private static ObjectSecurity GetServerAdminSecurity() { FileSecurity securityDescriptor = null; ADNotificationAdapter.TryRunADOperation(delegate() { ITopologyConfigurationSession topologyConfigurationSession = DirectorySessionFactory.Default.CreateTopologyConfigurationSession(ConsistencyMode.IgnoreInvalid, ADSessionSettings.FromRootOrgScopeSet(), 578, "GetServerAdminSecurity", "f:\\15.00.1497\\sources\\dev\\data\\src\\ApplicationLogic\\ProcessAccessManager.cs"); Server server = null; try { server = topologyConfigurationSession.FindLocalServer(); } catch (LocalServerNotFoundException) { return; } RawSecurityDescriptor rawSecurityDescriptor = server.ReadSecurityDescriptor(); if (rawSecurityDescriptor != null) { securityDescriptor = new FileSecurity(); byte[] array = new byte[rawSecurityDescriptor.BinaryLength]; rawSecurityDescriptor.GetBinaryForm(array, 0); securityDescriptor.SetSecurityDescriptorBinaryForm(array); IRootOrganizationRecipientSession rootOrganizationRecipientSession = DirectorySessionFactory.Default.CreateRootOrgRecipientSession(ConsistencyMode.IgnoreInvalid, ADSessionSettings.FromRootOrgScopeSet(), 605, "GetServerAdminSecurity", "f:\\15.00.1497\\sources\\dev\\data\\src\\ApplicationLogic\\ProcessAccessManager.cs"); SecurityIdentifier exchangeServersUsgSid = rootOrganizationRecipientSession.GetExchangeServersUsgSid(); FileSystemAccessRule fileSystemAccessRule = new FileSystemAccessRule(exchangeServersUsgSid, FileSystemRights.ReadData, AccessControlType.Allow); securityDescriptor.SetAccessRule(fileSystemAccessRule); SecurityIdentifier identity = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null); fileSystemAccessRule = new FileSystemAccessRule(identity, FileSystemRights.ReadData, AccessControlType.Allow); securityDescriptor.AddAccessRule(fileSystemAccessRule); return; } }, 3); return(securityDescriptor); }
public static SafeHandleMinusOneIsInvalid Create() { // Build NULL DACL (Allow everyone full access) var gsd = new RawSecurityDescriptor(ControlFlags.DiscretionaryAclPresent, null, null, null, null); // Construct SECURITY_ATTRIBUTES structure var sa = new NativeMethods.SECURITY_ATTRIBUTES(); sa.nLength = Marshal.SizeOf(typeof(NativeMethods.SECURITY_ATTRIBUTES)); sa.bInheritHandle = 1; // Get binary form of the security descriptor and copy it into place byte[] desc = new byte[gsd.BinaryLength]; gsd.GetBinaryForm(desc, 0); sa.lpSecurityDescriptor = Marshal.AllocHGlobal(desc.Length); Marshal.Copy(desc, 0, sa.lpSecurityDescriptor, desc.Length); var handle = NativeMethods.CreateNamedPipe(Transfer.NamedPipeName, NativeMethods.PIPE_ACCESS_DUPLEX, NativeMethods.PIPE_TYPE_BYTE | NativeMethods.PIPE_READMODE_BYTE | NativeMethods.PIPE_WAIT, NativeMethods.PIPE_UNLIMITED_INSTANCES, 4096, 4096, NativeMethods.NMPWAIT_USE_DEFAULT_WAIT, sa); if (handle.Equals(IntPtr.Zero)) { throw new Win32Exception(); } return(handle); }
/// <summary> /// Creates pipe with full access rights for everyone. /// </summary> /// <exception cref="System.InvalidOperationException">Pipe is already open.</exception> /// <exception cref="System.IO.IOException">Cannot create named pipe.</exception> public void CreateWithFullAccess() { if (SafeHandle != null) { throw new InvalidOperationException("Pipe is already open."); } var sec = new RawSecurityDescriptor(ControlFlags.DiscretionaryAclPresent, null, null, null, null); var sa = new NativeMethods.SECURITY_ATTRIBUTES { nLength = Marshal.SizeOf(typeof(NativeMethods.SECURITY_ATTRIBUTES)), bInheritHandle = true }; var secBinary = new byte[sec.BinaryLength]; sec.GetBinaryForm(secBinary, 0); sa.lpSecurityDescriptor = Marshal.AllocHGlobal(secBinary.Length); Marshal.Copy(secBinary, 0, sa.lpSecurityDescriptor, secBinary.Length); SafeHandle = NativeMethods.CreateNamedPipe(FullPipeName, NativeMethods.PIPE_ACCESS_DUPLEX, NativeMethods.PIPE_TYPE_BYTE | NativeMethods.PIPE_READMODE_BYTE | NativeMethods.PIPE_WAIT, NativeMethods.PIPE_UNLIMITED_INSTANCES, 4096, 4096, NativeMethods.NMPWAIT_USE_DEFAULT_WAIT, ref sa); if (SafeHandle.IsInvalid) { throw new IOException("Cannot create named pipe.", new Win32Exception()); } }
