private static bool TestAddAccess(DiscretionaryAcl discretionaryAcl, RawAcl rawAcl, AccessControlType accessControlType, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags)
{
bool result = true;
byte[] dAclBinaryForm = null;
byte[] rAclBinaryForm = null;
discretionaryAcl.AddAccess(accessControlType, sid, accessMask, inheritanceFlags, propagationFlags);
if (discretionaryAcl.Count == rawAcl.Count &&
discretionaryAcl.BinaryLength == rawAcl.BinaryLength)
{
dAclBinaryForm = new byte[discretionaryAcl.BinaryLength];
rAclBinaryForm = new byte[rawAcl.BinaryLength];
discretionaryAcl.GetBinaryForm(dAclBinaryForm, 0);
rawAcl.GetBinaryForm(rAclBinaryForm, 0);
if (!Utils.IsBinaryFormEqual(dAclBinaryForm, rAclBinaryForm))
result = false;
//redundant index check
for (int i = 0; i < discretionaryAcl.Count; i++)
{
if (!Utils.IsAceEqual(discretionaryAcl[i], rawAcl[i]))
{
result = false;
break;
}
}
}
else
result = false;
return result;
}
public byte[] ToDaclBytes()
{
DiscretionaryAcl dacl = getDacl(this._securityIdentifiers);
byte[] bytes = new byte[dacl.BinaryLength];
dacl.GetBinaryForm(bytes, 0);
return(bytes);
}
// Token: 0x06000146 RID: 326 RVA: 0x00008600 File Offset: 0x00006800
private static RawSecurityDescriptor smethod_3()
{
DiscretionaryAcl discretionaryAcl = new DiscretionaryAcl(false, false, 0);
byte[] binaryForm = new byte[discretionaryAcl.BinaryLength - 1 + 1];
discretionaryAcl.GetBinaryForm(binaryForm, 0);
return(new RawSecurityDescriptor(ControlFlags.DiscretionaryAclPresent, null, null, null, new RawAcl(binaryForm, 0)));
}
internal byte[] ToDaclBytes()
{
DiscretionaryAcl dacl = getDacl(_securityIdentifiers);
var bytes = new byte[dacl.BinaryLength];
dacl.GetBinaryForm(bytes, 0);
return(bytes);
}
private static string InstallService()
{
// Install service
var dir = new DirectoryInfo(Path.GetDirectoryName(Utils.ExecutablePath));
var acl = dir.GetAccessControl(AccessControlSections.Access);
acl.SetAccessRule(new FileSystemAccessRule(new SecurityIdentifier(WellKnownSidType.LocalServiceSid, null), FileSystemRights.FullControl, InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Allow));
dir.SetAccessControl(acl);
ManagedInstallerClass.InstallHelper(new string[] { Utils.ExecutablePath });
// Set permission
var sc = ServiceController.GetServices().FirstOrDefault(s => s.ServiceName == Consts.ServiceName);
if (sc == null)
{
return("Service installation failure");
}
var buffer = new byte[0];
if (!NTAPI.QueryServiceObjectSecurity(sc.ServiceHandle, SecurityInfos.DiscretionaryAcl, buffer, 0, out uint size))
{
int err = Marshal.GetLastWin32Error();
if (err != 122 && err != 0) // ERROR_INSUFFICIENT_BUFFER
{
return("QueryServiceObjectSecurity[1] error: " + err);
}
buffer = new byte[size];
if (!NTAPI.QueryServiceObjectSecurity(sc.ServiceHandle, SecurityInfos.DiscretionaryAcl, buffer, size, out size))
{
return("QueryServiceObjectSecurity[2] error: " + Marshal.GetLastWin32Error());
}
}
var rsd = new RawSecurityDescriptor(buffer, 0);
var dacl = new DiscretionaryAcl(false, false, rsd.DiscretionaryAcl);
