private void CheckBinaryConstructor(string expectedSddl, byte[] binary) { RawSecurityDescriptor sd = new RawSecurityDescriptor(binary, 0); Assert.AreEqual(sd.BinaryLength, binary.Length); Assert.AreEqual(expectedSddl, sd.GetSddlForm(AccessControlSections.All)); }
public void Dump(TextWriter writer, string indent) { writer.WriteLine(indent + "SECURITY DESCRIPTORS"); using (Stream s = _file.OpenStream(AttributeType.Data, "$SDS", FileAccess.Read)) { byte[] buffer = Utilities.ReadFully(s, (int)s.Length); foreach (KeyValuePair <IdIndexKey, IdIndexData> entry in _idIndex.Entries) { int pos = (int)entry.Value.SdsOffset; SecurityDescriptorRecord rec = new SecurityDescriptorRecord(); if (!rec.Read(buffer, pos)) { break; } string secDescStr = "--unknown--"; if (rec.SecurityDescriptor[0] != 0) { RawSecurityDescriptor sd = new RawSecurityDescriptor(rec.SecurityDescriptor, 0); secDescStr = sd.GetSddlForm(AccessControlSections.All); } writer.WriteLine(indent + " SECURITY DESCRIPTOR RECORD"); writer.WriteLine(indent + " Hash: " + rec.Hash); writer.WriteLine(indent + " Id: " + rec.Id); writer.WriteLine(indent + " File Offset: " + rec.OffsetInFile); writer.WriteLine(indent + " Size: " + rec.EntrySize); writer.WriteLine(indent + " Value: " + secDescStr); } } }
public static FreeBusyPermissionLevel DetermineAllowedAccess(ClientContext clientContext, MailboxSession session, CalendarFolder calendarFolder, FreeBusyQuery freeBusyQuery, bool defaultFreeBusyOnly) { RawSecurityDescriptor rawSecurityDescriptor = calendarFolder.TryGetProperty(CalendarFolderSchema.FreeBusySecurityDescriptor) as RawSecurityDescriptor; if (rawSecurityDescriptor == null) { FreeBusyPermission.SecurityTracer.TraceDebug <object, CalendarFolder>(0L, "{0}: Unable to retrieve FreeBusySecurityDescriptor from folder {1}. Using None as permission level.", TraceContext.Get(), calendarFolder); return(FreeBusyPermissionLevel.None); } if (FreeBusyPermission.SecurityTracer.IsTraceEnabled(TraceType.DebugTrace)) { string sddlForm = rawSecurityDescriptor.GetSddlForm(AccessControlSections.All); FreeBusyPermission.SecurityTracer.TraceDebug <object, EmailAddress, string>(0L, "{0}: The SDDL form of calendar folder security descriptor of mailbox {1} is: {2}.", TraceContext.Get(), freeBusyQuery.Email, sddlForm); } if (defaultFreeBusyOnly) { FreeBusyPermission.SecurityTracer.TraceDebug(0L, "{0}: Using DefaultClientSecurityContext because of defaultFreeBusyOnly is set.", new object[] { TraceContext.Get() }); return(FreeBusyPermission.AccessCheck(rawSecurityDescriptor, ClientSecurityContext.FreeBusyPermissionDefaultClientSecurityContext)); } InternalClientContext internalClientContext = clientContext as InternalClientContext; if (internalClientContext != null) { return(FreeBusyPermission.FromInternalClient(internalClientContext, rawSecurityDescriptor, freeBusyQuery)); } ExternalClientContext externalClientContext = clientContext as ExternalClientContext; return(FreeBusyPermission.FromExternalClient(externalClientContext, session, rawSecurityDescriptor, freeBusyQuery)); }
private void CheckRoundTrip(string sddl) { RawSecurityDescriptor sd = new RawSecurityDescriptor(sddl); byte[] buffer = new byte[sd.BinaryLength]; sd.GetBinaryForm(buffer, 0); sd = new RawSecurityDescriptor(buffer, 0); Assert.AreEqual(sddl, sd.GetSddlForm(AccessControlSections.All)); }
