public SecurityDescriptor(byte[] buffer, int offset) { Revision = ByteReader.ReadByte(buffer, ref offset); Sbz1 = ByteReader.ReadByte(buffer, ref offset); Control = (SecurityDescriptorControl)LittleEndianReader.ReadUInt16(buffer, ref offset); uint offsetOwner = LittleEndianReader.ReadUInt32(buffer, ref offset); uint offsetGroup = LittleEndianReader.ReadUInt32(buffer, ref offset); uint offsetSacl = LittleEndianReader.ReadUInt32(buffer, ref offset); uint offsetDacl = LittleEndianReader.ReadUInt32(buffer, ref offset); if (offsetOwner != 0) { OwnerSid = new SID(buffer, (int)offsetOwner); } if (offsetGroup != 0) { GroupSid = new SID(buffer, (int)offsetGroup); } if (offsetSacl != 0) { Sacl = new ACL(buffer, (int)offsetSacl); } if (offsetDacl != 0) { Dacl = new ACL(buffer, (int)offsetDacl); } }
public SecurityDescriptor( SecurityIdentifier owner, SecurityIdentifier group, AccessControlList dacl, AccessControlList sacl, SecurityDescriptorControl control) { // create security descriptor _pSd = CreateSecurityDescriptor( owner == null ? IntPtr.Zero : owner.Handle, group == null ? IntPtr.Zero : group.Handle, dacl == null ? IntPtr.Zero : dacl.Handle, sacl == null ? IntPtr.Zero : sacl.Handle, control); // query properties uint revision; uint controlFlags; if (!SecurityNative.GetSecurityDescriptorControl(_pSd, out controlFlags, out revision)) { throw new Win32Exception(Marshal.GetLastWin32Error()); } _revision = (int)revision; _control = (SecurityDescriptorControl)controlFlags; _owner = owner; _group = group; _dacl = dacl; _sacl = sacl; }
public SecurityDescriptor( SecurityIdentifier owner, SecurityIdentifier group, AccessControlList dacl, AccessControlList sacl, SecurityDescriptorControl control) { // create security descriptor _pSd = CreateSecurityDescriptor( owner == null ? IntPtr.Zero : owner.Handle, group == null ? IntPtr.Zero : group.Handle, dacl == null ? IntPtr.Zero : dacl.Handle, sacl == null ? IntPtr.Zero : sacl.Handle, control); // query properties uint revision; uint controlFlags; if (!SecurityNative.GetSecurityDescriptorControl(_pSd, out controlFlags, out revision)) throw new Win32Exception(Marshal.GetLastWin32Error()); _revision = (int)revision; _control = (SecurityDescriptorControl)controlFlags; _owner = owner; _group = group; _dacl = dacl; _sacl = sacl; }
/// <summary> /// Returns security descriptor information /// </summary> private static void GetSecurityDescriptorInfo( IntPtr pSd, out IntPtr pOwner, out IntPtr pGroup, out IntPtr pDacl, out IntPtr pSacl, out SecurityDescriptorControl control) { // parameters validation if (pSd == IntPtr.Zero) { throw new ArgumentNullException("pSd"); } // query SIDs bool ownerDefaulted; if (!SecurityNative.GetSecurityDescriptorOwner(pSd, out pOwner, out ownerDefaulted)) { throw new Win32Exception(Marshal.GetLastWin32Error()); } bool groupDefaulted; if (!SecurityNative.GetSecurityDescriptorGroup(pSd, out pGroup, out groupDefaulted)) { throw new Win32Exception(Marshal.GetLastWin32Error()); } // query ACLs bool daclPresent; bool daclDefaulted; if (!SecurityNative.GetSecurityDescriptorDacl(pSd, out daclPresent, out pDacl, out daclDefaulted)) { throw new Win32Exception(Marshal.GetLastWin32Error()); } bool saclPresent; bool saclDefaulted; if (!SecurityNative.GetSecurityDescriptorSacl(pSd, out saclPresent, out pSacl, out saclDefaulted)) { throw new Win32Exception(Marshal.GetLastWin32Error()); } // query properties uint revision; uint controlFlags; if (!SecurityNative.GetSecurityDescriptorControl(pSd, out controlFlags, out revision)) { throw new Win32Exception(Marshal.GetLastWin32Error()); } control = (SecurityDescriptorControl)controlFlags; }
