// Gets a string representation of file/folder effective current user allowed permissions.
// Checks if current user has direct permissions or belongs to a group
// Skips GENERIC permissions
public static string GetEffectivePermissions(this FileSystemSecurity fileSystemSecurity)
{
FileSystemRights effectiveFileSystemRights = default(FileSystemRights);
WindowsIdentity currentUser = WindowsIdentity.GetCurrent();
WindowsPrincipal principal = new WindowsPrincipal(currentUser);
AuthorizationRuleCollection rules = fileSystemSecurity.GetAccessRules(true, true, typeof(NTAccount));
foreach (AuthorizationRule rule in rules)
{
FileSystemAccessRule fsAccessRule = rule as FileSystemAccessRule;
if (fsAccessRule == null || fsAccessRule.AccessControlType == AccessControlType.Deny)
{
continue;
}
NTAccount ntAccount = rule.IdentityReference as NTAccount;
if (ntAccount == null)
{
continue;
}
if (principal.IsInRole(ntAccount.Value) ||
string.Compare(currentUser.Name, ntAccount.Value, StringComparison.OrdinalIgnoreCase) == 0)
{
effectiveFileSystemRights |= ParseSecurityEnumValue(effectiveFileSystemRights, fsAccessRule.FileSystemRights);
}
}
return(effectiveFileSystemRights.ToString());
}
public Dictionary <string, string> GetMetadata(string path, bool isSymlink, bool followSymlink)
{
var isDirTarget = path.EndsWith(DIRSEP, StringComparison.Ordinal);
var targetpath = isDirTarget ? path.Substring(0, path.Length - 1) : path;
var dict = new Dictionary <string, string>();
FileSystemSecurity rules = isDirTarget ? GetAccessControlDir(targetpath) : GetAccessControlFile(targetpath);
var objs = new List <FileSystemAccess>();
foreach (var f in rules.GetAccessRules(true, false, typeof(System.Security.Principal.SecurityIdentifier)))
{
objs.Add(new FileSystemAccess((FileSystemAccessRule)f));
}
dict["win-ext:accessrules"] = SerializeObject(objs);
// Only include the following key when its value is True.
// This prevents unnecessary 'metadata change' detections when upgrading from
// older versions (pre-2.0.5.101) that didn't store this value at all.
// When key is not present, its value is presumed False by the restore code.
if (rules.AreAccessRulesProtected)
{
dict["win-ext:accessrulesprotected"] = "True";
}
return(dict);
}
void AnalyzeAccessControl(StreamWriter sw, FileSystemSecurity security, string name, bool includeInherited)
{
var Owner = (SecurityIdentifier)security.GetOwner(typeof(SecurityIdentifier));
var matchOwner = MatchesUsersToCheck(Owner);
if (matchOwner.HasValue)
{
sw.WriteLine(name + "\t" + matchOwner.Value.Value + "\tOwner");
}
var accessRules = security.GetAccessRules(true, includeInherited, typeof(SecurityIdentifier));
if (accessRules == null)
{
return;
}
foreach (FileSystemAccessRule accessrule in accessRules)
{
if (accessrule.AccessControlType == AccessControlType.Deny)
{
continue;
}
if ((FileSystemRights.Write & accessrule.FileSystemRights) != FileSystemRights.Write)
{
continue;
}
var match = MatchesUsersToCheck(accessrule.IdentityReference);
if (!match.HasValue)
{
continue;
}
sw.WriteLine(name + "\t" + match.Value.Value + "\t" + accessrule.FileSystemRights.ToString());
}
}
/// <summary>
/// Determines whether the indicated file system security object has the indicated file system right.
/// </summary>
/// <param name="fss">The file system security object.</param>
/// <param name="right">The file system right.</param>
/// <returns>True, if the indicated file system security object has the indicated file system right.</returns>
/// <remarks>The current Windows user identity is used to search the security object's ACL for
/// relevent allow or deny rules. To have permission for the indicated right, the object's ACL
/// list must contain an explicit allow rule and no deny rules for either the user identity or a group to which
/// the user belongs.</remarks>
private static bool HasPermission(FileSystemSecurity fss, FileSystemRights right)
{
AuthorizationRuleCollection rules = fss.GetAccessRules(true, true, typeof(SecurityIdentifier));
var groups = WindowsIdentity.GetCurrent().Groups;
SecurityIdentifier user = WindowsIdentity.GetCurrent().User;
FileSystemRights remaining = right;
foreach (FileSystemAccessRule rule in rules.OfType <FileSystemAccessRule>())
{
FileSystemRights test = rule.FileSystemRights & right;
if (test != 0)
{
if (rule.IdentityReference == user || (groups != null && groups.Contains(rule.IdentityReference)))
{
if (rule.AccessControlType == AccessControlType.Allow)
{
remaining &= ~test;
if (remaining == 0)
{
return(true);
}
}
else if (rule.AccessControlType == AccessControlType.Deny)
{
return(false);
}
}
}
}
return(false);
}
/// <summary>
/// Displays the access rules for the directory.