dacl.SetAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null), (int)(ServiceAccessRights.SERVICE_QUERY_STATUS | ServiceAccessRights.SERVICE_START | ServiceAccessRights.SERVICE_STOP | ServiceAccessRights.SERVICE_INTERROGATE), InheritanceFlags.None, PropagationFlags.None);
buffer = new byte[dacl.BinaryLength];
dacl.GetBinaryForm(buffer, 0);
rsd.DiscretionaryAcl = new RawAcl(buffer, 0);
buffer = new byte[rsd.BinaryLength];
rsd.GetBinaryForm(buffer, 0);
if (!NTAPI.SetServiceObjectSecurity(sc.ServiceHandle, SecurityInfos.DiscretionaryAcl, buffer))
{
return("SetServiceObjectSecurity error: " + Marshal.GetLastWin32Error());
}
return(null);
}
public static void SetServicePermissions(string service, string username)
{
System.ServiceProcess.ServiceController sc = new System.ServiceProcess.ServiceController(service);
ServiceControllerStatus status = sc.Status;
byte[] psd = new byte[0];
uint bufSizeNeeded;
bool ok = ServiceAccountHelper.QueryServiceObjectSecurity(sc.ServiceHandle, SecurityInfos.DiscretionaryAcl, psd, 0, out bufSizeNeeded);
if (!ok)
{
int err = Marshal.GetLastWin32Error();
if (err == 122 || err == 0)
{ // ERROR_INSUFFICIENT_BUFFER
// expected; now we know bufsize
psd = new byte[bufSizeNeeded];
ok = ServiceAccountHelper.QueryServiceObjectSecurity(sc.ServiceHandle, SecurityInfos.DiscretionaryAcl, psd, bufSizeNeeded, out bufSizeNeeded);
}
else
{
throw new ApplicationException("error calling QueryServiceObjectSecurity() to get DACL for " + username + ": error code=" + err);
}
}
if (!ok)
{
throw new ApplicationException("error calling QueryServiceObjectSecurity(2) to get DACL for " + username + ": error code=" + Marshal.GetLastWin32Error());
}
// get security descriptor via raw into DACL form so ACE
// ordering checks are done for us.
RawSecurityDescriptor rsd = new RawSecurityDescriptor(psd, 0);
RawAcl racl = rsd.DiscretionaryAcl;
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, racl);
// Add start/stop/read access
NTAccount acct = new NTAccount(username);
SecurityIdentifier sid = (SecurityIdentifier)acct.Translate(typeof(SecurityIdentifier));
dacl.AddAccess(AccessControlType.Allow, sid, (int)ServiceAccountHelper.SERVICE_ACCESS.SERVICE_START, InheritanceFlags.None, PropagationFlags.None);
dacl.AddAccess(AccessControlType.Allow, sid, (int)ServiceAccountHelper.SERVICE_ACCESS.SERVICE_STOP, InheritanceFlags.None, PropagationFlags.None);
// convert discretionary ACL back to raw form; looks like via byte[] is only way
byte[] rawdacl = new byte[dacl.BinaryLength];
dacl.GetBinaryForm(rawdacl, 0);
rsd.DiscretionaryAcl = new RawAcl(rawdacl, 0);
// set raw security descriptor on service again
byte[] rawsd = new byte[rsd.BinaryLength];
rsd.GetBinaryForm(rawsd, 0);
ok = ServiceAccountHelper.SetServiceObjectSecurity(sc.ServiceHandle, SecurityInfos.DiscretionaryAcl, rawsd);
if (!ok)
{
throw new ApplicationException("error calling SetServiceObjectSecurity(); error code=" + Marshal.GetLastWin32Error());
}
}
public static bool SetAcl(this ServiceController controller, Action <DiscretionaryAcl> fn)
{
// from http://pinvoke.net/default.aspx/advapi32/QueryServiceObjectSecurity.html (thx!)