public void AclInheritance() { NtfsFileSystem ntfs = FileSystemSource.NtfsFileSystem(); RawSecurityDescriptor sd = new RawSecurityDescriptor("O:BAG:BAD:(A;OICINP;GA;;;BA)"); ntfs.CreateDirectory("dir"); ntfs.SetSecurity("dir", sd); ntfs.CreateDirectory(@"dir\subdir"); RawSecurityDescriptor inheritedSd = ntfs.GetSecurity(@"dir\subdir"); Assert.NotNull(inheritedSd); Assert.Equal("O:BAG:BAD:(A;ID;GA;;;BA)", inheritedSd.GetSddlForm(AccessControlSections.All)); using (ntfs.OpenFile(@"dir\subdir\file", FileMode.Create, FileAccess.ReadWrite)) { } inheritedSd = ntfs.GetSecurity(@"dir\subdir\file"); Assert.NotNull(inheritedSd); Assert.Equal("O:BAG:BAD:", inheritedSd.GetSddlForm(AccessControlSections.All)); }
/// <summary> /// Parse an ldap object from byte array to string /// </summary> /// <param name="ldapSyntax">The ldap syntax.</param> /// <param name="buffer">The byte array object.</param> /// <returns>Result in string format.</returns> /// <exception cref="System.NotSupportedException">Thrown when the ldapSyntax is not supported.</exception> public static string Parse(AdtsLdapSyntax ldapSyntax, byte[] buffer) { string result; switch (ldapSyntax) { case AdtsLdapSyntax.Boolean: case AdtsLdapSyntax.Enumeration: case AdtsLdapSyntax.Integer: case AdtsLdapSyntax.LargeInteger: case AdtsLdapSyntax.ObjectForAccessPoint: case AdtsLdapSyntax.ObjectForDNString: case AdtsLdapSyntax.ObjectForORName: case AdtsLdapSyntax.ObjectForDNBinary: case AdtsLdapSyntax.ObjectForDSDN: case AdtsLdapSyntax.ObjectForPresentationAddress: case AdtsLdapSyntax.StringForCase: case AdtsLdapSyntax.StringForIA5: case AdtsLdapSyntax.StringForObjectIdentifier: case AdtsLdapSyntax.StringForPrintable: case AdtsLdapSyntax.ObjectForReplicaLink: case AdtsLdapSyntax.StringForOctet: case AdtsLdapSyntax.StringForNumeric: case AdtsLdapSyntax.StringForTeletex: case AdtsLdapSyntax.StringForUnicode: case AdtsLdapSyntax.StringForUTCTime: case AdtsLdapSyntax.StringForGeneralizedTime: result = Encoding.UTF8.GetString(buffer); break; case AdtsLdapSyntax.StringForNTSecDesc: RawSecurityDescriptor ntSecurityDescriptor = new RawSecurityDescriptor(buffer, 0); result = ntSecurityDescriptor.GetSddlForm(AccessControlSections.All); break; case AdtsLdapSyntax.StringForSid: _SID sid = TypeMarshal.ToStruct <_SID>(buffer); result = DtypUtility.ToSddlString(sid); break; default: throw new NotSupportedException("The specified syntax is not supported."); } return(result); }
private static void CanonicalizeAcl(ActiveDirectorySecurity ads) { ActiveDirectorySecurity activeDirectorySecurity = new ActiveDirectorySecurity(); foreach (object obj in ads.GetAccessRules(true, true, typeof(SecurityIdentifier))) { ActiveDirectoryAccessRule rule = (ActiveDirectoryAccessRule)obj; activeDirectorySecurity.AddAccessRule(rule); } RawSecurityDescriptor rawSecurityDescriptor = new RawSecurityDescriptor(activeDirectorySecurity.GetSecurityDescriptorSddlForm(AccessControlSections.Access)); RawSecurityDescriptor rawSecurityDescriptor2 = new RawSecurityDescriptor(ads.GetSecurityDescriptorSddlForm(AccessControlSections.Access)) { DiscretionaryAcl = rawSecurityDescriptor.DiscretionaryAcl }; ads.SetSecurityDescriptorSddlForm(rawSecurityDescriptor2.GetSddlForm(AccessControlSections.Access), AccessControlSections.Access); }
