internal static CommonSecurityDescriptor GetServerPipeSecurity() { #if UNIX return(null); #else // Built-in Admin SID SecurityIdentifier adminSID = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null); DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 1); dacl.AddAccess( AccessControlType.Allow, adminSID, _pipeAccessMaskFullControl, InheritanceFlags.None, PropagationFlags.None); CommonSecurityDescriptor securityDesc = new CommonSecurityDescriptor( false, false, ControlFlags.DiscretionaryAclPresent | ControlFlags.OwnerDefaulted | ControlFlags.GroupDefaulted, null, null, null, dacl); // Conditionally add User SID bool isAdminElevated = new WindowsPrincipal(WindowsIdentity.GetCurrent()).IsInRole(WindowsBuiltInRole.Administrator); if (!isAdminElevated) { securityDesc.DiscretionaryAcl.AddAccess( AccessControlType.Allow, WindowsIdentity.GetCurrent().User, _pipeAccessMaskFullControl, InheritanceFlags.None, PropagationFlags.None); } return(securityDesc); #endif }
public void CreateTask(ScheduledJobDefinition definition) { if (definition != null) { ITaskDefinition variable = this._taskScheduler.NewTask(0); this.AddTaskOptions(variable, definition.Options); foreach (ScheduledJobTrigger jobTrigger in definition.JobTriggers) { this.AddTaskTrigger(variable, jobTrigger); } this.AddTaskAction(variable, definition); string str = "D:P(A;;GA;;;SY)(A;;GA;;;BA)"; SecurityIdentifier user = WindowsIdentity.GetCurrent().User; CommonSecurityDescriptor commonSecurityDescriptor = new CommonSecurityDescriptor(false, false, str); commonSecurityDescriptor.DiscretionaryAcl.AddAccess(AccessControlType.Allow, user, 0x10000000, InheritanceFlags.None, PropagationFlags.None); string sddlForm = commonSecurityDescriptor.GetSddlForm(AccessControlSections.All); if (definition.Credential != null) { this._iRootFolder.RegisterTaskDefinition(definition.Name, variable, 2, definition.Credential.UserName, this.GetCredentialPassword(definition.Credential), _TASK_LOGON_TYPE.TASK_LOGON_PASSWORD, sddlForm); return; } else { this._iRootFolder.RegisterTaskDefinition(definition.Name, variable, 2, null, null, _TASK_LOGON_TYPE.TASK_LOGON_S4U, sddlForm); return; } } else { throw new PSArgumentNullException("definition"); } }
public static int ComputeBinaryLength(CommonSecurityDescriptor commonSecurityDescriptor, bool needCountDacl) { int verifierBinaryLength = 0; if (commonSecurityDescriptor != null) { verifierBinaryLength = 20; //initialize the binary length to header length if (commonSecurityDescriptor.Owner != null) { verifierBinaryLength += commonSecurityDescriptor.Owner.BinaryLength; } if (commonSecurityDescriptor.Group != null) { verifierBinaryLength += commonSecurityDescriptor.Group.BinaryLength; } if ((commonSecurityDescriptor.ControlFlags & ControlFlags.SystemAclPresent) != 0 && commonSecurityDescriptor.SystemAcl != null) { verifierBinaryLength += commonSecurityDescriptor.SystemAcl.BinaryLength; } if ((commonSecurityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclPresent) != 0 && commonSecurityDescriptor.DiscretionaryAcl != null && needCountDacl) { verifierBinaryLength += commonSecurityDescriptor.DiscretionaryAcl.BinaryLength; } } return(verifierBinaryLength); }
/// <summary> /// Creates a new task in WTS with information from ScheduledJobDefinition. /// </summary> /// <param name="definition">ScheduledJobDefinition.</param> public void CreateTask( ScheduledJobDefinition definition) { if (definition == null) { throw new PSArgumentNullException("definition"); } // Create task definition ITaskDefinition iTaskDefinition = _taskScheduler.NewTask(0); // Add task options. AddTaskOptions(iTaskDefinition, definition.Options); // Add task triggers. foreach (ScheduledJobTrigger jobTrigger in definition.JobTriggers) { AddTaskTrigger(iTaskDefinition, jobTrigger); } // Add task action. AddTaskAction(iTaskDefinition, definition); // Create a security descriptor for the current user so that only the user // (and Local System account) can see/access the registered task. string startSddl = "D:P(A;;GA;;;SY)(A;;GA;;;BA)"; // DACL Allow Generic Access to System and BUILTIN\Administrators. System.Security.Principal.SecurityIdentifier userSid = System.Security.Principal.WindowsIdentity.GetCurrent().User; CommonSecurityDescriptor SDesc = new CommonSecurityDescriptor(false, false, startSddl); SDesc.DiscretionaryAcl.AddAccess(AccessControlType.Allow, userSid, 0x10000000, InheritanceFlags.None, PropagationFlags.None); string sddl = SDesc.GetSddlForm(AccessControlSections.All); // Register this new task with the Task Scheduler. if (definition.Credential == null) { // Register task to run as currently logged on user. _iRootFolder.RegisterTaskDefinition( definition.Name, iTaskDefinition, (int)_TASK_CREATION.TASK_CREATE, null, // User name null, // Password _TASK_LOGON_TYPE.TASK_LOGON_S4U, sddl); } else { // Register task to run under provided user account/credentials. _iRootFolder.RegisterTaskDefinition( definition.Name, iTaskDefinition, (int)_TASK_CREATION.TASK_CREATE, definition.Credential.UserName, GetCredentialPassword(definition.Credential), _TASK_LOGON_TYPE.TASK_LOGON_PASSWORD, sddl); } }
/// <summary> /// ProcessRecord method. /// </summary> protected override void ProcessRecord() { CommonSecurityDescriptor rawSecurityDescriptor = null; try { rawSecurityDescriptor = new CommonSecurityDescriptor(isContainer: false, isDS: false, Sddl); } catch (Exception e) { var ioe = PSTraceSource.NewInvalidOperationException(e, UtilityCommonStrings.InvalidSDDL, e.Message); ThrowTerminatingError(new ErrorRecord(ioe, "InvalidSDDL", ErrorCategory.InvalidArgument, Sddl)); } string owner = ConvertToNTAccount(rawSecurityDescriptor.Owner); string group = ConvertToNTAccount(rawSecurityDescriptor.Group); AccessRightTypeNames?typeToUse = _isTypeSet ? _type : (AccessRightTypeNames?)null; string[] discretionaryAcl = ConvertAccessControlListToStrings(rawSecurityDescriptor.DiscretionaryAcl, typeToUse); string[] systemAcl = ConvertAccessControlListToStrings(rawSecurityDescriptor.SystemAcl, typeToUse); var outObj = new SecurityDescriptorInfo(owner, group, discretionaryAcl, systemAcl, rawSecurityDescriptor); WriteObject(outObj); }
