private static bool TestAddAccess(DiscretionaryAcl discretionaryAcl, RawAcl rawAcl, AccessControlType accessControlType, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags)
        {
            bool result = true;
            byte[] dAclBinaryForm = null;
            byte[] rAclBinaryForm = null;

            discretionaryAcl.AddAccess(accessControlType, sid, accessMask, inheritanceFlags, propagationFlags);
            if (discretionaryAcl.Count == rawAcl.Count &&
                discretionaryAcl.BinaryLength == rawAcl.BinaryLength)
            {

                dAclBinaryForm = new byte[discretionaryAcl.BinaryLength];
                rAclBinaryForm = new byte[rawAcl.BinaryLength];
                discretionaryAcl.GetBinaryForm(dAclBinaryForm, 0);
                rawAcl.GetBinaryForm(rAclBinaryForm, 0);
                if (!Utils.IsBinaryFormEqual(dAclBinaryForm, rAclBinaryForm))
                    result = false;

                //redundant index check

                for (int i = 0; i < discretionaryAcl.Count; i++)
                {
                    if (!Utils.IsAceEqual(discretionaryAcl[i], rawAcl[i]))
                    {

                        result = false;
                        break;
                    }
                }
            }
            else
                result = false;

            return result;
        }
Exemplo n.º 2
0
        public byte[] ToDaclBytes()
        {
            DiscretionaryAcl dacl = getDacl(this._securityIdentifiers);

            byte[] bytes = new byte[dacl.BinaryLength];
            dacl.GetBinaryForm(bytes, 0);
            return(bytes);
        }
Exemplo n.º 3
0
    // Token: 0x06000146 RID: 326 RVA: 0x00008600 File Offset: 0x00006800
    private static RawSecurityDescriptor smethod_3()
    {
        DiscretionaryAcl discretionaryAcl = new DiscretionaryAcl(false, false, 0);

        byte[] binaryForm = new byte[discretionaryAcl.BinaryLength - 1 + 1];
        discretionaryAcl.GetBinaryForm(binaryForm, 0);
        return(new RawSecurityDescriptor(ControlFlags.DiscretionaryAclPresent, null, null, null, new RawAcl(binaryForm, 0)));
    }
Exemplo n.º 4
0
        internal byte[] ToDaclBytes()
        {
            DiscretionaryAcl dacl = getDacl(_securityIdentifiers);
            var bytes             = new byte[dacl.BinaryLength];

            dacl.GetBinaryForm(bytes, 0);
            return(bytes);
        }
Exemplo n.º 5
0
        private static string InstallService()
        {
            // Install service
            var dir = new DirectoryInfo(Path.GetDirectoryName(Utils.ExecutablePath));

            var acl = dir.GetAccessControl(AccessControlSections.Access);

            acl.SetAccessRule(new FileSystemAccessRule(new SecurityIdentifier(WellKnownSidType.LocalServiceSid, null), FileSystemRights.FullControl, InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Allow));

            dir.SetAccessControl(acl);

            ManagedInstallerClass.InstallHelper(new string[] { Utils.ExecutablePath });

            // Set permission
            var sc = ServiceController.GetServices().FirstOrDefault(s => s.ServiceName == Consts.ServiceName);

            if (sc == null)
            {
                return("Service installation failure");
            }

            var buffer = new byte[0];

            if (!NTAPI.QueryServiceObjectSecurity(sc.ServiceHandle, SecurityInfos.DiscretionaryAcl, buffer, 0, out uint size))
            {
                int err = Marshal.GetLastWin32Error();
                if (err != 122 && err != 0) // ERROR_INSUFFICIENT_BUFFER
                {
                    return("QueryServiceObjectSecurity[1] error: " + err);
                }
                buffer = new byte[size];
                if (!NTAPI.QueryServiceObjectSecurity(sc.ServiceHandle, SecurityInfos.DiscretionaryAcl, buffer, size, out size))
                {
                    return("QueryServiceObjectSecurity[2] error: " + Marshal.GetLastWin32Error());
                }
            }

            var rsd = new RawSecurityDescriptor(buffer, 0);

            var dacl = new DiscretionaryAcl(false, false, rsd.DiscretionaryAcl);

            dacl.SetAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null), (int)(ServiceAccessRights.SERVICE_QUERY_STATUS | ServiceAccessRights.SERVICE_START | ServiceAccessRights.SERVICE_STOP | ServiceAccessRights.SERVICE_INTERROGATE), InheritanceFlags.None, PropagationFlags.None);

            buffer = new byte[dacl.BinaryLength];
            dacl.GetBinaryForm(buffer, 0);

            rsd.DiscretionaryAcl = new RawAcl(buffer, 0);

            buffer = new byte[rsd.BinaryLength];
            rsd.GetBinaryForm(buffer, 0);