private static bool CallerHasFullPermission(ClientSecurityContext clientSecurityContext, FreeBusyQuery freeBusyQuery) { SecurityIdentifier sid = freeBusyQuery.RecipientData.Sid; SecurityIdentifier masterAccountSid = freeBusyQuery.RecipientData.MasterAccountSid; bool flag = (sid != null && sid.Equals(clientSecurityContext.UserSid)) || (masterAccountSid != null && masterAccountSid.Equals(clientSecurityContext.UserSid)); if (flag) { FreeBusyPermission.SecurityTracer.TraceDebug(0L, "{0}: Caller {1} is owner of mailbox {2}, mailbox user SID {3}, master account SID {4}.", new object[] { TraceContext.Get(), clientSecurityContext, freeBusyQuery.Email, sid, masterAccountSid }); return(true); } RawSecurityDescriptor exchangeSecurityDescriptor = freeBusyQuery.RecipientData.ExchangeSecurityDescriptor; if (exchangeSecurityDescriptor != null) { if (FreeBusyPermission.SecurityTracer.IsTraceEnabled(TraceType.DebugTrace)) { string sddlForm = exchangeSecurityDescriptor.GetSddlForm(AccessControlSections.All); FreeBusyPermission.SecurityTracer.TraceDebug <object, EmailAddress, string>(0L, "{0}: The SDDL form of mailbox security descriptor of mailbox {1} is: {2}.", TraceContext.Get(), freeBusyQuery.Email, sddlForm); } if (clientSecurityContext.GetGrantedAccess(exchangeSecurityDescriptor, AccessMask.CreateChild) == 1 || clientSecurityContext.GetGrantedAccess(exchangeSecurityDescriptor, AccessMask.List) == 4) { FreeBusyPermission.SecurityTracer.TraceDebug <object, EmailAddress>(0L, "{0}: Caller does have 'owner' rights in mailbox {1}.", TraceContext.Get(), freeBusyQuery.Email); return(true); } } else { FreeBusyPermission.SecurityTracer.TraceDebug <object, EmailAddress>(0L, "{0}: User does not have an ExchangeSecurityDescriptor.", TraceContext.Get(), freeBusyQuery.Email); } FreeBusyPermission.SecurityTracer.TraceDebug <object, EmailAddress>(0L, "{0}: Caller does NOT have 'owner' rights in mailbox {1}.", TraceContext.Get(), freeBusyQuery.Email); return(false); }
public void GetSddlForm() { RawSecurityDescriptor sd = new RawSecurityDescriptor(""); Assert.AreEqual("", sd.GetSddlForm(AccessControlSections.All)); // Ask for part of SD that isn't represented sd.Owner = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null); sd.Group = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null); Assert.AreEqual("", sd.GetSddlForm(AccessControlSections.Access)); // Empty ACL form sd.DiscretionaryAcl = new RawAcl(2, 0); sd.SystemAcl = new RawAcl(1, 0); sd.SetFlags(sd.ControlFlags | ControlFlags.DiscretionaryAclPresent | ControlFlags.SystemAclPresent); Assert.AreEqual("O:BUG:BAD:S:", sd.GetSddlForm(AccessControlSections.All)); // Add an ACE to the DACL SecurityIdentifier builtInAdmins = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null); CommonAce ace = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 0x7FFFFFFF, builtInAdmins, false, null); sd.DiscretionaryAcl.InsertAce(0, ace); Assert.AreEqual("O:BUG:BAD:(A;;0x7fffffff;;;BA)S:", sd.GetSddlForm(AccessControlSections.All)); // Add second ACE to the DACL SecurityIdentifier randomUser = new SecurityIdentifier("S-1-5-21-324-23423-234-334"); ace = new CommonAce(AceFlags.Inherited | AceFlags.ContainerInherit, AceQualifier.AccessDenied, 0x12345678, randomUser, true, null); sd.DiscretionaryAcl.InsertAce(0, ace); Assert.AreEqual("O:BUD:(XD;CIID;0x12345678;;;S-1-5-21-324-23423-234-334)(A;;0x7fffffff;;;BA)", sd.GetSddlForm(AccessControlSections.Owner | AccessControlSections.Access)); // DACL & SACL flags sd.SetFlags(sd.ControlFlags | ControlFlags.DiscretionaryAclProtected | ControlFlags.DiscretionaryAclAutoInherited | ControlFlags.DiscretionaryAclAutoInheritRequired | ControlFlags.SystemAclAutoInherited); sd.DiscretionaryAcl = new RawAcl(1, 0); ace = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 0x7FFFFFFF, builtInAdmins, false, null); sd.DiscretionaryAcl.InsertAce(0, ace); Assert.AreEqual("O:BUG:BAD:PARAI(A;;0x7fffffff;;;BA)S:AI", sd.GetSddlForm(AccessControlSections.All)); sd.SetFlags(sd.ControlFlags | ControlFlags.ServerSecurity | ControlFlags.DiscretionaryAclDefaulted); Assert.AreEqual("O:BUG:BAD:PARAI(A;;0x7fffffff;;;BA)S:AI", sd.GetSddlForm(AccessControlSections.All)); }
public void Dump(TextWriter writer, string indent) { writer.WriteLine(indent + "Descriptor: " + _securityDescriptor.GetSddlForm(AccessControlSections.All)); }
/// <summary> /// Canonicalize the Dacl /// </summary> /// <param name="objectSecurity"></param> public static void CanonicalizeDacl(NativeObjectSecurity objectSecurity) { if (objectSecurity.AreAccessRulesCanonical) { return; } // A canonical ACL must have ACES sorted according to the following order: // 1. Access-denied on the object // 2. Access-denied on a child or property // 3. Access-allowed on the object // 4. Access-allowed on a child or property // 5. All inherited ACEs RawSecurityDescriptor descriptor = new RawSecurityDescriptor(objectSecurity.GetSecurityDescriptorSddlForm(AccessControlSections.Access)); var explicitDenyDacl = new List <CommonAce>(); var explicitDenyObjectDacl = new List <CommonAce>(); var inheritedDacl = new List <CommonAce>(); var explicitAllowDacl = new List <CommonAce>(); var explicitAllowObjectDacl = new List <CommonAce>(); foreach (CommonAce ace in descriptor.DiscretionaryAcl) { if ((ace.AceFlags & AceFlags.Inherited) == AceFlags.Inherited) { inheritedDacl.Add(ace); } else { switch (ace.AceType) { case AceType.AccessAllowed: explicitAllowDacl.Add(ace); break; case AceType.AccessDenied: explicitDenyDacl.Add(ace); break; case AceType.AccessAllowedObject: explicitAllowObjectDacl.Add(ace); break; case AceType.AccessDeniedObject: explicitDenyObjectDacl.Add(ace); break; } } } int aceIndex = 0; var newDacl = new RawAcl(descriptor.DiscretionaryAcl.Revision, descriptor.DiscretionaryAcl.Count); explicitDenyDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x)); explicitDenyObjectDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x)); explicitAllowDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x)); explicitAllowObjectDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x)); inheritedDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x)); if (aceIndex != descriptor.DiscretionaryAcl.Count) { throw new InvalidOperationException("The Dacl cannot be canonicalized since it would potentially result in a loss of information"); } descriptor.DiscretionaryAcl = newDacl; objectSecurity.SetSecurityDescriptorSddlForm(descriptor.GetSddlForm(AccessControlSections.Access), AccessControlSections.Access); }