/// </summary>
public void Initialize(DirectoryInfo filePath)
{
ItemsLV.Items.Clear();
AuthorizationRuleCollection authorizationRules = null;
if (filePath != null && filePath.Exists)
{
FileSystemSecurity security = filePath.GetAccessControl(AccessControlSections.Access);
authorizationRules = security.GetAccessRules(true, true, typeof(NTAccount));
}
if (authorizationRules == null || authorizationRules.Count == 0)
{
Instructions = "No access rules are defined.";
AdjustColumns();
return;
}
for (int ii = 0; ii < authorizationRules.Count; ii++)
{
FileSystemAccessRule accessRule = authorizationRules[ii] as FileSystemAccessRule;
if (accessRule == null)
{
continue;
}
AddItem(accessRule);
}
AdjustColumns();
}
public void SetSecurity(FileSystemSecurity security, AccessControlSections sections)
{
lock (Lock) {
if ((sections & AccessControlSections.Owner) != 0)
{
_directory.Owner = (SecurityIdentifier)security.GetOwner(typeof(SecurityIdentifier));
}
if ((sections & AccessControlSections.Group) != 0)
{
_directory.Group = (SecurityIdentifier)security.GetGroup(typeof(SecurityIdentifier));
}
if ((sections & AccessControlSections.Access) != 0)
{
_fileSystem.RemoveAccessRules(_directory);
foreach (var r in security.GetAccessRules(true, false, typeof(SecurityIdentifier)))
{
_fileSystem.AddAccessRule(_directory, (FileSystemAccessRule)r);
}
}
if ((sections & AccessControlSections.Audit) != 0)
{
_fileSystem.RemoveAuditRules(_directory);
foreach (var r in security.GetAuditRules(true, false, typeof(SecurityIdentifier)))
{
_fileSystem.AddAuditRule(_directory, (FileSystemAuditRule)r);
}
}
}
}
public static bool HasPermission(string filePath, FileSystemRights rights)
{
if (String.IsNullOrEmpty(filePath))
{
throw new ArgumentNullException("filePath");
}
if (!File.Exists(filePath) && !Directory.Exists(filePath))
{
return(false);
}
try {
FileSystemSecurity security = GetFileSystemSecurity(filePath);
if (security == null)
{
return(false);
}
var currentuser = new WindowsPrincipal(WindowsIdentity.GetCurrent());
var rules = security.GetAccessRules(true, true, typeof(NTAccount));
foreach (FileSystemAccessRule rule in rules)
{
if ((rule.FileSystemRights & rights) == 0)
{
continue;
}
if (rule.IdentityReference.Value.StartsWith("S-1-"))
{
var sid = new SecurityIdentifier(rule.IdentityReference.Value);
if (!currentuser.IsInRole(sid))
{
continue;
}
}
if (!currentuser.IsInRole(rule.IdentityReference.Value))
{
continue;
}
if (rule.AccessControlType == AccessControlType.Deny)
{
return(false);
}
if (rule.AccessControlType == AccessControlType.Allow)
{
return(true);
}
}
}
catch (UnauthorizedAccessException) {
return(false);
}
return(false);
}
public void SetMetadata(string path, Dictionary <string, string> data, bool restorePermissions)
{
var isDirTarget = path.EndsWith(DIRSEP, StringComparison.Ordinal);
var targetpath = isDirTarget ? path.Substring(0, path.Length - 1) : path;
if (restorePermissions)
{
FileSystemSecurity rules = isDirTarget ? GetAccessControlDir(targetpath) : GetAccessControlFile(targetpath);
if (data.ContainsKey("win-ext:accessrulesprotected"))
{
bool isProtected = bool.Parse(data["win-ext:accessrulesprotected"]);
if (rules.AreAccessRulesProtected != isProtected)
{
rules.SetAccessRuleProtection(isProtected, false);
}
}
if (data.ContainsKey("win-ext:accessrules"))
{
var content = DeserializeObject <FileSystemAccess[]>(data["win-ext:accessrules"]);
var c = rules.GetAccessRules(true, false, typeof(System.Security.Principal.SecurityIdentifier));
for (var i = c.Count - 1; i >= 0; i--)
{
rules.RemoveAccessRule((System.Security.AccessControl.FileSystemAccessRule)c[i]);
}
Exception ex = null;
foreach (var r in content)
{
// Attempt to apply as many rules as we can
try
{
rules.AddAccessRule(r.Create(rules));
}
catch (Exception e)
{
ex = e;
}
}
if (ex != null)
{
throw ex;
}
}
if (isDirTarget)
{
SetAccessControlDir(targetpath, (DirectorySecurity)rules);
}
else
{
SetAccessControlFile(targetpath, (FileSecurity)rules);
}
}
}
private Dictionary <string, List <RelationType> > AnalyzeFileSecurityDescriptor(string filepath, FileSystemSecurity sd, bool skipInherited)
{
// relations can be duplicated - will slow down import
Dictionary <string, List <RelationType> > relationToAdd = new Dictionary <string, List <RelationType> >();
Storage.InsertRelation(sd.GetOwner(typeof(SecurityIdentifier)).Value, MappingType.Sid, filepath, MappingType.FileName, RelationType.FILE_OWNER);
foreach (FileSystemAccessRule accessrule in sd.GetAccessRules(true, true, typeof(SecurityIdentifier)))
{
// ignore audit / denied ace
if (accessrule.AccessControlType != AccessControlType.Allow)
{
continue;
}
if (skipInherited && accessrule.IsInherited)
{
continue;
}
// GEN_RIGHT_ALL
if (IsRightSetinAccessRule(accessrule, FileSystemRights.FullControl))
{
IncludeRelationInDictionary(relationToAdd, accessrule.IdentityReference.Value, RelationType.GEN_RIGHT_ALL);
}
else
{
// GEN_RIGHT_WRITE
if (IsRightSetinAccessRule(accessrule, FileSystemRights.Write))
{
IncludeRelationInDictionary(relationToAdd, accessrule.IdentityReference.Value, RelationType.GEN_RIGHT_WRITE);
}
// STAND_RIGHT_WRITE_DAC
if (IsRightSetinAccessRule(accessrule, FileSystemRights.ChangePermissions))
{
IncludeRelationInDictionary(relationToAdd, accessrule.IdentityReference.Value, RelationType.STAND_RIGHT_WRITE_DAC);
}
// STAND_RIGHT_WRITE_OWNER
if (IsRightSetinAccessRule(accessrule, FileSystemRights.TakeOwnership))
{
IncludeRelationInDictionary(relationToAdd, accessrule.IdentityReference.Value, RelationType.STAND_RIGHT_WRITE_OWNER);
}
// FILE_WRITEDATA_ADDFILE
if (IsRightSetinAccessRule(accessrule, FileSystemRights.WriteData))
{
IncludeRelationInDictionary(relationToAdd, accessrule.IdentityReference.Value, RelationType.FS_RIGHT_WRITEDATA_ADDFILE);
}
// FILE_APPENDDATA_ADDSUBDIR
if (IsRightSetinAccessRule(accessrule, FileSystemRights.AppendData))
{
IncludeRelationInDictionary(relationToAdd, accessrule.IdentityReference.Value, RelationType.FS_RIGHT_APPENDDATA_ADDSUBDIR);
}
}
}
return(relationToAdd);
}
/// <summary>
/// Displays the access rules for the file.
