private void CheckBinaryConstructor (string expectedSddl, byte[] binary) { RawSecurityDescriptor sd = new RawSecurityDescriptor (binary, 0); Assert.AreEqual (sd.BinaryLength, binary.Length); Assert.AreEqual (expectedSddl, sd.GetSddlForm (AccessControlSections.All)); }
internal CommonSecurityDescriptor(bool isContainer, bool isDS, RawSecurityDescriptor rawSecurityDescriptor, bool trusted) { if (rawSecurityDescriptor == null) { throw new ArgumentNullException("rawSecurityDescriptor"); } this.CreateFromParts(isContainer, isDS, rawSecurityDescriptor.ControlFlags, rawSecurityDescriptor.Owner, rawSecurityDescriptor.Group, (rawSecurityDescriptor.SystemAcl == null) ? null : new System.Security.AccessControl.SystemAcl(isContainer, isDS, rawSecurityDescriptor.SystemAcl, trusted), (rawSecurityDescriptor.DiscretionaryAcl == null) ? null : new System.Security.AccessControl.DiscretionaryAcl(isContainer, isDS, rawSecurityDescriptor.DiscretionaryAcl, trusted)); }
public static void SetProcessSecurityDescriptor(IntPtr hWnd) { RawSecurityDescriptor sd = new RawSecurityDescriptor(ControlFlags.None, new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null), null, null, new RawAcl(2, 0)); sd.SetFlags(ControlFlags.DiscretionaryAclPresent | ControlFlags.DiscretionaryAclDefaulted); byte[] rawSd = new byte[sd.BinaryLength]; sd.GetBinaryForm(rawSd, 0); if (!NativeMethods.Advapi32.SetKernelObjectSecurity(hWnd, (int)SecurityInfos.DiscretionaryAcl, rawSd)) Console.WriteLine("Win32Exception(): {0}", new Win32Exception().Message); }
private void CheckSddlConstructor (string sddl, byte[] expectedBinary) { RawSecurityDescriptor sd = new RawSecurityDescriptor (sddl); Assert.GreaterOrEqual (sd.BinaryLength, 0); byte[] buffer = new byte[sd.BinaryLength]; sd.GetBinaryForm (buffer, 0); Assert.AreEqual (expectedBinary, buffer); }
private void CheckRoundTrip (string sddl) { RawSecurityDescriptor sd = new RawSecurityDescriptor (sddl); byte[] buffer = new byte[sd.BinaryLength]; sd.GetBinaryForm (buffer, 0); sd = new RawSecurityDescriptor (buffer, 0); Assert.AreEqual (sddl, sd.GetSddlForm (AccessControlSections.All)); }
public ACCESS_MASK ComputeAccess(RawSecurityDescriptor descriptor, IdentityReference identity) { var accessGranted = ACCESS_MASK.NONE; // Create the Resource Manager using (SafeAuthzRMHandle authzRM = InitializeResourceManager()) using (SafeAuthzContextHandle userClientCtxt = InitializeContextFromSid(authzRM, identity)) { accessGranted = AccessCheck(userClientCtxt, descriptor); } return accessGranted; }
public void AllowUserAccessToCurrentProcess() { if (originalACL == null) return; IntPtr hProcess = GetCurrentProcess(); // Read the DACL var dacl = new RawSecurityDescriptor(originalACL, 0); // Insert the new ACE SetProcessSecurityDescriptor(hProcess, dacl); originalACL = null; }
private ACCESS_MASK AccessCheck(SafeAuthzContextHandle userClientCtxt, RawSecurityDescriptor descriptor) { ACCESS_MASK accessGranted; // Prepare the Access Check request var request = new NativeMethods.AUTHZ_ACCESS_REQUEST(); request.DesiredAccess = ACCESS_MASK.MAXIMUM_ALLOWED; request.PrincipalSelfSid = null; request.ObjectTypeList = IntPtr.Zero; request.ObjectTypeListLength = 0; request.OptionalArguments = IntPtr.Zero; using (var grantedAccessBuffer = SafeAllocation.Create<ACCESS_MASK>()) using (var errorBuffer = SafeAllocation.Create<uint>()) { // Prepare the access check reply var reply = new NativeMethods.AUTHZ_ACCESS_REPLY(); reply.ResultListLength = 1; reply.SaclEvaluationResults = IntPtr.Zero; reply.GrantedAccessMask = grantedAccessBuffer.DangerousGetHandle(); reply.Error = errorBuffer.DangerousGetHandle(); var rawSD = new byte[descriptor.BinaryLength]; descriptor.GetBinaryForm(rawSD, 0); if (!NativeMethods.AuthzAccessCheck( NativeMethods.AuthzACFlags.None, userClientCtxt, ref request, IntPtr.Zero, rawSD, null, 0, ref reply, IntPtr.Zero)) { throw new Win32Exception(Marshal.GetLastWin32Error()); } accessGranted = grantedAccessBuffer.ToStructure(); } return accessGranted; }
/// <summary>Sort ACEs according to canonical form for this <see cref="ObjectSecurity"/>.</summary> /// <param name="objectSecurity">The object security whose DiscretionaryAcl will be made canonical.</param> public static void CanonicalizeAccessRules(this ObjectSecurity objectSecurity) { if (objectSecurity == null) { throw new ArgumentNullException(nameof(objectSecurity)); } if (objectSecurity.AreAccessRulesCanonical) { return; } // Get raw SD from objectSecurity and canonicalize DACL var sd = new RawSecurityDescriptor(objectSecurity.GetSecurityDescriptorBinaryForm(), 0); sd.DiscretionaryAcl.Canonicalize(); // Convert SD back into objectSecurity objectSecurity.SetSecurityDescriptorBinaryForm(sd.GetBinaryForm()); }
void Init (bool isContainer, bool isDS, RawSecurityDescriptor rawSecurityDescriptor) { if (null == rawSecurityDescriptor) throw new ArgumentNullException ("rawSecurityDescriptor"); SystemAcl sacl = null; if (null != rawSecurityDescriptor.SystemAcl) sacl = new SystemAcl (isContainer, isDS, rawSecurityDescriptor.SystemAcl); DiscretionaryAcl dacl = null; if (null != rawSecurityDescriptor.DiscretionaryAcl) dacl = new DiscretionaryAcl (isContainer, isDS, rawSecurityDescriptor.DiscretionaryAcl); Init (isContainer, isDS, rawSecurityDescriptor.ControlFlags, rawSecurityDescriptor.Owner, rawSecurityDescriptor.Group, sacl, dacl); }
public void AclInheritance() { NtfsFileSystem ntfs = new FileSystemSource().NtfsFileSystem(); RawSecurityDescriptor sd = new RawSecurityDescriptor("O:BAG:BAD:(A;OICINP;GA;;;BA)"); ntfs.CreateDirectory("dir"); ntfs.SetSecurity("dir", sd); ntfs.CreateDirectory(@"dir\subdir"); RawSecurityDescriptor inheritedSd = ntfs.GetSecurity(@"dir\subdir"); Assert.NotNull(inheritedSd); Assert.AreEqual("O:BAG:BAD:(A;ID;GA;;;BA)", inheritedSd.GetSddlForm(AccessControlSections.All)); using (ntfs.OpenFile(@"dir\subdir\file", FileMode.Create, FileAccess.ReadWrite)) { } inheritedSd = ntfs.GetSecurity(@"dir\subdir\file"); Assert.NotNull(inheritedSd); Assert.AreEqual("O:BAG:BAD:", inheritedSd.GetSddlForm(AccessControlSections.All)); }
public RawSecurityDescriptor GetSecurityDescriptor() { if (string.IsNullOrEmpty(path)) { throw new ArgumentException("Path cannot be null or whitespace.", "path"); } FileSystemSecurity security; if (!TryGetFileSecurity(path, AccessSectionsNeeded, out security)) { if (!TryGetDirectorySecurity(path, AccessSectionsNeeded, out security)) { throw new ArgumentException("The path must be an existing file or directory.", path); } } var descriptorBinaryForm = security.GetSecurityDescriptorBinaryForm(); var descriptor = new RawSecurityDescriptor(descriptorBinaryForm, 0); return descriptor; }
// Token: 0x06001F8E RID: 8078 RVA: 0x0006E320 File Offset: 0x0006C520 private void UpdateWithNewSecurityDescriptor(RawSecurityDescriptor newOne, AccessControlSections includeSections) { if ((includeSections & AccessControlSections.Owner) != AccessControlSections.None) { this._ownerModified = true; this._securityDescriptor.Owner = newOne.Owner; } if ((includeSections & AccessControlSections.Group) != AccessControlSections.None) { this._groupModified = true; this._securityDescriptor.Group = newOne.Group; } if ((includeSections & AccessControlSections.Audit) != AccessControlSections.None) { this._saclModified = true; if (newOne.SystemAcl != null) { this._securityDescriptor.SystemAcl = new SystemAcl(this.IsContainer, this.IsDS, newOne.SystemAcl, true); } else { this._securityDescriptor.SystemAcl = null; } this._securityDescriptor.UpdateControlFlags(ObjectSecurity.SACL_CONTROL_FLAGS, newOne.ControlFlags & ObjectSecurity.SACL_CONTROL_FLAGS); } if ((includeSections & AccessControlSections.Access) != AccessControlSections.None) { this._daclModified = true; if (newOne.DiscretionaryAcl != null) { this._securityDescriptor.DiscretionaryAcl = new DiscretionaryAcl(this.IsContainer, this.IsDS, newOne.DiscretionaryAcl, true); } else { this._securityDescriptor.DiscretionaryAcl = null; } ControlFlags controlFlags = this._securityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclPresent; this._securityDescriptor.UpdateControlFlags(ObjectSecurity.DACL_CONTROL_FLAGS, (newOne.ControlFlags | controlFlags) & ObjectSecurity.DACL_CONTROL_FLAGS); } }