public override PropertyConstraintViolationError Validate(object value, PropertyDefinition propertyDefinition, IPropertyBag propertyBag) { RawSecurityDescriptor rawSecurityDescriptor = (RawSecurityDescriptor)value; if (rawSecurityDescriptor == null) { return(null); } foreach (GenericAce genericAce in rawSecurityDescriptor.DiscretionaryAcl) { if ((byte)(genericAce.AceFlags & AceFlags.Inherited) == 16) { return(new PropertyConstraintViolationError(DataStrings.ConstraintViolationSecurityDescriptorContainsInheritedACEs(rawSecurityDescriptor.GetSddlForm(AccessControlSections.All)), propertyDefinition, value, this)); } } return(null); }
private static List <AclTableEntry> BuildAclTableFromSecurityDescriptor(RawSecurityDescriptor securityDescriptor, RawSecurityDescriptor freeBusySecurityDescriptor, LazilyInitialized <ExternalUserCollection> lazilyInitializedExternalUserCollection, IRecipientSession recipientSession, AclTableIdMap aclTableIdMap, out bool isCanonical, out string canonicalErrorInformation) { FolderSecurity.AnnotatedAceList annotatedAceList = new FolderSecurity.AnnotatedAceList(securityDescriptor, freeBusySecurityDescriptor, (SecurityIdentifier securityIdentifier) => AclModifyTable.GetSecurityIdentifierType(recipientSession, securityIdentifier)); isCanonical = annotatedAceList.IsCanonical(out canonicalErrorInformation); IList <FolderSecurity.SecurityIdentifierAndFolderRights> list; if (isCanonical) { list = annotatedAceList.GetSecurityIdentifierAndRightsList(); } else { ExTraceGlobals.StorageTracer.TraceWarning <string, string>(0L, "Got non canonical SD: {0}, ErrorInfo: ", securityDescriptor.GetSddlForm(AccessControlSections.All), canonicalErrorInformation); list = Array <FolderSecurity.SecurityIdentifierAndFolderRights> .Empty; } List <AclTableEntry> list2 = new List <AclTableEntry>(list.Count + 1); foreach (FolderSecurity.SecurityIdentifierAndFolderRights securityIdentifierAndFolderRights in list) { MemberRights memberRights = (MemberRights)(securityIdentifierAndFolderRights.AllowRights & ~(MemberRights)securityIdentifierAndFolderRights.DenyRights); bool flag = false; bool flag2 = false; byte[] entryId; string text; List <SecurityIdentifier> list3; SecurityIdentifier securityIdentifier; if (securityIdentifierAndFolderRights.SecurityIdentifier.IsWellKnown(WellKnownSidType.WorldSid)) { entryId = Array <byte> .Empty; text = string.Empty; string legacyDN = string.Empty; securityIdentifier = securityIdentifierAndFolderRights.SecurityIdentifier; list3 = null; flag2 = true; } else if (securityIdentifierAndFolderRights.SecurityIdentifier.IsWellKnown(WellKnownSidType.AnonymousSid)) { entryId = Array <byte> .Empty; text = "Anonymous"; securityIdentifier = securityIdentifierAndFolderRights.SecurityIdentifier; list3 = null; } else if (ExternalUser.IsExternalUserSid(securityIdentifierAndFolderRights.SecurityIdentifier)) { ExternalUser externalUser = AclHelper.TryGetExternalUser(securityIdentifierAndFolderRights.SecurityIdentifier, lazilyInitializedExternalUserCollection); if (externalUser == null) { ExTraceGlobals.StorageTracer.TraceWarning <SecurityIdentifier>(0L, "Cannot find external user with SID {0}, build entry from information we