            if (!NTAPI.SetServiceObjectSecurity(sc.ServiceHandle, SecurityInfos.DiscretionaryAcl, buffer))
            {
                return("SetServiceObjectSecurity error: " + Marshal.GetLastWin32Error());
            }
            return(null);
        }
Exemplo n.º 6
0
        public static void SetServicePermissions(string service, string username)
        {
            System.ServiceProcess.ServiceController sc = new System.ServiceProcess.ServiceController(service);
            ServiceControllerStatus status             = sc.Status;

            byte[] psd = new byte[0];
            uint   bufSizeNeeded;
            bool   ok = ServiceAccountHelper.QueryServiceObjectSecurity(sc.ServiceHandle, SecurityInfos.DiscretionaryAcl, psd, 0, out bufSizeNeeded);

            if (!ok)
            {
                int err = Marshal.GetLastWin32Error();
                if (err == 122 || err == 0)
                { // ERROR_INSUFFICIENT_BUFFER
                  // expected; now we know bufsize
                    psd = new byte[bufSizeNeeded];
                    ok  = ServiceAccountHelper.QueryServiceObjectSecurity(sc.ServiceHandle, SecurityInfos.DiscretionaryAcl, psd, bufSizeNeeded, out bufSizeNeeded);
                }
                else
                {
                    throw new ApplicationException("error calling QueryServiceObjectSecurity() to get DACL for " + username + ": error code=" + err);
                }
            }
            if (!ok)
            {
                throw new ApplicationException("error calling QueryServiceObjectSecurity(2) to get DACL for " + username + ": error code=" + Marshal.GetLastWin32Error());
            }

            // get security descriptor via raw into DACL form so ACE
            // ordering checks are done for us.
            RawSecurityDescriptor rsd = new RawSecurityDescriptor(psd, 0);
            RawAcl           racl     = rsd.DiscretionaryAcl;
            DiscretionaryAcl dacl     = new DiscretionaryAcl(false, false, racl);

            // Add start/stop/read access
            NTAccount acct = new NTAccount(username);

            SecurityIdentifier sid = (SecurityIdentifier)acct.Translate(typeof(SecurityIdentifier));

            dacl.AddAccess(AccessControlType.Allow, sid, (int)ServiceAccountHelper.SERVICE_ACCESS.SERVICE_START, InheritanceFlags.None, PropagationFlags.None);
            dacl.AddAccess(AccessControlType.Allow, sid, (int)ServiceAccountHelper.SERVICE_ACCESS.SERVICE_STOP, InheritanceFlags.None, PropagationFlags.None);

            // convert discretionary ACL back to raw form; looks like via byte[] is only way
            byte[] rawdacl = new byte[dacl.BinaryLength];
            dacl.GetBinaryForm(rawdacl, 0);
            rsd.DiscretionaryAcl = new RawAcl(rawdacl, 0);

            // set raw security descriptor on service again
            byte[] rawsd = new byte[rsd.BinaryLength];
            rsd.GetBinaryForm(rawsd, 0);
            ok = ServiceAccountHelper.SetServiceObjectSecurity(sc.ServiceHandle, SecurityInfos.DiscretionaryAcl, rawsd);
            if (!ok)
            {
                throw new ApplicationException("error calling SetServiceObjectSecurity(); error code=" + Marshal.GetLastWin32Error());
            }
        }
Exemplo n.º 7
0
        public static bool SetAcl(this ServiceController controller, Action <DiscretionaryAcl> fn)
        {
            // from http://pinvoke.net/default.aspx/advapi32/QueryServiceObjectSecurity.html (thx!)

            using (SafeHandle handle = controller.ServiceHandle)
            {
                var  psd = new byte[0];
                uint bufSizeNeeded;

                bool success = QueryServiceObjectSecurity(handle, SecurityInfos.DiscretionaryAcl, psd, 0,
                                                          out bufSizeNeeded);

                if (!success)
                {
                    int error = Marshal.GetLastWin32Error();

                    if (error == ErrorInsufficientBuffer)
                    {
                        psd     = new byte[bufSizeNeeded];
                        success = QueryServiceObjectSecurity(handle, SecurityInfos.DiscretionaryAcl, psd, bufSizeNeeded,
                                                             out bufSizeNeeded);
                    }
                    else
                    {
                        return(false);
                    }
                }

                if (!success)
                {
                    return(false);
                }

                // get security descriptor via raw into DACL form so ACE
                // ordering checks are done for us.
                var rsd  = new RawSecurityDescriptor(psd, 0);
                var dacl = new DiscretionaryAcl(false, false, rsd.DiscretionaryAcl);

                fn(dacl);

                // convert discretionary ACL back to raw form; looks like via byte[] is only way
                var rawdacl = new byte[dacl.BinaryLength];
                dacl.GetBinaryForm(rawdacl, 0);
                rsd.DiscretionaryAcl = new RawAcl(rawdacl, 0);

