/// <summary>
/// Computes the maximum access a token is granted on a file and writes an
/// access check result when the requested access is satisfied.
/// </summary>
/// <param name="token">The token entry to check access for.</param>
/// <param name="file">The file object being checked.</param>
/// <param name="access_rights">The access rights the caller is looking for.</param>
/// <param name="sd">The security descriptor of the file.</param>
/// <param name="parent_sd">The security descriptor of the parent directory; can be null.</param>
private void CheckAccess(TokenEntry token, NtFile file, AccessMask access_rights, SecurityDescriptor sd, SecurityDescriptor parent_sd)
{
    NtType file_type = file.NtType;
    AccessMask effective_access = NtSecurity.GetMaximumAccess(sd, token.Token, file_type.GenericMapping);

    // The parent directory can grant additional rights on this file, so the reported
    // mask can be wider than what the file's own security descriptor grants.
    bool has_read_attr_and_delete = effective_access.IsAllAccessGranted(
        FileDirectoryAccessRights.ReadAttributes | FileDirectoryAccessRights.Delete);
    if (!has_read_attr_and_delete && parent_sd != null)
    {
        // The parent is evaluated with the same generic mapping as the file.
        AccessMask parent_access = NtSecurity.GetMaximumAccess(parent_sd, token.Token, file_type.GenericMapping);

        // DeleteChild on the parent is treated as Delete on the file.
        if (parent_access.IsAccessGranted(FileDirectoryAccessRights.DeleteChild))
        {
            effective_access |= FileAccessRights.Delete;
        }

        // ListDirectory on the parent is treated as ReadAttributes on the file.
        if (parent_access.IsAccessGranted(FileDirectoryAccessRights.ListDirectory))
        {
            effective_access |= FileAccessRights.ReadAttributes;
        }
    }

    if (!IsAccessGranted(effective_access, access_rights))
    {
        return;
    }

    // Directories and plain files are reported against different access enumerations.
    bool is_directory = IsDirectoryNoThrow(file);
    string path = FormatWin32Path ? file.Win32PathName : file.FullPath;
    Type access_type = is_directory ? typeof(FileDirectoryAccessRights) : typeof(FileAccessRights);

    WriteAccessCheckResult(path, file_type.Name, effective_access, file_type.GenericMapping,
        sd, access_type, is_directory, token.Information);
}
/// <summary>
/// Checks whether an access mask is granted to the object.
/// </summary>
/// <remarks>
/// When the stored granted access contains MaximumAllowed the real access cannot be
/// determined, so the method optimistically reports success. Callers that rely on
/// this result for a security decision should treat that case as unverified.
/// </remarks>
/// <param name="access">The access to check.</param>
/// <returns>True if every requested access bit is granted, or if the granted access
/// contains MaximumAllowed.</returns>
public bool IsAccessMaskGranted(AccessMask access)
{
    // MaximumAllowed hides the real access mask, so assume the access is there.
    bool access_unknown = _granted_access.IsAccessGranted(GenericAccessRights.MaximumAllowed);
    return access_unknown || _granted_access.IsAllAccessGranted(access);
}
/// <summary>
/// Expands a process access mask with the limited rights that the method treats as
/// implied by the rights already granted.
/// </summary>
/// <param name="granted_access">The granted process access mask.</param>
/// <returns>The access mask with the implied limited rights added.</returns>
private static AccessMask AdjustProcessAccess(AccessMask granted_access)
{
    // QueryLimitedInformation is added when QueryInformation is granted, or when both
    // VmWrite and VmOperation are granted.
    // NOTE(review): the VmWrite + VmOperation rule is carried over unchanged; confirm
    // it matches the kernel's behavior for the targeted OS versions.
    bool implies_query_limited =
        granted_access.IsAccessGranted(ProcessAccessRights.QueryInformation)
        || granted_access.IsAllAccessGranted(ProcessAccessRights.VmWrite | ProcessAccessRights.VmOperation);
    if (implies_query_limited)
    {
        granted_access |= ProcessAccessRights.QueryLimitedInformation;
    }

    // SetLimitedInformation is added when SetInformation is granted.
    bool implies_set_limited = granted_access.IsAccessGranted(ProcessAccessRights.SetInformation);
    if (implies_set_limited)
    {
        granted_access |= ProcessAccessRights.SetLimitedInformation;
    }

    return granted_access;
}
/// <summary>
/// Decides whether a computed granted access satisfies the requested access rights.
/// </summary>
/// <param name="granted_access">The access that was granted.</param>
/// <param name="access_rights">The access rights being requested; empty means no filter.</param>
/// <returns>
/// AllowEmptyAccess when nothing was granted; otherwise true when no rights were
/// requested, when any requested right is granted and AllowPartialAccess is set, or
/// when all requested rights are granted.
/// </returns>
private protected bool IsAccessGranted(AccessMask granted_access, AccessMask access_rights)
{
    // The empty-grant case is checked first, so it wins even when no rights were requested.
    if (granted_access.IsEmpty)
    {
        return AllowEmptyAccess;
    }

    if (access_rights.IsEmpty)
    {
        return true;
    }

    // Partial mode accepts any overlap; strict mode requires every requested bit.
    return AllowPartialAccess
        ? granted_access.IsAccessGranted(access_rights)
        : granted_access.IsAllAccessGranted(access_rights);
}
/// <summary>
/// Decides whether a computed granted access satisfies the requested access rights.
/// </summary>
/// <param name="granted_access">The access that was granted.</param>
/// <param name="access_rights">The access rights being requested; empty means no filter.</param>
/// <returns>
/// False when nothing was granted; otherwise true when no rights were requested,
/// when any requested right is granted and AllowPartialAccess is set, or when all
/// requested rights are granted.
/// </returns>
internal bool IsAccessGranted(AccessMask granted_access, AccessMask access_rights)
{
    // An empty grant never matches, even when no specific rights were requested.
    if (granted_access.IsEmpty)
    {
        return false;
    }

    // With no requested rights any non-empty grant matches. Otherwise partial mode
    // accepts any overlap and strict mode requires every requested bit.
    return access_rights.IsEmpty
        || (AllowPartialAccess
            ? granted_access.IsAccessGranted(access_rights)
            : granted_access.IsAllAccessGranted(access_rights));
}
/// <summary>
/// Process record. Writes a single boolean describing the result of the test
/// selected by the cmdlet parameters.
/// </summary>
protected override void ProcessRecord()
{
    bool result;

    if (Empty)
    {
        result = AccessMask.IsEmpty;
    }
    else if (ParameterSetName == "WriteRestricted")
    {
        GenericMapping std_map = NtSecurity.StandardAccessMapping;

        // Bits that are in GenericWrite but in neither GenericRead nor GenericExecute,
        // taken from the standard mapping and from the supplied mapping.
        var std_write_only = std_map.GenericWrite & ~(std_map.GenericRead | std_map.GenericExecute);
        var type_write_only = WriteRestricted.GenericWrite & ~(WriteRestricted.GenericRead | WriteRestricted.GenericExecute);

        // NOTE(review): this result is computed only from the two generic mappings and
        // never reads AccessMask. Confirm that is intended; if the mask under test was
        // meant to be compared against these write-only bits, this branch reports the
        // same value for every mask.
        result = (std_write_only | type_write_only).IsEmpty;
    }
    else if (All)
    {
        // Every bit of the requested mask must be present.
        result = AccessMask.IsAllAccessGranted(GetAccessMask());
    }
    else
    {
        // Any overlap with the requested mask is enough.
        result = AccessMask.IsAccessGranted(GetAccessMask());
    }

    WriteObject(result);
}