public static void AdditionalTestCases() { CommonSecurityDescriptor commonSecurityDescriptor = null; // Case1, null binary form Assert.Throws<ArgumentNullException>(() => { commonSecurityDescriptor = new CommonSecurityDescriptor(false, false, null, 0); // expect to throw exception but not }); // case 2: offset < 0 Assert.Throws<ArgumentOutOfRangeException>(() => { commonSecurityDescriptor = new CommonSecurityDescriptor(false, false, new byte[24], -1); // expect to throw exception but not }); // case 3: binaryForm.Length - offset < HeaderLength Assert.Throws<ArgumentOutOfRangeException>(() => { commonSecurityDescriptor = new CommonSecurityDescriptor(false, false, new byte[24], 5); // expect to throw exception but not }); // case 4: binaryForm[offset + 0] != Revision Assert.Throws<ArgumentOutOfRangeException>(() => { commonSecurityDescriptor = new CommonSecurityDescriptor(false, false, new byte[24], 0); // expect to throw exception but not }); // case 5: ControlFlags.SelfRelative is not set Assert.Throws<ArgumentException>(() => { byte[] binaryForm = new byte[24]; for (int i = 0; i < binaryForm.Length; i++) binaryForm[i] = 0; //set correct Revision binaryForm[0] = 1; commonSecurityDescriptor = new CommonSecurityDescriptor(false, false, binaryForm, 0); // expect to throw exception but not }); // Case 6, parameter binaryForm is empty Assert.Throws<ArgumentOutOfRangeException>(() => { commonSecurityDescriptor = new CommonSecurityDescriptor(false, false, new byte[0], 0); // expect to throw exception but not }); // Case 7, an array of garbage Assert.Throws<ArgumentException>(() => { byte[] binaryForm = { 1, 0, 0, 128, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 }; commonSecurityDescriptor = new CommonSecurityDescriptor(false, false, binaryForm, 0); // expect to throw exception }); }
public static void TestDiscretionaryAcl(bool isContainerSD, bool isDSSD, string sddl, bool isContainerDacl, bool isDSDacl, string newDaclStr) { bool result = false; bool isContainer = false; bool isDS = false; CommonSecurityDescriptor commonSecurityDescriptor = new CommonSecurityDescriptor(isContainerSD, isDSSD, sddl); DiscretionaryAcl dacl = newDaclStr == null ? null : new DiscretionaryAcl(isContainerDacl, isDSDacl, Utils.CreateRawAclFromString(newDaclStr)); try { //save IsContainer, IsDS isContainer = commonSecurityDescriptor.IsContainer; isDS = commonSecurityDescriptor.IsDS; commonSecurityDescriptor.DiscretionaryAcl = dacl; //per shawn, the controlflag will show DaclPresent when dacl assigned is null if ((commonSecurityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclPresent) != 0) { if (dacl == null) { //a dacl with Allow Everyone Everything Ace should be assigned if (commonSecurityDescriptor.DiscretionaryAcl.Count == 1 && commonSecurityDescriptor.IsContainer == isContainer && commonSecurityDescriptor.IsDS == isDS && Utils.VerifyDaclWithCraftedAce(commonSecurityDescriptor.IsContainer, commonSecurityDescriptor.IsDS, commonSecurityDescriptor.DiscretionaryAcl)) { result = true; } else { result = false; } } else if (dacl == commonSecurityDescriptor.DiscretionaryAcl) { result = true; } else { result = false; } } else { result = false; } } catch (NullReferenceException) { Assert.Null(dacl); result = true; } catch (ArgumentException) { Assert.True((dacl.IsContainer != commonSecurityDescriptor.IsContainer) || (dacl.IsDS != commonSecurityDescriptor.IsDS)); result = true; } Assert.True(result); }
/// <summary> /// Helper method to create a PowerShell transport named pipe via native API, along /// with a returned .Net NamedPipeServerStream object wrapping the named pipe. /// </summary> /// <param name="pipeName">Named pipe core name.</param> /// <param name="securityDesc"></param> /// <returns>NamedPipeServerStream</returns> internal static NamedPipeServerStream CreateNamedPipe( string pipeName, PipeSecurity pipeSecurity) { string fullPipeName = @"\\.\pipe\" + pipeName; CommonSecurityDescriptor securityDesc = new CommonSecurityDescriptor(false, false, pipeSecurity.GetSecurityDescriptorBinaryForm(), 0); // Create optional security attributes based on provided PipeSecurity. NamedPipeNative.SECURITY_ATTRIBUTES securityAttributes = null; GCHandle?securityDescHandle = null; if (securityDesc != null) { byte[] securityDescBuffer = new byte[securityDesc.BinaryLength]; securityDesc.GetBinaryForm(securityDescBuffer, 0); securityDescHandle = GCHandle.Alloc(securityDescBuffer, GCHandleType.Pinned); securityAttributes = NamedPipeNative.GetSecurityAttributes(securityDescHandle.Value); } // Create named pipe. SafePipeHandle pipeHandle = NamedPipeNative.CreateNamedPipe( fullPipeName, NamedPipeNative.PIPE_ACCESS_DUPLEX | NamedPipeNative.FILE_FLAG_FIRST_PIPE_INSTANCE | NamedPipeNative.FILE_FLAG_OVERLAPPED, NamedPipeNative.PIPE_TYPE_BYTE | NamedPipeNative.PIPE_READMODE_BYTE, 1, 1024, 1024, 0, securityAttributes); int lastError = Marshal.GetLastWin32Error(); if (securityDescHandle != null) { securityDescHandle.Value.Free(); } if (pipeHandle.IsInvalid) { throw new InvalidOperationException(); } // Create the .Net NamedPipeServerStream wrapper. try { return(new NamedPipeServerStream( PipeDirection.InOut, true, // IsAsync false, // IsConnected pipeHandle)); } catch (Exception) { pipeHandle.Dispose(); throw; } }
public static void TestGetSddlForm(bool isContainer, bool isDS, int flags, string ownerStr, string groupStr, string saclStr, string daclStr, bool getOwner, bool getGroup, bool getSacl, bool getDacl, string expectedSddl) { CommonSecurityDescriptor commonSecurityDescriptor = null; string resultSddl = null; ControlFlags controlFlags = ControlFlags.OwnerDefaulted; SecurityIdentifier owner = null; SecurityIdentifier group = null; RawAcl rawAcl = null; SystemAcl sacl = null; DiscretionaryAcl dacl = null; AccessControlSections accControlSections = AccessControlSections.None; controlFlags = (ControlFlags)flags; owner = (ownerStr != null) ? new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(ownerStr)) : null; group = (groupStr != null) ? new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(groupStr)) : null; rawAcl = (saclStr != null) ? Utils.CreateRawAclFromString(saclStr) : null; if (rawAcl == null) { sacl = null; } else { sacl = new SystemAcl(isContainer, isDS, rawAcl); } rawAcl = (daclStr != null) ? Utils.CreateRawAclFromString(daclStr) : null; if (rawAcl == null) { dacl = null; } else { dacl = new DiscretionaryAcl(isContainer, isDS, rawAcl); } commonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, controlFlags, owner, group, sacl, dacl); if (getOwner) { accControlSections |= AccessControlSections.Owner; } if (getGroup) { accControlSections |= AccessControlSections.Group; } if (getSacl) { accControlSections |= AccessControlSections.Audit; } if (getDacl) { accControlSections |= AccessControlSections.Access; } resultSddl = commonSecurityDescriptor.GetSddlForm(accControlSections); Assert.True(string.Compare(expectedSddl, resultSddl, StringComparison.CurrentCultureIgnoreCase) == 0); }