                // set raw security descriptor on service again
                var rawsd = new byte[rsd.BinaryLength];
                rsd.GetBinaryForm(rawsd, 0);

                success = SetServiceObjectSecurity(handle, SecurityInfos.DiscretionaryAcl, rawsd);

                return(success);
            }
        }
Exemplo n.º 8
0
        public void EmptyBinaryFormDSOK()
        {
            DiscretionaryAcl dacl = new DiscretionaryAcl(false, true, 0);

            byte[] buffer = new byte[8];
            dacl.GetBinaryForm(buffer, 0);

            Assert.AreEqual(4, buffer [0]);              // Revision
            Assert.AreEqual(8, ToUInt16(buffer, 2));     // ACL Size
            Assert.AreEqual(0, ToUInt16(buffer, 4));     // ACE Count
        }
Exemplo n.º 9
0
        internal static void EnsureServiceAclsCorrect()
        {
            var  psd = new byte[0];
            uint bufSizeNeeded;
            var  ok = Advapi32.QueryServiceObjectSecurity(Controller.Value.ServiceHandle, SecurityInfos.DiscretionaryAcl, psd, 0, out bufSizeNeeded);

            if (!ok)
            {
                int err = Marshal.GetLastWin32Error();
                if (err == 122)
                {
                    // ERROR_INSUFFICIENT_BUFFER
                    // expected; now we know bufsize
                    psd = new byte[bufSizeNeeded];
                    ok  = Advapi32.QueryServiceObjectSecurity(
                        Controller.Value.ServiceHandle, SecurityInfos.DiscretionaryAcl, psd, bufSizeNeeded, out bufSizeNeeded);
                }
                else
                {
                    throw new ApplicationException("error calling QueryServiceObjectSecurity() to get DACL for Service: error code=" + err);
                }
            }
            if (!ok)
            {
                throw new ApplicationException("error calling QueryServiceObjectSecurity(2) to get DACL for Service: error code=" + Marshal.GetLastWin32Error());
            }

            // get security descriptor via raw into DACL form so ACE
            // ordering checks are done for us.
            var rsd  = new RawSecurityDescriptor(psd, 0);
            var dacl = new DiscretionaryAcl(false, false, rsd.DiscretionaryAcl);

            dacl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null), (int)ServiceAccess.ServiceCoapp, InheritanceFlags.None, PropagationFlags.None);

            // convert discretionary ACL back to raw form; looks like via byte[] is only way
            var rawdacl = new byte[dacl.BinaryLength];

            dacl.GetBinaryForm(rawdacl, 0);
            rsd.DiscretionaryAcl = new RawAcl(rawdacl, 0);

            // set raw security descriptor on service again
            var rawsd = new byte[rsd.BinaryLength];

            rsd.GetBinaryForm(rawsd, 0);

            ok = Advapi32.SetServiceObjectSecurity(Controller.Value.ServiceHandle, SecurityInfos.DiscretionaryAcl, rawsd);
            if (!ok)
            {
                throw new ApplicationException("error calling SetServiceObjectSecurity(); error code=" + Marshal.GetLastWin32Error());
            }
        }
Exemplo n.º 10
0
        public static bool Constructor2(bool isContainer, bool isDS, byte revision, int capacity)
        {
            bool result = true;

            byte[] dAclBinaryForm = null;
            byte[] rAclBinaryForm = null;

            RawAcl rawAcl = null;

            DiscretionaryAcl discretionaryAcl = null;

            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, revision, capacity);
            rawAcl           = new RawAcl(revision, capacity);

            if (isContainer == discretionaryAcl.IsContainer &&
                isDS == discretionaryAcl.IsDS &&
                revision == discretionaryAcl.Revision &&
                0 == discretionaryAcl.Count &&
                8 == discretionaryAcl.BinaryLength &&
                true == discretionaryAcl.IsCanonical)
            {
                dAclBinaryForm = new byte[discretionaryAcl.BinaryLength];
                rAclBinaryForm = new byte[rawAcl.BinaryLength];
                discretionaryAcl.GetBinaryForm(dAclBinaryForm, 0);
                rawAcl.GetBinaryForm(rAclBinaryForm, 0);
                if (!Utils.IsBinaryFormEqual(dAclBinaryForm, rAclBinaryForm))
                {
                    result = false;
                }

                //redundant index check
                for (int i = 0; i < discretionaryAcl.Count; i++)
                {
                    if (!Utils.IsAceEqual(discretionaryAcl[i], rawAcl[i]))
                    {
                        result = false;
                        break;
                    }
                }
            }
            else
            {
                result = false;
            }
            Assert.True(result);
            return(result);
        }
Exemplo n.º 11
0
        public static string SetServicePermission()
        {
            var sc = ServiceController.GetServices().FirstOrDefault(s => s.ServiceName == Consts.ServiceName);

            if (sc == null)
            {
                return("Service not found");
            }

            var buffer = new byte[0];