private static void UpdateSecurityDescriptorControl(SecurityDescriptor sd, SecurityDescriptorControl control) { if (control.HasFlag(SecurityDescriptorControl.OwnerDefaulted) && sd.Owner != null) { sd.Owner.Defaulted = true; } if (control.HasFlag(SecurityDescriptorControl.GroupDefaulted) && sd.Group != null) { sd.Group.Defaulted = true; } if (sd.Dacl != null) { if (control.HasFlag(SecurityDescriptorControl.DaclDefaulted)) { sd.Dacl.Defaulted = true; } if (control.HasFlag(SecurityDescriptorControl.DaclProtected)) { sd.Dacl.Protected = true; } if (control.HasFlag(SecurityDescriptorControl.DaclAutoInherited)) { sd.Dacl.AutoInherited = true; } if (control.HasFlag(SecurityDescriptorControl.DaclAutoInheritReq)) { sd.Dacl.AutoInheritReq = true; } } if (sd.Sacl != null) { if (control.HasFlag(SecurityDescriptorControl.SaclDefaulted)) { sd.Sacl.Defaulted = true; } if (control.HasFlag(SecurityDescriptorControl.SaclProtected)) { sd.Sacl.Protected = true; } if (control.HasFlag(SecurityDescriptorControl.SaclAutoInherited)) { sd.Sacl.AutoInherited = true; } if (control.HasFlag(SecurityDescriptorControl.SaclAutoInheritReq)) { sd.Sacl.AutoInheritReq = true; } } if (control.HasFlag(SecurityDescriptorControl.ServerSecurity)) { sd.ServerSecurity = true; } if (control.HasFlag(SecurityDescriptorControl.DaclUntrusted)) { sd.DaclUntrusted = true; } }
/// <summary> /// Creates security descriptor /// </summary> private static LocalAllocHandle CreateSecurityDescriptor( IntPtr pOwner, IntPtr pGroup, IntPtr pDacl, IntPtr pSacl, SecurityDescriptorControl control) { // correct control flags if (pDacl != IntPtr.Zero) { control |= SecurityDescriptorControl.DaclPresent; } if (pSacl != IntPtr.Zero) { control |= SecurityDescriptorControl.SaclPresent; } // allocate memory for security descriptor LocalAllocHandle pSd = new LocalAllocHandle(SecurityNative.SecurityDescriptor.Size); // initialize security descriptor if (!SecurityNative.InitializeSecurityDescriptor(pSd, SecurityNative.SECURITY_DESCRIPTOR_REVISION)) { throw new Win32Exception(Marshal.GetLastWin32Error()); } // set security descriptor control if (!SecurityNative.SetSecurityDescriptorControl(pSd, (uint)SecurityDescriptorControl.InheritenceMask, (uint)(control & SecurityDescriptorControl.InheritenceMask))) { throw new Win32Exception(Marshal.GetLastWin32Error()); } // set SIDs if (!SecurityNative.SetSecurityDescriptorOwner(pSd, pOwner, (control & SecurityDescriptorControl.OwnerDefaulted) != 0)) { throw new Win32Exception(Marshal.GetLastWin32Error()); } if (!SecurityNative.SetSecurityDescriptorGroup(pSd, pGroup, (control & SecurityDescriptorControl.GroupDefaulted) != 0)) { throw new Win32Exception(Marshal.GetLastWin32Error()); } // set ACLs if (!SecurityNative.SetSecurityDescriptorDacl(pSd, (control & SecurityDescriptorControl.DaclPresent) != 0, pDacl, (control & SecurityDescriptorControl.DaclDefaulted) != 0)) { throw new Win32Exception(Marshal.GetLastWin32Error()); } if (!SecurityNative.SetSecurityDescriptorSacl(pSd, (control & SecurityDescriptorControl.SaclPresent) != 0, pSacl, (control & SecurityDescriptorControl.SaclDefaulted) != 0)) { throw new Win32Exception(Marshal.GetLastWin32Error()); } return(pSd); }
public bool HasFlag(SecurityDescriptorControl control) { return((control & Control) == control); }