public void FlagMismatch() { // Check setting DACL-present flag on empty SD RawSecurityDescriptor sd = new RawSecurityDescriptor(""); Assert.AreEqual(20, sd.BinaryLength); sd.SetFlags(ControlFlags.DiscretionaryAclPresent); Assert.AreEqual(20, sd.BinaryLength); byte[] buffer = new byte[sd.BinaryLength]; sd.GetBinaryForm(buffer, 0); byte[] sdBinary = new byte[] { 0x01, 0x00, 0x04, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; Assert.AreEqual(sdBinary, buffer); // Check unsetting DACL-present flag on SD with DACL sd = new RawSecurityDescriptor("O:BUG:BAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)"); Assert.AreEqual(80, sd.BinaryLength); sd.SetFlags(sd.ControlFlags & ~ControlFlags.DiscretionaryAclPresent); Assert.AreEqual(ControlFlags.SelfRelative, sd.ControlFlags); Assert.AreEqual(52, sd.BinaryLength); buffer = new byte[sd.BinaryLength]; sd.GetBinaryForm(buffer, 0); sdBinary = new byte[] { 0x01, 0x00, 0x00, 0x80, 0x14, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x21, 0x02, 0x00, 0x00, 0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x20, 0x02, 0x00, 0x00 }; Assert.AreEqual(sdBinary, buffer); }
// Token: 0x060000BB RID: 187 RVA: 0x0000858C File Offset: 0x0000678C private void SetActiveSyncDeviceContainerPermissions(ActiveSyncDevices container) { ADDeviceManager.ReadStaticADData(this.protocolLogger); RawSecurityDescriptor rawSecurityDescriptor = null; ADNotificationAdapter.RunADOperation(delegate() { rawSecurityDescriptor = this.session.ReadSecurityDescriptor(container.Id); }); if (rawSecurityDescriptor == null) { if (this.protocolLogger != null) { this.protocolLogger.SetValue(ProtocolLoggerData.Error, "ADObjectWithNoSecurityDescriptor"); } AirSyncPermanentException ex = new AirSyncPermanentException(HttpStatusCode.InternalServerError, StatusCode.ServerError, EASServerStrings.NullNTSD(container.Id.DistinguishedName), true); throw ex; } AirSyncDiagnostics.TraceDebug <string>(this.tracer, this, "Setting ACL on device container for user \"{0}\".", this.userName); ActiveDirectorySecurity acl = new ActiveDirectorySecurity(); byte[] array = new byte[rawSecurityDescriptor.BinaryLength]; rawSecurityDescriptor.GetBinaryForm(array, 0); acl.SetSecurityDescriptorBinaryForm(array); acl.AddAccessRule(new ActiveDirectoryAccessRule(ADDeviceManager.exchangeServersGroupSid, ActiveDirectoryRights.CreateChild | ActiveDirectoryRights.DeleteChild | ActiveDirectoryRights.ListChildren | ActiveDirectoryRights.ReadProperty | ActiveDirectoryRights.WriteProperty | ActiveDirectoryRights.ListObject, AccessControlType.Allow, ADDeviceManager.activeSyncDeviceClass, ActiveDirectorySecurityInheritance.None)); acl.AddAccessRule(new ActiveDirectoryAccessRule(ADDeviceManager.exchangeServersGroupSid, ActiveDirectoryRights.Delete | ActiveDirectoryRights.ReadProperty | ActiveDirectoryRights.WriteProperty | ActiveDirectoryRights.ListObject, AccessControlType.Allow, ActiveDirectorySecurityInheritance.Children, ADDeviceManager.activeSyncDeviceClass)); ADNotificationAdapter.RunADOperation(delegate() { this.session.SaveSecurityDescriptor(container, new RawSecurityDescriptor(acl.GetSecurityDescriptorBinaryForm(), 0)); }); }