            if (!NTAPI.QueryServiceObjectSecurity(sc.ServiceHandle, SecurityInfos.DiscretionaryAcl, buffer, 0, out uint size))
            {
                int err = Marshal.GetLastWin32Error();
                if (err != 122 && err != 0) // ERROR_INSUFFICIENT_BUFFER
                {
                    return("QueryServiceObjectSecurity[1] error: " + err);
                }
                buffer = new byte[size];
                if (!NTAPI.QueryServiceObjectSecurity(sc.ServiceHandle, SecurityInfos.DiscretionaryAcl, buffer, size, out size))
                {
                    return("QueryServiceObjectSecurity[2] error: " + Marshal.GetLastWin32Error());
                }
            }

            var rsd = new RawSecurityDescriptor(buffer, 0);

            var dacl = new DiscretionaryAcl(false, false, rsd.DiscretionaryAcl);

            dacl.SetAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null), (int)(ServiceAccessRights.SERVICE_QUERY_STATUS | ServiceAccessRights.SERVICE_START | ServiceAccessRights.SERVICE_STOP | ServiceAccessRights.SERVICE_INTERROGATE), InheritanceFlags.None, PropagationFlags.None);

            buffer = new byte[dacl.BinaryLength];
            dacl.GetBinaryForm(buffer, 0);

            rsd.DiscretionaryAcl = new RawAcl(buffer, 0);

            buffer = new byte[rsd.BinaryLength];
            rsd.GetBinaryForm(buffer, 0);

            if (!NTAPI.SetServiceObjectSecurity(sc.ServiceHandle, SecurityInfos.DiscretionaryAcl, buffer))
            {
                return("SetServiceObjectSecurity error: " + Marshal.GetLastWin32Error());
            }
            return(null);
        }
Exemplo n.º 12
0
        public static bool Constructor1(bool isContainer, bool isDS, int capacity)
        {
            bool result = true;
            byte[] dAclBinaryForm = null;
            byte[] rAclBinaryForm = null;

            RawAcl rawAcl = null;

            DiscretionaryAcl discretionaryAcl = null;

            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, capacity);
            rawAcl = new RawAcl(isDS ? GenericAcl.AclRevisionDS : GenericAcl.AclRevision, capacity);

            if (isContainer == discretionaryAcl.IsContainer &&
                isDS == discretionaryAcl.IsDS &&
                (isDS ? GenericAcl.AclRevisionDS : GenericAcl.AclRevision) == discretionaryAcl.Revision &&
                0 == discretionaryAcl.Count &&
                8 == discretionaryAcl.BinaryLength &&
                true == discretionaryAcl.IsCanonical)
            {
                dAclBinaryForm = new byte[discretionaryAcl.BinaryLength];
                rAclBinaryForm = new byte[rawAcl.BinaryLength];
                discretionaryAcl.GetBinaryForm(dAclBinaryForm, 0);
                rawAcl.GetBinaryForm(rAclBinaryForm, 0);
                if (!Utils.IsBinaryFormEqual(dAclBinaryForm, rAclBinaryForm))
                    result = false;

                //redundant index check
                for (int i = 0; i < discretionaryAcl.Count; i++)
                {
                    if (!Utils.IsAceEqual(discretionaryAcl[i], rawAcl[i]))
                    {
                        result = false;
                        break;
                    }
                }
            }
            else
            {
                result = false;
            }
            Assert.True(result);
            return result;
        }
Exemplo n.º 13
0
        private static RawSecurityDescriptor UpdateMailboxSecurityDescriptor(SecurityIdentifier userSid, ADUser userToConnect, MapiAdministrationSession mapiAdministrationSession, MailboxDatabase database, Guid deletedMailboxGuid, string parameterSetName, Task.TaskVerboseLoggingDelegate verboseLogger)
        {
            RawSecurityDescriptor rawSecurityDescriptor = null;

            try
            {
                rawSecurityDescriptor = mapiAdministrationSession.GetMailboxSecurityDescriptor(new MailboxId(MapiTaskHelper.ConvertDatabaseADObjectToDatabaseId(database), deletedMailboxGuid));
            }
            catch (Microsoft.Exchange.Data.Mapi.Common.MailboxNotFoundException)
            {
                rawSecurityDescriptor = new RawSecurityDescriptor(ControlFlags.DiscretionaryAclDefaulted | ControlFlags.SystemAclDefaulted | ControlFlags.SelfRelative, WindowsIdentity.GetCurrent().User, WindowsIdentity.GetCurrent().User, null, null);
                DiscretionaryAcl discretionaryAcl = new DiscretionaryAcl(true, true, 0);
                byte[]           binaryForm       = new byte[discretionaryAcl.BinaryLength];
                discretionaryAcl.GetBinaryForm(binaryForm, 0);
                rawSecurityDescriptor.DiscretionaryAcl = new RawAcl(binaryForm, 0);
            }
            bool flag = false;