using (SafeHandle handle = controller.ServiceHandle)
{
var psd = new byte[0];
uint bufSizeNeeded;
bool success = QueryServiceObjectSecurity(handle, SecurityInfos.DiscretionaryAcl, psd, 0,
out bufSizeNeeded);
if (!success)
{
int error = Marshal.GetLastWin32Error();
if (error == ErrorInsufficientBuffer)
{
psd = new byte[bufSizeNeeded];
success = QueryServiceObjectSecurity(handle, SecurityInfos.DiscretionaryAcl, psd, bufSizeNeeded,
out bufSizeNeeded);
}
else
{
return(false);
}
}
if (!success)
{
return(false);
}
// get security descriptor via raw into DACL form so ACE
// ordering checks are done for us.
var rsd = new RawSecurityDescriptor(psd, 0);
var dacl = new DiscretionaryAcl(false, false, rsd.DiscretionaryAcl);
fn(dacl);
// convert discretionary ACL back to raw form; looks like via byte[] is only way
var rawdacl = new byte[dacl.BinaryLength];
dacl.GetBinaryForm(rawdacl, 0);
rsd.DiscretionaryAcl = new RawAcl(rawdacl, 0);
// set raw security descriptor on service again
var rawsd = new byte[rsd.BinaryLength];
rsd.GetBinaryForm(rawsd, 0);
success = SetServiceObjectSecurity(handle, SecurityInfos.DiscretionaryAcl, rawsd);
return(success);
}
}
public void EmptyBinaryFormDSOK()
{
DiscretionaryAcl dacl = new DiscretionaryAcl(false, true, 0);
byte[] buffer = new byte[8];
dacl.GetBinaryForm(buffer, 0);
Assert.AreEqual(4, buffer [0]); // Revision
Assert.AreEqual(8, ToUInt16(buffer, 2)); // ACL Size
Assert.AreEqual(0, ToUInt16(buffer, 4)); // ACE Count
}
internal static void EnsureServiceAclsCorrect()
{
var psd = new byte[0];
uint bufSizeNeeded;
var ok = Advapi32.QueryServiceObjectSecurity(Controller.Value.ServiceHandle, SecurityInfos.DiscretionaryAcl, psd, 0, out bufSizeNeeded);
if (!ok)
{
int err = Marshal.GetLastWin32Error();
if (err == 122)
{
// ERROR_INSUFFICIENT_BUFFER
// expected; now we know bufsize
psd = new byte[bufSizeNeeded];
ok = Advapi32.QueryServiceObjectSecurity(
Controller.Value.ServiceHandle, SecurityInfos.DiscretionaryAcl, psd, bufSizeNeeded, out bufSizeNeeded);
}
else
{
throw new ApplicationException("error calling QueryServiceObjectSecurity() to get DACL for Service: error code=" + err);
}
}
if (!ok)
{
throw new ApplicationException("error calling QueryServiceObjectSecurity(2) to get DACL for Service: error code=" + Marshal.GetLastWin32Error());
}
// get security descriptor via raw into DACL form so ACE
// ordering checks are done for us.