public static void TestCreateFromSddlForm(bool isContainer, bool isDS, string sddl, string verifierSddl) { CommonSecurityDescriptor commonSecurityDescriptor = null; commonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, sddl); string resultSddlForm = commonSecurityDescriptor.GetSddlForm(AccessControlSections.All); Assert.True(string.Compare(verifierSddl, resultSddlForm, StringComparison.CurrentCultureIgnoreCase) == 0); }
static IpcStore() { var dacl = new DiscretionaryAcl(false, false, 1); dacl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.CreatorOwnerSid, null), -1, InheritanceFlags.None, PropagationFlags.None); dacl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null), -1, InheritanceFlags.None, PropagationFlags.None); dacl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null), -1, InheritanceFlags.None, PropagationFlags.None); IpcAcl = new CommonSecurityDescriptor(false, false, ControlFlags.GroupDefaulted | ControlFlags.OwnerDefaulted | ControlFlags.DiscretionaryAclPresent, null, null, null, dacl); }
} // StopListening // // end of IChannelReceiver implementation // // Thread for listening void Listen() { InternalRemotingServices.RemotingTrace("Waiting to Accept a Connection on Port: " + _portName); // // Wait for an incoming client connection // IntPtr handle = IntPtr.Zero; bool connected = false; CommonSecurityDescriptor descriptor = _securityDescriptor; // Connect with exlusive flag the first time try{ // If the descriptor is not explicitly set through code use the _authorizedGroup config if (descriptor == null && _authorizedGroup != null) { NTAccount ntAccount = new NTAccount(_authorizedGroup); descriptor = IpcPort.CreateSecurityDescriptor((SecurityIdentifier)ntAccount.Translate(typeof(SecurityIdentifier))); } _port = IpcPort.Create(_portName, descriptor, _bExclusiveAddressUse); } catch (Exception e) { _startListeningException = e; } finally { _bListening = (_startListeningException == null); _waitForStartListening.Set(); // allow main thread to continue now that we have tried to start the socket } if (_port != null) { connected = _port.WaitForConnect(); } while (_bListening) { InternalRemotingServices.RemotingTrace("IpcChannel::Listen"); // For DevDiv#220882, we need to create new IpcPort before handling the current message // to avoid race condition in case the message is handled and finished before // the new IpcPort is created. The client will intermittently fail with Port not found. IpcPort port = IpcPort.Create(_portName, descriptor, false); if (connected) { // Initialize the server handler and perform an async read IpcServerHandler serverHandler = new IpcServerHandler(_port, CoreChannel.RequestQueue, new PipeStream(_port)); serverHandler.DataArrivedCallback = new WaitCallback(_transportSink.ServiceRequest); serverHandler.BeginReadMessage(); } _port = port; connected = _port.WaitForConnect(); } }
public static void TestPurgeAudit(bool isContainer, bool isDS, string sddl, string sidString, string verifierSddl) { CommonSecurityDescriptor commonSecurityDescriptor = null; string resultSddl = null; var sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidString)); commonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, sddl); commonSecurityDescriptor.PurgeAudit(sid); resultSddl = commonSecurityDescriptor.GetSddlForm(AccessControlSections.All); Assert.False(resultSddl != verifierSddl); }
public void ConstructorLetsFalseDSThrough() { CommonSecurityDescriptor descriptor = new CommonSecurityDescriptor (false, false, ControlFlags.None, null, null, null, null); TestSecurity security = new TestSecurity(descriptor); Assert.IsFalse(security.IsContainerTest); Assert.IsFalse(security.IsDSTest); }
public void DefaultOwnerAndGroup() { CommonSecurityDescriptor csd = new CommonSecurityDescriptor (false, false, ControlFlags.None, null, null, null, null); Assert.IsNull(csd.Owner); Assert.IsNull(csd.Group); Assert.AreEqual(ControlFlags.DiscretionaryAclPresent | ControlFlags.SelfRelative, csd.ControlFlags); }
public void ContainerAndDSConsistencyEnforcedInSetter() { SecurityIdentifier userSid = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null); SecurityIdentifier groupSid = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null); CommonSecurityDescriptor csd = new CommonSecurityDescriptor (true, false, ControlFlags.None, userSid, groupSid, null, null); csd.DiscretionaryAcl = new DiscretionaryAcl(true, true, 0); }
public static List <string> GetInheritedFrom(string path, ObjectSecurity sd, bool isContainer) { var inheritedFrom = new List <string>(); path = Path.GetLongPath(path); uint returnValue = 0; GENERIC_MAPPING genericMap = new GENERIC_MAPPING(); genericMap.GenericRead = (uint)MappedGenericRights.FILE_GENERIC_READ; genericMap.GenericWrite = (uint)MappedGenericRights.FILE_GENERIC_WRITE; genericMap.GenericExecute = (uint)MappedGenericRights.FILE_GENERIC_EXECUTE; genericMap.GenericAll = (uint)MappedGenericRights.FILE_GENERIC_ALL; var sdBytes = sd.GetSecurityDescriptorBinaryForm(); var commonSd = new CommonSecurityDescriptor(isContainer, false, sdBytes, 0); var aclBytes = new byte[commonSd.DiscretionaryAcl.BinaryLength]; commonSd.DiscretionaryAcl.GetBinaryForm(aclBytes, 0); var pInheritInfo = Marshal.AllocHGlobal(commonSd.DiscretionaryAcl.Count * Marshal.SizeOf(typeof(PINHERITED_FROM))); returnValue = GetInheritanceSource( path, ResourceType.FileObject, SECURITY_INFORMATION.DACL_SECURITY_INFORMATION, isContainer, IntPtr.Zero, 0, aclBytes, IntPtr.Zero, ref genericMap, pInheritInfo ); if (returnValue != 0) { throw new System.ComponentModel.Win32Exception((int)returnValue); } for (int i = 0; i < commonSd.DiscretionaryAcl.Count; i++) { var inheritInfo = pInheritInfo.ElementAt <PINHERITED_FROM>(i); inheritedFrom.Add( !string.IsNullOrEmpty(inheritInfo.AncestorName) && inheritInfo.AncestorName.StartsWith(@"\\?\") ? inheritInfo.AncestorName.Substring(4) : inheritInfo.AncestorName ); } FreeInheritedFromArray(pInheritInfo, (ushort)commonSd.DiscretionaryAcl.Count, IntPtr.Zero); Marshal.FreeHGlobal(pInheritInfo); return(inheritedFrom); }