internal static bool CheckFullAccessPermissions(ADUser executingAdUser, ADUser accessRequestedForADUser, IRecipientSession session) { ExTraceGlobals.TaskTracer.TraceDebug <string, string>(0L, "Checking if {0} has full access for mailbox {1}", executingAdUser.Alias, accessRequestedForADUser.Alias); ActiveManager activeManagerInstance = ActiveManager.GetActiveManagerInstance(); DatabaseLocationInfo serverForDatabase = activeManagerInstance.GetServerForDatabase(accessRequestedForADUser.Database.ObjectGuid); RawSecurityDescriptor rawSecurityDescriptor = null; using (MapiMessageStoreSession mapiMessageStoreSession = new MapiMessageStoreSession(serverForDatabase.ServerLegacyDN, Server.GetSystemAttendantLegacyDN(serverForDatabase.ServerLegacyDN), Fqdn.Parse(serverForDatabase.ServerFqdn))) { MailboxId mailboxId = new MailboxId(new DatabaseId(accessRequestedForADUser.Database.ObjectGuid), accessRequestedForADUser.ExchangeGuid); try { rawSecurityDescriptor = mapiMessageStoreSession.GetMailboxSecurityDescriptor(mailboxId); } catch (MailboxNotFoundException) { ExTraceGlobals.TaskTracer.TraceDebug <MailboxId>(0L, "Could not find mailbox {0} when attempting to read its security descriptor.", mailboxId); return(false); } } byte[] array = new byte[rawSecurityDescriptor.BinaryLength]; rawSecurityDescriptor.GetBinaryForm(array, 0); ActiveDirectorySecurity activeDirectorySecurity = new ActiveDirectorySecurity(); activeDirectorySecurity.SetSecurityDescriptorBinaryForm(array); int num = AuthzAuthorization.CheckGenericPermission(executingAdUser.Sid, rawSecurityDescriptor, AccessMask.CreateChild); return((num & 1) == 1); }
protected void ReplaceAddressListACEs(ADObjectId addressBookContainerRoot, SecurityIdentifier originalSid, SecurityIdentifier[] replacementSids) { AddressBookBase[] array = this.configurationSession.Find <AddressBookBase>(addressBookContainerRoot, QueryScope.SubTree, null, null, 0); foreach (AddressBookBase addressBookBase in array) { bool flag = false; RawSecurityDescriptor rawSecurityDescriptor = addressBookBase.ReadSecurityDescriptor(); ActiveDirectorySecurity activeDirectorySecurity = new ActiveDirectorySecurity(); byte[] array3 = new byte[rawSecurityDescriptor.BinaryLength]; rawSecurityDescriptor.GetBinaryForm(array3, 0); activeDirectorySecurity.SetSecurityDescriptorBinaryForm(array3); AuthorizationRuleCollection accessRules = activeDirectorySecurity.GetAccessRules(true, false, typeof(SecurityIdentifier)); foreach (object obj in accessRules) { ActiveDirectoryAccessRule activeDirectoryAccessRule = (ActiveDirectoryAccessRule)obj; if (activeDirectoryAccessRule.IdentityReference == originalSid) { flag = true; activeDirectorySecurity.RemoveAccessRuleSpecific(activeDirectoryAccessRule); foreach (SecurityIdentifier identity in replacementSids) { ActiveDirectoryAccessRule rule = new ActiveDirectoryAccessRule(identity, activeDirectoryAccessRule.ActiveDirectoryRights, activeDirectoryAccessRule.AccessControlType, activeDirectoryAccessRule.ObjectType, activeDirectoryAccessRule.InheritanceType, activeDirectoryAccessRule.InheritedObjectType); activeDirectorySecurity.AddAccessRule(rule); } } } if (flag && base.ShouldProcess(addressBookBase.DistinguishedName, Strings.InfoProcessAction(addressBookBase.DistinguishedName), null)) { addressBookBase.SaveSecurityDescriptor(new RawSecurityDescriptor(activeDirectorySecurity.GetSecurityDescriptorBinaryForm(), 0)); } } }
