void Init(bool isContainer, bool isDS, RawSecurityDescriptor rawSecurityDescriptor)
{
if (null == rawSecurityDescriptor)
{
throw new ArgumentNullException("rawSecurityDescriptor");
}
SystemAcl sacl = null;
if (null != rawSecurityDescriptor.SystemAcl)
{
sacl = new SystemAcl(isContainer, isDS, rawSecurityDescriptor.SystemAcl);
}
DiscretionaryAcl dacl = null;
if (null != rawSecurityDescriptor.DiscretionaryAcl)
{
dacl = new DiscretionaryAcl(isContainer, isDS, rawSecurityDescriptor.DiscretionaryAcl);
}
Init(isContainer, isDS,
rawSecurityDescriptor.ControlFlags,
rawSecurityDescriptor.Owner,
rawSecurityDescriptor.Group,
sacl, dacl);
}
public void PurgeAudit(SecurityIdentifier sid)
{
if (SystemAcl != null)
{
SystemAcl.Purge(sid);
}
}
private void CreateFromParts(bool isContainer, bool isDS, ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, SystemAcl systemAcl, DiscretionaryAcl discretionaryAcl)
{
if (systemAcl != null && systemAcl.IsContainer != isContainer)
{
throw new ArgumentException(Environment.GetResourceString(isContainer ? "AccessControl_MustSpecifyContainerAcl" : "AccessControl_MustSpecifyLeafObjectAcl"), "systemAcl");
}
if (discretionaryAcl != null && discretionaryAcl.IsContainer != isContainer)
{
throw new ArgumentException(Environment.GetResourceString(isContainer ? "AccessControl_MustSpecifyContainerAcl" : "AccessControl_MustSpecifyLeafObjectAcl"), "discretionaryAcl");
}
this._isContainer = isContainer;
if (systemAcl != null && systemAcl.IsDS != isDS)
{
throw new ArgumentException(Environment.GetResourceString(isDS ? "AccessControl_MustSpecifyDirectoryObjectAcl" : "AccessControl_MustSpecifyNonDirectoryObjectAcl"), "systemAcl");
}
if (discretionaryAcl != null && discretionaryAcl.IsDS != isDS)
{
throw new ArgumentException(Environment.GetResourceString(isDS ? "AccessControl_MustSpecifyDirectoryObjectAcl" : "AccessControl_MustSpecifyNonDirectoryObjectAcl"), "discretionaryAcl");
}
this._isDS = isDS;
this._sacl = systemAcl;
if (discretionaryAcl == null)
{
discretionaryAcl = DiscretionaryAcl.CreateAllowEveryoneFullAccess(this._isDS, this._isContainer);
}
this._dacl = discretionaryAcl;
ControlFlags controlFlags = flags | ControlFlags.DiscretionaryAclPresent;
this._rawSd = new RawSecurityDescriptor(systemAcl != null ? controlFlags | ControlFlags.SystemAclPresent : controlFlags& ~ControlFlags.SystemAclPresent, owner, group, systemAcl == null ? (RawAcl)null : systemAcl.RawAcl, discretionaryAcl.RawAcl);
}
public void AddAuditObjectAceAndCommonAce ()
{
SecurityIdentifier sid = new SecurityIdentifier ("BA");
SystemAcl sacl = new SystemAcl (false, true, 0);
sacl.AddAudit (AuditFlags.Success, sid, 1, InheritanceFlags.None, PropagationFlags.None,
ObjectAceFlags.ObjectAceTypePresent, Guid.NewGuid (), Guid.Empty);
sacl.AddAudit (AuditFlags.Success, sid, 1, InheritanceFlags.None, PropagationFlags.None,
ObjectAceFlags.None, Guid.Empty, Guid.Empty);
Assert.AreEqual (2, sacl.Count);
CommonAce cace = (CommonAce)sacl [0];
Assert.AreEqual (1, cace.AccessMask);
Assert.AreEqual ("S-1-5-32-544", cace.SecurityIdentifier.Value);
Assert.IsFalse (cace.IsCallback);
Assert.IsFalse (cace.IsInherited);
ObjectAce oace = (ObjectAce)sacl [1];
Assert.AreEqual (1, oace.AccessMask);
Assert.AreEqual ("S-1-5-32-544", oace.SecurityIdentifier.Value);
Assert.IsFalse (oace.IsCallback);
Assert.IsFalse (oace.IsInherited);
sacl.AddAudit (AuditFlags.Success, sid, 2, InheritanceFlags.None, PropagationFlags.None,
ObjectAceFlags.None, Guid.Empty, Guid.Empty);
Assert.AreEqual (2, sacl.Count);
CommonAce cace2 = (CommonAce)sacl [0];
Assert.AreEqual (3, cace2.AccessMask);
}
public CommonSecurityDescriptor(bool isContainer, bool isDS,
ControlFlags flags,
SecurityIdentifier owner,
SecurityIdentifier group,
SystemAcl systemAcl,
DiscretionaryAcl discretionaryAcl)
{
Init(isContainer, isDS, flags, owner, group, systemAcl, discretionaryAcl);
}
public CommonSecurityDescriptor (bool isContainer, bool isDS,
ControlFlags flags,
SecurityIdentifier owner,
SecurityIdentifier group,
SystemAcl systemAcl,
DiscretionaryAcl discretionaryAcl)
{
Init (isContainer, isDS, flags, owner, group, systemAcl, discretionaryAcl);
}
public void PurgeAudit(SecurityIdentifier sid)
{
ArgumentNullException.ThrowIfNull(sid);
if (SystemAcl != null)
{
SystemAcl.Purge(sid);
}
}
/// <summary>Initializes a new instance of the <see cref="T:System.Security.AccessControl.CommonSecurityDescriptor" /> class from the specified information.</summary>
/// <param name="isContainer">true if the new security descriptor is associated with a container object.</param>
/// <param name="isDS">true if the new security descriptor is associated with a directory object.</param>
/// <param name="flags">Flags that specify behavior of the new <see cref="T:System.Security.AccessControl.CommonSecurityDescriptor" /> object.</param>
/// <param name="owner">The owner for the new <see cref="T:System.Security.AccessControl.CommonSecurityDescriptor" /> object.</param>