public static IChannel PublishLocalProxy(ExecutionServiceProxy proxy) { //We want the object to be available for as long as possible so we choose one year LifetimeServices.LeaseTime = TimeSpan.FromDays(365); RemotingConfiguration.CustomErrorsMode = CustomErrorsModes.Off; BinaryServerFormatterSinkProvider provider = new BinaryServerFormatterSinkProvider(); provider.TypeFilterLevel = TypeFilterLevel.Full; //need full deserialization //create a server channel and make the object available remotely Hashtable channelSettings = new Hashtable(); channelSettings["portName"] = ExecutionService.LocalPortName; //Grant access to everyone (need to get the name from the well known SID to support localized builds) SecurityIdentifier everyoneSid = new SecurityIdentifier(WellKnownSidType.WorldSid, null); NTAccount everyoneAccount = (NTAccount)everyoneSid.Translate(typeof(NTAccount)); channelSettings["authorizedGroup"] = everyoneAccount.Value; //Because use use ExecutionService to update itself we have to disallow exclusive access //to the port, otherwise updating ExecutionService fails. channelSettings["exclusiveAddressUse"] = false; // Workaround for Remoting breaking change. This custom security descriptor is needed // to allow Medium IL processes to use IPC to talk to elevated UAC processes. DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 1); // This is the well-known sid for network security ID string networkSidSddlForm = @"S-1-5-2"; // This is the well-known sid for all users on this machine string everyoneSidSddlForm = @"S-1-1-0"; // Deny all access to NetworkSid dacl.AddAccess(AccessControlType.Deny, new SecurityIdentifier(networkSidSddlForm), -1, InheritanceFlags.None, PropagationFlags.None); // Add access to the current user creating the pipe dacl.AddAccess(AccessControlType.Allow, WindowsIdentity.GetCurrent().User, -1, InheritanceFlags.None, PropagationFlags.None); // Add access to the all users on the machine dacl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(everyoneSidSddlForm), -1, InheritanceFlags.None, PropagationFlags.None); // Initialize and return the CommonSecurityDescriptor CommonSecurityDescriptor allowMediumILSecurityDescriptor = new CommonSecurityDescriptor(false, false, ControlFlags.OwnerDefaulted | ControlFlags.GroupDefaulted | ControlFlags.DiscretionaryAclPresent | ControlFlags.SystemAclPresent, null, null, null, dacl); IpcServerChannel publishedChannel = new IpcServerChannel(channelSettings, provider, allowMediumILSecurityDescriptor); ChannelServices.RegisterChannel(publishedChannel, false); RemotingServices.Marshal(proxy, ExecutionService.ProxyName, typeof(IExecutionService)); return(publishedChannel); }
public IpcServerChannel(IDictionary properties, IServerChannelSinkProvider sinkProvider, CommonSecurityDescriptor securityDescriptor) { this._channelPriority = 20; this._channelName = "ipc server"; this._bExclusiveAddressUse = true; this._waitForStartListening = new AutoResetEvent(false); if (properties != null) { foreach (DictionaryEntry entry in properties) { switch (((string)entry.Key)) { case "name": this._channelName = (string)entry.Value; break; case "portName": this._portName = (string)entry.Value; break; case "priority": this._channelPriority = Convert.ToInt32(entry.Value, CultureInfo.InvariantCulture); break; case "secure": this._secure = Convert.ToBoolean(entry.Value, CultureInfo.InvariantCulture); break; case "impersonate": this._impersonate = Convert.ToBoolean(entry.Value, CultureInfo.InvariantCulture); this.authSet = true; break; case "suppressChannelData": this._bSuppressChannelData = Convert.ToBoolean(entry.Value, CultureInfo.InvariantCulture); break; case "authorizedGroup": this._authorizedGroup = (string)entry.Value; break; case "exclusiveAddressUse": this._bExclusiveAddressUse = Convert.ToBoolean(entry.Value, CultureInfo.InvariantCulture); break; } } } if (this._portName == null) { throw new RemotingException(CoreChannel.GetResourceString("Remoting_Ipc_NoPortNameSpecified")); } this._sinkProvider = sinkProvider; this._securityDescriptor = securityDescriptor; this.SetupChannel(); }
private static CommonSecurityDescriptor GetSecurityDescriptor(List <SecurityIdentifier> securityIdentifiers) { var discretionaryAcl = GetDiscretionaryAcl(securityIdentifiers); var securityDescriptor = new CommonSecurityDescriptor(false, false, ControlFlags.GroupDefaulted | ControlFlags.OwnerDefaulted | ControlFlags.DiscretionaryAclPresent, null, null, null, discretionaryAcl); return(securityDescriptor); }
internal static NamedPipeServerStream CreateNamedServerPipe( string serverName, string namespaceName, string pipeName, PipeSecurity pipeSecurity) { string fullPipeName = $@"\\{serverName}\{namespaceName}\{pipeName}"; var securityDescriptor = new CommonSecurityDescriptor( false, false, pipeSecurity.GetSecurityDescriptorBinaryForm(), 0); byte[] securityDescriptorBuffer = new byte[securityDescriptor.BinaryLength]; securityDescriptor.GetBinaryForm(securityDescriptorBuffer, 0); GCHandle?securityDescriptorHandle = GCHandle.Alloc(securityDescriptorBuffer, GCHandleType.Pinned); var securityAttributes = GetSecurityAttributes(securityDescriptorHandle.Value); if (Interop.Kernel32.WaitNamedPipe(fullPipeName, System.Threading.Timeout.Infinite)) { if (Marshal.GetLastWin32Error() != Interop.Errors.ERROR_FILE_NOT_FOUND) { throw new InvalidOperationException(); } } SafePipeHandle pipeHandle = Interop.Kernel32.CreateNamedPipe( fullPipeName, Interop.Kernel32.PipeOptions.PIPE_ACCESS_DUPLEX | Interop.Kernel32.FileOperations.FILE_FLAG_OVERLAPPED, Interop.Kernel32.PipeOptions.PIPE_TYPE_BYTE | Interop.Kernel32.PipeOptions.PIPE_READMODE_BYTE, 1, 65536, 65536, 0, ref securityAttributes); securityDescriptorHandle.Value.Free(); if (pipeHandle.IsInvalid) { throw new InvalidOperationException(); } try { return(new NamedPipeServerStream(PipeDirection.InOut, true, true, pipeHandle)); } catch (Exception) { pipeHandle.Dispose(); throw; } }