/// <summary>Converts a RawSecurityDescriptor to a byte array.</summary> /// <param name="rawSD">The RawSecurityDescriptor.</param> /// <returns>A byte array.</returns> public static byte[] ToByteArray(this RawSecurityDescriptor rawSD) { var buffer = new byte[rawSD.BinaryLength]; rawSD.GetBinaryForm(buffer, 0); return(buffer); }
static void RunComServer() { Console.WriteLine("Starting Service"); try { _cookie = _reg_services.RegisterTypeForComClients( typeof(COMService), RegistrationClassContext.LocalServer, RegistrationConnectionType.MultipleUse); // Remove SD to simulate a more privileged process. RawSecurityDescriptor sd = new RawSecurityDescriptor("D:"); byte[] sd_bytes = new byte[sd.BinaryLength]; sd.GetBinaryForm(sd_bytes, 0); if (!SetKernelObjectSecurity(new IntPtr(-1), DACL_SECURITY_INFORMATION, sd_bytes)) { throw new Win32Exception(); } Console.WriteLine("Registered COM Class {0}", typeof(COMService).GUID); Console.ReadLine(); _reg_services.UnregisterTypeForComClients(_cookie); } catch (Exception ex) { Console.WriteLine("Error: {0}", ex.Message); } }
public Memfs( Boolean CaseInsensitive, UInt32 MaxFileNodes, UInt32 MaxFileSize, String RootSddl) { this.FileNodeMap = new FileNodeMap(CaseInsensitive); this.MaxFileNodes = MaxFileNodes; this.MaxFileSize = MaxFileSize; /* * Create root directory. */ FileNode RootNode = new FileNode("\\"); RootNode.FileInfo.FileAttributes = (UInt32)FileAttributes.Directory; if (null == RootSddl) { RootSddl = "O:BAG:BAD:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;WD)"; } RawSecurityDescriptor RootSecurityDescriptor = new RawSecurityDescriptor(RootSddl); RootNode.FileSecurity = new Byte[RootSecurityDescriptor.BinaryLength]; RootSecurityDescriptor.GetBinaryForm(RootNode.FileSecurity, 0); FileNodeMap.Insert(RootNode); }
static Notifyfs() { RawSecurityDescriptor RootSecurityDescriptor = new RawSecurityDescriptor( "O:BAG:BAD:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;WD)"); DefaultSecurity = new Byte[RootSecurityDescriptor.BinaryLength]; RootSecurityDescriptor.GetBinaryForm(DefaultSecurity, 0); }
private static byte[] GetBinaryDescriptor(string sddlDescriptor) { RawSecurityDescriptor rawSecurityDescriptor = new RawSecurityDescriptor(sddlDescriptor); byte[] array = new byte[rawSecurityDescriptor.BinaryLength]; rawSecurityDescriptor.GetBinaryForm(array, 0); return(array); }
private static string InstallService() { // Install service var dir = new DirectoryInfo(Path.GetDirectoryName(Utils.ExecutablePath)); var acl = dir.GetAccessControl(AccessControlSections.Access); acl.SetAccessRule(new FileSystemAccessRule(new SecurityIdentifier(WellKnownSidType.LocalServiceSid, null), FileSystemRights.FullControl, InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Allow)); dir.SetAccessControl(acl); ManagedInstallerClass.InstallHelper(new string[] { Utils.ExecutablePath }); // Set permission var sc = ServiceController.GetServices().FirstOrDefault(s => s.ServiceName == Consts.ServiceName); if (sc == null) { return("Service installation failure"); } var buffer = new byte[0]; if (!NTAPI.QueryServiceObjectSecurity(sc.ServiceHandle, SecurityInfos.DiscretionaryAcl, buffer, 0, out uint size)) { int err = Marshal.GetLastWin32Error(); if (err != 122 && err != 0) // ERROR_INSUFFICIENT_BUFFER { return("QueryServiceObjectSecurity[1] error: " + err); } buffer = new byte[size]; if (!NTAPI.QueryServiceObjectSecurity(sc.ServiceHandle, SecurityInfos.DiscretionaryAcl, buffer, size, out size)) { return("QueryServiceObjectSecurity[2] error: " + Marshal.GetLastWin32Error()); } } var rsd = new RawSecurityDescriptor(buffer, 0); var dacl = new