            foreach (GenericAce genericAce in rawSecurityDescriptor.DiscretionaryAcl)
            {
                KnownAce knownAce = (KnownAce)genericAce;
                if (knownAce.SecurityIdentifier.IsWellKnown(WellKnownSidType.SelfSid))
                {
                    flag = true;
                    break;
                }
            }
            if (!flag)
            {
                CommonAce ace = new CommonAce(AceFlags.ContainerInherit, AceQualifier.AccessAllowed, 131073, new SecurityIdentifier(WellKnownSidType.SelfSid, null), false, null);
                rawSecurityDescriptor.DiscretionaryAcl.InsertAce(0, ace);
            }
            rawSecurityDescriptor.SetFlags(rawSecurityDescriptor.ControlFlags | ControlFlags.SelfRelative);
            if ("Linked" == parameterSetName || "Shared" == parameterSetName || "Room" == parameterSetName || "Equipment" == parameterSetName)
            {
                RawSecurityDescriptor sd = userToConnect.ReadSecurityDescriptor();
                MailboxTaskHelper.GrantPermissionToLinkedUserAccount(userToConnect.MasterAccountSid, ref rawSecurityDescriptor, ref sd);
                verboseLogger(Strings.VerboseSaveADSecurityDescriptor(userToConnect.Id.ToString()));
                userToConnect.SaveSecurityDescriptor(sd);
            }
            mapiAdministrationSession.Administration.PurgeCachedMailboxObject(deletedMailboxGuid);
            return(rawSecurityDescriptor);
        }
Exemplo n.º 14
0
        public static ServiceAccessRights GetEffectiveAccessRights([NotNull] this ServiceController thisValue, [NotNull] SecurityIdentifier sid)
        {
            Win32.QueryServiceObjectSecurity(thisValue.ServiceHandle, SecurityInfos.DiscretionaryAcl, null, 0u, out uint len);
            int errCode = Marshal.GetLastWin32Error();

            if (errCode != ResultWin32.ERROR_INSUFFICIENT_BUFFER)
            {
                return(errCode == 0
                                                        ? (ServiceAccessRights)0
                                                        : throw new Win32Exception(errCode));
            }

            byte[] buffer = new byte[len];
            if (!Win32.QueryServiceObjectSecurity(thisValue.ServiceHandle, SecurityInfos.DiscretionaryAcl, buffer, len, out len))
            {
                throw new Win32Exception(Marshal.GetLastWin32Error());
            }

            RawSecurityDescriptor rsd = new RawSecurityDescriptor(buffer, 0);
            RawAcl           racl     = rsd.DiscretionaryAcl;
            DiscretionaryAcl dacl     = new DiscretionaryAcl(false, false, racl);

            byte[] daclBuffer = new byte[dacl.BinaryLength];
            dacl.GetBinaryForm(daclBuffer, 0);

            byte[] sidBuffer = new byte[sid.BinaryLength];
            sid.GetBinaryForm(sidBuffer, 0);

            TRUSTEE trustee = new TRUSTEE();

            Win32.BuildTrusteeWithSid(ref trustee, sidBuffer);

            uint access = 0u;
            int  hr     = (int)Win32.GetEffectiveRightsFromAcl(daclBuffer, ref trustee, ref access);

            Marshal.Release(trustee.ptstrName);
            if (hr != ResultWin32.ERROR_SUCCESS)
            {
                throw Marshal.GetExceptionForHR(hr);
            }
            return((ServiceAccessRights)access);
        }
Exemplo n.º 15
0
        public static void SetServicePermissions(string serviceName)
        {
            Logger.Info("{0} {1}", (object)MethodBase.GetCurrentMethod().Name, (object)serviceName);
            using (ServiceController serviceController = new ServiceController(serviceName, "."))
            {
                int    status    = (int)serviceController.Status;
                byte[] numArray1 = new byte[0];
                uint   bufSizeNeeded;
                bool   flag = ServiceManager.QueryServiceObjectSecurity(serviceController.ServiceHandle, SecurityInfos.DiscretionaryAcl, numArray1, 0U, out bufSizeNeeded);
                if (!flag)
                {
                    int lastWin32Error = Marshal.GetLastWin32Error();
                    switch (lastWin32Error)
                    {
                    case 0:
                    case 122:
                        numArray1 = new byte[(int)bufSizeNeeded];
                        flag      = ServiceManager.QueryServiceObjectSecurity(serviceController.ServiceHandle, SecurityInfos.DiscretionaryAcl, numArray1, bufSizeNeeded, out bufSizeNeeded);
                        break;

                    default:
                        throw new Exception("error calling QueryServiceObjectSecurity() to get DACL : error code=" + lastWin32Error.ToString());
                    }
                }
                if (!flag)
                {
                    throw new Exception("error calling QueryServiceObjectSecurity(2) to get DACL : error code=" + Marshal.GetLastWin32Error().ToString());
                }
                RawSecurityDescriptor securityDescriptor = new RawSecurityDescriptor(numArray1, 0);
                DiscretionaryAcl      discretionaryAcl   = new DiscretionaryAcl(false, false, securityDescriptor.DiscretionaryAcl);
                discretionaryAcl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.InteractiveSid, (SecurityIdentifier)null), 983551, InheritanceFlags.None, PropagationFlags.None);
                byte[] binaryForm = new byte[discretionaryAcl.BinaryLength];
                discretionaryAcl.GetBinaryForm(binaryForm, 0);
                securityDescriptor.DiscretionaryAcl = new RawAcl(binaryForm, 0);
                byte[] numArray2 = new byte[securityDescriptor.BinaryLength];
                securityDescriptor.GetBinaryForm(numArray2, 0);
                if (!ServiceManager.SetServiceObjectSecurity(serviceController.ServiceHandle, SecurityInfos.DiscretionaryAcl, numArray2))
                {
                    throw new Exception("error calling SetServiceObjectSecurity(); error code=" + Marshal.GetLastWin32Error().ToString());
                }
            }
        }
Exemplo n.º 16
0
        public void BinaryRoundtrip()
        {
            RawAcl acl = GetRemovesMeaninglessAcesAcl();