public void OwnerAndGroupAreReferences() { SecurityIdentifier userSid = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null); SecurityIdentifier groupSid = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null); CommonSecurityDescriptor csd; csd = new CommonSecurityDescriptor (false, false, ControlFlags.None, userSid, groupSid, null, null); Assert.AreSame(groupSid, csd.Group); Assert.AreSame(userSid, csd.Owner); }
public void PurgeNullSaclWithoutError() { SecurityIdentifier userSid = new SecurityIdentifier("SY"); SecurityIdentifier groupSid = new SecurityIdentifier("BA"); CommonSecurityDescriptor csd = new CommonSecurityDescriptor (false, false, ControlFlags.None, userSid, groupSid, null, null); csd.PurgeAudit(userSid); Assert.IsNull(csd.SystemAcl); }
public static void AdditionalTestCases() { //test cases include the exceptions from the constructor CommonSecurityDescriptor sd = null; // test case 1: rawSecurityDescriptor is null Assert.Throws<ArgumentNullException>(() => { sd = new CommonSecurityDescriptor(true, true, (RawSecurityDescriptor)null); }); }
public static void TestPurgeAccessControl(bool isContainer, bool isDS, string sddl, string sidString, string verifierSddl) { CommonSecurityDescriptor commonSecurityDescriptor = null; string resultSddl = null; SecurityIdentifier sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidString)); commonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, sddl); commonSecurityDescriptor.PurgeAccessControl(sid); resultSddl = commonSecurityDescriptor.GetSddlForm(AccessControlSections.All); Assert.False(resultSddl != verifierSddl); }
public static void AdditionalTestCases() { //test cases include the exceptions from the constructor CommonSecurityDescriptor sd = null; // test case 1: rawSecurityDescriptor is null Assert.Throws <ArgumentNullException>(() => { sd = new CommonSecurityDescriptor(true, true, (RawSecurityDescriptor)null); }); }
public static void TestCreateFromRawSecurityDescriptor(bool isContainer, bool isDS, string rawSecurityDescriptorSddl, string verifierSddl) { RawSecurityDescriptor rawSecurityDescriptor = new RawSecurityDescriptor(rawSecurityDescriptorSddl); CommonSecurityDescriptor commonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, rawSecurityDescriptor); // verify the result Assert.True((isContainer == commonSecurityDescriptor.IsContainer) && (isDS == commonSecurityDescriptor.IsDS)); string resultSddlForm = commonSecurityDescriptor.GetSddlForm(AccessControlSections.All); Assert.True(String.Compare(verifierSddl, resultSddlForm, StringComparison.CurrentCultureIgnoreCase) == 0); }
/// <summary> /// The main entry point for the application. /// </summary> static void Main() { RemotingConfiguration.Configure("Server.exe.config", false /*ensureSecurity*/); IDictionary props = new Hashtable(); props["portName"] = "test"; // This is the wellknown sid for network sid string networkSidSddlForm = @"S-1-5-2"; // Local administrators sid SecurityIdentifier localAdminSid = new SecurityIdentifier( WellKnownSidType.BuiltinAdministratorsSid, null); // Local Power users sid SecurityIdentifier powerUsersSid = new SecurityIdentifier( WellKnownSidType.BuiltinPowerUsersSid, null); // Network sid SecurityIdentifier networkSid = new SecurityIdentifier(networkSidSddlForm); DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 1); // Disallow access from off machine dacl.AddAccess(AccessControlType.Deny, networkSid, -1, InheritanceFlags.None, PropagationFlags.None); // Allow acces only from local administrators and power users dacl.AddAccess(AccessControlType.Allow, localAdminSid, -1, InheritanceFlags.None, PropagationFlags.None); dacl.AddAccess(AccessControlType.Allow, powerUsersSid, -1, InheritanceFlags.None, PropagationFlags.None); CommonSecurityDescriptor securityDescriptor = new CommonSecurityDescriptor(false, false, ControlFlags.GroupDefaulted | ControlFlags.OwnerDefaulted | ControlFlags.DiscretionaryAclPresent, null, null, null, dacl); IpcServerChannel channel = new IpcServerChannel( props, null, securityDescriptor); ChannelServices.RegisterChannel(channel, false /*ensureSecurity*/); foreach (IChannel chan in ChannelServices.RegisteredChannels) { Console.WriteLine(chan.ChannelName); } Console.WriteLine("Waiting for connections..."); Console.WriteLine("Press enter to exit."); Console.ReadLine(); }
public static IpcServerChannel CreateIpcServer <IService, TService>( TService service, string channelName = null, string portName = null, WellKnownSidType aclSid = WellKnownSidType.WorldSid) where IService : class where TService : MarshalByRefObject, IService { if (channelName == null) { channelName = GenerateIpcServerChannelName(); } System.Collections.IDictionary properties = new System.Collections.Hashtable { { "name", channelName }, { "portName", portName ?? channelName } }; // Setup ACL : allow access from all users. Channel is protected by a random name. DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 1); dacl.AddAccess( AccessControlType.Allow, new SecurityIdentifier( aclSid, null), -1, InheritanceFlags.None, PropagationFlags.None); CommonSecurityDescriptor secDescr = new CommonSecurityDescriptor(false, false, ControlFlags.GroupDefaulted | ControlFlags.OwnerDefaulted | ControlFlags.DiscretionaryAclPresent, null, null, null, dacl); // Formatter sink // TODO: Custom sink BinaryServerFormatterSinkProvider binaryProv = new BinaryServerFormatterSinkProvider { TypeFilterLevel = TypeFilterLevel.Full }; // Create server var ipcServer = new IpcServerChannel(properties, binaryProv, secDescr); ChannelServices.RegisterChannel(ipcServer, false); // Initialize with SMA interface RemotingServices.Marshal(service, channelName, typeof(IService)); return(ipcServer); }
public static void AdditionalTestCases() { CommonSecurityDescriptor sd = null; // test case 1: sid is null Assert.Throws <ArgumentNullException>(() => { sd = new CommonSecurityDescriptor(true, false, (ControlFlags)0, null, null, null, null); sd.PurgeAccessControl(null); // expect to throw exception but not }); }
public static void AdditionalTestCases() { CommonSecurityDescriptor sd = null; // test case 1: sid is null Assert.Throws<ArgumentNullException>(() => { sd = new CommonSecurityDescriptor(true, false, (ControlFlags)0, null, null, null, null); sd.PurgeAudit(null); // expect to throw exception but not }); }