/// <param name="group">The primary group for the new <see cref="T:System.Security.AccessControl.CommonSecurityDescriptor" /> object.</param>
/// <param name="systemAcl">The System Access Control List (SACL) for the new <see cref="T:System.Security.AccessControl.CommonSecurityDescriptor" /> object.</param>
/// <param name="discretionaryAcl">The Discretionary Access Control List (DACL) for the new <see cref="T:System.Security.AccessControl.CommonSecurityDescriptor" /> object.</param>
public CommonSecurityDescriptor(bool isContainer, bool isDS, ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, SystemAcl systemAcl, DiscretionaryAcl discretionaryAcl)
{
this.isContainer = isContainer;
this.isDS = isDS;
this.flags = flags;
this.owner = owner;
this.group = group;
this.systemAcl = systemAcl;
this.discretionaryAcl = discretionaryAcl;
throw new NotImplementedException();
}
public void AddAuditMergesFlags ()
{
SecurityIdentifier sid = new SecurityIdentifier ("BA");
SystemAcl sacl = new SystemAcl (false, false, 0);
sacl.AddAudit (AuditFlags.Success, sid, 1, InheritanceFlags.None, PropagationFlags.None);
sacl.AddAudit (AuditFlags.Failure, sid, 1, InheritanceFlags.None, PropagationFlags.None);
Assert.AreEqual (1, sacl.Count);
CommonAce ace = (CommonAce)sacl [0];
Assert.AreEqual (AuditFlags.Success|AuditFlags.Failure, ace.AuditFlags);
}
public void PurgeAudit(SecurityIdentifier sid)
{
if (sid == null)
{
throw new ArgumentNullException(nameof(sid));
}
if (SystemAcl != null)
{
SystemAcl.Purge(sid);
}
}
public void PurgeAudit(SecurityIdentifier sid)
{
if (sid == null)
{
throw new ArgumentNullException("sid");
}
Contract.EndContractBlock();
if (SystemAcl != null)
{
SystemAcl.Purge(sid);
}
}
public void AddAuditCommonAce ()
{
SecurityIdentifier sid = new SecurityIdentifier ("BA");
SystemAcl sacl = new SystemAcl (false, false, 0);
sacl.AddAudit (AuditFlags.Success, sid, 1, InheritanceFlags.None, PropagationFlags.None);
Assert.AreEqual (1, sacl.Count);
CommonAce ace = (CommonAce)sacl [0];
Assert.AreEqual (AuditFlags.Success, ace.AuditFlags);
Assert.AreEqual (1, ace.AccessMask);
Assert.AreEqual ("S-1-5-32-544", ace.SecurityIdentifier.Value);
Assert.IsFalse (ace.IsInherited);
}
public void SetSystemAclProtection(bool isProtected,
bool preserveInheritance)
{
if (!isProtected)
{
flags &= ~ControlFlags.SystemAclProtected;
return;
}
flags |= ControlFlags.SystemAclProtected;
if (!preserveInheritance && SystemAcl != null)
{
SystemAcl.RemoveInheritedAces();
}
}
public void AddAuditCommonAceUsingDSOverload ()
{
SecurityIdentifier sid = new SecurityIdentifier ("BA");
SystemAcl sacl = new SystemAcl (false, true, 0);
sacl.AddAudit (AuditFlags.Failure, sid, 1, InheritanceFlags.None, PropagationFlags.None,
ObjectAceFlags.None, Guid.NewGuid (), Guid.NewGuid ());
Assert.AreEqual (1, sacl.Count);
CommonAce ace = (CommonAce)sacl [0];
Assert.AreEqual (AuditFlags.Failure, ace.AuditFlags);
Assert.AreEqual (1, ace.AccessMask);
Assert.AreEqual ("S-1-5-32-544", ace.SecurityIdentifier.Value);
Assert.IsFalse (ace.IsInherited);
}
public void SetSystemAclProtection(bool isProtected, bool preserveInheritance)
{
if (!isProtected)
{
RemoveControlFlags(ControlFlags.SystemAclProtected);
}
else
{
if (!preserveInheritance && SystemAcl != null)
{
SystemAcl.RemoveInheritedAces();
}
AddControlFlags(ControlFlags.SystemAclProtected);
}
}
void Init(bool isContainer, bool isDS,
ControlFlags flags,
SecurityIdentifier owner,
SecurityIdentifier group,
SystemAcl systemAcl,
DiscretionaryAcl discretionaryAcl)
{
this.flags = flags & ~ControlFlags.SystemAclPresent;
this.is_container = isContainer;
this.is_ds = isDS;
Owner = owner;
Group = group;
SystemAcl = systemAcl;
DiscretionaryAcl = discretionaryAcl;
}
public CommonSecurityDescriptor (bool isContainer, bool isDS,
ControlFlags flags,
SecurityIdentifier owner,
SecurityIdentifier group,
SystemAcl systemAcl,
DiscretionaryAcl discretionaryAcl)
{
this.isContainer = isContainer;
this.isDS = isDS;
this.flags = flags;
this.owner = owner;
this.group = group;
this.systemAcl = systemAcl;
this.discretionaryAcl = discretionaryAcl;
throw new NotImplementedException ();
}
void Init (bool isContainer, bool isDS, RawSecurityDescriptor rawSecurityDescriptor)
{
if (null == rawSecurityDescriptor)
throw new ArgumentNullException ("rawSecurityDescriptor");
SystemAcl sacl = null;
if (null != rawSecurityDescriptor.SystemAcl)
sacl = new SystemAcl (isContainer, isDS, rawSecurityDescriptor.SystemAcl);
DiscretionaryAcl dacl = null;
if (null != rawSecurityDescriptor.DiscretionaryAcl)
dacl = new DiscretionaryAcl (isContainer, isDS, rawSecurityDescriptor.DiscretionaryAcl);
Init (isContainer, isDS,
rawSecurityDescriptor.ControlFlags,
rawSecurityDescriptor.Owner,
rawSecurityDescriptor.Group,
sacl, dacl);
}
public void IndexerMakesCopies ()
{
// This behavior is mentioned in the DiscretionaryAcl RawAcl constructor overload.
