.WriteLine("Win32Exception(): {0}", new Win32Exception().Message); }
internal void UpdateControlFlags(ControlFlags flagsToUpdate, ControlFlags newFlags) { ControlFlags finalFlags = newFlags | (_rawSd.ControlFlags & (~flagsToUpdate)); _rawSd.SetFlags(finalFlags); }
public void GetSddlForm () { RawSecurityDescriptor sd = new RawSecurityDescriptor (""); Assert.AreEqual ("", sd.GetSddlForm (AccessControlSections.All)); // Ask for part of SD that isn't represented sd.Owner = new SecurityIdentifier (WellKnownSidType.BuiltinUsersSid, null); sd.Group = new SecurityIdentifier (WellKnownSidType.BuiltinAdministratorsSid, null); Assert.AreEqual ("", sd.GetSddlForm (AccessControlSections.Access)); // Empty ACL form sd.DiscretionaryAcl = new RawAcl (2, 0); sd.SystemAcl = new RawAcl (1, 0); sd.SetFlags (sd.ControlFlags | ControlFlags.DiscretionaryAclPresent | ControlFlags.SystemAclPresent); Assert.AreEqual ("O:BUG:BAD:S:", sd.GetSddlForm (AccessControlSections.All)); // Add an ACE to the DACL SecurityIdentifier builtInAdmins = new SecurityIdentifier (WellKnownSidType.BuiltinAdministratorsSid, null); CommonAce ace = new CommonAce (AceFlags.None, AceQualifier.AccessAllowed, 0x7FFFFFFF, builtInAdmins, false, null); sd.DiscretionaryAcl.InsertAce (0, ace); Assert.AreEqual ("O:BUG:BAD:(A;;0x7fffffff;;;BA)S:", sd.GetSddlForm (AccessControlSections.All)); // Add second ACE to the DACL SecurityIdentifier randomUser = new SecurityIdentifier ("S-1-5-21-324-23423-234-334"); ace = new CommonAce (AceFlags.Inherited | AceFlags.ContainerInherit, AceQualifier.AccessDenied, 0x12345678, randomUser, true, null); sd.DiscretionaryAcl.InsertAce (0, ace); Assert.AreEqual ("O:BUD:(XD;CIID;0x12345678;;;S-1-5-21-324-23423-234-334)(A;;0x7fffffff;;;BA)", sd.GetSddlForm (AccessControlSections.Owner | AccessControlSections.Access)); // DACL & SACL flags sd.SetFlags (sd.ControlFlags | ControlFlags.DiscretionaryAclProtected | ControlFlags.DiscretionaryAclAutoInherited | ControlFlags.DiscretionaryAclAutoInheritRequired | ControlFlags.SystemAclAutoInherited); sd.DiscretionaryAcl = new RawAcl (1, 0); ace = new CommonAce (AceFlags.None, AceQualifier.AccessAllowed, 0x7FFFFFFF, builtInAdmins, false, null); sd.DiscretionaryAcl.InsertAce (0, ace); Assert.AreEqual ("O:BUG:BAD:PARAI(A;;0x7fffffff;;;BA)S:AI", sd.GetSddlForm (AccessControlSections.All)); sd.SetFlags (sd.ControlFlags | ControlFlags.ServerSecurity | ControlFlags.DiscretionaryAclDefaulted); Assert.AreEqual ("O:BUG:BAD:PARAI(A;;0x7fffffff;;;BA)S:AI", sd.GetSddlForm (AccessControlSections.All)); }
public void GetBinaryForm () { RawSecurityDescriptor sd = new RawSecurityDescriptor (""); sd.Owner = new SecurityIdentifier (WellKnownSidType.BuiltinUsersSid, null); sd.Group = new SecurityIdentifier (WellKnownSidType.BuiltinAdministratorsSid, null); sd.DiscretionaryAcl = new RawAcl (1, 0); sd.SystemAcl = new RawAcl (1, 0); sd.SetFlags (sd.ControlFlags | ControlFlags.DiscretionaryAclPresent | ControlFlags.SystemAclPresent); // Empty ACL form byte[] buffer = new byte[sd.BinaryLength]; sd.GetBinaryForm (buffer, 0); byte[] sdBinary = new byte[] { 0x01, 0x00, 0x14, 0x80, 0x14, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0x34, 0x00, 0x00, 0x00, 0x3C, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x21, 0x02, 0x00, 0x00, 0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x20, 0x02, 0x00, 