private static void RegisterRemoting() { Hashtable hashtable = new Hashtable(); hashtable["name"] = "ipc"; hashtable["priority"] = "20"; hashtable["portName"] = MyConst.ChannelPortName; CommonSecurityDescriptor commonSecurityDescriptor = new CommonSecurityDescriptor(false, false, string.Empty); SecurityIdentifier sid = new SecurityIdentifier(WellKnownSidType.WorldSid, null); commonSecurityDescriptor.DiscretionaryAcl.AddAccess(AccessControlType.Allow, sid, -1, InheritanceFlags.None, PropagationFlags.None); IpcServerChannel chnl = new IpcServerChannel(hashtable, null, commonSecurityDescriptor); ChannelServices.RegisterChannel(chnl, false); RemotingConfiguration.RegisterWellKnownServiceType(typeof(ProfilerService), MyConst.ObjectURI, WellKnownObjectMode.Singleton); }
public override byte[] GetAllowAllNodeAcl(string repositoryName, Guid domainId, Guid rootMapId) { // Return an empty Windows node ACL. SecurityIdentifier farmAccountSid = SPFarm.Local.DefaultServiceAccount.SecurityIdentifier; CommonSecurityDescriptor securityDescriptor = new CommonSecurityDescriptor(false, false, ControlFlags.None, farmAccountSid, null, null, null); securityDescriptor.SetDiscretionaryAclProtection(true, false); byte[] itemAcl = new byte[securityDescriptor.BinaryLength]; securityDescriptor.GetBinaryForm(itemAcl, 0); return(itemAcl); }
internal SecurityDescriptorInfo( string owner, string group, string[] discretionaryAcl, string[] systemAcl, CommonSecurityDescriptor rawDescriptor) { Owner = owner; Group = group; DiscretionaryAcl = discretionaryAcl; SystemAcl = systemAcl; RawDescriptor = rawDescriptor; }
private static List <SecurityIdentifier> securityIdentifiersFromSDDL(string securityDescriptor) { CommonSecurityDescriptor csd = new CommonSecurityDescriptor(false, false, securityDescriptor); DiscretionaryAcl dacl = csd.DiscretionaryAcl; List <SecurityIdentifier> securityIdentifiers = new List <SecurityIdentifier>(dacl.Count); foreach (CommonAce ace in dacl) { securityIdentifiers.Add(ace.SecurityIdentifier); } return(securityIdentifiers); }
public static void AdditionalTestCases() { // test case will be passing in binaryForm array that is null, length is invalid and offset is invalid CommonSecurityDescriptor commonSecurityDescriptor = null; string sddl = null; byte[] binaryForm = null; //Case 1, null byte array Assert.Throws<ArgumentNullException>(() => { sddl = "O:LAG:SYD:AI(A;ID;FA;;;BA)(A;ID;FA;;;BG)(A;ID;FA;;;SY)"; commonSecurityDescriptor = new CommonSecurityDescriptor(true, false, sddl); binaryForm = null; commonSecurityDescriptor.GetBinaryForm(binaryForm, 0); }); //case 2, empty byte array Assert.Throws<ArgumentOutOfRangeException>(() => { sddl = "O:LAG:SYD:AI(A;ID;FA;;;BA)(A;ID;FA;;;BG)(A;ID;FA;;;SY)"; commonSecurityDescriptor = new CommonSecurityDescriptor(true, false, sddl); binaryForm = new byte[0]; commonSecurityDescriptor.GetBinaryForm(binaryForm, 0); }); //case 3, negative offset Assert.Throws<ArgumentOutOfRangeException>(() => { sddl = "O:LAG:SYD:AI(A;ID;FA;;;BA)(A;ID;FA;;;BG)(A;ID;FA;;;SY)"; commonSecurityDescriptor = new CommonSecurityDescriptor(true, false, sddl); binaryForm = new byte[100]; commonSecurityDescriptor.GetBinaryForm(binaryForm, -1); }); //case 4, binaryForm.Length - offset < BinaryLength Assert.Throws<ArgumentOutOfRangeException>(() => { sddl = "O:LAG:SYD:AI(A;ID;FA;;;BA)(A;ID;FA;;;BG)(A;ID;FA;;;SY)"; commonSecurityDescriptor = new CommonSecurityDescriptor(true, false, sddl); binaryForm = new byte[commonSecurityDescriptor.BinaryLength]; commonSecurityDescriptor.GetBinaryForm(binaryForm, 8); }); }
public static void TestSetSystemAclProtection(bool isContainer, bool isDS, string sddl, bool isProtected, bool preserveInheritance, string verifierSddl) { CommonSecurityDescriptor commonSecurityDescriptor = null; string resultSddl = null; commonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, sddl); commonSecurityDescriptor.SetSystemAclProtection(isProtected, preserveInheritance); resultSddl = commonSecurityDescriptor.GetSddlForm(AccessControlSections.All); if (!isProtected && (commonSecurityDescriptor.ControlFlags & ControlFlags.SystemAclProtected) == 0) { Assert.False(resultSddl != verifierSddl); } else if (isProtected && (commonSecurityDescriptor.ControlFlags & ControlFlags.SystemAclProtected) != 0) { Assert.False(resultSddl != verifierSddl); } }
public static void AdditionalTestCases() { CommonSecurityDescriptor commonSecurityDescriptor = null; // Case1, null sddl string Assert.Throws<ArgumentNullException>(() => { commonSecurityDescriptor = new CommonSecurityDescriptor(false, false, (string)null); // expect to throw exception but not }); // Case 3, sddl form owner symbol exists but no content Assert.Throws<ArgumentException>(() => { commonSecurityDescriptor = new CommonSecurityDescriptor(false, false, "O:G:SYD:AI(A;ID;FR;;;BA)S:AI(AU;IDFA;FR;;;BA)"); // expect to throw exception but not }); // Case 4, sddl form group symbol exists but no content Assert.Throws<ArgumentException>(() => { commonSecurityDescriptor = new CommonSecurityDescriptor(false, false, "O:LAG:D:AI(A;ID;FR;;;BA)S:AI(AU;IDFA;FR;;;BA)"); // expect to throw exception but not }); // Case 5, garbage string sddl Assert.Throws<ArgumentException>(() => { commonSecurityDescriptor = new CommonSecurityDescriptor(false, false, "ABCDEFGHIJKLMNOPQ"); // expect to throw exception but not }); // Case 7, sddl form with invalid owner sid Assert.Throws<ArgumentException>(() => { commonSecurityDescriptor = new CommonSecurityDescriptor(false, false, "O:XXG:D:AI(A;ID;FR;;;BA)S:AI(AU;IDFA;FR;;;BA)"); // expect to throw exception but not }); // Case 8, sddl form with invalid group sid Assert.Throws<ArgumentException>(() => { commonSecurityDescriptor = new CommonSecurityDescriptor(false, false, "O:LAG:YYD:AI(A;ID;FR;;;BA)S:AI(AU;IDFA;FR;;;BA)"); // expect to throw exception but not }); }