// Turns out it applies to more than just the constructor.
SecurityIdentifier worldSid = new SecurityIdentifier ("WD");
// RawAcl does not make copies.
RawAcl acl = new RawAcl (RawAcl.AclRevision, 1);
CommonAce ace = new CommonAce (AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, worldSid, false, null);
acl.InsertAce (0, ace);
Assert.AreSame (acl [0], acl [0]);
// CommonAcl does.
SystemAcl sacl = new SystemAcl (false, false, acl);
Assert.AreNotSame (sacl [0], sacl [0]);
// Make sure the copying occurs in the constructor as well as the indexer.
ace.AceFlags = AceFlags.FailedAccess;
Assert.AreEqual (AceFlags.SuccessfulAccess, sacl [0].AceFlags);
}
public void PurgeAudit(SecurityIdentifier sid)
{
ArgumentNullException.ThrowIfNull(sid);
SystemAcl?.Purge(sid);
}
private void Persist(string name, SafeHandle handle, AccessControlSections includeSections, object exceptionContext)
{
base.WriteLock();
try
{
SecurityInfos securityInformation = 0;
SecurityIdentifier owner = null;
SecurityIdentifier group = null;
SystemAcl sacl = null;
DiscretionaryAcl dacl = null;
if (((includeSections & AccessControlSections.Owner) != AccessControlSections.None) && (base._securityDescriptor.Owner != null))
{
securityInformation |= SecurityInfos.Owner;
owner = base._securityDescriptor.Owner;
}
if (((includeSections & AccessControlSections.Group) != AccessControlSections.None) && (base._securityDescriptor.Group != null))
{
securityInformation |= SecurityInfos.Group;
group = base._securityDescriptor.Group;
}
if ((includeSections & AccessControlSections.Audit) != AccessControlSections.None)
{
securityInformation |= SecurityInfos.SystemAcl;
if ((base._securityDescriptor.IsSystemAclPresent && (base._securityDescriptor.SystemAcl != null)) && (base._securityDescriptor.SystemAcl.Count > 0))
{
sacl = base._securityDescriptor.SystemAcl;
}
else
{
sacl = null;
}
if ((base._securityDescriptor.ControlFlags & ControlFlags.SystemAclProtected) != ControlFlags.None)
{
securityInformation |= (SecurityInfos)this.ProtectedSystemAcl;
}
else
{
securityInformation |= (SecurityInfos)this.UnprotectedSystemAcl;
}
}
if (((includeSections & AccessControlSections.Access) != AccessControlSections.None) && base._securityDescriptor.IsDiscretionaryAclPresent)
{
securityInformation |= SecurityInfos.DiscretionaryAcl;
if (base._securityDescriptor.DiscretionaryAcl.EveryOneFullAccessForNullDacl)
{
dacl = null;
}
else
{
dacl = base._securityDescriptor.DiscretionaryAcl;
}
if ((base._securityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclProtected) != ControlFlags.None)
{
securityInformation |= (SecurityInfos)this.ProtectedDiscretionaryAcl;
}
else
{
securityInformation |= (SecurityInfos)this.UnprotectedDiscretionaryAcl;
}
}
if (securityInformation == 0)
{
return;
}
int errorCode = System.Security.AccessControl.Win32.SetSecurityInfo(this._resourceType, name, handle, securityInformation, owner, group, sacl, dacl);
if (errorCode == 0)
{
goto Label_0249;
}
Exception exception = null;
if (this._exceptionFromErrorCode != null)
{
exception = this._exceptionFromErrorCode(errorCode, name, handle, exceptionContext);
}
if (exception == null)
{
switch (errorCode)
{
case 5:
exception = new UnauthorizedAccessException();
goto Label_0246;
case 0x51b:
exception = new InvalidOperationException(Environment.GetResourceString("AccessControl_InvalidOwner"));
goto Label_0246;
case 0x51c:
exception = new InvalidOperationException(Environment.GetResourceString("AccessControl_InvalidGroup"));
goto Label_0246;
case 0x7b:
exception = new ArgumentException(Environment.GetResourceString("Argument_InvalidName"), "name");
goto Label_0246;
case 6:
exception = new NotSupportedException(Environment.GetResourceString("AccessControl_InvalidHandle"));
goto Label_0246;
case 2:
exception = new FileNotFoundException();
goto Label_0246;
case 0x546:
exception = new NotSupportedException(Environment.GetResourceString("AccessControl_NoAssociatedSecurity"));
goto Label_0246;
}
exception = new InvalidOperationException(Environment.GetResourceString("AccessControl_UnexpectedError", new object[] { errorCode }));
}
Label_0246:
throw exception;
Label_0249:
base.OwnerModified = false;
base.GroupModified = false;
base.AccessRulesModified = false;
base.AuditRulesModified = false;
}
finally
{
base.WriteUnlock();
}
}
public byte[] ToSaclBytes()
{
SystemAcl sacl = new SystemAcl(false, false, 0);
byte[] bytes = new byte[sacl.BinaryLength];
sacl.GetBinaryForm(bytes, 0);
return bytes;
}
internal static void SetAccessControlExtracted(FileSystemSecurity security, string name)
{
//security.WriteLock();
AccessControlSections includeSections = AccessControlSections.Audit | AccessControlSections.Owner | AccessControlSections.Group;
SecurityInfos securityInfo = (SecurityInfos)0;
SecurityIdentifier owner = null;
SecurityIdentifier group = null;
SystemAcl sacl = null;
DiscretionaryAcl dacl = null;
if ((includeSections & AccessControlSections.Owner) != AccessControlSections.None)
{
owner = (SecurityIdentifier)security.GetOwner(typeof(SecurityIdentifier));
if (owner != null)
{
securityInfo = securityInfo | SecurityInfos.Owner;
}
}
if ((includeSections & AccessControlSections.Group) != AccessControlSections.None)
{
@group = (SecurityIdentifier)security.GetGroup(typeof(SecurityIdentifier));
if (@group != null)
{
securityInfo = securityInfo | SecurityInfos.Group;
}
}
var securityDescriptorBinaryForm = security.GetSecurityDescriptorBinaryForm();
RawSecurityDescriptor rawSecurityDescriptor = null;
bool isDiscretionaryAclPresent = false;
if (securityDescriptorBinaryForm != null)
{
rawSecurityDescriptor = new RawSecurityDescriptor(securityDescriptorBinaryForm, 0);
isDiscretionaryAclPresent = (rawSecurityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclPresent) != ControlFlags.None;
}
if ((includeSections & AccessControlSections.Audit) != AccessControlSections.None)
{
securityInfo = securityInfo | SecurityInfos.SystemAcl;
sacl = null;
if (rawSecurityDescriptor != null)
{
var isSystemAclPresent = (rawSecurityDescriptor.ControlFlags & ControlFlags.SystemAclPresent) != ControlFlags.None;
if (isSystemAclPresent && rawSecurityDescriptor.SystemAcl != null && rawSecurityDescriptor.SystemAcl.Count > 0)
{
// are all system acls on a file not a container?
