internal static void SetAccessControlInternal(string path, SafeHandle handle, ObjectSecurity objectSecurity, AccessControlSections includeSections, PathFormat pathFormat) { if (pathFormat == PathFormat.RelativePath) Path.CheckValidPath(path, true, true); if (objectSecurity == null) throw new ArgumentNullException("objectSecurity"); byte[] managedDescriptor = objectSecurity.GetSecurityDescriptorBinaryForm(); using (var safeBuffer = new SafeGlobalMemoryBufferHandle(managedDescriptor.Length)) { string pathLp = Path.GetExtendedLengthPathInternal(null, path, pathFormat, GetFullPathOptions.RemoveTrailingDirectorySeparator | GetFullPathOptions.CheckInvalidPathChars); safeBuffer.CopyFrom(managedDescriptor, 0, managedDescriptor.Length); SecurityDescriptorControl control; uint revision; if (!Security.NativeMethods.GetSecurityDescriptorControl(safeBuffer, out control, out revision)) NativeError.ThrowException(Marshal.GetLastWin32Error(), pathLp); PrivilegeEnabler privilegeEnabler = null; try { var securityInfo = SecurityInformation.None; IntPtr pDacl = IntPtr.Zero; if ((includeSections & AccessControlSections.Access) != 0) { bool daclDefaulted, daclPresent; if (!Security.NativeMethods.GetSecurityDescriptorDacl(safeBuffer, out daclPresent, out pDacl, out daclDefaulted)) NativeError.ThrowException(Marshal.GetLastWin32Error(), pathLp); if (daclPresent) { securityInfo |= SecurityInformation.Dacl; securityInfo |= (control & SecurityDescriptorControl.DaclProtected) != 0 ? SecurityInformation.ProtectedDacl : SecurityInformation.UnprotectedDacl; } } IntPtr pSacl = IntPtr.Zero; if ((includeSections & AccessControlSections.Audit) != 0) { bool saclDefaulted, saclPresent; if (!Security.NativeMethods.GetSecurityDescriptorSacl(safeBuffer, out saclPresent, out pSacl, out saclDefaulted)) NativeError.ThrowException(Marshal.GetLastWin32Error(), pathLp); if (saclPresent) { securityInfo |= SecurityInformation.Sacl; securityInfo |= (control & SecurityDescriptorControl.SaclProtected) != 0 ? SecurityInformation.ProtectedSacl : SecurityInformation.UnprotectedSacl; privilegeEnabler = new PrivilegeEnabler(Privilege.Security); } } IntPtr pOwner = IntPtr.Zero; if ((includeSections & AccessControlSections.Owner) != 0) { bool ownerDefaulted; if (!Security.NativeMethods.GetSecurityDescriptorOwner(safeBuffer, out pOwner, out ownerDefaulted)) NativeError.ThrowException(Marshal.GetLastWin32Error(), pathLp); if (pOwner != IntPtr.Zero) securityInfo |= SecurityInformation.Owner; } IntPtr pGroup = IntPtr.Zero; if ((includeSections & AccessControlSections.Group) != 0) { bool groupDefaulted; if (!Security.NativeMethods.GetSecurityDescriptorGroup(safeBuffer, out pGroup, out groupDefaulted)) NativeError.ThrowException(Marshal.GetLastWin32Error(), pathLp); if (pGroup != IntPtr.Zero) securityInfo |= SecurityInformation.Group; } uint lastError; if (!Utils.IsNullOrWhiteSpace(pathLp)) { // SetNamedSecurityInfo() // In the ANSI version of this function, the name is limited to MAX_PATH characters. // To extend this limit to 32,767 wide characters, call the Unicode version of the function and prepend "\\?\" to the path. // 2013-01-13: MSDN does not confirm LongPath usage but a Unicode version of this function exists. lastError = Security.NativeMethods.SetNamedSecurityInfo(pathLp, ObjectType.FileObject, securityInfo, pOwner, pGroup, pDacl, pSacl); if (lastError != Win32Errors.ERROR_SUCCESS) NativeError.ThrowException(lastError, pathLp); } else if (NativeMethods.IsValidHandle(handle)) { lastError = Security.NativeMethods.SetSecurityInfo(handle, ObjectType.FileObject, securityInfo, pOwner, pGroup, pDacl, pSacl); if (lastError != Win32Errors.ERROR_SUCCESS) NativeError.ThrowException((int)lastError); } } finally { if (privilegeEnabler != null) privilegeEnabler.Dispose(); } } }