            DiscretionaryAcl dacl1 = new DiscretionaryAcl(false, false, acl);

            byte[] binaryForm1 = new byte[dacl1.BinaryLength];
            dacl1.GetBinaryForm(binaryForm1, 0);

            DiscretionaryAcl dacl2 = new DiscretionaryAcl(false, false, new RawAcl(binaryForm1, 0));

            byte[] binaryForm2 = new byte[dacl2.BinaryLength];
            dacl2.GetBinaryForm(binaryForm2, 0);

            Assert.AreEqual(binaryForm1.Length, binaryForm2.Length);
            for (int i = 0; i < binaryForm1.Length; i++)
            {
                Assert.AreEqual(binaryForm1 [i], binaryForm2 [i]);
            }
        }
Exemplo n.º 17
0
        //verify the dacl is crafted with one Allow Everyone Everything ACE

        public static bool VerifyDaclWithCraftedAce(bool isContainer, bool isDS, DiscretionaryAcl dacl)
        {
            byte[] craftedBForm;
            byte[] binaryForm;

            DiscretionaryAcl craftedDacl = new DiscretionaryAcl(isContainer, isDS, 1);

            craftedDacl.AddAccess(AccessControlType.Allow,
                                  new SecurityIdentifier("S-1-1-0"),
                                  -1,
                                  isContainer ? InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit : InheritanceFlags.None,
                                  PropagationFlags.None);
            craftedBForm = new byte[craftedDacl.BinaryLength];
            binaryForm   = new byte[dacl.BinaryLength];
            Assert.False(craftedBForm == null || binaryForm == null);
            craftedDacl.GetBinaryForm(craftedBForm, 0);
            dacl.GetBinaryForm(binaryForm, 0);

            return(Utils.IsBinaryFormEqual(craftedBForm, binaryForm));
        }
Exemplo n.º 18
0
        private static bool VerifyACL(DiscretionaryAcl discretionaryAcl, bool isContainer, bool isDS, bool wasCanonicalInitially, RawAcl rawAcl)
        {
            bool result = true;

            byte[] dAclBinaryForm = null;
            byte[] rAclBinaryForm = null;

            if (discretionaryAcl.IsContainer == isContainer &&
                discretionaryAcl.IsDS == isDS &&
                discretionaryAcl.Revision == rawAcl.Revision &&
                discretionaryAcl.Count == rawAcl.Count &&
                discretionaryAcl.BinaryLength == rawAcl.BinaryLength &&
                discretionaryAcl.IsCanonical == wasCanonicalInitially)
            {
                dAclBinaryForm = new byte[discretionaryAcl.BinaryLength];
                rAclBinaryForm = new byte[rawAcl.BinaryLength];
                discretionaryAcl.GetBinaryForm(dAclBinaryForm, 0);
                rawAcl.GetBinaryForm(rAclBinaryForm, 0);
                if (!Utils.IsBinaryFormEqual(dAclBinaryForm, rAclBinaryForm))
                {
                    result = false;
                }

                //redundant index check
                for (int i = 0; i < discretionaryAcl.Count; i++)
                {
                    if (!Utils.IsAceEqual(discretionaryAcl[i], rawAcl[i]))
                    {
                        result = false;
                        break;
                    }
                }
            }
            else
            {
                result = false;
            }

            return(result);
        }
Exemplo n.º 19
0
        private static bool VerifyACL(DiscretionaryAcl discretionaryAcl, bool isContainer, bool isDS, bool wasCanonicalInitially, RawAcl rawAcl)
        {
            bool result = true;
            byte[] dAclBinaryForm = null;
            byte[] rAclBinaryForm = null;

            if (discretionaryAcl.IsContainer == isContainer &&
                discretionaryAcl.IsDS == isDS &&
                discretionaryAcl.Revision == rawAcl.Revision &&
                discretionaryAcl.Count == rawAcl.Count &&
                discretionaryAcl.BinaryLength == rawAcl.BinaryLength &&
                discretionaryAcl.IsCanonical == wasCanonicalInitially)
            {
                dAclBinaryForm = new byte[discretionaryAcl.BinaryLength];
                rAclBinaryForm = new byte[rawAcl.BinaryLength];
                discretionaryAcl.GetBinaryForm(dAclBinaryForm, 0);
                rawAcl.GetBinaryForm(rAclBinaryForm, 0);
                if (!Utils.IsBinaryFormEqual(dAclBinaryForm, rAclBinaryForm))
                    result = false;