const bool notAContainer = false;
const bool notADirectoryObjectACL = false;
sacl = new SystemAcl(notAContainer, notADirectoryObjectACL,
rawSecurityDescriptor.SystemAcl);
}
securityInfo = (SecurityInfos)(((rawSecurityDescriptor.ControlFlags & ControlFlags.SystemAclProtected) == ControlFlags.None ?
(uint)securityInfo | UnprotectedSystemAcl : (uint)securityInfo | ProtectedSystemAcl));
}
}
if ((includeSections & AccessControlSections.Access) != AccessControlSections.None && isDiscretionaryAclPresent)
{
securityInfo = securityInfo | SecurityInfos.DiscretionaryAcl;
dacl = null;
if (rawSecurityDescriptor != null)
{
//if (!this._securityDescriptor.DiscretionaryAcl.EveryOneFullAccessForNullDacl)
{
dacl = new DiscretionaryAcl(false, false, rawSecurityDescriptor.DiscretionaryAcl);
}
securityInfo = (SecurityInfos)(((rawSecurityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclProtected) == ControlFlags.None ?
(uint)securityInfo | UnprotectedDiscretionaryAcl : (uint)securityInfo | ProtectedDiscretionaryAcl));
}
}
if (securityInfo == 0) return;
int errorNum = SetSecurityInfo(ResourceType.FileObject, name, null, securityInfo, owner, @group, sacl, dacl);
if (errorNum != 0)
{
Exception exception = GetExceptionFromWin32Error(errorNum, name);
if (exception == null)
{
if (errorNum == NativeMethods.ERROR_ACCESS_DENIED)
{
exception = new UnauthorizedAccessException();
}
else if (errorNum == NativeMethods.ERROR_INVALID_OWNER)
{
exception = new InvalidOperationException("Invalid owner");
}
else if (errorNum == NativeMethods.ERROR_INVALID_PRIMARY_GROUP)
{
exception = new InvalidOperationException("Invalid group");
}
else if (errorNum == NativeMethods.ERROR_INVALID_NAME)
{
exception = new ArgumentException("Invalid name", "name");
}
else if (errorNum == NativeMethods.ERROR_INVALID_HANDLE)
{
exception = new NotSupportedException("Invalid Handle");
}
else if (errorNum == NativeMethods.ERROR_FILE_NOT_FOUND)
{
exception = new FileNotFoundException();
}
else if (errorNum != NativeMethods.ERROR_NO_SECURITY_ON_OBJECT)
{
exception = new InvalidOperationException("Unexpected error");
}
else
{
exception = new NotSupportedException("No associated security");
}
}
throw exception;
}
//finally
//{
//security.WriteLUnlck();
//}
}
/// <summary>Initializes a new instance of the <see cref="T:System.Security.AccessControl.CommonSecurityDescriptor" /> class from the specified information.</summary><param name="isContainer">true if the new security descriptor is associated with a container object.</param><param name="isDS">true if the new security descriptor is associated with a directory object.</param><param name="flags">Flags that specify behavior of the new <see cref="T:System.Security.AccessControl.CommonSecurityDescriptor" /> object.</param><param name="owner">The owner for the new <see cref="T:System.Security.AccessControl.CommonSecurityDescriptor" /> object.</param><param name="group">The primary group for the new <see cref="T:System.Security.AccessControl.CommonSecurityDescriptor" /> object.</param><param name="systemAcl">The System Access Control List (SACL) for the new <see cref="T:System.Security.AccessControl.CommonSecurityDescriptor" /> object.</param><param name="discretionaryAcl">The Discretionary Access Control List (DACL) for the new <see cref="T:System.Security.AccessControl.CommonSecurityDescriptor" /> object.</param>
public CommonSecurityDescriptor(bool isContainer, bool isDS, ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, SystemAcl systemAcl, DiscretionaryAcl discretionaryAcl)
{
throw new NotImplementedException();
}
void RemoveSpecificBegin (SecurityIdentifier sid, SystemAcl sacl, InheritanceFlags inheritanceFlags)
{
SecurityIdentifier otherSid = new SecurityIdentifier ("BU");
sacl.AddAudit (AuditFlags.Success, sid, 3, inheritanceFlags, PropagationFlags.None);
Assert.AreEqual (1, sacl.Count);
sacl.RemoveAuditSpecific (AuditFlags.Failure, sid, 1, inheritanceFlags, PropagationFlags.None);
Assert.AreEqual (1, sacl.Count);
sacl.RemoveAuditSpecific (AuditFlags.Success, otherSid, 1, inheritanceFlags, PropagationFlags.None);
Assert.AreEqual (1, sacl.Count);
sacl.RemoveAuditSpecific (AuditFlags.Success, sid, 1, inheritanceFlags, PropagationFlags.None);
Assert.AreEqual (1, sacl.Count);
Assert.AreEqual (3, ((CommonAce)sacl [0]).AccessMask);
sacl.RemoveAuditSpecific (AuditFlags.Success, sid, 3,
inheritanceFlags ^ InheritanceFlags.ContainerInherit,
PropagationFlags.None);
Assert.AreEqual (1, sacl.Count);
}
private void CreateFromParts(bool isContainer, bool isDS, ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, SystemAcl systemAcl, DiscretionaryAcl discretionaryAcl)
{
if (systemAcl != null &&
systemAcl.IsContainer != isContainer)
{
throw new ArgumentException(
isContainer ?