public static void TestGetSddlForm(bool isContainer, bool isDS, int flags, string ownerStr, string groupStr, string saclStr, string daclStr, bool getOwner, bool getGroup, bool getSacl, bool getDacl, string expectedSddl) { CommonSecurityDescriptor commonSecurityDescriptor = null; string resultSddl = null; ControlFlags controlFlags = ControlFlags.OwnerDefaulted; SecurityIdentifier owner = null; SecurityIdentifier group = null; RawAcl rawAcl = null; SystemAcl sacl = null; DiscretionaryAcl dacl = null; AccessControlSections accControlSections = AccessControlSections.None; controlFlags = (ControlFlags)flags; owner = (ownerStr != null) ? new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(ownerStr)) : null; group = (groupStr != null) ? new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(groupStr)) : null; rawAcl = (saclStr != null) ? Utils.CreateRawAclFromString(saclStr) : null; if (rawAcl == null) sacl = null; else sacl = new SystemAcl(isContainer, isDS, rawAcl); rawAcl = (daclStr != null) ? Utils.CreateRawAclFromString(daclStr) : null; if (rawAcl == null) dacl = null; else dacl = new DiscretionaryAcl(isContainer, isDS, rawAcl); commonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, controlFlags, owner, group, sacl, dacl); if (getOwner) accControlSections |= AccessControlSections.Owner; if (getGroup) accControlSections |= AccessControlSections.Group; if (getSacl) accControlSections |= AccessControlSections.Audit; if (getDacl) accControlSections |= AccessControlSections.Access; resultSddl = commonSecurityDescriptor.GetSddlForm(accControlSections); if (expectedSddl == null || resultSddl == null) Assert.True(expectedSddl == null && resultSddl == null); else Assert.True(String.Compare(expectedSddl, resultSddl, StringComparison.CurrentCultureIgnoreCase) == 0); }
public static void TestGroup(string newGroupStr) { bool isContainer = false; bool isDS = false; int controlFlags = 1; string ownerStr = "BA"; string groupStr = "BG"; CommonSecurityDescriptor commonSecurityDescriptor = null; SecurityIdentifier owner = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(ownerStr)); SecurityIdentifier newGroup = (newGroupStr != null ? new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(newGroupStr)) : null); SecurityIdentifier group = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(groupStr)); SystemAcl sacl = null; DiscretionaryAcl dacl = null; commonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, (ControlFlags)controlFlags, owner, group, sacl, dacl); commonSecurityDescriptor.Group = newGroup; // verify the result, we can use == here as SecurityIdentifier overrides the comparsison Assert.True(newGroup == commonSecurityDescriptor.Group); }
public static void TestSystemAcl(bool isContainerSD, bool isDSSD, string sddl, bool isContainerSacl, bool isDSSacl, string newSaclStr) { CommonSecurityDescriptor commonSecurityDescriptor = new CommonSecurityDescriptor(isContainerSD, isDSSD, sddl); SystemAcl sacl = newSaclStr == null ? null : new SystemAcl(isContainerSacl, isDSSacl, Utils.CreateRawAclFromString(newSaclStr)); try { commonSecurityDescriptor.SystemAcl = sacl; Assert.True(sacl == commonSecurityDescriptor.SystemAcl); if (sacl != null) Assert.True((commonSecurityDescriptor.ControlFlags & ControlFlags.SystemAclPresent) != 0); else Assert.True((commonSecurityDescriptor.ControlFlags & ControlFlags.SystemAclPresent) == 0); } catch (NullReferenceException) { Assert.Null(sacl); } catch (ArgumentException) { Assert.True((sacl.IsContainer != commonSecurityDescriptor.IsContainer) || (sacl.IsDS != commonSecurityDescriptor.IsDS)); } }
public static void AdditionalTestCases() { CommonSecurityDescriptor sd = null; // test case 1: SACL is null, isProtected is true, preserveInheritance is true sd = new CommonSecurityDescriptor(true, false, (ControlFlags)0, null, null, null, null); sd.SetSystemAclProtection(true, true); Assert.True((sd.ControlFlags & ControlFlags.SystemAclProtected) != 0); // test case 2: SACL is null, isProtected is true, preserveInheritance is false sd = new CommonSecurityDescriptor(true, false, (ControlFlags)0, null, null, null, null); sd.SetSystemAclProtection(true, false); Assert.True((sd.ControlFlags & ControlFlags.SystemAclProtected) != 0); // test case 3: SACL is null, isProtected is false, preserveInheritance is true sd = new CommonSecurityDescriptor(true, false, (ControlFlags)0, null, null, null, null); sd.SetSystemAclProtection(false, true); Assert.True((sd.ControlFlags & ControlFlags.SystemAclProtected) == 0); // test case 4: SACL is null, isProtected is false, preserveInheritance is false sd = new CommonSecurityDescriptor(true, false, (ControlFlags)0, null, null, null, null); sd.SetSystemAclProtection(false, false); Assert.True((sd.ControlFlags & ControlFlags.SystemAclProtected) == 0); }
public static int ComputeBinaryLength(CommonSecurityDescriptor commonSecurityDescriptor, bool needCountDacl) { int verifierBinaryLength = 0; if (commonSecurityDescriptor != null) { verifierBinaryLength = 20; //intialize the binary length to header length if (commonSecurityDescriptor.Owner != null) verifierBinaryLength += commonSecurityDescriptor.Owner.BinaryLength; if (commonSecurityDescriptor.Group != null) verifierBinaryLength += commonSecurityDescriptor.Group.BinaryLength; if ((commonSecurityDescriptor.ControlFlags & ControlFlags.SystemAclPresent) != 0 && commonSecurityDescriptor.SystemAcl != null) verifierBinaryLength += commonSecurityDescriptor.SystemAcl.BinaryLength; if ((commonSecurityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclPresent) != 0 && commonSecurityDescriptor.DiscretionaryAcl != null && needCountDacl) verifierBinaryLength += commonSecurityDescriptor.DiscretionaryAcl.BinaryLength; } return verifierBinaryLength; }
public CryptoKeySecurity(CommonSecurityDescriptor securityDescriptor) {}
public static void TestWasSystemAclCanonicalInitially(bool isContainer, bool isDS, string sddl, bool verifierWasCanonicalInitially) { CommonSecurityDescriptor commonSecurityDescriptor = null; commonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, sddl); Assert.False(verifierWasCanonicalInitially != commonSecurityDescriptor.IsSystemAclCanonical); }