                //redundant index check
                for (int i = 0; i < discretionaryAcl.Count; i++)
                {
                    if (!Utils.IsAceEqual(discretionaryAcl[i], rawAcl[i]))
                    {
                        result = false;
                        break;
                    }

                }
            }
            else
            {

                result = false;
            }

            return result;
        }
Exemplo n.º 20
0
        private static void SetServiceSecurity(SafeHandle service)
        {
            byte[] buf = Array.Empty <byte>();
            if (!QueryServiceObjectSecurity(service, SecurityInfos.DiscretionaryAcl, null, 0, out var bufSize))
            {
                if (Marshal.GetLastWin32Error() != Errors.InsufficientBuffer)
                {
                    throw new Exception("Could not query service object security size.", new Win32Exception());
                }

                buf = new byte[bufSize];
                if (!QueryServiceObjectSecurity(service, SecurityInfos.DiscretionaryAcl, buf, bufSize, out bufSize))
                {
                    throw new Exception("Could not query service object security.", new Win32Exception());
                }
            }

            var securityDescriptor = new RawSecurityDescriptor(buf, 0);
            var rawAcl             = securityDescriptor.DiscretionaryAcl;
            var acl = new DiscretionaryAcl(false, false, rawAcl);

            var userSid = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null);
            const ServiceAccess accessMask = ServiceAccess.GenericRead | ServiceAccess.GenericExecute;

            acl.SetAccess(AccessControlType.Allow, userSid, (int)accessMask, InheritanceFlags.None,
                          PropagationFlags.None);

            buf = new byte[acl.BinaryLength];
            acl.GetBinaryForm(buf, 0);

            securityDescriptor.DiscretionaryAcl = new RawAcl(buf, 0);
            buf = new byte[securityDescriptor.BinaryLength];
            securityDescriptor.GetBinaryForm(buf, 0);

            if (!SetServiceObjectSecurity(service, SecurityInfos.DiscretionaryAcl, buf))
            {
                throw new Exception("Could not set object security.", new Win32Exception());
            }
        }
Exemplo n.º 21
0
        private static bool TestSetAccess(DiscretionaryAcl discretionaryAcl, RawAcl rawAcl, AccessControlType accessControlType, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags)
        {
            bool result = true;

            byte[] dAclBinaryForm = null;
            byte[] rAclBinaryForm = null;

            discretionaryAcl.SetAccess(accessControlType, sid, accessMask, inheritanceFlags, propagationFlags);
            if (discretionaryAcl.Count == rawAcl.Count &&
                discretionaryAcl.BinaryLength == rawAcl.BinaryLength)
            {
                dAclBinaryForm = new byte[discretionaryAcl.BinaryLength];
                rAclBinaryForm = new byte[rawAcl.BinaryLength];
                discretionaryAcl.GetBinaryForm(dAclBinaryForm, 0);
                rawAcl.GetBinaryForm(rAclBinaryForm, 0);
                if (!Utils.IsBinaryFormEqual(dAclBinaryForm, rAclBinaryForm))
                {
                    result = false;
                }

                //redundant index check

                for (int i = 0; i < discretionaryAcl.Count; i++)
                {
                    if (!Utils.IsAceEqual(discretionaryAcl[i], rawAcl[i]))
                    {
                        result = false;
                        break;
                    }
                }
            }
            else
            {
                result = false;
            }

            return(result);
        }
        public static void GetBinaryForm_BasicValidationTestCases()
        {
            DiscretionaryAcl dAcl = null;
            RawAcl rAcl = null;
            GenericAce gAce = null;
            byte[] binaryForm = null;

            //Case 1, array binaryForm is null
            rAcl = new RawAcl(GenericAcl.AclRevision, 1);
            gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
            rAcl.InsertAce(0, gAce);
            dAcl = new DiscretionaryAcl(true, false, rAcl);

            Assert.Throws<ArgumentNullException>(() =>
            {
                dAcl.GetBinaryForm(binaryForm, 0);

            });


            //Case 2, offset is negative
            binaryForm = new byte[100];
            rAcl = new RawAcl(GenericAcl.AclRevision, 1);
            gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
            rAcl.InsertAce(0, gAce);
            dAcl = new DiscretionaryAcl(true, false, rAcl);

            Assert.Throws<ArgumentOutOfRangeException>(() =>
            {
                dAcl.GetBinaryForm(binaryForm, -1);
            });


            //Case 3, offset is equal to binaryForm length
            binaryForm = new byte[100];
            rAcl = new RawAcl(GenericAcl.AclRevision, 1);
            gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
            rAcl.InsertAce(0, gAce);
            dAcl = new DiscretionaryAcl(true, false, rAcl);
            Assert.Throws<ArgumentOutOfRangeException>(() =>
            {
                dAcl.GetBinaryForm(binaryForm, binaryForm.Length);
            });