internal static extern bool GetSecurityDescriptorControl(SafeGlobalMemoryBufferHandle pSecurityDescriptor, out SecurityDescriptorControl pControl, out uint lpdwRevision);
/// <summary> /// Convert security descriptor to a byte array /// </summary> /// <returns>The binary security descriptor</returns> public byte[] ToByteArray() { SafeStructureInOutBuffer <SecurityDescriptorStructure> sd_buffer = null; SafeHGlobalBuffer dacl_buffer = null; SafeHGlobalBuffer sacl_buffer = null; SafeSidBufferHandle owner_buffer = null; SafeSidBufferHandle group_buffer = null; try { sd_buffer = new SafeStructureInOutBuffer <SecurityDescriptorStructure>(); NtRtl.RtlCreateSecurityDescriptor(sd_buffer, Revision).ToNtException(); SecurityDescriptorControl control = Control & SecurityDescriptorControl.ValidControlSetMask; NtRtl.RtlSetControlSecurityDescriptor(sd_buffer, control, control).ToNtException(); if (Dacl != null) { if (!Dacl.NullAcl) { dacl_buffer = new SafeHGlobalBuffer(Dacl.ToByteArray()); } else { dacl_buffer = new SafeHGlobalBuffer(IntPtr.Zero, 0, false); } NtRtl.RtlSetDaclSecurityDescriptor(sd_buffer, true, dacl_buffer.DangerousGetHandle(), Dacl.Defaulted).ToNtException(); } if (Sacl != null) { if (!Sacl.NullAcl) { sacl_buffer = new SafeHGlobalBuffer(Sacl.ToByteArray()); } else { sacl_buffer = new SafeHGlobalBuffer(IntPtr.Zero, 0, false); } NtRtl.RtlSetSaclSecurityDescriptor(sd_buffer, true, sacl_buffer.DangerousGetHandle(), Sacl.Defaulted).ToNtException(); } if (Owner != null) { owner_buffer = Owner.Sid.ToSafeBuffer(); NtRtl.RtlSetOwnerSecurityDescriptor(sd_buffer, owner_buffer.DangerousGetHandle(), Owner.Defaulted); } if (Group != null) { group_buffer = Group.Sid.ToSafeBuffer(); NtRtl.RtlSetGroupSecurityDescriptor(sd_buffer, group_buffer.DangerousGetHandle(), Group.Defaulted); } int total_length = 0; NtStatus status = NtRtl.RtlAbsoluteToSelfRelativeSD(sd_buffer, new SafeHGlobalBuffer(IntPtr.Zero, 0, false), ref total_length); if (status != NtStatus.STATUS_BUFFER_TOO_SMALL) { status.ToNtException(); } using (SafeHGlobalBuffer relative_sd = new SafeHGlobalBuffer(total_length)) { NtRtl.RtlAbsoluteToSelfRelativeSD(sd_buffer, relative_sd, ref total_length).ToNtException(); return(relative_sd.ToArray()); } } finally { sd_buffer?.Close(); dacl_buffer?.Close(); sacl_buffer?.Close(); owner_buffer?.Close(); group_buffer?.Close(); } }
static extern bool GetSecurityDescriptorControl(byte[] pSecurityDescriptor, ref SecurityDescriptorControl pControl, ref int lpdwRevision);
private NtResult <SafeHGlobalBuffer> CreateAbsoluteSecurityDescriptor(bool throw_on_error) { byte[] dacl = Dacl?.ToByteArray(); byte[] sacl = Sacl?.ToByteArray(); byte[] owner = Owner?.Sid.ToArray(); byte[] group = Group?.Sid.ToArray(); int total_size = GetLength(dacl) + GetLength(sacl) + GetLength(owner) + GetLength(group); using (var sd_buffer = new SafeStructureInOutBuffer <SecurityDescriptorStructure>(total_size, true)) { NtStatus status = NtRtl.RtlCreateSecurityDescriptor(sd_buffer, Revision); if (!status.IsSuccess()) { return(status.CreateResultFromError <SafeHGlobalBuffer>(throw_on_error)); } SecurityDescriptorControl control = Control & SecurityDescriptorControl.ValidControlSetMask; status = NtRtl.RtlSetControlSecurityDescriptor(sd_buffer, control, control); if (!status.IsSuccess()) { return(status.CreateResultFromError <SafeHGlobalBuffer>(throw_on_error)); } int current_ofs = 0; if (Dacl != null) { IntPtr ptr = UpdateBuffer(sd_buffer, Dacl.NullAcl ? null : dacl, ref current_ofs); status = NtRtl.RtlSetDaclSecurityDescriptor(sd_buffer, true, ptr, Dacl.Defaulted); if (!status.IsSuccess()) { return(status.CreateResultFromError <SafeHGlobalBuffer>(throw_on_error)); } } if (Sacl != null) { IntPtr ptr = UpdateBuffer(sd_buffer, Sacl.NullAcl ? null : sacl, ref current_ofs); status = NtRtl.RtlSetSaclSecurityDescriptor(sd_buffer, true, ptr, Sacl.Defaulted); if (!status.IsSuccess()) { return(status.CreateResultFromError <SafeHGlobalBuffer>(throw_on_error)); } } if (Owner != null) { IntPtr ptr = UpdateBuffer(sd_buffer, owner, ref current_ofs); status = NtRtl.RtlSetOwnerSecurityDescriptor(sd_buffer, ptr, Owner.Defaulted); if (!status.IsSuccess()) { return(status.CreateResultFromError <SafeHGlobalBuffer>(throw_on_error)); } } if (Group != null) { IntPtr ptr = UpdateBuffer(sd_buffer, group, ref current_ofs); status = NtRtl.RtlSetGroupSecurityDescriptor(sd_buffer, ptr, Group.Defaulted); if (!status.IsSuccess()) { return(status.CreateResultFromError <SafeHGlobalBuffer>(throw_on_error)); } } return(status.CreateResult <SafeHGlobalBuffer>(throw_on_error, () => sd_buffer.Detach())); } }
internal static extern bool GetSecurityDescriptorControl(SafeGlobalMemoryBufferHandle pSecurityDescriptor, out SecurityDescriptorControl pControl, out uint lpdwRevision);
/// <summary> /// Returns security descriptor information /// </summary> private static void GetSecurityDescriptorInfo( IntPtr pSd, out IntPtr pOwner, out IntPtr pGroup, out IntPtr pDacl, out IntPtr pSacl, out SecurityDescriptorControl control) { // parameters validation if (pSd == IntPtr.Zero) throw new ArgumentNullException("pSd"); // query SIDs bool ownerDefaulted; if (!SecurityNative.GetSecurityDescriptorOwner(pSd, out pOwner, out ownerDefaulted)) throw new Win32Exception(Marshal.GetLastWin32Error()); bool groupDefaulted; if (!SecurityNative.GetSecurityDescriptorGroup(pSd, out pGroup, out groupDefaulted)) throw new Win32Exception(Marshal.GetLastWin32Error()); // query ACLs bool daclPresent; bool daclDefaulted; if (!SecurityNative.GetSecurityDescriptorDacl(pSd, out daclPresent, out pDacl, out daclDefaulted)) throw new Win32Exception(Marshal.GetLastWin32Error()); bool saclPresent; bool saclDefaulted; if (!SecurityNative.GetSecurityDescriptorSacl(pSd, out saclPresent, out pSacl, out saclDefaulted)) throw new Win32Exception(Marshal.GetLastWin32Error()); // query properties uint revision; uint controlFlags; if (!SecurityNative.GetSecurityDescriptorControl(pSd, out controlFlags, out revision)) throw new Win32Exception(Marshal.GetLastWin32Error()); control = (SecurityDescriptorControl)controlFlags; }
/// <summary> /// Creates security descriptor /// </summary> private static LocalAllocHandle CreateSecurityDescriptor( IntPtr pOwner, IntPtr pGroup, IntPtr pDacl, IntPtr pSacl, SecurityDescriptorControl control) { // correct control flags if (pDacl != IntPtr.Zero) control |= SecurityDescriptorControl.DaclPresent; if (pSacl != IntPtr.Zero) control |= SecurityDescriptorControl.SaclPresent; // allocate memory for security descriptor LocalAllocHandle pSd = new LocalAllocHandle(SecurityNative.SecurityDescriptor.Size); // initialize security descriptor if (!SecurityNative.InitializeSecurityDescriptor(pSd, SecurityNative.SECURITY_DESCRIPTOR_REVISION)) throw new Win32Exception(Marshal.GetLastWin32Error()); // set security descriptor control if (!SecurityNative.SetSecurityDescriptorControl(pSd, (uint)SecurityDescriptorControl.InheritenceMask, (uint)(control & SecurityDescriptorControl.InheritenceMask))) throw new Win32Exception(Marshal.GetLastWin32Error()); // set