private static bool VerifyResult(bool isContainer, bool isDS, ControlFlags controlFlags, SecurityIdentifier owner, SecurityIdentifier group, SystemAcl sacl, DiscretionaryAcl dacl) { CommonSecurityDescriptor commonSecurityDescriptor = null; bool result = false; try { commonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, controlFlags, owner, group, sacl, dacl); // verify the result if ((isContainer == commonSecurityDescriptor.IsContainer) && (isDS == commonSecurityDescriptor.IsDS) && ((((sacl != null) ? (controlFlags | ControlFlags.SystemAclPresent) : (controlFlags & (~ControlFlags.SystemAclPresent))) | ControlFlags.SelfRelative | ControlFlags.DiscretionaryAclPresent) == commonSecurityDescriptor.ControlFlags) && (owner == commonSecurityDescriptor.Owner) && (group == commonSecurityDescriptor.Group) && (sacl == commonSecurityDescriptor.SystemAcl) && (Utils.ComputeBinaryLength(commonSecurityDescriptor, dacl != null) == commonSecurityDescriptor.BinaryLength)) { if (dacl == null) { //check the contructor created an empty Dacl with correct IsContainer and isDS info if (isContainer == commonSecurityDescriptor.DiscretionaryAcl.IsContainer && isDS == commonSecurityDescriptor.DiscretionaryAcl.IsDS && commonSecurityDescriptor.DiscretionaryAcl.Count == 1 && Utils.VerifyDaclWithCraftedAce(isContainer, isDS, commonSecurityDescriptor.DiscretionaryAcl)) { result = true; } else { result = false; } } else if (dacl == commonSecurityDescriptor.DiscretionaryAcl) { result = true; } else { result = false; } } else { result = false; } } catch (ArgumentException) { if ((sacl != null && sacl.IsContainer != isContainer) || (sacl != null && sacl.IsDS != isDS) || (dacl != null && dacl.IsContainer != isContainer) || (dacl != null && dacl.IsDS != isDS)) result = true; else { // unexpected exception result = false; } } return result; }
private static void TestCreateFromSddlForm(bool isContainer, bool isDS, string sddl, string verifierSddl) { CommonSecurityDescriptor commonSecurityDescriptor = null; commonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, sddl); string resultSddlForm = commonSecurityDescriptor.GetSddlForm(AccessControlSections.All); Assert.True(string.Compare(verifierSddl, resultSddlForm, StringComparison.CurrentCultureIgnoreCase) == 0); }
public static void TestGetBinaryForm(bool isContainer, bool isDS, string sddl, string verifierSddl, int offset) { CommonSecurityDescriptor commonSecurityDescriptor = null; CommonSecurityDescriptor verifierCommonSecurityDescriptor = null; string resultSddl = null; commonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, sddl); byte[] binaryForm = new byte[commonSecurityDescriptor.BinaryLength + offset]; commonSecurityDescriptor.GetBinaryForm(binaryForm, offset); verifierCommonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, binaryForm, offset); resultSddl = verifierCommonSecurityDescriptor.GetSddlForm(AccessControlSections.All); if (resultSddl == null || verifierSddl == null) Assert.True(resultSddl == null && verifierSddl == null); else Assert.True(String.Compare(resultSddl, verifierSddl, StringComparison.CurrentCultureIgnoreCase) == 0); }
public static void TestWasDiscretionaryAclCanonicalInitially(bool isContainer, bool isDS, string sddl, bool verifierWasCanonicalInitially) { CommonSecurityDescriptor commonSecurityDescriptor = null; commonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, sddl); Assert.True(verifierWasCanonicalInitially == commonSecurityDescriptor.IsDiscretionaryAclCanonical); }
private static void TestCreateFromBinaryForm(bool isContainer, bool isDS, string sddl, int offset, string verifierSddl) { CommonSecurityDescriptor commonSecurityDescriptor = null; byte[] binaryForm; Assert.Equal(0, Utils.CreateBinaryArrayFromSddl(sddl, out binaryForm)); byte[] tempBForm = null; if (offset > 0) { //copy the binaryform to a new array, start at offset tempBForm = new byte[binaryForm.Length + offset]; for (int i = 0; i < binaryForm.Length; i++) { tempBForm[i + offset] = binaryForm[i]; } commonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, tempBForm, offset); } else { commonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, binaryForm, offset); } string resultSddlForm = commonSecurityDescriptor.GetSddlForm(AccessControlSections.All); Assert.True(String.Compare(verifierSddl, resultSddlForm, StringComparison.CurrentCultureIgnoreCase) == 0); }
protected DirectoryObjectSecurity(CommonSecurityDescriptor securityDescriptor);
protected ObjectSecurity(CommonSecurityDescriptor securityDescriptor);
public static void AdditionalTestCases() { //test cases include the exceptions from the constructor SystemAcl sacl = null; DiscretionaryAcl dacl = null; CommonSecurityDescriptor sd = null; // test case 1: SACL is not null, SACL.IsContainer is true, but isContainer parameter is false sacl = new SystemAcl(true, true, 10); Assert.Throws<ArgumentException>(() => { sd = new CommonSecurityDescriptor(false, true, ControlFlags.SystemAclPresent, null, null, sacl, null); }); // test case 2: SACL is not null, SACL.IsContainer is false, but isContainer parameter is true sacl = new SystemAcl(false, true, 10); Assert.Throws<ArgumentException>(() => { sd = new CommonSecurityDescriptor(true, true, ControlFlags.SystemAclPresent, null, null, sacl, null); }); // test case 3: DACL is not null, DACL.IsContainer is true, but isContainer parameter is false dacl = new DiscretionaryAcl(true, true, 10); Assert.Throws<ArgumentException>(() => { sd = new CommonSecurityDescriptor(false, true, ControlFlags.DiscretionaryAclPresent, null, null, null, dacl); }); // test case 4: DACL is not null, DACL.IsContainer is false, but isContainer parameter is true dacl = new DiscretionaryAcl(false, true, 10); Assert.Throws<ArgumentException>(() => { sd = new CommonSecurityDescriptor(true, true, ControlFlags.DiscretionaryAclPresent, null, null, null, dacl); }); // test case 5: SACL is not null, SACL.IsDS is true, but isDS parameter is false sacl = new SystemAcl(true, true, 10); Assert.Throws<ArgumentException>(() => { sd = new CommonSecurityDescriptor(true, false, ControlFlags.SystemAclPresent, null, null, sacl, null); }); // test case 6: SACL is not null, SACL.IsDS is false, but isDS parameter is true sacl = new SystemAcl(true, false, 10); Assert.Throws<ArgumentException>(() => { sd = new CommonSecurityDescriptor(true, true, ControlFlags.SystemAclPresent, null, null, sacl, null); }); // test case 7: DACL is not null, DACL.IsDS is true, but isDS parameter is false dacl = new DiscretionaryAcl(true, true, 10); Assert.Throws<ArgumentException>(() => { sd = new CommonSecurityDescriptor(true, false, ControlFlags.DiscretionaryAclPresent, null, null, null, dacl); }); // test case 8: DACL is not null, DACL.IsDS is false, but isDS parameter is true dacl = new DiscretionaryAcl(true, false, 10); Assert.Throws<ArgumentException>(() => { sd = new CommonSecurityDescriptor(true, true, ControlFlags.DiscretionaryAclPresent, null, null, null, dacl); }); }