SR.AccessControl_MustSpecifyContainerAcl :
SR.AccessControl_MustSpecifyLeafObjectAcl,
nameof(systemAcl));
}
if (discretionaryAcl != null &&
discretionaryAcl.IsContainer != isContainer)
{
throw new ArgumentException(
isContainer ?
SR.AccessControl_MustSpecifyContainerAcl :
SR.AccessControl_MustSpecifyLeafObjectAcl,
nameof(discretionaryAcl));
}
_isContainer = isContainer;
if (systemAcl != null &&
systemAcl.IsDS != isDS)
{
throw new ArgumentException(
isDS ?
SR.AccessControl_MustSpecifyDirectoryObjectAcl :
SR.AccessControl_MustSpecifyNonDirectoryObjectAcl,
nameof(systemAcl));
}
if (discretionaryAcl != null &&
discretionaryAcl.IsDS != isDS)
{
throw new ArgumentException(
isDS ?
SR.AccessControl_MustSpecifyDirectoryObjectAcl :
SR.AccessControl_MustSpecifyNonDirectoryObjectAcl,
nameof(discretionaryAcl));
}
_isDS = isDS;
_sacl = systemAcl;
//
// Replace null DACL with an allow-all for everyone DACL
//
if (discretionaryAcl == null)
{
//
// to conform to native behavior, we will add allow everyone ace for DACL
//
discretionaryAcl = DiscretionaryAcl.CreateAllowEveryoneFullAccess(_isDS, _isContainer);
}
_dacl = discretionaryAcl;
//
// DACL is never null. So always set the flag bit on
//
ControlFlags actualFlags = flags | ControlFlags.DiscretionaryAclPresent;
//
// Keep SACL and the flag bit in sync.
//
if (systemAcl == null)
{
unchecked { actualFlags &= ~(ControlFlags.SystemAclPresent); }
}
else
{
actualFlags |= (ControlFlags.SystemAclPresent);
}
_rawSd = new RawSecurityDescriptor(actualFlags, owner, group, systemAcl == null ? null : systemAcl.RawAcl, discretionaryAcl.RawAcl);
}
public void AddSystemAcl(byte revision, int trusted)
{
SystemAcl = new SystemAcl (IsContainer, IsDS, revision, trusted);
flags |= ControlFlags.SystemAclPresent;
}
public CommonSecurityDescriptor(bool isContainer, bool isDS, ControlFlags flags, System.Security.Principal.SecurityIdentifier owner, System.Security.Principal.SecurityIdentifier group, SystemAcl systemAcl, DiscretionaryAcl discretionaryAcl)
{
}
public CommonSecurityDescriptor(bool isContainer, bool isDS, ControlFlags flags, System.Security.Principal.SecurityIdentifier owner, System.Security.Principal.SecurityIdentifier group, SystemAcl systemAcl, DiscretionaryAcl discretionaryAcl)
{
}
public void AddSystemAcl(byte revision, int trusted)
{
SystemAcl = new SystemAcl(IsContainer, IsDS, revision, trusted);
flags |= ControlFlags.SystemAclPresent;
}
private void Persist(string name, SafeHandle handle, AccessControlSections includeSections, object exceptionContext)
{
base.WriteLock();
try
{
SecurityInfos securityInfos = (SecurityInfos)0;
SecurityIdentifier owner = null;
SecurityIdentifier group = null;
SystemAcl sacl = null;
DiscretionaryAcl dacl = null;
if ((includeSections & AccessControlSections.Owner) != AccessControlSections.None && this._securityDescriptor.Owner != null)
{
securityInfos |= SecurityInfos.Owner;
owner = this._securityDescriptor.Owner;
}
if ((includeSections & AccessControlSections.Group) != AccessControlSections.None && this._securityDescriptor.Group != null)
{
securityInfos |= SecurityInfos.Group;
group = this._securityDescriptor.Group;
}
if ((includeSections & AccessControlSections.Audit) != AccessControlSections.None)
{
securityInfos |= SecurityInfos.SystemAcl;
if (this._securityDescriptor.IsSystemAclPresent && this._securityDescriptor.SystemAcl != null && this._securityDescriptor.SystemAcl.Count > 0)
{
sacl = this._securityDescriptor.SystemAcl;
}
else
{
sacl = null;
}
if ((this._securityDescriptor.ControlFlags & ControlFlags.SystemAclProtected) != ControlFlags.None)
{
securityInfos |= (SecurityInfos)this.ProtectedSystemAcl;
}
else
{
securityInfos |= (SecurityInfos)this.UnprotectedSystemAcl;
}
}
if ((includeSections & AccessControlSections.Access) != AccessControlSections.None && this._securityDescriptor.IsDiscretionaryAclPresent)
{
securityInfos |= SecurityInfos.DiscretionaryAcl;
if (this._securityDescriptor.DiscretionaryAcl.EveryOneFullAccessForNullDacl)
{
dacl = null;
}
else
{
dacl = this._securityDescriptor.DiscretionaryAcl;
}
if ((this._securityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclProtected) != ControlFlags.None)
{
securityInfos |= (SecurityInfos)this.ProtectedDiscretionaryAcl;
}
else
{