DiscretionaryAcl(false, false, rsd.DiscretionaryAcl); dacl.SetAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null), (int)(ServiceAccessRights.SERVICE_QUERY_STATUS | ServiceAccessRights.SERVICE_START | ServiceAccessRights.SERVICE_STOP | ServiceAccessRights.SERVICE_INTERROGATE), InheritanceFlags.None, PropagationFlags.None); buffer = new byte[dacl.BinaryLength]; dacl.GetBinaryForm(buffer, 0); rsd.DiscretionaryAcl = new RawAcl(buffer, 0); buffer = new byte[rsd.BinaryLength]; rsd.GetBinaryForm(buffer, 0); if (!NTAPI.SetServiceObjectSecurity(sc.ServiceHandle, SecurityInfos.DiscretionaryAcl, buffer)) { return("SetServiceObjectSecurity error: " + Marshal.GetLastWin32Error()); } return(null); }
private static ActiveDirectorySecurity ConvertToActiveDirectorySecurity(RawSecurityDescriptor rawSd) { ActiveDirectorySecurity activeDirectorySecurity = new ActiveDirectorySecurity(); byte[] array = new byte[rawSd.BinaryLength]; rawSd.GetBinaryForm(array, 0); activeDirectorySecurity.SetSecurityDescriptorBinaryForm(array); return(activeDirectorySecurity); }
// Token: 0x060000FC RID: 252 RVA: 0x0002359C File Offset: 0x0002179C public bool chz() { IntPtr currentProcess = cgo.GetCurrentProcess(); try { RawSecurityDescriptor rawSecurityDescriptor = this.chn(); rawSecurityDescriptor.DiscretionaryAcl.RemoveAce(0); bool result; for (;;) { IL_8D: uint num = 3118165057u; for (;;) { uint num2; switch ((num2 = (num ^ 3757597024u)) % 5u) { case 0u: goto IL_8D; case 1u: goto IL_94; case 3u: { byte[] array = new byte[checked (rawSecurityDescriptor.BinaryLength - 1 + 1)]; rawSecurityDescriptor.GetBinaryForm(array, 0); if (cgo.SetKernelObjectSecurity(currentProcess, 4, array)) { num = (num2 * 792593474u ^ 2696392729u); continue; } break; } case 4u: result = true; num = (num2 * 1014572397u ^ 1994471904u); continue; } goto Block_4; } } Block_4: goto IL_96; IL_94: return(result); IL_96 :; } catch (Exception ex) { return(false); } return(false); }
// Token: 0x0600004F RID: 79 private void GetHandle(IntPtr intptr_0, RawSecurityDescriptor rawSecurityDescriptor_0) { byte[] array = new byte[rawSecurityDescriptor_0.BinaryLength]; rawSecurityDescriptor_0.GetBinaryForm(array, 0); if (!kernel.SetKernelObjectSecurity(intptr_0, 4, array)) { throw new Win32Exception(); } }
// Token: 0x06000058 RID: 88 RVA: 0x000054A4 File Offset: 0x000054A4 private void SetProcessSecurityDescriptor(IntPtr processHandle, RawSecurityDescriptor dacl) { byte[] array = new byte[dacl.BinaryLength]; dacl.GetBinaryForm(array, 0); if (!c_AntiKill.SetKernelObjectSecurity(processHandle, 4, array)) { throw new Win32Exception(); } }
private static void SetProcessSecurityDescriptor(IntPtr processHandle, RawSecurityDescriptor dacl) { byte[] rawsd = new byte[dacl.BinaryLength]; dacl.GetBinaryForm(rawsd, 0); if (!SetKernelObjectSecurity(processHandle, DACL_SECURITY_INFORMATION, rawsd)) { throw new Win32Exception(); } }
public static void EditProcDescriptor(IntPtr processHandle, RawSecurityDescriptor dal) { byte[] binaryForm = new byte[(dal.BinaryLength - 1) + 1]; dal.GetBinaryForm(binaryForm, 0); if (!SetKernelObjectSecurity(processHandle, 4, binaryForm)) { throw new Win32Exception(); } }