/// </summary>
public void Initialize(SecuredObject objectType, string objectPath)
{
m_objectType = objectType;
ItemsLV.Items.Clear();
AuthorizationRuleCollection authorizationRules = null;
// determine if a file or directory.
FileInfo fileInfo = new FileInfo(objectPath);
if (fileInfo.Exists)
{
FileSystemSecurity security = fileInfo.GetAccessControl(AccessControlSections.Access);
authorizationRules = security.GetAccessRules(true, true, typeof(NTAccount));
}
else
{
DirectoryInfo directoryInfo = new DirectoryInfo(objectPath);
if (directoryInfo.Exists)
{
FileSystemSecurity security = directoryInfo.GetAccessControl(AccessControlSections.Access);
authorizationRules = security.GetAccessRules(true, true, typeof(NTAccount));
}
}
// set a message indicating no access rules.
if (authorizationRules == null || authorizationRules.Count == 0)
{
Instructions = "It is not possible to set the access rules.";
AdjustColumns();
return;
}
// display the access rules.
for (int ii = 0; ii < authorizationRules.Count; ii++)
{
FileSystemAccessRule accessRule = authorizationRules[ii] as FileSystemAccessRule;
if (accessRule == null)
{
continue;
}
if (GetEffectiveRight(accessRule) == ApplicationAccessRight.None)
{
continue;
}
AddItem(accessRule);
}
AdjustColumns();
}
bool UsersHaveFullControl(FileSystemSecurity sec)
{
var usersAccount = GetUsersAccount();
var rules = sec.GetAccessRules(true, true, typeof(NTAccount)).OfType <FileSystemAccessRule>();
return(rules.Any(r =>
r.FileSystemRights == FileSystemRights.FullControl &&
r.AccessControlType == AccessControlType.Allow &&
r.InheritanceFlags == (InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit) &&
r.IdentityReference == usersAccount));
}
private static bool IsEveryoneHere(FileSystemSecurity fss)
{
foreach (FileSystemAccessRule accessrule in fss.GetAccessRules(true, true, typeof(SecurityIdentifier)))
{
// ignore audit / denied ace
if (accessrule.AccessControlType != AccessControlType.Allow)
{
continue;
}
if (((SecurityIdentifier)accessrule.IdentityReference).IsWellKnown(WellKnownSidType.WorldSid) ||
((SecurityIdentifier)accessrule.IdentityReference).IsWellKnown(WellKnownSidType.AuthenticatedUserSid))
{
return(true);
}
}
return(false);
}
private static SharpSploitResultList <DaclResult> GetDaclResults(FileSystemSecurity SecurityEntry)
{
SharpSploitResultList <DaclResult> results = new SharpSploitResultList <DaclResult>();
foreach (FileSystemAccessRule ace in SecurityEntry.GetAccessRules(true, true, typeof(NTAccount)))
{
results.Add(new DaclResult
{
IdentityReference = ace.IdentityReference.Value,
AccessControlType = ace.AccessControlType,
FileSystemRights = ace.FileSystemRights,
IsInherited = ace.IsInherited,
InheritanceFlags = ace.InheritanceFlags,
PropagationFlags = ace.PropagationFlags
});
}
return(results);
}
public IEnumerable <FileSystemAccessRule> GetUsersWithPermission(string path)
{
FileSystemSecurity fsSecurity = default;
if (FileUtils.IsFile(path))
{
fsSecurity = File.GetAccessControl(path);
}
else
{
fsSecurity = Directory.GetAccessControl(path);
}
//var ntAccountType = typeof(NTAccount);
foreach (FileSystemAccessRule fsAccessRule in fsSecurity.GetAccessRules(true, true, typeof(SecurityIdentifier)))
{
yield return(fsAccessRule);
}
}
// return true if there is new relation(s) created
private bool InsertFileDescriptorRelation(string filenode, FileSystemSecurity sd, bool skipInherited, string knownOwner)
{
bool newRelation = false;
if (!sd.GetOwner(typeof(SecurityIdentifier)).Value.Equals(knownOwner, StringComparison.InvariantCultureIgnoreCase))
{
Storage.InsertRelation(sd.GetOwner(typeof(SecurityIdentifier)).Value, MappingType.Sid, filenode, MappingType.Name, RelationType.FILE_OWNER);
newRelation = true;
}
// relations can be duplicated - will slow down import
Dictionary <string, List <RelationType> > relationToAdd = new Dictionary <string, List <RelationType> >();
foreach (FileSystemAccessRule accessrule in sd.GetAccessRules(true, true, typeof(SecurityIdentifier)))
{
// ignore audit / denied ace
if (accessrule.AccessControlType != AccessControlType.Allow)
{
continue;
}
if (skipInherited && accessrule.IsInherited)
{
continue;
}
// GEN_RIGHT_ALL
if ((accessrule.FileSystemRights & FileSystemRights.FullControl) == FileSystemRights.FullControl)
{
IncludeRelationInDictionary(relationToAdd, accessrule.IdentityReference.Value, RelationType.GEN_RIGHT_ALL);