public static string DecodeSsdl(string ssdlStr, StringBuilder decodeBuffer, StringBuilder domainBuffer, StringBuilder usernameBuffer, ref int formatted) { try { var ssdl = new RawSecurityDescriptor(ssdlStr); ++formatted; decodeBuffer.Remove(0, decodeBuffer.Length); decodeBuffer.Append("ControlFlags=") .Append(ssdl.ControlFlags) .Append("; ResourceManagerControlBits=") .Append(ssdl.ResourceManagerControl); if (ssdl.Group != null) decodeBuffer.Append("; Group=").Append(ssdl.Group); if (ssdl.Owner != null) decodeBuffer.Append("; Owner=").Append(ssdl.Owner); if (ssdl.DiscretionaryAcl != null) { foreach (var acl in ssdl.DiscretionaryAcl) { decodeBuffer.Append("; DiscretionaryAcl"); DecodeAcl(acl, decodeBuffer, domainBuffer, usernameBuffer); } } if (ssdl.SystemAcl != null) { foreach (var acl in ssdl.SystemAcl) { decodeBuffer.Append("; SystemAcl"); DecodeAcl(acl, decodeBuffer, domainBuffer, usernameBuffer); } } return decodeBuffer.ToString(); } catch { return ssdlStr; } }
public static VirtualHardDisk Create(string filename, ulong maximumSize, VirtualStorageDeviceTypes deviceType = VirtualStorageDeviceTypes.Vhd, VirtualDiskAccessMasks mask = VirtualDiskAccessMasks.All, RawSecurityDescriptor securityDescriptor = null, CreateVirtualDiskFlags flags = CreateVirtualDiskFlags.None, uint providerSpecificFlags = 0, Guid uniqueId = default(Guid), uint blockSizeInBytes = 0, uint sectorSizeInBytes = 0, string parentPath = null, string sourcePath = null, Overlapped overlapped = null) { if () var storageType = new VirtualStorageType {DeviceId = deviceType}; var parameters = new CreateVirtualDiskParameters { Version = CreateVirtualDiskVersions.Version1, Version1 = new CreateVirtualDiskParametersVersion1 { UniqueId = uniqueId, MaximumSize = maximumSize, BlockSizeInBytes = blockSizeInBytes, SectorSizeInBytes = sectorSizeInBytes, ParentPath = parentPath, SourcePath = sourcePath } }; var handle = VirtualDiskCore.CreateVirtualDisk(storageType, filename, mask, securityDescriptor, flags, providerSpecificFlags, parameters, overlapped); var vhd = new VirtualHardDisk(filename, handle); // ReSharper disable once InvertIf if (vhd.VirtualStorageType.DeviceId == VirtualStorageDeviceTypes.Iso) { vhd.Dispose(); throw new NotSupportedException("This class does not support ISO files."); } return vhd; }
public EffectiveAccess(string path, string targetMachine, RawSecurityDescriptor shareSD, SecurityIdentifier userSid, SecurityIdentifier deviceSid, ClaimValueDictionary userClaims, ClaimValueDictionary deviceClaims, GroupsCollection userGroups, GroupsCollection deviceGroups) { if (string.IsNullOrEmpty(targetMachine) && shareSD != null) { throw new ArgumentException("targetMachine must be value when shareSD is not-empty", "targetMachine"); } handle = NativeMethods.CreateFile(path, NativeMethods.FileAccess.GenericRead, NativeMethods.FileShare.Read | NativeMethods.FileShare.Write | NativeMethods.FileShare.Delete, IntPtr.Zero, NativeMethods.FileMode.OpenExisting, NativeMethods.FileFlagAttrib.BackupSemantics, IntPtr.Zero); if (handle.IsInvalid) { throw new Win32Exception(Marshal.GetLastWin32Error()); } this.targetMachine = targetMachine; this.shareSD = shareSD; this.userSid = userSid; this.deviceSid = deviceSid; this.userClaims = userClaims; this.deviceClaims = deviceClaims; this.userGroups = userGroups; this.deviceGroups = deviceGroups; }
private void CreateFromParts(bool isContainer, bool isDS, System.Security.AccessControl.ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, System.Security.AccessControl.SystemAcl systemAcl, System.Security.AccessControl.DiscretionaryAcl discretionaryAcl) { if ((systemAcl != null) && (systemAcl.IsContainer != isContainer)) { throw new ArgumentException(Environment.GetResourceString(isContainer ? "AccessControl_MustSpecifyContainerAcl" : "AccessControl_MustSpecifyLeafObjectAcl"), "systemAcl"); } if ((discretionaryAcl != null) && (discretionaryAcl.IsContainer != isContainer)) { throw new ArgumentException(Environment.GetResourceString(isContainer ? "AccessControl_MustSpecifyContainerAcl" : "AccessControl_MustSpecifyLeafObjectAcl"), "discretionaryAcl"); } this._isContainer = isContainer; if ((systemAcl != null) && (systemAcl.IsDS != isDS)) { throw new ArgumentException(Environment.GetResourceString(isDS ? "AccessControl_MustSpecifyDirectoryObjectAcl" : "AccessControl_MustSpecifyNonDirectoryObjectAcl"), "systemAcl"); } if ((discretionaryAcl != null) && (discretionaryAcl.IsDS != isDS)) { throw new ArgumentException(Environment.GetResourceString(isDS ? "AccessControl_MustSpecifyDirectoryObjectAcl" : "AccessControl_MustSpecifyNonDirectoryObjectAcl"), "discretionaryAcl"); } this._isDS = isDS; this._sacl = systemAcl; if (discretionaryAcl == null) { discretionaryAcl = System.Security.AccessControl.DiscretionaryAcl.CreateAllowEveryoneFullAccess(this._isDS, this._isContainer); } this._dacl = discretionaryAcl; System.Security.AccessControl.ControlFlags flags2 = flags | System.Security.AccessControl.ControlFlags.DiscretionaryAclPresent; if (systemAcl == null) { flags2 &= ~System.Security.AccessControl.ControlFlags.SystemAclPresent; } else { flags2 |= System.Security.AccessControl.ControlFlags.SystemAclPresent; } this._rawSd = new RawSecurityDescriptor(flags2, owner, group, (systemAcl == null) ? null : systemAcl.RawAcl, discretionaryAcl.RawAcl); }
public byte[] GetSecurity(SecurityInformation requestedInformation, bool wantDefault) { //FileSecurity fsec= new FileSecurity(@"c:\Test1\test.txt",~AccessControlSections.Audit); //return fsec.GetSecurityDescriptorBinaryForm(); WindowsIdentity user = WindowsIdentity.GetCurrent(); if (user != null) { int length = 0; IntPtr token = user.Token; GetTokenInformation(token, TOKEN_INFORMATION_CLASS.TokenDefaultDacl, IntPtr.Zero, 0, out length); IntPtr TokenInformation = Marshal.AllocHGlobal((int) length); bool Result = GetTokenInformation(token, TOKEN_INFORMATION_CLASS.TokenDefaultDacl, TokenInformation, (uint) length, out length); TOKEN_DEFAULT_DACL dacl = (TOKEN_DEFAULT_DACL) Marshal.PtrToStructure(TokenInformation, typeof (TOKEN_DEFAULT_DACL)); ACL acl = (ACL) Marshal.PtrToStructure(dacl.DefaultDacl, typeof (ACL)); byte[] aceArr = new byte[acl.AclSize]; Marshal.Copy(dacl.DefaultDacl, aceArr, 0, acl.AclSize); RawAcl rawAcl = new RawAcl(aceArr, 0); Marshal.FreeHGlobal(TokenInformation); GetTokenInformation(token, TOKEN_INFORMATION_CLASS.TokenOwner, IntPtr.Zero, 0, out length); TokenInformation = Marshal.AllocHGlobal((int) length); GetTokenInformation(token, TOKEN_INFORMATION_CLASS.TokenOwner, TokenInformation, (uint)length, out length); TOKEN_OWNER tokOwner = (TOKEN_OWNER) Marshal.PtrToStructure(TokenInformation, typeof (TOKEN_OWNER)); SecurityIdentifier ownerSID= new SecurityIdentifier(tokOwner.Owner); Marshal.FreeHGlobal(TokenInformation); GetTokenInformation(token, TOKEN_INFORMATION_CLASS.TokenPrimaryGroup, IntPtr.Zero, 0, out length); TokenInformation = Marshal.AllocHGlobal((int)length); GetTokenInformation(token, TOKEN_INFORMATION_CLASS.TokenPrimaryGroup, TokenInformation, (uint)length, out length); TOKEN_PRIMARY_GROUP tokGroup= (TOKEN_PRIMARY_GROUP)Marshal.PtrToStructure(TokenInformation, typeof(TOKEN_PRIMARY_GROUP)); SecurityIdentifier groupSID = new SecurityIdentifier(tokGroup.PrimaryGroup); RawSecurityDescriptor rawDesc = new RawSecurityDescriptor(ControlFlags.DiscretionaryAclPresent, ownerSID, groupSID, null, rawAcl); byte[] ret = new byte[rawDesc.BinaryLength]; rawDesc.GetBinaryForm(ret, 0); return ret; } return null; }