internal static void SetSecurityInfo(SafeHandle handle, NativeMethods.SE_OBJECT_TYPE objectType, NativeObjectSecurity fileSecurity) { byte[] managedDescriptor = fileSecurity.GetSecurityDescriptorBinaryForm(); using (SafeGlobalMemoryBufferHandle hDescriptor = new SafeGlobalMemoryBufferHandle(managedDescriptor.Length)) { hDescriptor.CopyFrom(managedDescriptor, 0, managedDescriptor.Length); NativeMethods.SECURITY_DESCRIPTOR_CONTROL control; uint revision; if (!NativeMethods.GetSecurityDescriptorControl(hDescriptor, out control, out revision)) { NativeError.ThrowException(); } IntPtr pDacl; bool daclDefaulted, daclPresent; if (!NativeMethods.GetSecurityDescriptorDacl(hDescriptor, out daclPresent, out pDacl, out daclDefaulted)) { NativeError.ThrowException(); } IntPtr pSacl; bool saclDefaulted, saclPresent; if (!NativeMethods.GetSecurityDescriptorSacl(hDescriptor, out saclPresent, out pSacl, out saclDefaulted)) { NativeError.ThrowException(); } IntPtr pOwner; bool ownerDefaulted; if (!NativeMethods.GetSecurityDescriptorOwner(hDescriptor, out pOwner, out ownerDefaulted)) { NativeError.ThrowException(); } IntPtr pGroup; bool GroupDefaulted; if (!NativeMethods.GetSecurityDescriptorGroup(hDescriptor, out pGroup, out GroupDefaulted)) { NativeError.ThrowException(); } PrivilegeEnabler privilegeEnabler = null; try { NativeMethods.SECURITY_INFORMATION info = 0; if (daclPresent) { info |= NativeMethods.SECURITY_INFORMATION.DACL_SECURITY_INFORMATION; if ((control & NativeMethods.SECURITY_DESCRIPTOR_CONTROL.SE_DACL_PROTECTED) != 0) { info |= NativeMethods.SECURITY_INFORMATION.PROTECTED_DACL_SECURITY_INFORMATION; } else { info |= NativeMethods.SECURITY_INFORMATION.UNPROTECTED_DACL_SECURITY_INFORMATION; } } if (saclPresent) { info |= NativeMethods.SECURITY_INFORMATION.SACL_SECURITY_INFORMATION; if ((control & NativeMethods.SECURITY_DESCRIPTOR_CONTROL.SE_SACL_PROTECTED) != 0) { info |= NativeMethods.SECURITY_INFORMATION.PROTECTED_SACL_SECURITY_INFORMATION; } else { info |= NativeMethods.SECURITY_INFORMATION.UNPROTECTED_SACL_SECURITY_INFORMATION; } privilegeEnabler = new PrivilegeEnabler(Privilege.Security); } if (pOwner != IntPtr.Zero) { info |= NativeMethods.SECURITY_INFORMATION.OWNER_SECURITY_INFORMATION; } if (pGroup != IntPtr.Zero) { info |= NativeMethods.SECURITY_INFORMATION.GROUP_SECURITY_INFORMATION; } uint errorCode = NativeMethods.SetSecurityInfo(handle, objectType, info, pOwner, pGroup, pDacl, pSacl); if (errorCode != 0) { NativeError.ThrowException((int)errorCode); } } finally { if (privilegeEnabler != null) { privilegeEnabler.Dispose(); } } } }
internal static SafeFileHandle CreateFileInternal(KernelTransaction transaction, string path, ExtendedFileAttributes attributes, FileSecurity fileSecurity, FileMode fileMode, FileSystemRights fileSystemRights, FileShare fileShare, bool checkPath, PathFormat pathFormat) { if (checkPath && pathFormat == PathFormat.RelativePath) Path.CheckValidPath(path, true, true); // When isFile == null, we're working with a device. // When opening a VOLUME or removable media drive (for example, a floppy disk drive or flash memory thumb drive), // the path string should be the following form: "\\.\X:" // Do not use a trailing backslash (\), which indicates the root. string pathLp = Path.GetExtendedLengthPathInternal(transaction, path, pathFormat, GetFullPathOptions.TrimEnd | GetFullPathOptions.RemoveTrailingDirectorySeparator); PrivilegeEnabler privilegeEnabler = null; try { if (fileSecurity != null) fileSystemRights |= (FileSystemRights)0x1000000; // AccessSystemSecurity = 0x1000000 AccessSystemAcl access type. // MaximumAllowed = 0x2000000 MaximumAllowed access type. if ((fileSystemRights & (FileSystemRights)0x1000000) != 0 || (fileSystemRights & (FileSystemRights)0x2000000) != 0) privilegeEnabler = new PrivilegeEnabler(Privilege.Security); using (var securityAttributes = new Security.NativeMethods.SecurityAttributes(fileSecurity)) { SafeFileHandle handle = transaction == null || !NativeMethods.IsAtLeastWindowsVista // CreateFile() / CreateFileTransacted() // In the ANSI version of this function, the name is limited to MAX_PATH characters. // To extend this limit to 32,767 wide characters, call the Unicode version of the function and prepend "\\?\" to the path. // 2013-01-13: MSDN confirms LongPath usage. ? NativeMethods.CreateFile(pathLp, fileSystemRights, fileShare, securityAttributes, fileMode, attributes, IntPtr.Zero) : NativeMethods.CreateFileTransacted(pathLp, fileSystemRights, fileShare, securityAttributes, fileMode, attributes, IntPtr.Zero, transaction.SafeHandle, IntPtr.Zero, IntPtr.Zero); int lastError = Marshal.GetLastWin32Error(); if (handle.IsInvalid) { handle.Close(); NativeError.ThrowException(lastError, pathLp); } return handle; } } finally { if (privilegeEnabler != null) privilegeEnabler.Dispose(); } }