}
// GEN_RIGHT_WRITE
if ((accessrule.FileSystemRights & FileSystemRights.Write) == FileSystemRights.Write)
{
IncludeRelationInDictionary(relationToAdd, accessrule.IdentityReference.Value, RelationType.GEN_RIGHT_WRITE);
}
// STAND_RIGHT_WRITE_DAC
if ((accessrule.FileSystemRights & FileSystemRights.ChangePermissions) == FileSystemRights.ChangePermissions)
{
IncludeRelationInDictionary(relationToAdd, accessrule.IdentityReference.Value, RelationType.STAND_RIGHT_WRITE_DAC);
}
// STAND_RIGHT_WRITE_OWNER
if ((accessrule.FileSystemRights & FileSystemRights.TakeOwnership) == FileSystemRights.TakeOwnership)
{
IncludeRelationInDictionary(relationToAdd, accessrule.IdentityReference.Value, RelationType.STAND_RIGHT_WRITE_OWNER);
}
// FILE_WRITEDATA_ADDFILE
if ((accessrule.FileSystemRights & FileSystemRights.WriteData) == FileSystemRights.WriteData)
{
IncludeRelationInDictionary(relationToAdd, accessrule.IdentityReference.Value, RelationType.FS_RIGHT_WRITEDATA_ADDFILE);
}
// FILE_APPENDDATA_ADDSUBDIR
if ((accessrule.FileSystemRights & FileSystemRights.AppendData) == FileSystemRights.AppendData)
{
IncludeRelationInDictionary(relationToAdd, accessrule.IdentityReference.Value, RelationType.FS_RIGHT_APPENDDATA_ADDSUBDIR);
}
}
foreach (string target in relationToAdd.Keys)
{
foreach (RelationType link in relationToAdd[target])
{
Storage.InsertRelation(target, MappingType.Sid, filenode, MappingType.Name, link);
newRelation = true;
}
}
return(newRelation);
}
/// <summary>
/// Gets the application access rules implied by the access rights to the file.
/// </summary>
public static IList <ApplicationAccessRule> GetAccessRules(String filePath)
{
// get the current permissions from the file or directory.
FileSystemSecurity security = null;
FileInfo fileInfo = new FileInfo(filePath);
DirectoryInfo directoryInfo = null;
if (!fileInfo.Exists)
{
directoryInfo = new DirectoryInfo(filePath);
if (!directoryInfo.Exists)
{
throw new FileNotFoundException("File or directory does not exist.", filePath);
}
security = directoryInfo.GetAccessControl(AccessControlSections.Access);
}
else
{
security = fileInfo.GetAccessControl(AccessControlSections.Access);
}
// combine the access rules into a set of abstract application rules.
List <ApplicationAccessRule> accessRules = new List <ApplicationAccessRule>();
AuthorizationRuleCollection authorizationRules = security.GetAccessRules(true, true, typeof(NTAccount));
for (int ii = 0; ii < authorizationRules.Count; ii++)
{
FileSystemAccessRule accessRule = authorizationRules[ii] as FileSystemAccessRule;
// only care about file system rules.
if (accessRule == null)
{
continue;
}
ApplicationAccessRule rule = new ApplicationAccessRule();
rule.RuleType = ApplicationAccessRule.Convert(accessRule.AccessControlType);
rule.IdentityName = accessRule.IdentityReference.Value;
rule.Right = ApplicationAccessRight.None;
// create an allow rule.
if (rule.RuleType == AccessControlType.Allow)
{
// check if all rights required for configuration access exist.
if (((int)accessRule.FileSystemRights & (int)Configure) == (int)Configure)
{
rule.Right = ApplicationAccessRight.Configure;
}
// check if all rights required for update access exist.
else if (((int)accessRule.FileSystemRights & (int)Update) == (int)Update)
{
rule.Right = ApplicationAccessRight.Update;
}
// check if all rights required for read access exist.
else if (((int)accessRule.FileSystemRights & (int)Read) == (int)Read)
{
rule.Right = ApplicationAccessRight.Run;
}
}
// create a deny rule.
else if (rule.RuleType == AccessControlType.Deny)
{
// check if any rights required for read access are denied.
if (((int)accessRule.FileSystemRights & (int)Read) != 0)
{
rule.Right = ApplicationAccessRight.Run;
}
// check if any rights required for update access are denied.
else if (((int)accessRule.FileSystemRights & (int)Update) != 0)
{
rule.Right = ApplicationAccessRight.Update;
}
// check if any rights required for configure access are denied.
else if (((int)accessRule.FileSystemRights & (int)Configure) != 0)
{
rule.Right = ApplicationAccessRight.Configure;
}
}
// add rule if not trivial.
if (rule.Right != ApplicationAccessRight.None)
{
accessRules.Add(rule);
}
}
return(accessRules);
}
/// <summary>
/// Gets the application access rules implied by the access rights to the file.