private void SetCurrentProcessTokenDacl(RawAcl dacl) { IntPtr hProcess = IntPtr.Zero; IntPtr hProcessToken = IntPtr.Zero; IntPtr securityDescriptorPtr = IntPtr.Zero; try { hProcess = NativeMethods.GetCurrentProcess(); if (!NativeMethods.OpenProcessToken(hProcess, NativeMethods.TOKEN_ALL_ACCESS, out hProcessToken)) Marshal.ThrowExceptionForHR(Marshal.GetHRForLastWin32Error()); // Get security descriptor associated with the kernel object and modify it. uint returnLength; NativeMethods.GetKernelObjectSecurity(hProcessToken, NativeMethods.SECURITY_INFORMATION.DACL_SECURITY_INFORMATION, IntPtr.Zero, 0, out returnLength); int lasterror = Marshal.GetLastWin32Error(); //#pragma warning disable 56523 doesnt recognize 56523 securityDescriptorPtr = Marshal.AllocCoTaskMem((int)returnLength); if (!NativeMethods.GetKernelObjectSecurity(hProcessToken, NativeMethods.SECURITY_INFORMATION.DACL_SECURITY_INFORMATION, securityDescriptorPtr, returnLength, out returnLength)) Marshal.ThrowExceptionForHR(Marshal.GetHRForLastWin32Error()); byte[] sdBytes = new byte[returnLength]; Marshal.Copy(securityDescriptorPtr, sdBytes, 0, (int)returnLength); RawSecurityDescriptor rawSecurityDescriptor = new RawSecurityDescriptor(sdBytes, 0); rawSecurityDescriptor.DiscretionaryAcl = dacl; sdBytes = new byte[rawSecurityDescriptor.BinaryLength]; rawSecurityDescriptor.GetBinaryForm(sdBytes, 0); Marshal.FreeCoTaskMem(securityDescriptorPtr); securityDescriptorPtr = Marshal.AllocCoTaskMem(rawSecurityDescriptor.BinaryLength); Marshal.Copy(sdBytes, 0, securityDescriptorPtr, rawSecurityDescriptor.BinaryLength); if (!NativeMethods.SetKernelObjectSecurity(hProcessToken, NativeMethods.SECURITY_INFORMATION.DACL_SECURITY_INFORMATION, securityDescriptorPtr)) Marshal.ThrowExceptionForHR(Marshal.GetHRForLastWin32Error()); } finally { if (hProcess != IntPtr.Zero && hProcess != (IntPtr)(-1)) if (!NativeMethods.CloseHandle(hProcess)) Marshal.ThrowExceptionForHR(Marshal.GetHRForLastWin32Error()); if (hProcessToken != IntPtr.Zero) if (!NativeMethods.CloseHandle(hProcessToken)) Marshal.ThrowExceptionForHR(Marshal.GetHRForLastWin32Error()); if (securityDescriptorPtr != IntPtr.Zero) Marshal.FreeCoTaskMem(securityDescriptorPtr); } }
/// <summary>Initializes a new instance of the <see cref="T:System.Security.AccessControl.CommonSecurityDescriptor" /> class from the specified <see cref="T:System.Security.AccessControl.RawSecurityDescriptor" /> object.</summary><param name="isContainer">true if the new security descriptor is associated with a container object.</param><param name="isDS">true if the new security descriptor is associated with a directory object.</param><param name="rawSecurityDescriptor">The <see cref="T:System.Security.AccessControl.RawSecurityDescriptor" /> object from which to create the new <see cref="T:System.Security.AccessControl.CommonSecurityDescriptor" /> object.</param> public CommonSecurityDescriptor(bool isContainer, bool isDS, RawSecurityDescriptor rawSecurityDescriptor) { throw new NotImplementedException(); }
public void GetSddlForm () { RawSecurityDescriptor sd = new RawSecurityDescriptor (""); Assert.AreEqual ("", sd.GetSddlForm (AccessControlSections.All)); // Ask for part of SD that isn't represented sd.Owner = new SecurityIdentifier (WellKnownSidType.BuiltinUsersSid, null); sd.Group = new SecurityIdentifier (WellKnownSidType.BuiltinAdministratorsSid, null); Assert.AreEqual ("", sd.GetSddlForm (AccessControlSections.Access)); // Empty ACL form sd.DiscretionaryAcl = new RawAcl (2, 0); sd.SystemAcl = new RawAcl (1, 0); sd.SetFlags (sd.ControlFlags | ControlFlags.DiscretionaryAclPresent | ControlFlags.SystemAclPresent); Assert.AreEqual ("O:BUG:BAD:S:", sd.GetSddlForm (AccessControlSections.All)); // Add an ACE to the DACL SecurityIdentifier builtInAdmins = new SecurityIdentifier (WellKnownSidType.BuiltinAdministratorsSid, null); CommonAce ace = new CommonAce (AceFlags.None, AceQualifier.AccessAllowed, 0x7FFFFFFF, builtInAdmins, false, null); sd.DiscretionaryAcl.InsertAce (0, ace); Assert.AreEqual ("O:BUG:BAD:(A;;0x7fffffff;;;BA)S:", sd.GetSddlForm (AccessControlSections.All)); // Add second ACE to the DACL SecurityIdentifier randomUser = new SecurityIdentifier ("S-1-5-21-324-23423-234-334"); ace = new CommonAce (AceFlags.Inherited | AceFlags.ContainerInherit, AceQualifier.AccessDenied, 0x12345678, randomUser, true, null); sd.DiscretionaryAcl.InsertAce (0, ace); Assert.AreEqual ("O:BUD:(XD;CIID;0x12345678;;;S-1-5-21-324-23423-234-334)(A;;0x7fffffff;;;BA)", sd.GetSddlForm (AccessControlSections.Owner | AccessControlSections.Access)); // DACL & SACL flags sd.SetFlags (sd.ControlFlags | ControlFlags.DiscretionaryAclProtected | ControlFlags.DiscretionaryAclAutoInherited | ControlFlags.DiscretionaryAclAutoInheritRequired | ControlFlags.SystemAclAutoInherited); sd.DiscretionaryAcl = new RawAcl (1, 0); ace = new CommonAce (AceFlags.None, AceQualifier.AccessAllowed, 0x7FFFFFFF, builtInAdmins, false, null); sd.DiscretionaryAcl.InsertAce (0, ace); Assert.AreEqual ("O:BUG:BAD:PARAI(A;;0x7fffffff;;;BA)S:AI", sd.GetSddlForm (AccessControlSections.All)); sd.SetFlags (sd.ControlFlags | ControlFlags.ServerSecurity | ControlFlags.DiscretionaryAclDefaulted); Assert.AreEqual ("O:BUG:BAD:PARAI(A;;0x7fffffff;;;BA)S:AI", sd.GetSddlForm (AccessControlSections.All)); }
private void DoSetSecurity(File file, RawSecurityDescriptor securityDescriptor) { NtfsStream legacyStream = file.GetStream(AttributeType.SecurityDescriptor, null); if (legacyStream != null) { SecurityDescriptor sd = new SecurityDescriptor(); sd.Descriptor = securityDescriptor; legacyStream.SetContent(sd); } else { uint id = _context.SecurityDescriptors.AddDescriptor(securityDescriptor); // Update the standard information attribute - so it reflects the actual file state NtfsStream stream = file.GetStream(AttributeType.StandardInformation, null); StandardInformation si = stream.GetContent<StandardInformation>(); si.SecurityId = id; stream.SetContent(si); // Write attribute changes back to the Master File Table file.UpdateRecordInMft(); } }
/// <summary>The SetServiceObjectSecurity function sets the security descriptor of a service object.</summary> /// <param name="hService"> /// A handle to the service. This handle is returned by the <see cref="OpenService" /> or /// <see cref="CreateService(SafeServiceHandle,string,string,ACCESS_MASK,ServiceType,ServiceStartType,ServiceErrorControl,string,string,int, string,string,string)" /> function. The access required for this handle depends on the security information /// specified in the <paramref name="dwSecurityInformation" /> parameter. /// </param> /// <param name="dwSecurityInformation"> /// Specifies the components of the security descriptor to set. This parameter can be a /// combination of the following values : <see cref="SECURITY_INFORMATION.DACL_SECURITY_INFORMATION" />, /// <see cref="SECURITY_INFORMATION.GROUP_SECURITY_INFORMATION" />, /// <see cref="SECURITY_INFORMATION.OWNER_SECURITY_INFORMATION" />, /// <see cref="SECURITY_INFORMATION.SACL_SECURITY_INFORMATION" />. Note that flags not handled by /// SetServiceObjectSecurity will be silently ignored. /// </param> /// <param name="lpSecurityDescriptor">The new security information.</param> public static void SetServiceObjectSecurity( SafeServiceHandle hService, SECURITY_INFORMATION dwSecurityInformation, RawSecurityDescriptor lpSecurityDescriptor) { var binaryForm = new byte[lpSecurityDescriptor.BinaryLength]; lpSecurityDescriptor.GetBinaryForm(binaryForm, 0); if (!SetServiceObjectSecurity(hService, dwSecurityInformation, binaryForm)) { throw new Win32Exception(); } }