var rsd = new RawSecurityDescriptor(psd, 0);
var dacl = new DiscretionaryAcl(false, false, rsd.DiscretionaryAcl);
dacl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null), (int)ServiceAccess.ServiceCoapp, InheritanceFlags.None, PropagationFlags.None);
// convert discretionary ACL back to raw form; looks like via byte[] is only way
var rawdacl = new byte[dacl.BinaryLength];
dacl.GetBinaryForm(rawdacl, 0);
rsd.DiscretionaryAcl = new RawAcl(rawdacl, 0);
// set raw security descriptor on service again
var rawsd = new byte[rsd.BinaryLength];
rsd.GetBinaryForm(rawsd, 0);
ok = Advapi32.SetServiceObjectSecurity(Controller.Value.ServiceHandle, SecurityInfos.DiscretionaryAcl, rawsd);
if (!ok)
{
throw new ApplicationException("error calling SetServiceObjectSecurity(); error code=" + Marshal.GetLastWin32Error());
}
}
public static bool Constructor2(bool isContainer, bool isDS, byte revision, int capacity)
{
bool result = true;
byte[] dAclBinaryForm = null;
byte[] rAclBinaryForm = null;
RawAcl rawAcl = null;
DiscretionaryAcl discretionaryAcl = null;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, revision, capacity);
rawAcl = new RawAcl(revision, capacity);
if (isContainer == discretionaryAcl.IsContainer &&
isDS == discretionaryAcl.IsDS &&
revision == discretionaryAcl.Revision &&
0 == discretionaryAcl.Count &&
8 == discretionaryAcl.BinaryLength &&
true == discretionaryAcl.IsCanonical)
{
dAclBinaryForm = new byte[discretionaryAcl.BinaryLength];
rAclBinaryForm = new byte[rawAcl.BinaryLength];
discretionaryAcl.GetBinaryForm(dAclBinaryForm, 0);
rawAcl.GetBinaryForm(rAclBinaryForm, 0);
if (!Utils.IsBinaryFormEqual(dAclBinaryForm, rAclBinaryForm))
{
result = false;
}
//redundant index check
for (int i = 0; i < discretionaryAcl.Count; i++)
{
if (!Utils.IsAceEqual(discretionaryAcl[i], rawAcl[i]))
{
result = false;
break;
}
}
}
else
{
result = false;
}
Assert.True(result);
return(result);
}
public static string SetServicePermission()
{
var sc = ServiceController.GetServices().FirstOrDefault(s => s.ServiceName == Consts.ServiceName);
if (sc == null)
{
return("Service not found");
}
var buffer = new byte[0];
if (!NTAPI.QueryServiceObjectSecurity(sc.ServiceHandle, SecurityInfos.DiscretionaryAcl, buffer, 0, out uint size))
{
int err = Marshal.GetLastWin32Error();
if (err != 122 && err != 0) // ERROR_INSUFFICIENT_BUFFER
{
return("QueryServiceObjectSecurity[1] error: " + err);
}
buffer = new byte[size];
if (!NTAPI.QueryServiceObjectSecurity(sc.ServiceHandle, SecurityInfos.DiscretionaryAcl, buffer, size, out size))
{
return("QueryServiceObjectSecurity[2] error: " + Marshal.GetLastWin32Error());
}
}
var rsd = new RawSecurityDescriptor(buffer, 0);
var dacl = new DiscretionaryAcl(false, false, rsd.DiscretionaryAcl);
dacl.SetAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null), (int)(ServiceAccessRights.SERVICE_QUERY_STATUS | ServiceAccessRights.SERVICE_START | ServiceAccessRights.SERVICE_STOP | ServiceAccessRights.SERVICE_INTERROGATE), InheritanceFlags.None, PropagationFlags.None);
buffer = new byte[dacl.BinaryLength];
dacl.GetBinaryForm(buffer, 0);
rsd.DiscretionaryAcl = new RawAcl(buffer, 0);
buffer = new byte[rsd.BinaryLength];
rsd.GetBinaryForm(buffer, 0);
if (!NTAPI.SetServiceObjectSecurity(sc.ServiceHandle, SecurityInfos.DiscretionaryAcl, buffer))
{
return("SetServiceObjectSecurity error: " + Marshal.GetLastWin32Error());
}
return(null);
}
public static bool Constructor1(bool isContainer, bool isDS, int capacity)
{
bool result = true;
byte[] dAclBinaryForm = null;
byte[] rAclBinaryForm = null;
RawAcl rawAcl = null;