SIDs if (!SecurityNative.SetSecurityDescriptorOwner(pSd, pOwner, (control & SecurityDescriptorControl.OwnerDefaulted) != 0)) throw new Win32Exception(Marshal.GetLastWin32Error()); if (!SecurityNative.SetSecurityDescriptorGroup(pSd, pGroup, (control & SecurityDescriptorControl.GroupDefaulted) != 0)) throw new Win32Exception(Marshal.GetLastWin32Error()); // set ACLs if (!SecurityNative.SetSecurityDescriptorDacl(pSd, (control & SecurityDescriptorControl.DaclPresent) != 0, pDacl, (control & SecurityDescriptorControl.DaclDefaulted) != 0)) throw new Win32Exception(Marshal.GetLastWin32Error()); if (!SecurityNative.SetSecurityDescriptorSacl(pSd, (control & SecurityDescriptorControl.SaclPresent) != 0, pSacl, (control & SecurityDescriptorControl.SaclDefaulted) != 0)) throw new Win32Exception(Marshal.GetLastWin32Error()); return pSd; }
internal SecurityDescriptor(IntPtr pSd, bool copy) { // get security descriptor information IntPtr pOwner; IntPtr pGroup; IntPtr pDacl; IntPtr pSacl; SecurityDescriptorControl control; GetSecurityDescriptorInfo( pSd, out pOwner, out pGroup, out pDacl, out pSacl, out control); bool copyStructs; if (copy) { // create security descriptor _pSd = CreateSecurityDescriptor(pOwner, pGroup, pDacl, pSacl, control); copyStructs = true; } else { // store pointer _pSd = new LocalAllocHandle(pSd); copyStructs = (control & SecurityDescriptorControl.SelfRelative) != 0; } // query properties uint revision; uint controlFlags; if (!SecurityNative.GetSecurityDescriptorControl(_pSd, out controlFlags, out revision)) { throw new Win32Exception(Marshal.GetLastWin32Error()); } _revision = (int)revision; _control = (SecurityDescriptorControl)controlFlags; if (pOwner != IntPtr.Zero) { _owner = new SecurityIdentifier(pOwner, copyStructs); } if (pGroup != IntPtr.Zero) { _group = new SecurityIdentifier(pGroup, copyStructs); } if (pDacl != IntPtr.Zero) { _dacl = new AccessControlList(pDacl, copyStructs); } if (pSacl != IntPtr.Zero) { _sacl = new AccessControlList(pSacl, copyStructs); } }
public static extern NtStatus RtlGetControlSecurityDescriptor(SafeBuffer SecurityDescriptor, out SecurityDescriptorControl Control, out uint Revision);
public static extern NtStatus RtlSetControlSecurityDescriptor(SafeBuffer SecurityDescriptor, SecurityDescriptorControl Control, SecurityDescriptorControl ControlMask);
internal SecurityDescriptor(IntPtr pSd, bool copy) { // get security descriptor information IntPtr pOwner; IntPtr pGroup; IntPtr pDacl; IntPtr pSacl; SecurityDescriptorControl control; GetSecurityDescriptorInfo( pSd, out pOwner, out pGroup, out pDacl, out pSacl, out control); bool copyStructs; if (copy) { // create security descriptor _pSd = CreateSecurityDescriptor(pOwner, pGroup, pDacl, pSacl, control); copyStructs = true; } else { // store pointer _pSd = new LocalAllocHandle(pSd); copyStructs = (control & SecurityDescriptorControl.SelfRelative) != 0; } // query properties uint revision; uint controlFlags; if (!SecurityNative.GetSecurityDescriptorControl(_pSd, out controlFlags, out revision)) throw new Win32Exception(Marshal.GetLastWin32Error()); _revision = (int)revision; _control = (SecurityDescriptorControl)controlFlags; if (pOwner != IntPtr.Zero) _owner = new SecurityIdentifier(pOwner, copyStructs); if (pGroup != IntPtr.Zero) _group = new SecurityIdentifier(pGroup, copyStructs); if (pDacl != IntPtr.Zero) _dacl = new AccessControlList(pDacl, copyStructs); if (pSacl != IntPtr.Zero) _sacl = new AccessControlList(pSacl, copyStructs); }