public CommonSecurityDescriptor(bool isContainer, bool isDS, RawSecurityDescriptor rawSecurityDescriptor) : this(isContainer, isDS, rawSecurityDescriptor, false) { }
public RawSecurityDescriptor(string sddlForm) : this(RawSecurityDescriptor.BinaryFormFromSddlForm(sddlForm), 0) { }
public static IEnumerable <ACL> Get_DomainObjectAcl(Args_Get_DomainObjectAcl args = null) { if (args == null) { args = new Args_Get_DomainObjectAcl(); } var SearcherArguments = new Args_Get_DomainSearcher { Properties = new[] { "samaccountname", "ntsecuritydescriptor", "distinguishedname", "objectsid" }, SecurityMasks = args.Sacl ? SecurityMasks.Sacl : SecurityMasks.Dacl, Domain = args.Domain, SearchBase = args.SearchBase, Server = args.Server, SearchScope = args.SearchScope, ResultPageSize = args.ResultPageSize, ServerTimeLimit = args.ServerTimeLimit, Tombstone = args.Tombstone, Credential = args.Credential }; var Searcher = GetDomainSearcher.Get_DomainSearcher(SearcherArguments); var DomainGUIDMapArguments = new Args_Get_DomainGUIDMap { Domain = args.Domain, Server = args.Server, ResultPageSize = args.ResultPageSize, ServerTimeLimit = args.ServerTimeLimit, Credential = args.Credential }; // get a GUID -> name mapping IDictionary <string, string> GUIDs = null; if (args.ResolveGUIDs) { GUIDs = GetDomainGUIDMap.Get_DomainGUIDMap(DomainGUIDMapArguments); } var ACLs = new List <ACL>(); if (Searcher != null) { var IdentityFilter = ""; var Filter = ""; if (args.Identity != null) { foreach (var item in args.Identity) { var IdentityInstance = item.Replace(@"(", @"\28").Replace(@")", @"\29"); if (IdentityInstance.IsRegexMatch(@"^S-1-.*")) { IdentityFilter += $@"(objectsid={IdentityInstance})"; } else if (IdentityInstance.IsRegexMatch(@"^(CN|OU|DC)=.*")) { IdentityFilter += $@"(distinguishedname={IdentityInstance})"; if (args.Domain.IsNullOrEmpty() && args.SearchBase.IsNullOrEmpty()) { // if a -Domain isn't explicitly set, extract the object domain out of the distinguishedname // and rebuild the domain searcher var IdentityDomain = IdentityInstance.Substring(IdentityInstance.IndexOf("DC=")).Replace("DC=", "").Replace(",", "."); Logger.Write_Verbose($@"[Get-DomainObjectAcl] Extracted domain '{IdentityDomain}' from '{IdentityInstance}'"); SearcherArguments.Domain = IdentityDomain; Searcher = GetDomainSearcher.Get_DomainSearcher(SearcherArguments); if (Searcher == null) { Logger.Write_Warning($@"[Get-DomainObjectAcl] Unable to retrieve domain searcher for '{IdentityDomain}'"); } } } else if (IdentityInstance.IsRegexMatch(@"^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$")) { var GuidByteString = string.Join(string.Empty, Guid.Parse(IdentityInstance).ToByteArray().Select(x => x.ToString(@"\X2"))); IdentityFilter += $@"(objectguid={GuidByteString})"; } else if (IdentityInstance.Contains('.')) { IdentityFilter += $@"(|(samAccountName={IdentityInstance})(name={IdentityInstance})(dnshostname={IdentityInstance}))"; } else { IdentityFilter += $@"(|(samAccountName={IdentityInstance})(name={IdentityInstance})(displayname={IdentityInstance}))"; } } } if (IdentityFilter != null && IdentityFilter.Trim() != "") { Filter += $@"(|{IdentityFilter})"; } if (args.LDAPFilter.IsNotNullOrEmpty()) { Logger.Write_Verbose($@"[Get-DomainObjectAcl] Using additional LDAP filter: {args.LDAPFilter}"); Filter += $@"{args.LDAPFilter}"; } if (Filter.IsNotNullOrEmpty()) { Searcher.Filter = $@"(&{Filter})"; } Logger.Write_Verbose($@"[Get-DomainObjectAcl] Get-DomainObjectAcl filter string: {Searcher.Filter}"); var Results = Searcher.FindAll(); foreach (SearchResult result in Results) { var Object = result.Properties; string ObjectSid = null; if (Object["objectsid"] != null && Object["objectsid"].Count > 0 && Object["objectsid"][0] != null) { ObjectSid = new System.Security.Principal.SecurityIdentifier(Object["objectsid"][0] as byte[], 0).Value; } else { ObjectSid = null; } try { var rsd = new System.Security.AccessControl.RawSecurityDescriptor(Object["ntsecuritydescriptor"][0] as byte[], 0); var rawAcl = args.Sacl ? rsd.SystemAcl : rsd.DiscretionaryAcl; foreach (var ace in rawAcl) { var acl = new ACL { Ace = ace }; bool Continue = false; if (args.RightsFilter != null) { string GuidFilter = null; switch (args.RightsFilter.Value) { case Rights.ResetPassword: GuidFilter = "00299570-246d-11d0-a768-00aa006e0529"; break; case Rights.WriteMembers: GuidFilter = "bf9679c0-0de6-11d0-a285-00aa003049e2"; break; default: GuidFilter = "00000000-0000-0000-0000-000000000000"; break; } if (ace is System.Security.AccessControl.ObjectAccessRule) { if (string.Compare(((object)ace as System.Security.AccessControl.ObjectAccessRule).ObjectType.ToString(), GuidFilter, StringComparison.OrdinalIgnoreCase) == 0) { acl.ObjectDN = Object["distinguishedname"][0] as string; acl.ObjectSID = ObjectSid; Continue = true; } } } else { acl.ObjectDN = Object["distinguishedname"][0] as string; acl.ObjectSID = ObjectSid; Continue = true; } if (Continue) { if (ace is System.Security.AccessControl.KnownAce) { acl.ActiveDirectoryRights = (System.DirectoryServices.ActiveDirectoryRights)(ace as System.Security.AccessControl.KnownAce).AccessMask; } if (GUIDs != null) { // if we're resolving GUIDs, map them them to the resolved hash table if (ace is ObjectAce) { try { (acl.Ace as ObjectAce).ObjectAceType = new Guid(GUIDs[(ace as ObjectAce).ObjectAceType.ToString()]); } catch { } try { (acl.Ace as ObjectAce).InheritedObjectAceType = new Guid(GUIDs[(ace as ObjectAce).InheritedObjectAceType.ToString()]); } catch { } } else if (ace is ObjectAccessRule) { /*try { (acl.Ace as ObjectAccessRule).ObjectType = new Guid(GUIDs[(ace as ObjectAccessRule).ObjectType.ToString()]); } * catch { } * try { (acl.Ace as ObjectAccessRule).InheritedObjectType = new Guid(GUIDs[(ace as ObjectAccessRule).InheritedObjectType.ToString()]); } * catch { }*/ } } ACLs.Add(acl); } } } catch (Exception e) { Logger.Write_Verbose($@"[Get-DomainObjectAcl] Error: {e}"); } } } return(ACLs); }
public static LDAPProperty Convert_LDAPProperty(System.DirectoryServices.ResultPropertyCollection Properties) { var ObjectProperties = new LDAPProperty(); foreach (string propName in Properties.PropertyNames) { if (string.Compare(propName, @"adspath", StringComparison.OrdinalIgnoreCase) != 0) { if (string.Compare(propName, @"objectsid", StringComparison.OrdinalIgnoreCase) == 0 || string.Compare(propName, @"sidhistory", StringComparison.OrdinalIgnoreCase) == 0) { // convert all listed sids (i.e. if multiple are listed in sidHistory) var values = new List <string>(); foreach (var property in Properties[propName]) { var sid = new System.Security.Principal.SecurityIdentifier(property as byte[], 0); values.Add(sid.Value); } if (string.Compare(propName, @"objectsid", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.objectsid = values.ToArray(); } else { ObjectProperties.sidhistory = values.ToArray(); } } else if (string.Compare(propName, @"grouptype", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.grouptype = (GroupType)Properties[propName][0]; } else if (string.Compare(propName, @"samaccounttype", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.samaccounttype = (SamAccountType)Properties[propName][0]; } else if (string.Compare(propName, @"objectguid", StringComparison.OrdinalIgnoreCase) == 0) { // convert the GUID to a string ObjectProperties.objectguid = new Guid(Properties[propName][0] as byte[]).ToString(); } else if (string.Compare(propName, @"useraccountcontrol", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.useraccountcontrol = (UACEnumValue)Properties[propName][0]; } else if (string.Compare(propName, @"ntsecuritydescriptor", StringComparison.OrdinalIgnoreCase) == 