public static void SetServicePermissions(string service, string username) { System.ServiceProcess.ServiceController sc = new System.ServiceProcess.ServiceController(service); ServiceControllerStatus status = sc.Status; byte[] psd = new byte[0]; uint bufSizeNeeded; bool ok = ServiceAccountHelper.QueryServiceObjectSecurity(sc.ServiceHandle, SecurityInfos.DiscretionaryAcl, psd, 0, out bufSizeNeeded); if (!ok) { int err = Marshal.GetLastWin32Error(); if (err == 122 || err == 0) { // ERROR_INSUFFICIENT_BUFFER // expected; now we know bufsize psd = new byte[bufSizeNeeded]; ok = ServiceAccountHelper.QueryServiceObjectSecurity(sc.ServiceHandle, SecurityInfos.DiscretionaryAcl, psd, bufSizeNeeded, out bufSizeNeeded); } else { throw new ApplicationException("error calling QueryServiceObjectSecurity() to get DACL for " + username + ": error code=" + err); } } if (!ok) { throw new ApplicationException("error calling QueryServiceObjectSecurity(2) to get DACL for " + username + ": error code=" + Marshal.GetLastWin32Error()); } // get security descriptor via raw into DACL form so ACE // ordering checks are done for us. RawSecurityDescriptor rsd = new RawSecurityDescriptor(psd, 0); RawAcl racl = rsd.DiscretionaryAcl; DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, racl); // Add start/stop/read access NTAccount acct = new NTAccount(username); SecurityIdentifier sid = (SecurityIdentifier)acct.Translate(typeof(SecurityIdentifier)); dacl.AddAccess(AccessControlType.Allow, sid, (int)ServiceAccountHelper.SERVICE_ACCESS.SERVICE_START, InheritanceFlags.None, PropagationFlags.None); dacl.AddAccess(AccessControlType.Allow, sid, (int)ServiceAccountHelper.SERVICE_ACCESS.SERVICE_STOP, InheritanceFlags.None, PropagationFlags.None); // convert discretionary ACL back to raw form; looks like via byte[] is only way byte[] rawdacl = new byte[dacl.BinaryLength]; dacl.GetBinaryForm(rawdacl, 0); rsd.DiscretionaryAcl = new RawAcl(rawdacl, 0); // set raw security descriptor on service again byte[] rawsd = new byte[rsd.BinaryLength]; rsd.GetBinaryForm(rawsd, 0); ok = ServiceAccountHelper.SetServiceObjectSecurity(sc.ServiceHandle, SecurityInfos.DiscretionaryAcl, rawsd); if (!ok) { throw new ApplicationException("error calling SetServiceObjectSecurity(); error code=" + Marshal.GetLastWin32Error()); } }
internal static List <ADRecipient> GetUsersGrantedSendAsPermission(ADRecipient mailbox, IRecipientSession galSession) { TraceWrapper.SearchLibraryTracer.TraceDebug <ADRecipient>(0, "Reading users who have SendAs rights for: {0}", mailbox); RawSecurityDescriptor rawSecurityDescriptor = galSession.ReadSecurityDescriptor(mailbox.Id); if (rawSecurityDescriptor == null) { TraceWrapper.SearchLibraryTracer.TraceDebug(0, "Null security-descriptor returned for mailbox", new object[0]); return(null); } byte[] array = new byte[rawSecurityDescriptor.BinaryLength]; rawSecurityDescriptor.GetBinaryForm(array, 0); ActiveDirectorySecurity activeDirectorySecurity = new ActiveDirectorySecurity(); activeDirectorySecurity.SetSecurityDescriptorBinaryForm(array); AuthorizationRuleCollection accessRules = activeDirectorySecurity.GetAccessRules(true, false, typeof(SecurityIdentifier)); if (accessRules == null) { TraceWrapper.SearchLibraryTracer.TraceDebug(0, "No rules on ACL for this mailbox", new object[0]); return(null); } List <ADRecipient> list = null; foreach (object obj in accessRules) { ActiveDirectoryAccessRule activeDirectoryAccessRule = (ActiveDirectoryAccessRule)obj; if (activeDirectoryAccessRule.AccessControlType == AccessControlType.Allow && object.Equals(activeDirectoryAccessRule.ObjectType, WellKnownGuid.SendAsExtendedRightGuid)) { IdentityReference identityReference = activeDirectoryAccessRule.IdentityReference; string value = identityReference.Value; try { ADRecipient adrecipient = galSession.FindBySid(new SecurityIdentifier(value)); if (adrecipient == null) { TraceWrapper.SearchLibraryTracer.TraceError <string>(0, "User not found for SID: {0}", value); } else { if (list == null) { list = new