0x00, 0x01, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00 }; Assert.AreEqual (sdBinary, buffer); // Add an ACE to the DACL SecurityIdentifier builtInAdmins = new SecurityIdentifier (WellKnownSidType.BuiltinAdministratorsSid, null); CommonAce ace = new CommonAce (AceFlags.None, AceQualifier.AccessAllowed, 0x7FFFFFFF, builtInAdmins, false, null); sd.DiscretionaryAcl.InsertAce (0, ace); buffer = new byte[sd.BinaryLength]; sd.GetBinaryForm (buffer, 0); sdBinary = new byte[] { 0x01, 0x00, 0x14, 0x80, 0x14, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0x34, 0x00, 0x00, 0x00, 0x3C, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x21, 0x02, 0x00, 0x00, 0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x20, 0x02, 0x00, 0x00, 0x01, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x00, 0xFF, 0xFF, 0xFF, 0x7F, 0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x20, 0x02, 0x00, 0x00 }; Assert.AreEqual (sdBinary, buffer); // This time with an Object ACE ObjectAce objectAce = new ObjectAce (AceFlags.Inherited, AceQualifier.AccessAllowed, 0x12345678, builtInAdmins, ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent, new Guid ("189c0dc7-b849-4dea-93a5-6d4cb8857a5c"), new Guid ("53b4a3d4-fe39-468b-bc60-b4fcba772fa5"), false, null); sd.DiscretionaryAcl = new RawAcl (2, 0); sd.DiscretionaryAcl.InsertAce (0, objectAce); buffer = new byte[sd.BinaryLength]; sd.GetBinaryForm (buffer, 0); sdBinary = new byte[] { 0x01, 0x00, 0x14, 0x80, 0x14, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0x34, 0x00, 0x00, 0x00, 0x3C, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x21, 0x02, 0x00, 0x00, 0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x20, 0x02, 0x00, 0x00, 0x01, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x44, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x10, 0x3C, 0x00, 0x78, 0x56, 0x34, 0x12, 0x03, 0x00, 0x00, 0x00, 0xC7, 0x0D, 0x9C, 0x18, 0x49, 0xB8, 0xEA, 0x4D, 0x93, 0xA5, 0x6D, 0x4C, 0xB8, 0x85, 0x7A, 0x5C, 0xD4, 0xA3, 0xB4, 0x53, 0x39, 0xFE, 0x8B, 0x46, 0xBC, 0x60, 0xB4, 0xFC, 0xBA, 0x77, 0x2F, 0xA5, 0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x20, 0x02, 0x00, 0x00 }; Assert.AreEqual (sdBinary, buffer); }
public void FlagMismatch () { // Check setting DACL-present flag on empty SD RawSecurityDescriptor sd = new RawSecurityDescriptor (""); Assert.AreEqual (20, sd.BinaryLength); sd.SetFlags (ControlFlags.DiscretionaryAclPresent); Assert.AreEqual (20, sd.BinaryLength); byte[] buffer = new byte[sd.BinaryLength]; sd.GetBinaryForm (buffer, 0); byte[] sdBinary = new byte[] { 0x01, 0x00, 0x04, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; Assert.AreEqual (sdBinary, buffer); // Check unsetting DACL-present flag on SD with DACL sd = new RawSecurityDescriptor ("O:BUG:BAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)"); Assert.AreEqual (80, sd.BinaryLength); sd.SetFlags (sd.ControlFlags & ~ControlFlags.DiscretionaryAclPresent); Assert.AreEqual (ControlFlags.SelfRelative, sd.ControlFlags); Assert.AreEqual (52, sd.BinaryLength); buffer = new byte[sd.BinaryLength]; sd.GetBinaryForm (buffer, 0); sdBinary = new byte[] { 0x01, 0x00, 0x00, 0x80, 0x14, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x21, 0x02, 0x00, 0x00, 0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x20, 0x02, 0x00, 0x00 }; Assert.AreEqual (sdBinary, buffer); }