0) { // $ObjectProperties[$_] = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $Properties[$_][0], 0 var Descriptor = new System.Security.AccessControl.RawSecurityDescriptor(Properties[propName][0] as byte[], 0); if (Descriptor.Owner != null) { ObjectProperties.Owner = Descriptor.Owner; } if (Descriptor.Group != null) { ObjectProperties.Group = Descriptor.Group; } if (Descriptor.DiscretionaryAcl != null) { ObjectProperties.DiscretionaryAcl = Descriptor.DiscretionaryAcl; } if (Descriptor.SystemAcl != null) { ObjectProperties.SystemAcl = Descriptor.SystemAcl; } } else if (string.Compare(propName, @"accountexpires", StringComparison.OrdinalIgnoreCase) == 0) { if ((long)Properties[propName][0] >= DateTime.MaxValue.Ticks) { ObjectProperties.accountexpires = "NEVER"; } else { ObjectProperties.accountexpires = DateTime.FromFileTime((long)Properties[propName][0]); } } else if (string.Compare(propName, @"lastlogon", StringComparison.OrdinalIgnoreCase) == 0 || string.Compare(propName, @"lastlogontimestamp", StringComparison.OrdinalIgnoreCase) == 0 || string.Compare(propName, @"pwdlastset", StringComparison.OrdinalIgnoreCase) == 0 || string.Compare(propName, @"lastlogoff", StringComparison.OrdinalIgnoreCase) == 0 || string.Compare(propName, @"badPasswordTime", StringComparison.OrdinalIgnoreCase) == 0 || string.Compare(propName, @"whencreated", StringComparison.OrdinalIgnoreCase) == 0 || string.Compare(propName, @"whenchanged", StringComparison.OrdinalIgnoreCase) == 0) { DateTime dt; // convert timestamps if (Properties[propName][0] is System.MarshalByRefObject) { // if we have a System.__ComObject var Temp = Properties[propName][0]; var High = (Int32)Temp.GetType().InvokeMember("HighPart", System.Reflection.BindingFlags.GetProperty, null, Temp, null); var Low = (Int32)Temp.GetType().InvokeMember("LowPart", System.Reflection.BindingFlags.GetProperty, null, Temp, null); dt = DateTime.FromFileTime(Int64.Parse(string.Format("0x{0:x8}{1:x8}", High, Low))); } if (Properties[propName][0] is System.DateTime) { dt = (DateTime)Properties[propName][0]; } else { // otherwise just a string dt = DateTime.FromFileTime((long)Properties[propName][0]); } if (string.Compare(propName, @"lastlogon", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.lastlogon = dt; } else if (string.Compare(propName, @"lastlogontimestamp", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.lastlogontimestamp = dt; } else if (string.Compare(propName, @"pwdlastset", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.pwdlastset = dt; } else if (string.Compare(propName, @"lastlogoff", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.lastlogoff = dt; } else if (string.Compare(propName, @"badPasswordTime", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.badPasswordTime = dt; } else if (string.Compare(propName, @"whencreated", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.whencreated = dt; } else if (string.Compare(propName, @"whenchanged", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.whenchanged = dt; } } else if (string.Compare(propName, @"name", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.name = Properties[propName][0] as string; } else if (string.Compare(propName, @"distinguishedname", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.distinguishedname = Properties[propName][0] as string; } else if (string.Compare(propName, @"dnsrecord", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.dnsrecord = Properties[propName][0]; } else if (string.Compare(propName, @"samaccountname", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.samaccountname = Properties[propName][0] as string; } else if (string.Compare(propName, @"member", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.member = Properties[propName].GetValues <string>().ToArray(); } else if (string.Compare(propName, @"memberof", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.memberof = Properties[propName].GetValues <string>().ToArray(); } else if (string.Compare(propName, @"cn", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.cn = Properties[propName].GetValues <string>().ToArray(); } else if (string.Compare(propName, @"objectclass", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.objectclass = Properties[propName].GetValues <string>().ToArray(); } else if (string.Compare(propName, @"managedby", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.managedby = Properties[propName][0] as string; } else if (string.Compare(propName, @"siteobject", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.siteobject = Properties[propName][0] as string; } else if (string.Compare(propName, @"ServicePrincipalName", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.ServicePrincipalName = Properties[propName][0] as string; } else if (string.Compare(propName, @"dnshostname", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.dnshostname = Properties[propName][0] as string; } else if (string.Compare(propName, @"gplink", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.gplink = Properties[propName][0] as string; } else if (string.Compare(propName, @"gpoptions", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.gpoptions = (int)Properties[propName][0]; } else if (string.Compare(propName, @"displayname", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.displayname = Properties[propName][0] as string; } else if (string.Compare(propName, @"path", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.path = Properties[propName][0] as string; } else if (string.Compare(propName, @"siteobjectbl", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.siteobjectbl = Properties[propName][0] as string; } else if (Properties[propName][0] is System.MarshalByRefObject) { // try to convert misc com objects var Prop = Properties[propName]; try { var Temp = Properties[propName][0]; var High = (Int32)Temp.GetType().InvokeMember("HighPart", System.Reflection.BindingFlags.GetProperty, null, Temp, null); var Low = (Int32)Temp.GetType().InvokeMember("LowPart", System.Reflection.BindingFlags.GetProperty, null, Temp, null); ObjectProperties.others.Add(propName, Int64.Parse(string.Format("0x{0:x8}{1:x8}", High, Low))); } catch (Exception e) { Logger.Write_Verbose($@"[Convert-LDAPProperty] error: {e}"); ObjectProperties.others.Add(propName, Prop[0]); } } else if (Properties[propName].Count == 1) { ObjectProperties.others.Add(propName, Properties[propName][0]); } else { ObjectProperties.others.Add(propName, Properties[propName]); } } } return(ObjectProperties); }
[HandleProcessCorruptedStateExceptions] // #endif // FEATURE_CORRUPTING_EXCEPTIONS internal static int GetSecurityInfo( ResourceType resourceType, string name, SafeHandle handle, AccessControlSections accessControlSections, out RawSecurityDescriptor resultSd ) { resultSd = null; // // Demand unmanaged code permission // The integrator layer is free to assert this permission // and, in turn, demand another permission of its caller // new SecurityPermission(SecurityPermissionFlag.UnmanagedCode).Demand(); int errorCode; IntPtr SidOwner, SidGroup, Dacl, Sacl, ByteArray; SecurityInfos SecurityInfos = 0; Privilege privilege = null; if ((accessControlSections & AccessControlSections.Owner) != 0) { SecurityInfos |= SecurityInfos.Owner; } if ((accessControlSections & AccessControlSections.Group) != 0) { SecurityInfos |= SecurityInfos.Group; } if ((accessControlSections & AccessControlSections.Access) != 0) { SecurityInfos |= SecurityInfos.DiscretionaryAcl; } if ((accessControlSections & AccessControlSections.Audit) != 0) { SecurityInfos |= SecurityInfos.SystemAcl; privilege = new Privilege(Privilege.Security); } // Ensure that the finally block will execute RuntimeHelpers.PrepareConstrainedRegions(); try { if (privilege != null) { try { privilege.Enable(); } catch (PrivilegeNotHeldException) { // we will ignore this exception and press on just in case this is a remote resource } } if (name != null) { errorCode = ( int )Win32Native.GetSecurityInfoByName(name, ( uint )resourceType, ( uint )SecurityInfos, out SidOwner, out SidGroup, out Dacl, out Sacl, out ByteArray); } else if (handle != null) { if (handle.IsInvalid) { throw new ArgumentException( Environment.GetResourceString("Argument_InvalidSafeHandle"), "handle"); } else { errorCode = ( int )Win32Native.GetSecurityInfoByHandle(handle, ( uint )resourceType, ( uint )SecurityInfos, out SidOwner, out SidGroup, out Dacl, out Sacl, out ByteArray); } } else { // both are null, shouldn't happen throw new SystemException(); } if (errorCode == Win32Native.ERROR_SUCCESS && IntPtr.Zero.Equals(ByteArray)) { // // This means that the object doesn't have a security descriptor. And thus we throw // a specific exception for the caller to catch and handle properly. // throw new InvalidOperationException(Environment.GetResourceString("InvalidOperation_NoSecurityDescriptor")); } else if (errorCode == Win32Native.ERROR_NOT_ALL_ASSIGNED || errorCode == Win32Native.ERROR_PRIVILEGE_NOT_HELD) { throw new PrivilegeNotHeldException(Privilege.Security); } else if (errorCode == Win32Native.ERROR_ACCESS_DENIED || errorCode == Win32Native.ERROR_CANT_OPEN_ANONYMOUS) { throw new UnauthorizedAccessException(); } if (errorCode != Win32Native.ERROR_SUCCESS) { goto Error; } } catch { // protection against exception filter-based luring attacks if (privilege != null) { privilege.Revert(); } throw; } finally { if (privilege != null) { privilege.Revert(); } } // // Extract data from the returned pointer // uint Length = Win32Native.GetSecurityDescriptorLength(ByteArray); byte[] BinaryForm = new byte[Length]; Marshal.Copy(ByteArray, BinaryForm, 0, ( int )Length); Win32Native.LocalFree(ByteArray); resultSd = new RawSecurityDescriptor(BinaryForm, 0); return(Win32Native.ERROR_SUCCESS); Error: if (errorCode == Win32Native.ERROR_NOT_ENOUGH_MEMORY) { throw new OutOfMemoryException(); } return(errorCode); }
private void UpdateWithNewSecurityDescriptor( RawSecurityDescriptor newOne, AccessControlSections includeSections ) { Contract.Assert( newOne != null, "Must not supply a null parameter here" ); if (( includeSections & AccessControlSections.Owner ) != 0 ) { _ownerModified = true; _securityDescriptor.Owner = newOne.Owner; } if (( includeSections & AccessControlSections.Group ) != 0 ) { _groupModified = true; _securityDescriptor.Group = newOne.Group; } if (( includeSections & AccessControlSections.Audit ) != 0 ) { _saclModified = true; if ( newOne.SystemAcl != null ) { _securityDescriptor.SystemAcl = new SystemAcl( IsContainer, IsDS, newOne.SystemAcl, true ); } else { _securityDescriptor.SystemAcl = null; } // carry forward the SACL related control flags _securityDescriptor.UpdateControlFlags(SACL_CONTROL_FLAGS, (ControlFlags)(newOne.ControlFlags & SACL_CONTROL_FLAGS)); } if (( includeSections & AccessControlSections.Access ) != 0 ) { _daclModified = true; if ( newOne.DiscretionaryAcl != null ) { _securityDescriptor.DiscretionaryAcl = new DiscretionaryAcl( IsContainer, IsDS, newOne.DiscretionaryAcl, true ); } else { _securityDescriptor.DiscretionaryAcl = null; } // by the following property set, the _securityDescriptor's control flags // may contains DACL present flag. That needs to be carried forward! Therefore, we OR // the current _securityDescriptor.s DACL present flag. ControlFlags daclFlag = (_securityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclPresent); _securityDescriptor.UpdateControlFlags(DACL_CONTROL_FLAGS, (ControlFlags)((newOne.ControlFlags | daclFlag) & DACL_CONTROL_FLAGS)); } }
internal CommonSecurityDescriptor(bool isContainer, bool isDS, RawSecurityDescriptor rawSecurityDescriptor, bool trusted) { if (rawSecurityDescriptor == null) { throw new ArgumentNullException(nameof(rawSecurityDescriptor)); } Contract.EndContractBlock(); CreateFromParts( isContainer, isDS, rawSecurityDescriptor.ControlFlags, rawSecurityDescriptor.Owner, rawSecurityDescriptor.Group, rawSecurityDescriptor.SystemAcl == null ? null : new SystemAcl(isContainer, isDS, rawSecurityDescriptor.SystemAcl, trusted), rawSecurityDescriptor.DiscretionaryAcl == null ? null : new DiscretionaryAcl(isContainer, isDS, rawSecurityDescriptor.DiscretionaryAcl, trusted)); }
/// <summary> /// Sets the security descriptor associated with the file or directory. /// </summary> /// <param name="path">The file or directory to change.</param> /// <param name="securityDescriptor">The new security descriptor.</param> public void SetSecurity(string path, RawSecurityDescriptor securityDescriptor) { using (new NtfsTransaction()) { DirectoryEntry dirEntry = GetDirectoryEntry(path); if (dirEntry == null) { throw new FileNotFoundException("File not found", path); } else { File file = GetFile(dirEntry.Reference); DoSetSecurity(file, securityDescriptor); // Update the directory entry used to open the file dirEntry.UpdateFrom(file); } } }
private static void CanonicalizeDacl(NativeObjectSecurity objectSecurity) { if (objectSecurity == null) { throw new ArgumentNullException("objectSecurity"); } if (objectSecurity.AreAccessRulesCanonical) { return; } // A canonical ACL must have ACES sorted according to the following order: // 1. Access-denied on the object // 2. Access-denied on a child or property // 3. Access-allowed on the object // 4. Access-allowed on a child or property // 5. All inherited ACEs RawSecurityDescriptor descriptor = new RawSecurityDescriptor(objectSecurity.GetSecurityDescriptorSddlForm(AccessControlSections.Access)); List<CommonAce> implicitDenyDacl = new List<CommonAce>(); List<CommonAce> implicitDenyObjectDacl = new List<CommonAce>(); List<CommonAce> inheritedDacl = new List<CommonAce>(); List<CommonAce> implicitAllowDacl = new List<CommonAce>(); List<CommonAce> implicitAllowObjectDacl = new List<CommonAce>(); foreach (CommonAce ace in descriptor.DiscretionaryAcl) { if ((ace.AceFlags & AceFlags.Inherited) == AceFlags.Inherited) { inheritedDacl.Add(ace); } else { switch (ace.AceType) { case AceType.AccessAllowed: implicitAllowDacl.Add(ace); break; case AceType.AccessDenied: implicitDenyDacl.Add(ace); break; case AceType.AccessAllowedObject: implicitAllowObjectDacl.Add(ace); break; case AceType.AccessDeniedObject: implicitDenyObjectDacl.Add(ace); break; } } } Int32 aceIndex = 0; RawAcl newDacl = new RawAcl(descriptor.DiscretionaryAcl.Revision, descriptor.DiscretionaryAcl.Count); implicitDenyDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x)); implicitDenyObjectDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x)); implicitAllowDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x)); implicitAllowObjectDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x)); inheritedDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x)); if (aceIndex != descriptor.DiscretionaryAcl.Count) { System.Diagnostics.Debug.Fail("The DACL cannot be canonicalized since it would potentially result in a loss of information"); return; } descriptor.DiscretionaryAcl = newDacl; objectSecurity.SetSecurityDescriptorSddlForm(descriptor.GetSddlForm(AccessControlSections.Access), AccessControlSections.Access); }