            //Case 4, offset is a big possitive number
            rAcl = new RawAcl(GenericAcl.AclRevision, 1);
            gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
            rAcl.InsertAce(0, gAce);
            dAcl = new DiscretionaryAcl(true, false, rAcl);
            binaryForm = new byte[dAcl.BinaryLength + 10000];

            dAcl.GetBinaryForm(binaryForm, 10000);
            //get the binaryForm of the original RawAcl
            byte[] verifierBinaryForm = new byte[rAcl.BinaryLength];
            rAcl.GetBinaryForm(verifierBinaryForm, 0);
            Assert.True(Utils.IsBinaryFormEqual(binaryForm, 10000, verifierBinaryForm));

            //Case 5, binaryForm array's size is insufficient
            binaryForm = new byte[4];
            rAcl = new RawAcl(GenericAcl.AclRevision, 1);
            gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
            rAcl.InsertAce(0, gAce);
            dAcl = new DiscretionaryAcl(true, false, rAcl);

            Assert.Throws<ArgumentOutOfRangeException>(() =>
            {
                dAcl.GetBinaryForm(binaryForm, 0);

            });



        }
Exemplo n.º 23
0
        //verify the dacl is crafted with one Allow Everyone Everything ACE

        public static bool VerifyDaclWithCraftedAce(bool isContainer, bool isDS, DiscretionaryAcl dacl)
        {
            byte[] craftedBForm;
            byte[] binaryForm;

            DiscretionaryAcl craftedDacl = new DiscretionaryAcl(isContainer, isDS, 1);
            craftedDacl.AddAccess(AccessControlType.Allow,
                new SecurityIdentifier("S-1-1-0"),
                -1,
                isContainer ? InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit : InheritanceFlags.None,
                PropagationFlags.None);
            craftedBForm = new byte[craftedDacl.BinaryLength];
            binaryForm = new byte[dacl.BinaryLength];
            Assert.False(craftedBForm == null || binaryForm == null);
            craftedDacl.GetBinaryForm(craftedBForm, 0);
            dacl.GetBinaryForm(binaryForm, 0);

            return Utils.IsBinaryFormEqual(craftedBForm, binaryForm);

        }
Exemplo n.º 24
0
        public static void GetBinaryForm_BasicValidationTestCases()
        {
            DiscretionaryAcl dAcl = null;
            RawAcl           rAcl = null;
            GenericAce       gAce = null;

            byte[] binaryForm = null;

            //Case 1, array binaryForm is null
            rAcl = new RawAcl(GenericAcl.AclRevision, 1);
            gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
            rAcl.InsertAce(0, gAce);
            dAcl = new DiscretionaryAcl(true, false, rAcl);

            Assert.Throws <ArgumentNullException>(() =>
            {
                dAcl.GetBinaryForm(binaryForm, 0);
            });


            //Case 2, offset is negative
            binaryForm = new byte[100];
            rAcl       = new RawAcl(GenericAcl.AclRevision, 1);
            gAce       = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
                                       new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
            rAcl.InsertAce(0, gAce);
            dAcl = new DiscretionaryAcl(true, false, rAcl);

            Assert.Throws <ArgumentOutOfRangeException>(() =>
            {
                dAcl.GetBinaryForm(binaryForm, -1);
            });


            //Case 3, offset is equal to binaryForm length
            binaryForm = new byte[100];
            rAcl       = new RawAcl(GenericAcl.AclRevision, 1);
            gAce       = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
                                       new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
            rAcl.InsertAce(0, gAce);
            dAcl = new DiscretionaryAcl(true, false, rAcl);
            Assert.Throws <ArgumentOutOfRangeException>(() =>
            {
                dAcl.GetBinaryForm(binaryForm, binaryForm.Length);
            });

            //Case 4, offset is a big possitive number
            rAcl = new RawAcl(GenericAcl.AclRevision, 1);
            gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
            rAcl.InsertAce(0, gAce);
            dAcl       = new DiscretionaryAcl(true, false, rAcl);
            binaryForm = new byte[dAcl.BinaryLength + 10000];

            dAcl.GetBinaryForm(binaryForm, 10000);
            //get the binaryForm of the original RawAcl
            byte[] verifierBinaryForm = new byte[rAcl.BinaryLength];
            rAcl.GetBinaryForm(verifierBinaryForm, 0);
            Assert.True(Utils.IsBinaryFormEqual(binaryForm, 10000, verifierBinaryForm));

            //Case 5, binaryForm array's size is insufficient
            binaryForm = new byte[4];
            rAcl       = new RawAcl(GenericAcl.AclRevision, 1);
            gAce       = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
                                       new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
            rAcl.InsertAce(0, gAce);
            dAcl = new DiscretionaryAcl(true, false, rAcl);

            Assert.Throws <ArgumentOutOfRangeException>(() =>
            {
                dAcl.GetBinaryForm(binaryForm, 0);
            });
        }