/// </summary>
public static void SetAccessRules(String filePath, IList <ApplicationAccessRule> accessRules, bool replaceExisting)
{
// get the current permissions from the file or directory.
FileSystemSecurity security = null;
FileInfo fileInfo = new FileInfo(filePath);
DirectoryInfo directoryInfo = null;
if (!fileInfo.Exists)
{
directoryInfo = new DirectoryInfo(filePath);
if (!directoryInfo.Exists)
{
throw new FileNotFoundException("File or directory does not exist.", filePath);
}
security = directoryInfo.GetAccessControl(AccessControlSections.Access);
}
else
{
security = fileInfo.GetAccessControl(AccessControlSections.Access);
}
if (replaceExisting)
{
// can't use inhieritance when setting permissions
security.SetAccessRuleProtection(true, false);
// remove all existing access rules.
AuthorizationRuleCollection authorizationRules = security.GetAccessRules(true, true, typeof(NTAccount));
for (int ii = 0; ii < authorizationRules.Count; ii++)
{
FileSystemAccessRule accessRule = authorizationRules[ii] as FileSystemAccessRule;
// only care about file system rules.
if (accessRule == null)
{
continue;
}
security.RemoveAccessRule(accessRule);
}
}
// allow children to inherit rules for directories.
InheritanceFlags flags = InheritanceFlags.None;
if (directoryInfo != null)
{
flags = InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit;
}
// add the new rules.
for (int ii = 0; ii < accessRules.Count; ii++)
{
ApplicationAccessRule applicationRule = accessRules[ii];
IdentityReference identityReference = applicationRule.IdentityReference;
if (identityReference == null)
{
if (applicationRule.IdentityName.StartsWith("S-"))
{
SecurityIdentifier sid = new SecurityIdentifier(applicationRule.IdentityName);
if (!sid.IsValidTargetType(typeof(NTAccount)))
{
continue;
}
identityReference = sid.Translate(typeof(NTAccount));
}
else
{
identityReference = new NTAccount(applicationRule.IdentityName);
}
}
FileSystemAccessRule fileRule = null;
switch (applicationRule.Right)
{
case ApplicationAccessRight.Run:
{
fileRule = new FileSystemAccessRule(
identityReference,
(applicationRule.RuleType == AccessControlType.Allow) ? Read : Configure,
flags,
PropagationFlags.None,
ApplicationAccessRule.Convert(applicationRule.RuleType));
break;
}
case ApplicationAccessRight.Update:
{
fileRule = new FileSystemAccessRule(
identityReference,
(applicationRule.RuleType == AccessControlType.Allow) ? Update : ConfigureOnly | UpdateOnly,
flags,
PropagationFlags.None,
ApplicationAccessRule.Convert(applicationRule.RuleType));
security.SetAccessRule(fileRule);
break;
}
case ApplicationAccessRight.Configure:
{
fileRule = new FileSystemAccessRule(
identityReference,
(applicationRule.RuleType == AccessControlType.Allow) ? Configure : ConfigureOnly,
flags,
PropagationFlags.None,
ApplicationAccessRule.Convert(applicationRule.RuleType));
break;
}
}
try
{
security.SetAccessRule(fileRule);
}
catch (Exception e)
{
Utils.Trace(
"Could not set access rule for account '{0}' on file '{1}'. Error={2}",
applicationRule.IdentityName,
filePath,
e.Message);
}
}
if (directoryInfo != null)
{
directoryInfo.SetAccessControl((DirectorySecurity)security);
return;
}
fileInfo.SetAccessControl((FileSecurity)security);
}
public virtual AuthorizationRuleCollection GetAccessRules(bool includeExplicit, bool includeInherited, Type targetType)
{
return(_fileSystemSecurity.GetAccessRules(includeExplicit, includeInherited, targetType));
}
internal static void SetAccessControlExtracted(FileSystemSecurity security, string name)
{
//security.WriteLock();
AccessControlSections includeSections = AccessControlSections.Owner | AccessControlSections.Group;
if (security.GetAccessRules(true, false, typeof(SecurityIdentifier)).Count > 0)
{
includeSections |= AccessControlSections.Access;
}
if (security.GetAuditRules(true, false, typeof(SecurityIdentifier)).Count > 0)
{
includeSections |= AccessControlSections.Audit;
}
SecurityInfos securityInfo = (SecurityInfos)0;
SecurityIdentifier owner = null;
SecurityIdentifier group = null;
SystemAcl sacl = null;
DiscretionaryAcl dacl = null;
if ((includeSections & AccessControlSections.Owner) != AccessControlSections.None)
{
owner = (SecurityIdentifier)security.GetOwner(typeof(SecurityIdentifier));
if (owner != null)
{
securityInfo = securityInfo | SecurityInfos.Owner;
}
}
if ((includeSections & AccessControlSections.Group) != AccessControlSections.None)
{
@group = (SecurityIdentifier)security.GetGroup(typeof(SecurityIdentifier));
if (@group != null)
{
securityInfo = securityInfo | SecurityInfos.Group;
}
}
var securityDescriptorBinaryForm = security.GetSecurityDescriptorBinaryForm();
RawSecurityDescriptor rawSecurityDescriptor = null;
bool isDiscretionaryAclPresent = false;
if (securityDescriptorBinaryForm != null)
{
rawSecurityDescriptor = new RawSecurityDescriptor(securityDescriptorBinaryForm, 0);
isDiscretionaryAclPresent = (rawSecurityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclPresent) != ControlFlags.None;
}
if ((includeSections & AccessControlSections.Audit) != AccessControlSections.None)
{
securityInfo = securityInfo | SecurityInfos.SystemAcl;
sacl = null;
if (rawSecurityDescriptor != null)
{
var isSystemAclPresent = (rawSecurityDescriptor.ControlFlags & ControlFlags.SystemAclPresent) != ControlFlags.None;
if (isSystemAclPresent && rawSecurityDescriptor.SystemAcl != null && rawSecurityDescriptor.SystemAcl.Count > 0)
{
// are all system acls on a file not a container?
