/// <summary>
/// Compares two sids to see if their prefixes are the same. The sids must have the same number of subauthorities.
/// </summary>
/// <param name="sid">The sid to compare against</param>
/// <returns>True if the sids share a prefix.</returns>
public bool EqualPrefix(Sid sid)
{
using (SafeSidBufferHandle sid1 = ToSafeBuffer(), sid2 = sid.ToSafeBuffer())
{
return(NtRtl.RtlEqualPrefixSid(sid1, sid2));
}
}
/// <summary>
/// Add a SID to the boundary descriptor.
/// </summary>
/// <remarks>This SID is used in an access check when creating or deleting private namespaces.</remarks>
/// <param name="sid">The SID to add.</param>
public void AddSid(Sid sid)
{
using (SafeSidBufferHandle sid_buffer = sid.ToSafeBuffer())
{
NtRtl.RtlAddSIDToBoundaryDescriptor(ref _boundary_descriptor, sid_buffer).ToNtException();
}
}
private void AddIntegrityLevel(Sid sid)
{
using (SafeSidBufferHandle sid_buffer = sid.ToSafeBuffer())
{
NtRtl.RtlAddIntegrityLabelToBoundaryDescriptor(ref _boundary_descriptor, sid_buffer).ToNtException();
}
}
internal static SafeSidBufferHandle AddSid(this DisposableList list, Sid sid)
{
if (sid == null)
{
return(SafeSidBufferHandle.Null);
}
return(list.AddResource(sid.ToSafeBuffer()));
}
/// <summary>
/// Do an access check between a security descriptor and a token to determine the allowed access.
/// </summary>
/// <param name="sd">The security descriptor</param>
/// <param name="token">The access token.</param>
/// <param name="access_rights">The set of access rights to check against</param>
/// <param name="principal">An optional principal SID used to replace the SELF SID in a security descriptor.</param>
/// <param name="generic_mapping">The type specific generic mapping (get from corresponding NtType entry).</param>
/// <returns>The allowed access mask as a unsigned integer.</returns>
/// <exception cref="NtException">Thrown if an error occurred in the access check.</exception>
public static AccessMask GetAllowedAccess(SecurityDescriptor sd, NtToken token,
AccessMask access_rights, Sid principal, GenericMapping generic_mapping)
{
if (sd == null)
{
throw new ArgumentNullException("sd");
}
if (token == null)
{
throw new ArgumentNullException("token");
}
if (access_rights.IsEmpty)
{
return(AccessMask.Empty);
}
using (SafeBuffer sd_buffer = sd.ToSafeBuffer())
{
using (NtToken imp_token = DuplicateForAccessCheck(token))
{
using (var privs = new SafePrivilegeSetBuffer())
{
int buffer_length = privs.Length;
using (var self_sid = principal != null ? principal.ToSafeBuffer() : SafeSidBufferHandle.Null)
{
NtSystemCalls.NtAccessCheckByType(sd_buffer, self_sid, imp_token.Handle, access_rights,
SafeHGlobalBuffer.Null, 0, ref generic_mapping, privs,
ref buffer_length, out AccessMask granted_access, out NtStatus result_status).ToNtException();
if (result_status.IsSuccess())
{
return(granted_access);
}
return(AccessMask.Empty);
}
}
}
}
}
/// <summary>
/// Looks up the account name of a SID.
/// </summary>
/// <param name="sid">The SID to lookup</param>
/// <returns>The name, or null if the lookup failed</returns>
public static string LookupAccountSid(Sid sid)
{
using (SafeSidBufferHandle sid_buffer = sid.ToSafeBuffer())
{
StringBuilder name = new StringBuilder(1024);
int length = name.Capacity;
StringBuilder domain = new StringBuilder(1024);
int domain_length = domain.Capacity;
if (!Win32NativeMethods.LookupAccountSid(null, sid_buffer, name,
ref length, domain, ref domain_length, out SidNameUse name_use))
{
return(null);
}
if (domain_length == 0)
{
return(name.ToString());
}
else
{
return($@"{domain}\{name}");
}
}
}
/// <summary>
/// Looks up the account name of a SID.
/// </summary>
/// <param name="sid">The SID to lookup</param>
/// <returns>The name, or null if the lookup failed</returns>
public static string LookupAccountSid(Sid sid)
{
using (SafeSidBufferHandle sid_buffer = sid.ToSafeBuffer())
{
StringBuilder name = new StringBuilder(1024);
int length = name.Capacity;
StringBuilder domain = new StringBuilder(1024);
int domain_length = domain.Capacity;
SidNameUse name_use;
if (!LookupAccountSid(null, sid_buffer, name, ref length, domain, ref domain_length, out name_use))
{
return(null);
}
if (domain_length == 0)
{
return(name.ToString());
}
else
{
return(String.Format("{0}\\{1}", domain, name));
}
}
}
/// <summary>
/// Compares two sids to see if their prefixes are the same.
/// </summary>
/// <param name="sid">The sid to compare against</param>
/// <returns>True if the sids share a prefix.</returns>
public bool EqualPrefix(Sid sid)
{
using (SafeSidBufferHandle sid1 = ToSafeBuffer(), sid2 = sid.ToSafeBuffer())
{
return NtRtl.RtlEqualPrefixSid(sid1, sid2);
}
}