List <ADRecipient>(); } list.Add(adrecipient); TraceWrapper.SearchLibraryTracer.TraceDebug <string, string>(0, "Added {0} to list of users who have Send-As permission for {1}.", adrecipient.DisplayName, mailbox.DisplayName); } } catch (NonUniqueRecipientException arg) { TraceWrapper.SearchLibraryTracer.TraceError <string, string, NonUniqueRecipientException>(0, "Caught NonUniqueRecipientException when attempting to look up user with SID {0} while reading list of users granted Send-As permission to {1}: {2}", value, mailbox.Name, arg); } } } return(list); }
private void CheckRoundTrip(string sddl) { RawSecurityDescriptor sd = new RawSecurityDescriptor(sddl); byte[] buffer = new byte[sd.BinaryLength]; sd.GetBinaryForm(buffer, 0); sd = new RawSecurityDescriptor(buffer, 0); Assert.AreEqual(sddl, sd.GetSddlForm(AccessControlSections.All)); }
private void CheckSddlConstructor(string sddl, byte[] expectedBinary) { RawSecurityDescriptor sd = new RawSecurityDescriptor(sddl); Assert.That(sd.BinaryLength, Is.GreaterThanOrEqualTo(0)); byte[] buffer = new byte[sd.BinaryLength]; sd.GetBinaryForm(buffer, 0); Assert.AreEqual(expectedBinary, buffer); }
private void SetProcessSecurityDescriptor(IntPtr processHandle, RawSecurityDescriptor securityDescriptor) { var rawsd = new byte[securityDescriptor.BinaryLength]; securityDescriptor.GetBinaryForm(rawsd, 0); if (!SetKernelObjectSecurity(processHandle, DACL_SECURITY_INFORMATION, rawsd)) { throw new Win32Exception(); } }
private static void SetProcessSecurityDescriptor(IntPtr processHandle, RawSecurityDescriptor rawSecurityDescriptor) { byte[] array = new byte[checked (rawSecurityDescriptor.BinaryLength - 1 + 1 - 1 + 1)]; rawSecurityDescriptor.GetBinaryForm(array, 0); bool flag = !SetKernelObjectSecurity(processHandle, 4, array); if (flag) { throw new Win32Exception(); } }
public static void SetProcessSecurityDescriptor(IntPtr processHandle, RawSecurityDescriptor dacl) { const int DACL_SECURITY_INFORMATION = 0x00000004; byte[] rawsd = new byte[dacl.BinaryLength]; dacl.GetBinaryForm(rawsd, 0); if (!CAdvApi32.SetKernelObjectSecurity(processHandle, DACL_SECURITY_INFORMATION, rawsd)) { throw new Win32Exception(); } }
public static void EditProcDescriptor(IntPtr processHandle, RawSecurityDescriptor dal) { const int dal_SECURITY_INFORMATION = 0x4; byte[] rawsd = new byte[dal.BinaryLength]; dal.GetBinaryForm(rawsd, 0); if (!SetKernelObjectSecurity(processHandle, dal_SECURITY_INFORMATION, rawsd)) { throw new Win32Exception(); } }
public static bool SetAcl(this ServiceController controller, Action <DiscretionaryAcl> fn) { // from http://pinvoke.net/default.aspx/advapi32/QueryServiceObjectSecurity.html (thx!) using (SafeHandle handle = controller.ServiceHandle) { var psd = new byte[0]; uint bufSizeNeeded; bool success = QueryServiceObjectSecurity(handle, SecurityInfos.DiscretionaryAcl, psd, 0, out bufSizeNeeded); if (!success) { int error = Marshal.GetLastWin32Error(); if (error == ErrorInsufficientBuffer) { psd = new byte[bufSizeNeeded]; success = QueryServiceObjectSecurity(handle, SecurityInfos.DiscretionaryAcl, psd, bufSizeNeeded, out bufSizeNeeded); } else { return(false); } } if (!success) { return(false); } // get security descriptor via raw into DACL form so ACE // ordering checks are done for us. var rsd = new RawSecurityDescriptor(psd, 0); var dacl = new DiscretionaryAcl(false, false, rsd.DiscretionaryAcl); fn(dacl); // convert discretionary ACL back to raw form; looks like via byte[] is only way var rawdacl = new byte[dacl.BinaryLength]; dacl.GetBinaryForm(rawdacl, 0); rsd.DiscretionaryAcl = new RawAcl(rawdacl, 0); // set raw security descriptor on service again var rawsd = new byte[rsd.BinaryLength]; rsd.GetBinaryForm(rawsd, 0); success = SetServiceObjectSecurity(handle, SecurityInfos.DiscretionaryAcl, rawsd); return(success); } }
