/// <summary>
/// Returns security descriptor for given object
/// </summary>
public static SecurityDescriptor GetSecurity(
IntPtr objectHandle,
SecureObjectType objectType,
SecurityInformationType securityInfo)
{
// parameters validation
if (objectHandle == IntPtr.Zero)
{
throw new ArgumentNullException("objectHandle");
}
// obtain security descriptor
IntPtr pSd;
int error = SecurityNative.GetSecurityInfo(
objectHandle,
(uint)objectType,
(uint)securityInfo,
IntPtr.Zero,
IntPtr.Zero,
IntPtr.Zero,
IntPtr.Zero,
out pSd);
if (error != Win32.ERROR_SUCCESS)
{
throw new Win32Exception(error);
}
// create security descriptor object
return(new SecurityDescriptor(pSd, false));
}
/// <summary>
/// Sets security descriptor for given object
/// </summary>
public static void SetSecurity(
string objectName,
SecureObjectType objectType,
SecurityInformationType securityInfo,
SecurityDescriptor securityDescriptor)
{
// parameters validation
if (objectName == null)
{
throw new ArgumentNullException("objectName");
}
if (securityDescriptor == null)
{
throw new ArgumentNullException("securityDescriptor");
}
// set security descriptor
int error = SecurityNative.SetNamedSecurityInfo(
objectName,
(uint)objectType,
(uint)securityInfo,
securityDescriptor.Owner == null ? IntPtr.Zero : securityDescriptor.Owner.Handle,
securityDescriptor.Group == null ? IntPtr.Zero : securityDescriptor.Group.Handle,
securityDescriptor.DiscretionaryAcl == null ? IntPtr.Zero : securityDescriptor.DiscretionaryAcl.Handle,
securityDescriptor.SystemAcl == null ? IntPtr.Zero : securityDescriptor.SystemAcl.Handle);
if (error != Win32.ERROR_SUCCESS)
{
throw new Win32Exception(error);
}
}
public SecurityDescriptor(
SecurityIdentifier owner,
SecurityIdentifier group,
AccessControlList dacl,
AccessControlList sacl,
SecurityDescriptorControl control)
{
// create security descriptor
_pSd = CreateSecurityDescriptor(
owner == null ? IntPtr.Zero : owner.Handle,
group == null ? IntPtr.Zero : group.Handle,
dacl == null ? IntPtr.Zero : dacl.Handle,
sacl == null ? IntPtr.Zero : sacl.Handle,
control);
// query properties
uint revision;
uint controlFlags;
if (!SecurityNative.GetSecurityDescriptorControl(_pSd, out controlFlags, out revision))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
_revision = (int)revision;
_control = (SecurityDescriptorControl)controlFlags;
_owner = owner;
_group = group;
_dacl = dacl;
_sacl = sacl;
}
public SecurityIdentifier(byte[] authorityIdentifier, uint[] rids)
{
// parameters validation
if (authorityIdentifier == null)
{
throw new ArgumentNullException("authorityIdentifier");
}
if (rids == null)
{
throw new ArgumentNullException("rids");
}
// get SID size
byte subAuthCount = (byte)rids.Length;
_size = SecurityNative.GetSidLengthRequired(subAuthCount);
// allocate memory for security identifier
_pSid = new LocalAllocHandle(_size);
// initialize security identifier
GCHandle gcAuthId = GCHandle.Alloc(authorityIdentifier, GCHandleType.Pinned);
if (!SecurityNative.InitializeSid(_pSid, gcAuthId.AddrOfPinnedObject(), subAuthCount))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
gcAuthId.Free();
// initialize subauthorities
for (byte i = 0; i < subAuthCount; ++i)
{
Marshal.WriteInt32(SecurityNative.GetSidSubAuthority(_pSid, i), (int)rids[i]);
}
}
internal SecurityIdentifier(IntPtr pSid, bool copy)
{
// parameters validation
if (pSid == IntPtr.Zero)
{
throw new ArgumentNullException("pSid");
}
// get SID size
_size = SecurityNative.GetLengthSid(pSid);
if (copy)
{
// allocate memory for security identifier
_pSid = new LocalAllocHandle(_size);
// copy security identifier
