Exemplo n.º 1
0
 internal CommonAccessCheckResult(string name, string type_name, AccessMask granted_access,
                                  GenericMapping generic_mapping, SecurityDescriptor sd,
                                  Type enum_type, bool is_directory, TokenInformation token_info)
 {
     Name                     = name;
     TypeName                 = type_name;
     GrantedAccess            = granted_access;
     GenericMapping           = generic_mapping;
     TokenInfo                = token_info;
     SecurityDescriptor       = sd?.ToSddl(SecurityInformation.All, false).GetResultOrDefault() ?? string.Empty;
     SecurityDescriptorBase64 = sd?.ToBase64() ?? string.Empty;
     Owner                    = sd?.Owner?.Sid.ToString() ?? string.Empty;
     IsRead                   = generic_mapping.HasRead(granted_access);
     IsWrite                  = generic_mapping.HasWrite(granted_access) ||
                                granted_access.IsAccessGranted(GenericAccessRights.WriteDac) ||
                                granted_access.IsAccessGranted(GenericAccessRights.WriteOwner) ||
                                granted_access.IsAccessGranted(GenericAccessRights.Delete);
     IsExecute                  = generic_mapping.HasExecute(granted_access);
     IsAll                      = generic_mapping.HasAll(granted_access);
     GrantedAccessString        = NtSecurity.AccessMaskToString(granted_access, enum_type, generic_mapping, false);
     GrantedGenericAccessString = NtSecurity.AccessMaskToString(granted_access, enum_type, generic_mapping, true);
     TokenId                    = token_info.TokenId.ToInt64();
     IsDirectory                = is_directory;
     if (sd != null)
     {
         HasMandatoryLabel    = sd.GetMandatoryLabel() != null;
         HasProcessTrustLabel = sd.ProcessTrustLabel != null;
     }
 }
        private void CheckAccess(TokenEntry token, NtFile file, AccessMask access_rights, SecurityDescriptor sd, SecurityDescriptor parent_sd)
        {
            NtType     type           = file.NtType;
            AccessMask granted_access = NtSecurity.GetMaximumAccess(sd, token.Token, type.GenericMapping);

            // Determine if the parent gives additonal rights to this file.
            if (!granted_access.IsAllAccessGranted(FileDirectoryAccessRights.ReadAttributes | FileDirectoryAccessRights.Delete) && parent_sd != null)
            {
                AccessMask parent_granted_access = NtSecurity.GetMaximumAccess(parent_sd, token.Token, type.GenericMapping);
                if (parent_granted_access.IsAccessGranted(FileDirectoryAccessRights.DeleteChild))
                {
                    granted_access |= FileAccessRights.Delete;
                }
                if (parent_granted_access.IsAccessGranted(FileDirectoryAccessRights.ListDirectory))
                {
                    granted_access |= FileAccessRights.ReadAttributes;
                }
            }

            if (IsAccessGranted(granted_access, access_rights))
            {
                bool is_directory = IsDirectoryNoThrow(file);
                WriteAccessCheckResult(FormatWin32Path ? file.Win32PathName : file.FullPath, type.Name, granted_access, type.GenericMapping,
                                       sd, is_directory ? typeof(FileDirectoryAccessRights) : typeof(FileAccessRights), is_directory, token.Information);
            }
        }
Exemplo n.º 3
0
        private protected SecurityInformation GetMaximumSecurityInformation(A granted_access)
        {
            SecurityInformation sec_info = SecurityInformation.AllBasic;
            AccessMask          mask     = granted_access;

            if (mask.IsAccessGranted(GenericAccessRights.ReadControl))
            {
                sec_info = SecurityInformation.AllNoSacl;
            }
            if (mask.IsAccessGranted(GenericAccessRights.AccessSystemSecurity))
            {
                sec_info |= SecurityInformation.Sacl;
            }
            return(sec_info);
        }
Exemplo n.º 4
0
 private static AccessMask AdjustThreadAccess(AccessMask granted_access)
 {
     if (granted_access.IsAccessGranted(ThreadAccessRights.QueryInformation))
     {
         granted_access |= ThreadAccessRights.QueryLimitedInformation;
     }
     if (granted_access.IsAccessGranted(ThreadAccessRights.SetInformation))
     {
         granted_access |= ThreadAccessRights.SetLimitedInformation;
     }
     if (granted_access.IsAccessGranted(ThreadAccessRights.SuspendResume))
     {
         granted_access |= ThreadAccessRights.Resume;
     }
     return(granted_access);
 }
Exemplo n.º 5
0
 private static AccessMask AdjustProcessAccess(AccessMask granted_access)
 {
     if (granted_access.IsAccessGranted(ProcessAccessRights.QueryInformation))
     {
         granted_access |= ProcessAccessRights.QueryLimitedInformation;
     }
     if (granted_access.IsAllAccessGranted(ProcessAccessRights.VmWrite | ProcessAccessRights.VmOperation))
     {
         granted_access |= ProcessAccessRights.QueryLimitedInformation;
     }
     if (granted_access.IsAccessGranted(ProcessAccessRights.SetInformation))
     {
         granted_access |= ProcessAccessRights.SetLimitedInformation;
     }
     return(granted_access);
 }
        /// <summary>
        /// Is an access mask granted to the object.
        /// </summary>
        /// <param name="access">The access to check.</param>
        /// <returns>True if all access is granted.</returns>
        public bool IsAccessMaskGranted(AccessMask access)
        {
            // We can't tell if we really have access or not, so just assume we do.
            if (_granted_access.IsAccessGranted(GenericAccessRights.MaximumAllowed))
            {
                return(true);
            }