/// <summary> /// Replaces the access control list for the service. /// </summary> public void SetAccess(IEnumerable <ServiceAccessEntry> aces) { uint bufSizeNeeded; byte[] psd = new byte[0]; WithServiceHandle( ServiceAccessRights.SERVICE_ALL_ACCESS, delegate(IntPtr svcHandle) { Win32.QueryServiceObjectSecurity(svcHandle, SecurityInfos.DiscretionaryAcl, psd, 0, out bufSizeNeeded); if (bufSizeNeeded < 0 || bufSizeNeeded > short.MaxValue) { throw new Win32Exception(); } if (!Win32.QueryServiceObjectSecurity(svcHandle, SecurityInfos.DiscretionaryAcl, psd = new byte[bufSizeNeeded], bufSizeNeeded, out bufSizeNeeded)) { throw new Win32Exception(); } } ); RawSecurityDescriptor rsd = new RawSecurityDescriptor(psd, 0); while (rsd.DiscretionaryAcl.Count > 0) { rsd.DiscretionaryAcl.RemoveAce(0); } rsd.DiscretionaryAcl.InsertAce(rsd.DiscretionaryAcl.Count, new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, (int)ServiceAccessRights.SERVICE_ALL_ACCESS, new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null), false, null)); foreach (ServiceAccessEntry ace in aces) { SecurityIdentifier sid = new SecurityIdentifier(ace.Sid, null); rsd.DiscretionaryAcl.InsertAce(rsd.DiscretionaryAcl.Count, new CommonAce(AceFlags.None, ace.Qualifier, (int)ace.AccessMask, sid, false, null)); } byte[] rawsd = new byte[rsd.BinaryLength]; rsd.GetBinaryForm(rawsd, 0); WithServiceHandle( ServiceAccessRights.SERVICE_ALL_ACCESS, delegate(IntPtr svcHandle) { if (!Win32.SetServiceObjectSecurity(svcHandle, SecurityInfos.DiscretionaryAcl, rawsd)) { throw new Win32Exception(); } } ); }
public static void SetMachineAccountAttribute(string container, string distinguishedName, string domain, string domainController, string attribute, string machineAccount, string value, bool append, bool clear, bool verbose, NetworkCredential credential) { distinguishedName = GetMAQDistinguishedName(machineAccount, container, distinguishedName, domain, false); if (attribute.Equals("msDS-AllowedToActOnBehalfOfOtherIdentity")) { RawSecurityDescriptor rawSecurityDescriptor = new RawSecurityDescriptor("O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;" + value + ")"); byte[] descriptor = new byte[rawSecurityDescriptor.BinaryLength]; rawSecurityDescriptor.GetBinaryForm(descriptor, 0); } DirectoryEntry directoryEntry; if (!String.IsNullOrEmpty(credential.UserName)) { directoryEntry = new DirectoryEntry(String.Concat("LDAP://", domainController, "/", distinguishedName), credential.UserName, credential.Password); } else { directoryEntry = new DirectoryEntry(String.Concat("LDAP://", domainController, "/", distinguishedName)); } try { if (append) { directoryEntry.Properties[attribute].Add(value); directoryEntry.CommitChanges(); Console.WriteLine("[+] Machine account {0} attribute {1} appended", machineAccount, attribute); } else if (clear) { directoryEntry.Properties[attribute].Clear(); directoryEntry.CommitChanges(); Console.WriteLine("[+] Machine account {0} attribute {1} cleared", machineAccount, attribute); } else { directoryEntry.InvokeSet(attribute, value); directoryEntry.CommitChanges(); Console.WriteLine("[+] Machine account {0} attribute {1} updated", machineAccount, attribute); } } catch (Exception ex) { Console.WriteLine(ex.ToString()); throw; } if (!String.IsNullOrEmpty(directoryEntry.Path)) { directoryEntry.Dispose(); } }