const bool notAContainer = false;
const bool notADirectoryObjectACL = false;
sacl = new SystemAcl(notAContainer, notADirectoryObjectACL,
rawSecurityDescriptor.SystemAcl);
}
securityInfo = (SecurityInfos)(((rawSecurityDescriptor.ControlFlags & ControlFlags.SystemAclProtected) == ControlFlags.None ?
(uint)securityInfo | UnprotectedSystemAcl : (uint)securityInfo | ProtectedSystemAcl));
}
}
if ((includeSections & AccessControlSections.Access) != AccessControlSections.None && isDiscretionaryAclPresent)
{
securityInfo = securityInfo | SecurityInfos.DiscretionaryAcl;
dacl = null;
if (rawSecurityDescriptor != null)
{
//if (!this._securityDescriptor.DiscretionaryAcl.EveryOneFullAccessForNullDacl)
{
dacl = new DiscretionaryAcl(false, false, rawSecurityDescriptor.DiscretionaryAcl);
}
securityInfo = (SecurityInfos)(((rawSecurityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclProtected) == ControlFlags.None ?
(uint)securityInfo | UnprotectedDiscretionaryAcl : (uint)securityInfo | ProtectedDiscretionaryAcl));
}
}
if (securityInfo == 0)
{
return;
}
int errorNum = SetSecurityInfo(ResourceType.FileObject, name, null, securityInfo, owner, @group, sacl, dacl);
if (errorNum != 0)
{
Exception exception = GetExceptionFromWin32Error(errorNum, name);
if (exception == null)
{
if (errorNum == NativeMethods.ERROR_ACCESS_DENIED)
{
exception = new UnauthorizedAccessException();
}
else if (errorNum == NativeMethods.ERROR_INVALID_OWNER)
{
exception = new InvalidOperationException("Invalid owner");
}
else if (errorNum == NativeMethods.ERROR_INVALID_PRIMARY_GROUP)
{
exception = new InvalidOperationException("Invalid group");
}
else if (errorNum == NativeMethods.ERROR_INVALID_NAME)
{
exception = new ArgumentException("Invalid name", "name");
}
else if (errorNum == NativeMethods.ERROR_INVALID_HANDLE)
{
exception = new NotSupportedException("Invalid Handle");
}
else if (errorNum == NativeMethods.ERROR_FILE_NOT_FOUND)
{
exception = new FileNotFoundException();
}
else if (errorNum != NativeMethods.ERROR_NO_SECURITY_ON_OBJECT)
{
exception = new InvalidOperationException("Unexpected error");
}
else
{
exception = new NotSupportedException("No associated security");
}
}
throw exception;
}
//finally
//{
//security.WriteLUnlck();
//}
}
public static void SetAccessControlExtracted([NotNull] this FileSystemSecurity security, [NotNull] String name)
{
if (security == null)
{
throw new ArgumentNullException(paramName: nameof(security));
}
name = name.ThrowIfBlank();
var includeSections = AccessControlSections.Owner | AccessControlSections.Group;
if (security.GetAccessRules(true, false, typeof(SecurityIdentifier)).Count > 0)
{
includeSections |= AccessControlSections.Access;
}
if (security.GetAuditRules(true, false, typeof(SecurityIdentifier)).Count > 0)
{
includeSections |= AccessControlSections.Audit;
}
UInt32 securityInfo = 0;
SecurityIdentifier owner = null;
SecurityIdentifier group = null;
SystemAcl sacl = null;
DiscretionaryAcl dacl = null;
if ((includeSections & AccessControlSections.Owner) != AccessControlSections.None)
{
owner = security.GetOwner(typeof(SecurityIdentifier)) as SecurityIdentifier;
if (owner != null)
{
securityInfo |= ( UInt32 )SecurityInfos.Owner;
}
}
if ((includeSections & AccessControlSections.Group) != AccessControlSections.None)
{
group = security.GetGroup(typeof(SecurityIdentifier)) as SecurityIdentifier;
if (group != null)
{
securityInfo |= ( UInt32 )SecurityInfos.Group;
}
}
var securityDescriptorBinaryForm = security.GetSecurityDescriptorBinaryForm();
var rawSecurityDescriptor = new RawSecurityDescriptor(securityDescriptorBinaryForm, 0);
var isDiscretionaryAclPresent = (rawSecurityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclPresent) != ControlFlags.None;
if ((includeSections & AccessControlSections.Audit) != AccessControlSections.None)
{
securityInfo |= ( UInt32 )SecurityInfos.SystemAcl;
var isSystemAclPresent = (rawSecurityDescriptor.ControlFlags & ControlFlags.SystemAclPresent) != ControlFlags.None;
if (isSystemAclPresent && rawSecurityDescriptor.SystemAcl != null && rawSecurityDescriptor.SystemAcl.Count > 0)
{
// are all system acls on a file not a container?