securityInfos |= (SecurityInfos)this.UnprotectedDiscretionaryAcl;
}
}
if (securityInfos != (SecurityInfos)0)
{
int num = Win32.SetSecurityInfo(this._resourceType, name, handle, securityInfos, owner, group, sacl, dacl);
if (num != 0)
{
Exception ex = null;
if (this._exceptionFromErrorCode != null)
{
ex = this._exceptionFromErrorCode(num, name, handle, exceptionContext);
}
if (ex == null)
{
if (num == 5)
{
ex = new UnauthorizedAccessException();
}
else if (num == 1307)
{
ex = new InvalidOperationException(Environment.GetResourceString("AccessControl_InvalidOwner"));
}
else if (num == 1308)
{
ex = new InvalidOperationException(Environment.GetResourceString("AccessControl_InvalidGroup"));
}
else if (num == 123)
{
ex = new ArgumentException(Environment.GetResourceString("Argument_InvalidName"), "name");
}
else if (num == 6)
{
ex = new NotSupportedException(Environment.GetResourceString("AccessControl_InvalidHandle"));
}
else if (num == 2)
{
ex = new FileNotFoundException();
}
else if (num == 1350)
{
ex = new NotSupportedException(Environment.GetResourceString("AccessControl_NoAssociatedSecurity"));
}
else
{
ex = new InvalidOperationException(Environment.GetResourceString("AccessControl_UnexpectedError", new object[]
{
num
}));
}
}
throw ex;
}
base.OwnerModified = false;
base.GroupModified = false;
base.AccessRulesModified = false;
base.AuditRulesModified = false;
}
}
finally
{
base.WriteUnlock();
}
}
public void SetAudit ()
{
SecurityIdentifier adminSid = new SecurityIdentifier ("BA"); // S-1-5-32-544
SecurityIdentifier userSid = new SecurityIdentifier ("BU"); // S-1-5-32-545
SystemAcl sacl = new SystemAcl (true, false, 0);
sacl.SetAudit (AuditFlags.Success, adminSid, 1, InheritanceFlags.ObjectInherit, PropagationFlags.None);
sacl.SetAudit (AuditFlags.Success, userSid, 2, InheritanceFlags.None, PropagationFlags.None);
Assert.AreEqual (2, sacl.Count);
CommonAce ace = (CommonAce)sacl [0];
Assert.AreEqual (adminSid, ace.SecurityIdentifier);
Assert.AreEqual (1, ace.AccessMask);
sacl.SetAudit (AuditFlags.Success, adminSid, 4, InheritanceFlags.ObjectInherit, PropagationFlags.None);
Assert.AreNotEqual (4, ace.AccessMask);
ace = (CommonAce)sacl [0];
Assert.AreEqual (4, ace.AccessMask);
sacl.SetAudit (AuditFlags.Failure, adminSid, 4, InheritanceFlags.ObjectInherit, PropagationFlags.None);
Assert.AreEqual (2, sacl.Count);
ace = (CommonAce)sacl [0];
Assert.AreEqual (AuditFlags.Failure, ace.AuditFlags);
Assert.AreEqual (adminSid, ace.SecurityIdentifier);
ace = (CommonAce)sacl [1];
Assert.AreEqual (AuditFlags.Success, ace.AuditFlags);
Assert.AreEqual (userSid, ace.SecurityIdentifier);
}
public void RemoveSpecific ()
{
SecurityIdentifier sid = new SecurityIdentifier ("BA");
SystemAcl sacl = new SystemAcl (false, false, 0);
RemoveSpecificBegin (sid, sacl, InheritanceFlags.None);
sacl.RemoveAuditSpecific (AuditFlags.Success, sid, 3, InheritanceFlags.None, PropagationFlags.None);
Assert.AreEqual (0, sacl.Count);
}
public void SaclPresent ()
{
SecurityIdentifier userSid = new SecurityIdentifier (WellKnownSidType.LocalSystemSid, null);
SecurityIdentifier groupSid = new SecurityIdentifier (WellKnownSidType.BuiltinAdministratorsSid, null);
SystemAcl sacl = new SystemAcl (false, false, 0);
CommonSecurityDescriptor csd;
csd = new CommonSecurityDescriptor
(false, false, ControlFlags.None, userSid, groupSid, null, null);
Assert.IsNull (csd.SystemAcl);
Assert.IsTrue (csd.IsSystemAclCanonical);
csd = new CommonSecurityDescriptor
(false, false, ControlFlags.SystemAclPresent, userSid, groupSid, null, null);
Assert.IsNull (csd.SystemAcl);
Assert.IsTrue (csd.IsSystemAclCanonical);
Assert.AreEqual (ControlFlags.DiscretionaryAclPresent | ControlFlags.SelfRelative, csd.ControlFlags);
csd = new CommonSecurityDescriptor
(false, false, ControlFlags.None, userSid, groupSid, sacl, null);
Assert.AreSame (sacl, csd.SystemAcl);
Assert.IsTrue (csd.IsSystemAclCanonical);
Assert.AreEqual (0, csd.SystemAcl.Count);
Assert.AreEqual (ControlFlags.DiscretionaryAclPresent
| ControlFlags.SystemAclPresent
| ControlFlags.SelfRelative, csd.ControlFlags);
csd.SystemAcl = null;
Assert.AreEqual (ControlFlags.DiscretionaryAclPresent
| ControlFlags.SelfRelative, csd.ControlFlags);
}
void Init (bool isContainer, bool isDS,
ControlFlags flags,
SecurityIdentifier owner,