if (!SecurityNative.CopySid((uint)_size, (IntPtr)_pSid, pSid))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
}
else
{
// store pointer
_pSid = new LocalAllocHandle(pSid);
}
}
/// <summary>
/// Returns security descriptor information
/// </summary>
private static void GetSecurityDescriptorInfo(
IntPtr pSd,
out IntPtr pOwner,
out IntPtr pGroup,
out IntPtr pDacl,
out IntPtr pSacl,
out SecurityDescriptorControl control)
{
// parameters validation
if (pSd == IntPtr.Zero)
{
throw new ArgumentNullException("pSd");
}
// query SIDs
bool ownerDefaulted;
if (!SecurityNative.GetSecurityDescriptorOwner(pSd, out pOwner, out ownerDefaulted))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
bool groupDefaulted;
if (!SecurityNative.GetSecurityDescriptorGroup(pSd, out pGroup, out groupDefaulted))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
// query ACLs
bool daclPresent;
bool daclDefaulted;
if (!SecurityNative.GetSecurityDescriptorDacl(pSd, out daclPresent, out pDacl, out daclDefaulted))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
bool saclPresent;
bool saclDefaulted;
if (!SecurityNative.GetSecurityDescriptorSacl(pSd, out saclPresent, out pSacl, out saclDefaulted))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
// query properties
uint revision;
uint controlFlags;
if (!SecurityNative.GetSecurityDescriptorControl(pSd, out controlFlags, out revision))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
control = (SecurityDescriptorControl)controlFlags;
}
/// <summary>
/// Creates security descriptor
/// </summary>
private static LocalAllocHandle CreateSecurityDescriptor(
IntPtr pOwner,
IntPtr pGroup,
IntPtr pDacl,
IntPtr pSacl,
SecurityDescriptorControl control)
{
// correct control flags
if (pDacl != IntPtr.Zero)
{
control |= SecurityDescriptorControl.DaclPresent;
}
if (pSacl != IntPtr.Zero)
{
control |= SecurityDescriptorControl.SaclPresent;
}
// allocate memory for security descriptor
LocalAllocHandle pSd = new LocalAllocHandle(SecurityNative.SecurityDescriptor.Size);
// initialize security descriptor
if (!SecurityNative.InitializeSecurityDescriptor(pSd, SecurityNative.SECURITY_DESCRIPTOR_REVISION))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
// set security descriptor control
if (!SecurityNative.SetSecurityDescriptorControl(pSd, (uint)SecurityDescriptorControl.InheritenceMask, (uint)(control & SecurityDescriptorControl.InheritenceMask)))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
// set SIDs
if (!SecurityNative.SetSecurityDescriptorOwner(pSd, pOwner, (control & SecurityDescriptorControl.OwnerDefaulted) != 0))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
if (!SecurityNative.SetSecurityDescriptorGroup(pSd, pGroup, (control & SecurityDescriptorControl.GroupDefaulted) != 0))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
// set ACLs
if (!SecurityNative.SetSecurityDescriptorDacl(pSd, (control & SecurityDescriptorControl.DaclPresent) != 0, pDacl, (control & SecurityDescriptorControl.DaclDefaulted) != 0))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
if (!SecurityNative.SetSecurityDescriptorSacl(pSd, (control & SecurityDescriptorControl.SaclPresent) != 0, pSacl, (control & SecurityDescriptorControl.SaclDefaulted) != 0))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
return(pSd);
}
/// <summary>
/// Returns security identifier string representation
/// </summary>
public override string ToString()
{
if (_stringSid == null)
{
// convert SID to string
IntPtr pStringSd;
if (!SecurityNative.ConvertSidToStringSid(_pSid, out pStringSd))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