public void FlagMismatch () { // Check setting DACL-present flag on empty SD RawSecurityDescriptor sd = new RawSecurityDescriptor (""); Assert.AreEqual (20, sd.BinaryLength); sd.SetFlags (ControlFlags.DiscretionaryAclPresent); Assert.AreEqual (20, sd.BinaryLength); byte[] buffer = new byte[sd.BinaryLength]; sd.GetBinaryForm (buffer, 0); byte[] sdBinary = new byte[] { 0x01, 0x00, 0x04, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; Assert.AreEqual (sdBinary, buffer); // Check unsetting DACL-present flag on SD with DACL sd = new RawSecurityDescriptor ("O:BUG:BAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)"); Assert.AreEqual (80, sd.BinaryLength); sd.SetFlags (sd.ControlFlags & ~ControlFlags.DiscretionaryAclPresent); Assert.AreEqual (ControlFlags.SelfRelative, sd.ControlFlags); Assert.AreEqual (52, sd.BinaryLength); buffer = new byte[sd.BinaryLength]; sd.GetBinaryForm (buffer, 0); sdBinary = new byte[] { 0x01, 0x00, 0x00, 0x80, 0x14, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x21, 0x02, 0x00, 0x00, 0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x20, 0x02, 0x00, 0x00 }; Assert.AreEqual (sdBinary, buffer); }
internal static int GetSecurityInfo(ResourceType resourceType, string name, SafeHandle handle, AccessControlSections accessControlSections, out RawSecurityDescriptor resultSd) { resultSd = null; new SecurityPermission(SecurityPermissionFlag.UnmanagedCode).Demand(); SecurityInfos securityInfos = (SecurityInfos)0; Privilege privilege = null; if ((accessControlSections & AccessControlSections.Owner) != AccessControlSections.None) { securityInfos |= SecurityInfos.Owner; } if ((accessControlSections & AccessControlSections.Group) != AccessControlSections.None) { securityInfos |= SecurityInfos.Group; } if ((accessControlSections & AccessControlSections.Access) != AccessControlSections.None) { securityInfos |= SecurityInfos.DiscretionaryAcl; } if ((accessControlSections & AccessControlSections.Audit) != AccessControlSections.None) { securityInfos |= SecurityInfos.SystemAcl; privilege = new Privilege("SeSecurityPrivilege"); } RuntimeHelpers.PrepareConstrainedRegions(); IntPtr intPtr5; int num; try { if (privilege != null) { try { privilege.Enable(); } catch (PrivilegeNotHeldException) { } } if (name != null) { IntPtr intPtr; IntPtr intPtr2; IntPtr intPtr3; IntPtr intPtr4; num = (int)Win32Native.GetSecurityInfoByName(name, (uint)resourceType, (uint)securityInfos, out intPtr, out intPtr2, out intPtr3, out intPtr4, out intPtr5); } else { if (handle == null) { throw new SystemException(); } if (handle.IsInvalid) { throw new ArgumentException(Environment.GetResourceString("Argument_InvalidSafeHandle"), "handle"); } IntPtr intPtr; IntPtr intPtr2; IntPtr intPtr3; IntPtr intPtr4; num = (int)Win32Native.GetSecurityInfoByHandle(handle, (uint)resourceType, (uint)securityInfos, out intPtr, out intPtr2, out intPtr3, out intPtr4, out intPtr5); } if (num == 0 && IntPtr.Zero.Equals(intPtr5)) { throw new InvalidOperationException(Environment.GetResourceString("InvalidOperation_NoSecurityDescriptor")); } if (num == 1300 || num == 1314) { throw new PrivilegeNotHeldException("SeSecurityPrivilege"); } if (num == 5 || num == 1347) { throw new UnauthorizedAccessException(); } if (num != 0) { goto IL_162; } } catch { if (privilege != null) { privilege.Revert(); } throw; } finally { if (privilege != null) { privilege.Revert(); } } uint securityDescriptorLength = Win32Native.GetSecurityDescriptorLength(intPtr5); byte[] array = new byte[securityDescriptorLength]; Marshal.Copy(intPtr5, array, 0, (int)securityDescriptorLength); Win32Native.LocalFree(intPtr5); resultSd = new RawSecurityDescriptor(array, 0); return(0); IL_162: if (num == 8) { throw new OutOfMemoryException(); } return(num); }
public void GetBinaryForm () { RawSecurityDescriptor sd = new RawSecurityDescriptor (""); sd.Owner = new SecurityIdentifier (WellKnownSidType.BuiltinUsersSid, null); sd.Group = new SecurityIdentifier (WellKnownSidType.BuiltinAdministratorsSid, null); sd.DiscretionaryAcl = new RawAcl (1, 0); sd.SystemAcl = new RawAcl (1, 0); sd.SetFlags (sd.ControlFlags | ControlFlags.DiscretionaryAclPresent | ControlFlags.SystemAclPresent); // Empty ACL form byte[] buffer = new byte[sd.BinaryLength]; sd.GetBinaryForm (buffer, 0); byte[] sdBinary = new byte[] { 0x01, 0x00, 0x14, 0x80, 0x14, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0x34, 0x00, 0x00, 0x00, 0x3C, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x21, 0x02, 0x00, 0x00, 0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x20, 0x02, 0x00, 0x00, 0x01, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00 }; Assert.AreEqual (sdBinary, buffer); // Add an ACE to the DACL SecurityIdentifier builtInAdmins = new SecurityIdentifier (WellKnownSidType.BuiltinAdministratorsSid, null); CommonAce ace = new CommonAce (AceFlags.None, AceQualifier.AccessAllowed, 0x7FFFFFFF, builtInAdmins, false, null); sd.DiscretionaryAcl.InsertAce (0, ace); buffer = new byte[sd.BinaryLength]; sd.GetBinaryForm (buffer, 0); sdBinary = new byte[] { 0x01, 0x00, 0x14, 0x80, 0x14, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0x34, 0x00, 0x00, 0x00, 0x3C, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x21, 0x02, 0x00, 0x00, 0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x20, 0x02, 0x00, 0x00, 0x01, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x00, 0xFF, 0xFF, 0xFF, 0x7F, 0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x20, 0x02, 0x00, 0x00 }; Assert.AreEqual (sdBinary, buffer); // This time with an Object ACE ObjectAce objectAce = new ObjectAce (AceFlags.Inherited, AceQualifier.AccessAllowed, 0x12345678, builtInAdmins, ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent, new Guid ("189c0dc7-b849-4dea-93a5-6d4cb8857a5c"), new Guid ("53b4a3d4-fe39-468b-bc60-b4fcba772fa5"), false, null); sd.DiscretionaryAcl = new RawAcl (2, 0); sd.DiscretionaryAcl.InsertAce (0, objectAce); buffer = new byte[sd.BinaryLength]; sd.GetBinaryForm (buffer, 0); sdBinary = new byte[] { 0x01, 0x00, 0x14, 0x80, 0x14, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0x34, 0x00, 0x00, 0x00, 0x3C, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x21, 0x02, 0x00, 0x00, 0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x20, 0x02, 0x00, 0x00, 0x01, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x44, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x10, 0x3C, 0x00, 0x78, 0x56, 0x34, 0x12, 0x03, 0x00, 0x00, 0x00, 0xC7, 0x0D, 0x9C, 0x18, 0x49, 0xB8, 0xEA, 0x4D, 0x93, 0xA5, 0x6D, 0x4C, 0xB8, 0x85, 0x7A, 0x5C, 0xD4, 0xA3, 0xB4, 0x53, 0x39, 0xFE, 0x8B, 0x46, 0xBC, 0x60, 0xB4, 0xFC, 0xBA, 0x77, 0x2F, 0xA5, 0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x20, 0x02, 0x00, 0x00 }; Assert.AreEqual (sdBinary, buffer); }
public CommonSecurityDescriptor(bool isContainer, bool isDS, RawSecurityDescriptor rawSecurityDescriptor) { }
// // Wrapper around advapi32.GetSecurityInfo // internal static int GetSecurityInfo( ResourceType resourceType, string name, SafeHandle handle, AccessControlSections accessControlSections, out RawSecurityDescriptor resultSd ) { resultSd = null; int errorCode; IntPtr SidOwner, SidGroup, Dacl, Sacl, ByteArray; SecurityInfos SecurityInfos = 0; Privilege privilege = null; if ((accessControlSections & AccessControlSections.Owner) != 0) { SecurityInfos |= SecurityInfos.Owner; } if ((accessControlSections & AccessControlSections.Group) != 0) { SecurityInfos |= SecurityInfos.Group; } if ((accessControlSections & AccessControlSections.Access) != 0) { SecurityInfos |= SecurityInfos.DiscretionaryAcl; } if ((accessControlSections & AccessControlSections.Audit) != 0) { SecurityInfos |= SecurityInfos.SystemAcl; privilege = new Privilege(Privilege.Security); } try { if (privilege != null) { try { privilege.Enable(); } catch (PrivilegeNotHeldException) { // we will ignore this exception and press on just in case this is a remote resource } } if (name != null) { errorCode = (int)Interop.mincore.GetSecurityInfoByName(name, (uint)resourceType, (uint)SecurityInfos, out SidOwner, out SidGroup, out Dacl, out Sacl, out ByteArray); } else if (handle != null) { if (handle.IsInvalid) { throw new