SecurityIdentifier group,
SystemAcl systemAcl,
DiscretionaryAcl discretionaryAcl)
{
this.flags = flags & ~ControlFlags.SystemAclPresent;
this.is_container = isContainer;
this.is_ds = isDS;
Owner = owner;
Group = group;
SystemAcl = systemAcl;
DiscretionaryAcl = discretionaryAcl;
}
public void RemoveSpecificUsingDSOverload ()
{
SecurityIdentifier sid = new SecurityIdentifier ("BA");
SystemAcl sacl = new SystemAcl (false, true, 0);
RemoveSpecificBegin (sid, sacl, InheritanceFlags.None);
sacl.RemoveAuditSpecific (AuditFlags.Success, sid, 3, InheritanceFlags.None, PropagationFlags.None,
ObjectAceFlags.ObjectAceTypePresent, Guid.Empty, Guid.Empty);
Assert.AreEqual (1, sacl.Count);
sacl.RemoveAuditSpecific (AuditFlags.Success, sid, 3, InheritanceFlags.None, PropagationFlags.None,
ObjectAceFlags.None, Guid.Empty, Guid.Empty);
Assert.AreEqual (0, sacl.Count);
}
//
// Attempts to persist the security descriptor onto the object
//
private void Persist(string name, SafeHandle handle, AccessControlSections includeSections, object exceptionContext)
{
WriteLock();
try
{
int error;
SecurityInfos securityInfo = 0;
SecurityIdentifier owner = null, group = null;
SystemAcl sacl = null;
DiscretionaryAcl dacl = null;
if ((includeSections & AccessControlSections.Owner) != 0 && _securityDescriptor.Owner != null)
{
securityInfo |= SecurityInfos.Owner;
owner = _securityDescriptor.Owner;
}
if ((includeSections & AccessControlSections.Group) != 0 && _securityDescriptor.Group != null)
{
securityInfo |= SecurityInfos.Group;
group = _securityDescriptor.Group;
}
if ((includeSections & AccessControlSections.Audit) != 0)
{
securityInfo |= SecurityInfos.SystemAcl;
if (_securityDescriptor.IsSystemAclPresent &&
_securityDescriptor.SystemAcl != null &&
_securityDescriptor.SystemAcl.Count > 0)
{
sacl = _securityDescriptor.SystemAcl;
}
else
{
sacl = null;
}
if ((_securityDescriptor.ControlFlags & ControlFlags.SystemAclProtected) != 0)
{
securityInfo = (SecurityInfos)((uint)securityInfo | ProtectedSystemAcl);
}
else
{
securityInfo = (SecurityInfos)((uint)securityInfo | UnprotectedSystemAcl);
}
}
if ((includeSections & AccessControlSections.Access) != 0 && _securityDescriptor.IsDiscretionaryAclPresent)
{
securityInfo |= SecurityInfos.DiscretionaryAcl;
// if the DACL is in fact a crafted replaced for NULL replacement, then we will persist it as NULL
if (_securityDescriptor.DiscretionaryAcl.EveryOneFullAccessForNullDacl)
{
dacl = null;
}
else
{
dacl = _securityDescriptor.DiscretionaryAcl;
}
if ((_securityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclProtected) != 0)
{
securityInfo = unchecked ((SecurityInfos)((uint)securityInfo | ProtectedDiscretionaryAcl));
}
else
{
securityInfo = (SecurityInfos)((uint)securityInfo | UnprotectedDiscretionaryAcl);
}
}
if (securityInfo == 0)
{
//
// Nothing to persist
//
return;
}
error = Win32.SetSecurityInfo(_resourceType, name, handle, securityInfo, owner, group, sacl, dacl);
if (error != Interop.Errors.ERROR_SUCCESS)
{
System.Exception exception = null;
if (_exceptionFromErrorCode != null)
{
exception = _exceptionFromErrorCode(error, name, handle, exceptionContext);
}
if (exception == null)
{
if (error == Interop.Errors.ERROR_ACCESS_DENIED)
{
exception = new UnauthorizedAccessException();
}
else if (error == Interop.Errors.ERROR_INVALID_OWNER)
{
exception = new InvalidOperationException(SR.AccessControl_InvalidOwner);
}
else if (error == Interop.Errors.ERROR_INVALID_PRIMARY_GROUP)
{
exception = new InvalidOperationException(SR.AccessControl_InvalidGroup);
}
else if (error == Interop.Errors.ERROR_INVALID_NAME)
{
exception = new ArgumentException(SR.Argument_InvalidName, nameof(name));
}
else if (error == Interop.Errors.ERROR_INVALID_HANDLE)
{
exception = new NotSupportedException(SR.AccessControl_InvalidHandle);
}
else if (error == Interop.Errors.ERROR_FILE_NOT_FOUND)
{
exception = new FileNotFoundException();
}
else if (error == Interop.Errors.ERROR_NO_SECURITY_ON_OBJECT)
{
exception = new NotSupportedException(SR.AccessControl_NoAssociatedSecurity);
}
else
{
Debug.Fail($"Unexpected error code {error}");
exception = new InvalidOperationException(SR.Format(SR.AccessControl_UnexpectedError, error));
}
}
throw exception;
}
//
// Everything goes well, let us clean the modified flags.