const Boolean notAContainer = false;
const Boolean notADirectoryObjectACL = false;
sacl = new SystemAcl(notAContainer, notADirectoryObjectACL, rawSecurityDescriptor.SystemAcl);
}
if ((rawSecurityDescriptor.ControlFlags & ControlFlags.SystemAclProtected) == ControlFlags.None)
{
securityInfo |= UnprotectedSystemAcl;
}
else
{
securityInfo |= ProtectedSystemAcl;
}
}
if ((includeSections & AccessControlSections.Access) != AccessControlSections.None && isDiscretionaryAclPresent)
{
securityInfo |= ( UInt32 )SecurityInfos.DiscretionaryAcl;
dacl = new DiscretionaryAcl(false, false, rawSecurityDescriptor.DiscretionaryAcl);
securityInfo = (rawSecurityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclProtected) == ControlFlags.None ?
securityInfo | UnprotectedDiscretionaryAcl :
securityInfo | ProtectedDiscretionaryAcl;
}
if (securityInfo == 0)
{
return;
}
var errorNum = SetSecurityInfo(ResourceType.FileObject, name, ( SecurityInfos )securityInfo, owner, group, sacl, dacl); //eh?
if (errorNum != 0)
{
var exception = GetExceptionFromWin32Error(errorNum, name);
throw exception;
}
}
/// <summary>Checks if the current process has the necessary permissions to a folder. This allows "custom" elevation of limited users -- allowing them control over normally restricted folders.</summary>
/// <param name="folder">The full path to the folder to check.</param>
/// <returns>True if the user has permission, false if not.</returns>
static bool HaveFolderPermissions(string folder)
{
try
{
const FileSystemRights RightsNeeded = FileSystemRights.Traverse |
FileSystemRights.DeleteSubdirectoriesAndFiles |
FileSystemRights.ListDirectory | FileSystemRights.CreateFiles |
FileSystemRights.CreateDirectories |
FileSystemRights.Modify; //Read, ExecuteFile, Write, Delete
FileSystemSecurity security = Directory.GetAccessControl(folder);
var rules = security.GetAccessRules(true, true, typeof(NTAccount));
var currentuser = new WindowsPrincipal(WindowsIdentity.GetCurrent());
FileSystemRights RightsHave = 0;
FileSystemRights RightsDontHave = 0;
foreach (FileSystemAccessRule rule in rules)
{
// First check to see if the current user is even in the role, if not, skip
if (rule.IdentityReference.Value.StartsWith("S-1-"))
{
var sid = new SecurityIdentifier(rule.IdentityReference.Value);
if (!currentuser.IsInRole(sid))
{
continue;
}
}
else
{
if (!currentuser.IsInRole(rule.IdentityReference.Value))
{
continue;
}
}
if (rule.AccessControlType == AccessControlType.Deny)
{
RightsDontHave |= rule.FileSystemRights;
}
else
{
RightsHave |= rule.FileSystemRights;
}
}
// exclude "RightsDontHave"
RightsHave &= ~RightsDontHave;
//Note: We're "XOR"ing with RightsNeeded to eliminate permissions that
// "RightsHave" and "RightsNeeded" have in common. Then we're
// ANDing that result with RightsNeeded to get permissions in
// "RightsNeeded" that are missing from "RightsHave". The result
// should be 0 if the user has RightsNeeded over the folder (even
// if "RightsHave" has flags that aren't present in the
// "RightsNeeded" -- which can happen because "RightsNeeded" isn't
// *every* possible flag).
// Check if the user has full control over the folder.
return(((RightsHave ^ RightsNeeded) & RightsNeeded) == 0);
}
catch
{
return(false);
}
}
public static bool WritePermissionGranted(string fileOrDirectoryPath)
{
try
{
AuthorizationRuleCollection rules;
if (C1File.Exists(fileOrDirectoryPath))
{
FileSystemSecurity security = File.GetAccessControl(fileOrDirectoryPath);
rules = security.GetAccessRules(true, true, typeof(NTAccount));
}
else if (C1Directory.Exists(fileOrDirectoryPath))
{
DirectorySecurity security = Directory.GetAccessControl(fileOrDirectoryPath);
rules = security.GetAccessRules(true, true, typeof(NTAccount));
}
else
{
throw new FileNotFoundException("File or directory '{0}' does not exist".FormatWith(fileOrDirectoryPath));
}
var currentuser = new WindowsPrincipal(WindowsIdentity.GetCurrent());
bool result = false;
foreach (FileSystemAccessRule rule in rules)
{
if ((rule.FileSystemRights & (FileSystemRights.WriteData | FileSystemRights.Write)) == 0)
{
continue;
}
if (rule.IdentityReference.Value.StartsWith("S-1-"))
{
var sid = new SecurityIdentifier(rule.IdentityReference.Value);
if (!currentuser.IsInRole(sid))
{
continue;
}
}
else
{
if (!currentuser.IsInRole(rule.IdentityReference.Value))
{
continue;
}
}
if (rule.AccessControlType == AccessControlType.Deny)
{
return(false);
}
if (rule.AccessControlType == AccessControlType.Allow)
{
result = true;
}
}
return(result);
}
catch
{
return(false);
}
}
/// <summary>
/// Gets the access rights granted to each account.