have", securityIdentifierAndFolderRights.SecurityIdentifier); string text2 = AclHelper.CreateLocalUserStrignRepresentation(securityIdentifierAndFolderRights.SecurityIdentifier); text = text2; } else { text = externalUser.Name; string legacyDN = externalUser.LegacyDn; } entryId = AddressBookEntryId.MakeAddressBookEntryIDFromLocalDirectorySid(securityIdentifierAndFolderRights.SecurityIdentifier); securityIdentifier = securityIdentifierAndFolderRights.SecurityIdentifier; list3 = null; } else { MiniRecipient miniRecipient = recipientSession.FindMiniRecipientBySid <MiniRecipient>(securityIdentifierAndFolderRights.SecurityIdentifier, Array <PropertyDefinition> .Empty); string legacyDN; if (miniRecipient == null) { ExTraceGlobals.StorageTracer.TraceWarning <SecurityIdentifier>(0L, "Cannot find recipient with SID {0}, build entry from the information we have", securityIdentifierAndFolderRights.SecurityIdentifier); flag = (securityIdentifierAndFolderRights.SecurityIdentifierType == FolderSecurity.SecurityIdentifierType.Group); string text3 = AclHelper.CreateNTUserStrignRepresentation(securityIdentifierAndFolderRights.SecurityIdentifier); text = text3; legacyDN = text3; securityIdentifier = securityIdentifierAndFolderRights.SecurityIdentifier; list3 = null; } else { flag = AclHelper.IsGroupRecipientType(miniRecipient.RecipientType); if (string.IsNullOrEmpty(miniRecipient.DisplayName)) { text = AclHelper.CreateNTUserStrignRepresentation(securityIdentifierAndFolderRights.SecurityIdentifier); } else { text = miniRecipient.DisplayName; } if (string.IsNullOrEmpty(miniRecipient.LegacyExchangeDN)) { legacyDN = text; } else { legacyDN = miniRecipient.LegacyExchangeDN; } SecurityIdentifier masterAccountSid = miniRecipient.MasterAccountSid; if (masterAccountSid != null && !masterAccountSid.IsWellKnown(WellKnownSidType.SelfSid)) { securityIdentifier = masterAccountSid; list3 = null; } else { securityIdentifier = miniRecipient.Sid; MultiValuedProperty <SecurityIdentifier> sidHistory = miniRecipient.SidHistory; if (sidHistory != null && sidHistory.Count != 0) { list3 = new List <SecurityIdentifier>(sidHistory); } else { list3 = null; } } } entryId = AddressBookEntryId.MakeAddressBookEntryID(legacyDN, flag); } AclTableEntry aclTableEntry = list2.Find((AclTableEntry entry) => entry.SecurityIdentifier == securityIdentifier); if (aclTableEntry == null && list3 != null) { using (List <SecurityIdentifier> .Enumerator enumerator2 = list3.GetEnumerator()) { while (enumerator2.MoveNext()) { SecurityIdentifier sid = enumerator2.Current; aclTableEntry = list2.Find((AclTableEntry entry) => entry.SecurityIdentifier == sid); if (aclTableEntry != null) { break; } } } } if (aclTableEntry == null) { aclTableEntry = new AclTableEntry(AclModifyTable.GetIdForSecurityIdentifier(securityIdentifier, list3, aclTableIdMap), entryId, text, memberRights); aclTableEntry.SetSecurityIdentifier(securityIdentifier, flag); if (flag2) { list2.Insert(0, aclTableEntry); } else { list2.Add(aclTableEntry); } } else { aclTableEntry.MemberRights &= memberRights; if (aclTableEntry.IsGroup != flag) { throw new NonCanonicalACLException(annotatedAceList.CreateErrorInformation((LID)35788U, new int[0])); } aclTableEntry.SetSecurityIdentifier(securityIdentifier, flag); } } return(list2); }