ArgumentException( SR.Argument_InvalidSafeHandle, nameof(handle)); } else { errorCode = (int)Interop.mincore.GetSecurityInfoByHandle(handle, (uint)resourceType, (uint)SecurityInfos, out SidOwner, out SidGroup, out Dacl, out Sacl, out ByteArray); } } else { // both are null, shouldn't happen // Changing from SystemException to ArgumentException as this code path is indicative of a null name argument // as well as an accessControlSections argument with an audit flag throw new ArgumentException(); } if (errorCode == Interop.mincore.Errors.ERROR_SUCCESS && IntPtr.Zero.Equals(ByteArray)) { // // This means that the object doesn't have a security descriptor. And thus we throw // a specific exception for the caller to catch and handle properly. // throw new InvalidOperationException(SR.InvalidOperation_NoSecurityDescriptor); } else if (errorCode == Interop.mincore.Errors.ERROR_NOT_ALL_ASSIGNED || errorCode == Interop.mincore.Errors.ERROR_PRIVILEGE_NOT_HELD) { throw new PrivilegeNotHeldException(Privilege.Security); } else if (errorCode == Interop.mincore.Errors.ERROR_ACCESS_DENIED || errorCode == Interop.mincore.Errors.ERROR_CANT_OPEN_ANONYMOUS) { throw new UnauthorizedAccessException(); } if (errorCode != Interop.mincore.Errors.ERROR_SUCCESS) { goto Error; } } catch { // protection against exception filter-based luring attacks if (privilege != null) { privilege.Revert(); } throw; } finally { if (privilege != null) { privilege.Revert(); } } // // Extract data from the returned pointer // uint Length = Interop.mincore.GetSecurityDescriptorLength(ByteArray); byte[] BinaryForm = new byte[Length]; Marshal.Copy(ByteArray, BinaryForm, 0, (int)Length); Interop.mincore_obsolete.LocalFree(ByteArray); resultSd = new RawSecurityDescriptor(BinaryForm, 0); return Interop.mincore.Errors.ERROR_SUCCESS; Error: if (errorCode == Interop.mincore.Errors.ERROR_NOT_ENOUGH_MEMORY) { throw new OutOfMemoryException(); } return errorCode; }
// // Wrapper around advapi32.GetSecurityInfo // internal static int GetSecurityInfo( ResourceType resourceType, string name, SafeHandle handle, AccessControlSections accessControlSections, out RawSecurityDescriptor resultSd ) { resultSd = null; int errorCode; IntPtr SidOwner, SidGroup, Dacl, Sacl, ByteArray; SecurityInfos SecurityInfos = 0; Privilege privilege = null; if ((accessControlSections & AccessControlSections.Owner) != 0) { SecurityInfos |= SecurityInfos.Owner; } if ((accessControlSections & AccessControlSections.Group) != 0) { SecurityInfos |= SecurityInfos.Group; } if ((accessControlSections & AccessControlSections.Access) != 0) { SecurityInfos |= SecurityInfos.DiscretionaryAcl; } if ((accessControlSections & AccessControlSections.Audit) != 0) { SecurityInfos |= SecurityInfos.SystemAcl; privilege = new Privilege(Privilege.Security); } try { if (privilege != null) { try { privilege.Enable(); } catch (PrivilegeNotHeldException) { // we will ignore this exception and press on just in case this is a remote resource } } if (name != null) { errorCode = (int)Interop.mincore.GetSecurityInfoByName(name, (uint)resourceType, (uint)SecurityInfos, out SidOwner, out SidGroup, out Dacl, out Sacl, out ByteArray); } else if (handle != null) { if (handle.IsInvalid) { throw new ArgumentException( SR.Argument_InvalidSafeHandle, nameof(handle)); } else { errorCode = (int)Interop.mincore.GetSecurityInfoByHandle(handle, (uint)resourceType, (uint)SecurityInfos, out SidOwner, out SidGroup, out Dacl, out Sacl, out ByteArray); } } else { // both are null, shouldn't happen // Changing from SystemException to ArgumentException as this code path is indicative of a null name argument // as well as an accessControlSections argument with an audit flag throw new ArgumentException(); } if (errorCode == Interop.mincore.Errors.ERROR_SUCCESS && IntPtr.Zero.Equals(ByteArray)) { // // This means that the object doesn't have a security descriptor. And thus we throw // a specific exception for the caller to catch and handle properly. // throw new InvalidOperationException(SR.InvalidOperation_NoSecurityDescriptor); } else if (errorCode == Interop.mincore.Errors.ERROR_NOT_ALL_ASSIGNED || errorCode == Interop.mincore.Errors.ERROR_PRIVILEGE_NOT_HELD) { throw new PrivilegeNotHeldException(Privilege.Security); } else if (errorCode == Interop.mincore.Errors.ERROR_ACCESS_DENIED || errorCode == Interop.mincore.Errors.ERROR_CANT_OPEN_ANONYMOUS) { throw new UnauthorizedAccessException(); } if (errorCode != Interop.mincore.Errors.ERROR_SUCCESS) { goto Error; } } catch { // protection against exception filter-based luring attacks if (privilege != null) { privilege.Revert(); } throw; } finally { if (privilege != null) { privilege.Revert(); } } // // Extract data from the returned pointer // uint Length = Interop.mincore.GetSecurityDescriptorLength(ByteArray); byte[] BinaryForm = new byte[Length]; Marshal.Copy(ByteArray, BinaryForm, 0, (int)Length); Interop.mincore_obsolete.LocalFree(ByteArray); resultSd = new RawSecurityDescriptor(BinaryForm, 0); return(Interop.mincore.Errors.ERROR_SUCCESS); Error: if (errorCode == Interop.mincore.Errors.ERROR_NOT_ENOUGH_MEMORY) { throw new OutOfMemoryException(); } return(errorCode); }
private void CreateFromParts(bool isContainer, bool isDS, ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, SystemAcl systemAcl, DiscretionaryAcl discretionaryAcl) { if (systemAcl != null && systemAcl.IsContainer != isContainer) { throw new ArgumentException( isContainer ? SR.AccessControl_MustSpecifyContainerAcl : SR.AccessControl_MustSpecifyLeafObjectAcl, nameof(systemAcl)); } if (discretionaryAcl != null && discretionaryAcl.IsContainer != isContainer) { throw new ArgumentException( isContainer ? SR.AccessControl_MustSpecifyContainerAcl : SR.AccessControl_MustSpecifyLeafObjectAcl, nameof(discretionaryAcl)); } _isContainer = isContainer; if (systemAcl != null && systemAcl.IsDS != isDS) { throw new ArgumentException( isDS ? SR.AccessControl_MustSpecifyDirectoryObjectAcl : SR.AccessControl_MustSpecifyNonDirectoryObjectAcl, nameof(systemAcl)); } if (discretionaryAcl != null && discretionaryAcl.IsDS != isDS) { throw new ArgumentException( isDS ? SR.AccessControl_MustSpecifyDirectoryObjectAcl : SR.AccessControl_MustSpecifyNonDirectoryObjectAcl, nameof(discretionaryAcl)); } _isDS = isDS; _sacl = systemAcl; // // Replace null DACL with an allow-all for everyone DACL // if (discretionaryAcl == null) { // // to conform to native behavior, we will add allow everyone ace for DACL // discretionaryAcl = DiscretionaryAcl.CreateAllowEveryoneFullAccess(_isDS, _isContainer); } _dacl = discretionaryAcl; // // DACL is never null. So always set the flag bit on // ControlFlags actualFlags = flags | ControlFlags.DiscretionaryAclPresent; // // Keep SACL and the flag bit in sync. // if (systemAcl == null) { unchecked { actualFlags &= ~(ControlFlags.SystemAclPresent); } } else { actualFlags |= (ControlFlags.SystemAclPresent); } _rawSd = new RawSecurityDescriptor(actualFlags, owner, group, systemAcl == null ? null : systemAcl.RawAcl, discretionaryAcl.RawAcl); }
// Summary: // Initializes a new instance of the System.Security.AccessControl.CommonSecurityDescriptor // class from the specified System.Security.AccessControl.RawSecurityDescriptor // object. // // Parameters: // isContainer: // true if the new security descriptor is associated with a container object. // // isDS: // true if the new security descriptor is associated with a directory object. // // rawSecurityDescriptor: // The System.Security.AccessControl.RawSecurityDescriptor object from which // to create the new System.Security.AccessControl.CommonSecurityDescriptor // object. extern public CommonSecurityDescriptor(bool isContainer, bool isDS, RawSecurityDescriptor rawSecurityDescriptor);