/// </summary>
private void GetAccountAccessRights(
string path,
SecuredObject objectToSecure,
Dictionary <string, SecuredObjectAccessRights> read,
Dictionary <string, SecuredObjectAccessRights> write,
Dictionary <string, SecuredObjectAccessRights> configure)
{
AuthorizationRuleCollection authorizationRules = null;
// determine if a file or directory.
FileInfo fileInfo = new FileInfo(path);
if (fileInfo.Exists)
{
FileSystemSecurity security = fileInfo.GetAccessControl(AccessControlSections.Access);
authorizationRules = security.GetAccessRules(true, true, typeof(NTAccount));
}
else
{
DirectoryInfo directoryInfo = new DirectoryInfo(path);
if (directoryInfo.Exists)
{
FileSystemSecurity security = directoryInfo.GetAccessControl(AccessControlSections.Access);
authorizationRules = security.GetAccessRules(true, true, typeof(NTAccount));
}
}
// check if no rules to add.
if (authorizationRules == null || authorizationRules.Count == 0)
{
return;
}
// process the access rules.
for (int ii = 0; ii < authorizationRules.Count; ii++)
{
// check for file system rule.
FileSystemAccessRule accessRule = authorizationRules[ii] as FileSystemAccessRule;
if (accessRule == null)
{
continue;
}
// check the type of rule.
bool denied = (accessRule.AccessControlType == System.Security.AccessControl.AccessControlType.Deny);
// check for right to take ownership.
if (!denied)
{
if ((FileSystemRights.TakeOwnership & accessRule.FileSystemRights) != 0)
{
UpdateAccessRightSet(objectToSecure, accessRule.IdentityReference, denied, configure);
}
}
// check if the rule affects configuration rights.
if ((FileSystemRights.ChangePermissions & accessRule.FileSystemRights) != 0)
{
UpdateAccessRightSet(objectToSecure, accessRule.IdentityReference, denied, configure);
}
// check if the rule affects write rights.
if ((FileSystemRights.WriteData & accessRule.FileSystemRights) != 0)
{
UpdateAccessRightSet(objectToSecure, accessRule.IdentityReference, denied, write);
}
// check if the rule affects read rights.
if ((FileSystemRights.ReadData & accessRule.FileSystemRights) != 0)
{
UpdateAccessRightSet(objectToSecure, accessRule.IdentityReference, denied, read);
}
// check if the rule affects read rights.
if (objectToSecure == SecuredObject.ExecutableFile)
{
if ((FileSystemRights.ExecuteFile & accessRule.FileSystemRights) != 0)
{
UpdateAccessRightSet(objectToSecure, accessRule.IdentityReference, denied, read);
}
}
else
{
if ((FileSystemRights.ReadData & accessRule.FileSystemRights) != 0)
{
UpdateAccessRightSet(objectToSecure, accessRule.IdentityReference, denied, read);
}
}
}
}
public static bool SetPermission(string filePath, FileSystemRights rights)
{
if (String.IsNullOrEmpty(filePath))
{
throw new ArgumentNullException("filePath");
}
try {
var rule = new FileSystemAccessRule(WindowsIdentity.GetCurrent().Name, rights, AccessControlType.Allow);
FileSystemSecurity security = GetFileSystemSecurity(filePath);
if (security == null)
{
return(false);
}
// Remove any access rules before adding them.
var currentuser = new WindowsPrincipal(WindowsIdentity.GetCurrent());
var rules = security.GetAccessRules(true, true, typeof(NTAccount));
foreach (FileSystemAccessRule r in rules)
{
if ((r.FileSystemRights & rights) == 0)
{
continue;
}
if (r.IdentityReference.Value.StartsWith("S-1-"))
{
var sid = new SecurityIdentifier(r.IdentityReference.Value);
if (!currentuser.IsInRole(sid))
{
continue;
}
}
if (r.AccessControlType == AccessControlType.Deny)
{
security.RemoveAccessRuleAll(r);
break;
}
}
security.AddAccessRule(rule);
if (File.Exists(filePath))
{
File.SetAccessControl(filePath, security as FileSecurity);
}
else if (Directory.Exists(filePath))
{
Directory.SetAccessControl(filePath, security as DirectorySecurity);
}
else
{
return(false);
}
return(true);
}
catch (UnauthorizedAccessException) {
return(false);
}
}
internal static bool UserHasRights(FileSystemSecurity sec)
{
NTAccount usersAccount = GetUsersAccount();
return(sec.GetAccessRules(true, true, typeof(NTAccount)).OfType <FileSystemAccessRule>().Any <FileSystemAccessRule>(r => ((((r.FileSystemRights == FileSystemRights.FullControl) && (r.AccessControlType == AccessControlType.Allow)) && (r.InheritanceFlags == (InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit))) && (r.IdentityReference == usersAccount))));
}