            return(_granted_access.IsAllAccessGranted(access));
        }
Exemplo n.º 7
0
 internal AccessCheckResult(string name, string type_name, AccessMask granted_access,
                            GenericMapping generic_mapping, SecurityDescriptor sd,
                            Type enum_type, bool is_directory, TokenInformation token_info)
 {
     Name               = name;
     TypeName           = type_name;
     GrantedAccess      = granted_access;
     GenericMapping     = generic_mapping;
     TokenInfo          = token_info;
     SecurityDescriptor = sd?.ToSddl() ?? string.Empty;
     Owner              = sd?.Owner?.Sid.ToString() ?? string.Empty;
     IsRead             = generic_mapping.HasRead(granted_access);
     IsWrite            = generic_mapping.HasWrite(granted_access) ||
                          granted_access.IsAccessGranted(GenericAccessRights.WriteDac) ||
                          granted_access.IsAccessGranted(GenericAccessRights.WriteOwner) ||
                          granted_access.IsAccessGranted(GenericAccessRights.Delete);
     IsExecute                  = generic_mapping.HasExecute(granted_access);
     IsAll                      = generic_mapping.HasAll(granted_access);
     GrantedAccessString        = NtObjectUtils.GrantedAccessAsString(granted_access, generic_mapping, enum_type, false);
     GrantedGenericAccessString = NtObjectUtils.GrantedAccessAsString(granted_access, generic_mapping, enum_type, true);
     TokenId                    = token_info.TokenId.ToInt64();
     IsDirectory                = is_directory;
 }
Exemplo n.º 8
0
        private protected bool IsAccessGranted(AccessMask granted_access, AccessMask access_rights)
        {
            if (granted_access.IsEmpty)
            {
                return(AllowEmptyAccess);
            }

            if (access_rights.IsEmpty)
            {
                return(true);
            }

            if (AllowPartialAccess)
            {
                return(granted_access.IsAccessGranted(access_rights));
            }

            return(granted_access.IsAllAccessGranted(access_rights));
        }
        internal bool IsAccessGranted(AccessMask granted_access, AccessMask access_rights)
        {
            if (granted_access.IsEmpty)
            {
                return(false);
            }

            if (access_rights.IsEmpty)
            {
                return(true);
            }

            if (AllowPartialAccess)
            {
                return(granted_access.IsAccessGranted(access_rights));
            }

            return(granted_access.IsAllAccessGranted(access_rights));
        }
Exemplo n.º 10
0
 /// <summary>
 /// Process record.
 /// </summary>
 protected override void ProcessRecord()
 {
     if (Empty)
     {
         WriteObject(AccessMask.IsEmpty);
     }
     else if (ParameterSetName == "WriteRestricted")
     {
         GenericMapping std_map = NtSecurity.StandardAccessMapping;
         WriteObject((std_map.GenericWrite & ~(std_map.GenericRead | std_map.GenericExecute)
                      | WriteRestricted.GenericWrite & ~(WriteRestricted.GenericRead | WriteRestricted.GenericExecute)).IsEmpty);
     }
     else if (All)
     {
         WriteObject(AccessMask.IsAllAccessGranted(GetAccessMask()));
     }
     else
     {
         WriteObject(AccessMask.IsAccessGranted(GetAccessMask()));
     }
 }
        private protected NtResult <O> ReOpen <O, X>(NtObjectWithDuplicate <O, X> obj) where O : NtObject where X : Enum
        {
            AccessMask mask = GenericAccessRights.MaximumAllowed;

            using (var o = obj.ReOpen(mask.ToSpecificAccess <X>(), false))
            {
                if (o.IsSuccess)
                {
                    return(o.Map(x => (O)x.DuplicateObject()));
                }
            }

            AccessMask granted_mask = 0;
            AccessMask valid_access = obj.NtType.ValidAccess;
            uint       test_mask    = 1;

            while (test_mask < 0x00200000)
            {
                if (valid_access.IsAccessGranted(test_mask))
                {
                    mask = test_mask;
                    using (var o = obj.ReOpen(mask.ToSpecificAccess <X>(), false))
                    {
                        if (o.IsSuccess)
                        {
                            granted_mask |= test_mask;
                        }
                    }
                }

                test_mask <<= 1;
            }

            if (granted_mask.IsEmpty)
            {
                return(NtResult <O> .CreateResultFromError(NtStatus.STATUS_ACCESS_DENIED, false));
            }
            return(obj.ReOpen(granted_mask.ToSpecificAccess <X>(), false));
        }