// We are in proper write lock, so just go ahead
//
this.OwnerModified = false;
this.GroupModified = false;
this.AccessRulesModified = false;
this.AuditRulesModified = false;
}
finally
{
WriteUnlock();
}
}
private void Persist(string name, SafeHandle handle, AccessControlSections includeSections, object exceptionContext)
{
this.WriteLock();
try
{
SecurityInfos securityInformation = (SecurityInfos)0;
SecurityIdentifier owner = (SecurityIdentifier)null;
SecurityIdentifier group = (SecurityIdentifier)null;
SystemAcl systemAcl = (SystemAcl)null;
DiscretionaryAcl discretionaryAcl = (DiscretionaryAcl)null;
if ((includeSections & AccessControlSections.Owner) != AccessControlSections.None && this._securityDescriptor.Owner != (SecurityIdentifier)null)
{
securityInformation |= SecurityInfos.Owner;
owner = this._securityDescriptor.Owner;
}
if ((includeSections & AccessControlSections.Group) != AccessControlSections.None && this._securityDescriptor.Group != (SecurityIdentifier)null)
{
securityInformation |= SecurityInfos.Group;
group = this._securityDescriptor.Group;
}
if ((includeSections & AccessControlSections.Audit) != AccessControlSections.None)
{
SecurityInfos securityInfos = securityInformation | SecurityInfos.SystemAcl;
systemAcl = !this._securityDescriptor.IsSystemAclPresent || this._securityDescriptor.SystemAcl == null || this._securityDescriptor.SystemAcl.Count <= 0 ? (SystemAcl)null : this._securityDescriptor.SystemAcl;
securityInformation = (this._securityDescriptor.ControlFlags & ControlFlags.SystemAclProtected) == ControlFlags.None ? securityInfos | (SecurityInfos)this.UnprotectedSystemAcl : securityInfos | (SecurityInfos)this.ProtectedSystemAcl;
}
if ((includeSections & AccessControlSections.Access) != AccessControlSections.None && this._securityDescriptor.IsDiscretionaryAclPresent)
{
SecurityInfos securityInfos = securityInformation | SecurityInfos.DiscretionaryAcl;
discretionaryAcl = !this._securityDescriptor.DiscretionaryAcl.EveryOneFullAccessForNullDacl ? this._securityDescriptor.DiscretionaryAcl : (DiscretionaryAcl)null;
securityInformation = (this._securityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclProtected) == ControlFlags.None ? securityInfos | (SecurityInfos)this.UnprotectedDiscretionaryAcl : securityInfos | (SecurityInfos)this.ProtectedDiscretionaryAcl;
}
if (securityInformation == (SecurityInfos)0)
{
return;
}
int errorCode = Win32.SetSecurityInfo(this._resourceType, name, handle, securityInformation, owner, group, (GenericAcl)systemAcl, (GenericAcl)discretionaryAcl);
if (errorCode != 0)
{
Exception exception = (Exception)null;
if (this._exceptionFromErrorCode != null)
{
exception = this._exceptionFromErrorCode(errorCode, name, handle, exceptionContext);
}
if (exception == null)
{
if (errorCode == 5)
{
exception = (Exception) new UnauthorizedAccessException();
}
else if (errorCode == 1307)
{
exception = (Exception) new InvalidOperationException(Environment.GetResourceString("AccessControl_InvalidOwner"));
}
else if (errorCode == 1308)
{
exception = (Exception) new InvalidOperationException(Environment.GetResourceString("AccessControl_InvalidGroup"));
}
else if (errorCode == 123)
{
exception = (Exception) new ArgumentException(Environment.GetResourceString("Argument_InvalidName"), "name");
}
else if (errorCode == 6)
{
exception = (Exception) new NotSupportedException(Environment.GetResourceString("AccessControl_InvalidHandle"));
}
else if (errorCode == 2)
{
exception = (Exception) new FileNotFoundException();
}
else if (errorCode == 1350)
{
exception = (Exception) new NotSupportedException(Environment.GetResourceString("AccessControl_NoAssociatedSecurity"));
}
else
{
exception = (Exception) new InvalidOperationException(Environment.GetResourceString("AccessControl_UnexpectedError", (object)errorCode));
}
}
throw exception;
}
this.OwnerModified = false;
this.GroupModified = false;
this.AccessRulesModified = false;
this.AuditRulesModified = false;
}
finally
{
this.WriteUnlock();
}
}
private void CreateFromParts(bool isContainer, bool isDS, ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, SystemAcl systemAcl, DiscretionaryAcl discretionaryAcl)
{
if (systemAcl != null &&
systemAcl.IsContainer != isContainer)
{
throw new ArgumentException(
isContainer ?
SR.AccessControl_MustSpecifyContainerAcl :
SR.AccessControl_MustSpecifyLeafObjectAcl,
nameof(systemAcl));
}
if (discretionaryAcl != null &&
discretionaryAcl.IsContainer != isContainer)
{
throw new ArgumentException(
isContainer ?
SR.AccessControl_MustSpecifyContainerAcl :
SR.AccessControl_MustSpecifyLeafObjectAcl,
nameof(discretionaryAcl));
}
_isContainer = isContainer;
if (systemAcl != null &&
systemAcl.IsDS != isDS)
{
throw new ArgumentException(
isDS ?
SR.AccessControl_MustSpecifyDirectoryObjectAcl :
SR.AccessControl_MustSpecifyNonDirectoryObjectAcl,
nameof(systemAcl));
}
if (discretionaryAcl != null &&
discretionaryAcl.IsDS != isDS)
{
throw new ArgumentException(
isDS ?
SR.AccessControl_MustSpecifyDirectoryObjectAcl :
SR.AccessControl_MustSpecifyNonDirectoryObjectAcl,
nameof(discretionaryAcl));
}
_isDS = isDS;
_sacl = systemAcl;
//
// Replace null DACL with an allow-all for everyone DACL
//
if (discretionaryAcl == null)
{
//
// to conform to native behavior, we will add allow everyone ace for DACL
//
discretionaryAcl = DiscretionaryAcl.CreateAllowEveryoneFullAccess(_isDS, _isContainer);
}
_dacl = discretionaryAcl;
//
// DACL is never null. So always set the flag bit on
//
ControlFlags actualFlags = flags | ControlFlags.DiscretionaryAclPresent;
//
// Keep SACL and the flag bit in sync.
//
if (systemAcl == null)
{
unchecked { actualFlags &= ~(ControlFlags.SystemAclPresent); }
}
else
{
actualFlags |= (ControlFlags.SystemAclPresent);
}
_rawSd = new RawSecurityDescriptor(actualFlags, owner, group, systemAcl == null ? null : systemAcl.RawAcl, discretionaryAcl.RawAcl);
}
public void ContainerAndDSConsistencyEnforcedB ()
{
SecurityIdentifier userSid = new SecurityIdentifier (WellKnownSidType.LocalSystemSid, null);
SecurityIdentifier groupSid = new SecurityIdentifier (WellKnownSidType.BuiltinAdministratorsSid, null);
SystemAcl sacl = new SystemAcl (false, false, 0);
new CommonSecurityDescriptor (true, false, ControlFlags.None, userSid, groupSid, sacl, null);
}