_stringSid = Marshal.PtrToStringUni(pStringSd);
Win32.LocalFree(pStringSd);
}
return(_stringSid);
}
public SecurityIdentifier(string sid)
{
// parameters validation
if (sid == null)
{
throw new ArgumentNullException("sid");
}
// convert string to SID
IntPtr pSid;
if (!SecurityNative.ConvertStringSidToSid(sid, out pSid))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
// store pointer
_pSid = new LocalAllocHandle(pSid);
// get SID size
_size = SecurityNative.GetLengthSid(pSid);
}
/// <summary>
/// Returns security identifier string representation
/// </summary>
public override string ToString()
{
if (_stringSd == null)
{
// convert SD to string
IntPtr pStringSd;
int stringLen;
if (!SecurityNative.ConvertSecurityDescriptorToStringSecurityDescriptor(
_pSd,
SecurityNative.SDDL_REVISION,
(uint)SecurityInformationType.All,
out pStringSd,
out stringLen))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
_stringSd = Marshal.PtrToStringUni(pStringSd);
Win32.LocalFree(pStringSd);
}
return(_stringSd);
}
internal SecurityDescriptor(IntPtr pSd, bool copy)
{
// get security descriptor information
IntPtr pOwner;
IntPtr pGroup;
IntPtr pDacl;
IntPtr pSacl;
SecurityDescriptorControl control;
GetSecurityDescriptorInfo(
pSd,
out pOwner,
out pGroup,
out pDacl,
out pSacl,
out control);
bool copyStructs;
if (copy)
{
// create security descriptor
_pSd = CreateSecurityDescriptor(pOwner, pGroup, pDacl, pSacl, control);
copyStructs = true;
}
else
{
// store pointer
_pSd = new LocalAllocHandle(pSd);
copyStructs = (control & SecurityDescriptorControl.SelfRelative) != 0;
}
// query properties
uint revision;
uint controlFlags;
if (!SecurityNative.GetSecurityDescriptorControl(_pSd, out controlFlags, out revision))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
_revision = (int)revision;
_control = (SecurityDescriptorControl)controlFlags;
if (pOwner != IntPtr.Zero)
{
_owner = new SecurityIdentifier(pOwner, copyStructs);
}
if (pGroup != IntPtr.Zero)
{
_group = new SecurityIdentifier(pGroup, copyStructs);
}
if (pDacl != IntPtr.Zero)
{
_dacl = new AccessControlList(pDacl, copyStructs);
}
if (pSacl != IntPtr.Zero)
{
_sacl = new AccessControlList(pSacl, copyStructs);
}
}
/// <summary>
/// Compares two SID prefixes
/// </summary>
public bool ComparePrefix(SecurityIdentifier sid)
{
return(SecurityNative.EqualPrefixSid(_pSid, sid.Handle));
}
/// <summary>
/// Returns account name for the SID
/// </summary>
public static string LookupAccount(string systemName, SecurityIdentifier accountSid)
{
// parameters validation
if (accountSid == null)
{
throw new ArgumentNullException("accountSid");
}
uint cbAccountName = 256;
IntPtr pAccountName = IntPtr.Zero;
uint cbDomainName = 256;
IntPtr pDomainName = IntPtr.Zero;
try
{
while (true)
{
// allocate buffers
pAccountName = Win32.LocalAlloc(Win32.LMEM_FIXED, cbAccountName);
pDomainName = Win32.LocalAlloc(Win32.LMEM_FIXED, cbDomainName);
if ((pAccountName == IntPtr.Zero) || (pDomainName == IntPtr.Zero))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
// lookup for account
int accountType;
if (SecurityNative.LookupAccountSid(
systemName,
accountSid.Handle,
pAccountName,
ref cbAccountName,
pDomainName,
ref cbDomainName,
out accountType))
{
return(Marshal.PtrToStringUni(pDomainName) + "\\" + Marshal.PtrToStringUni(pAccountName));
}
else
{
int error = Marshal.GetLastWin32Error();
if (error != Win32.ERROR_OUTOFMEMORY)
{
throw new Win32Exception(error);
}
}
}
}
finally
{
if (pAccountName != IntPtr.Zero)
{
Win32.LocalFree(pAccountName);
}
if (pDomainName != IntPtr.Zero)
{
Win32.LocalFree(pDomainName);
}
}
}