DiscretionaryAcl discretionaryAcl = null;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, capacity);
rawAcl = new RawAcl(isDS ? GenericAcl.AclRevisionDS : GenericAcl.AclRevision, capacity);
if (isContainer == discretionaryAcl.IsContainer &&
isDS == discretionaryAcl.IsDS &&
(isDS ? GenericAcl.AclRevisionDS : GenericAcl.AclRevision) == discretionaryAcl.Revision &&
0 == discretionaryAcl.Count &&
8 == discretionaryAcl.BinaryLength &&
true == discretionaryAcl.IsCanonical)
{
dAclBinaryForm = new byte[discretionaryAcl.BinaryLength];
rAclBinaryForm = new byte[rawAcl.BinaryLength];
discretionaryAcl.GetBinaryForm(dAclBinaryForm, 0);
rawAcl.GetBinaryForm(rAclBinaryForm, 0);
if (!Utils.IsBinaryFormEqual(dAclBinaryForm, rAclBinaryForm))
result = false;
//redundant index check
for (int i = 0; i < discretionaryAcl.Count; i++)
{
if (!Utils.IsAceEqual(discretionaryAcl[i], rawAcl[i]))
{
result = false;
break;
}
}
}
else
{
result = false;
}
Assert.True(result);
return result;
}
private static RawSecurityDescriptor UpdateMailboxSecurityDescriptor(SecurityIdentifier userSid, ADUser userToConnect, MapiAdministrationSession mapiAdministrationSession, MailboxDatabase database, Guid deletedMailboxGuid, string parameterSetName, Task.TaskVerboseLoggingDelegate verboseLogger)
{
RawSecurityDescriptor rawSecurityDescriptor = null;
try
{
rawSecurityDescriptor = mapiAdministrationSession.GetMailboxSecurityDescriptor(new MailboxId(MapiTaskHelper.ConvertDatabaseADObjectToDatabaseId(database), deletedMailboxGuid));
}
catch (Microsoft.Exchange.Data.Mapi.Common.MailboxNotFoundException)
{
rawSecurityDescriptor = new RawSecurityDescriptor(ControlFlags.DiscretionaryAclDefaulted | ControlFlags.SystemAclDefaulted | ControlFlags.SelfRelative, WindowsIdentity.GetCurrent().User, WindowsIdentity.GetCurrent().User, null, null);
DiscretionaryAcl discretionaryAcl = new DiscretionaryAcl(true, true, 0);
byte[] binaryForm = new byte[discretionaryAcl.BinaryLength];
discretionaryAcl.GetBinaryForm(binaryForm, 0);
rawSecurityDescriptor.DiscretionaryAcl = new RawAcl(binaryForm, 0);
}
bool flag = false;
foreach (GenericAce genericAce in rawSecurityDescriptor.DiscretionaryAcl)
{
KnownAce knownAce = (KnownAce)genericAce;
if (knownAce.SecurityIdentifier.IsWellKnown(WellKnownSidType.SelfSid))
{
flag = true;
break;
}
}
if (!flag)
{
CommonAce ace = new CommonAce(AceFlags.ContainerInherit, AceQualifier.AccessAllowed, 131073, new SecurityIdentifier(WellKnownSidType.SelfSid, null), false, null);
rawSecurityDescriptor.DiscretionaryAcl.InsertAce(0, ace);
}
rawSecurityDescriptor.SetFlags(rawSecurityDescriptor.ControlFlags | ControlFlags.SelfRelative);
if ("Linked" == parameterSetName || "Shared" == parameterSetName || "Room" == parameterSetName || "Equipment" == parameterSetName)
{
RawSecurityDescriptor sd = userToConnect.ReadSecurityDescriptor();
MailboxTaskHelper.GrantPermissionToLinkedUserAccount(userToConnect.MasterAccountSid, ref rawSecurityDescriptor, ref sd);
verboseLogger(Strings.VerboseSaveADSecurityDescriptor(userToConnect.Id.ToString()));
userToConnect.SaveSecurityDescriptor(sd);
}
mapiAdministrationSession.Administration.PurgeCachedMailboxObject(deletedMailboxGuid);
return(rawSecurityDescriptor);
}
public static ServiceAccessRights GetEffectiveAccessRights([NotNull] this ServiceController thisValue, [NotNull] SecurityIdentifier sid)
{
Win32.QueryServiceObjectSecurity(thisValue.ServiceHandle, SecurityInfos.DiscretionaryAcl, null, 0u, out uint len);
int errCode = Marshal.GetLastWin32Error();
if (errCode != ResultWin32.ERROR_INSUFFICIENT_BUFFER)
{
return(errCode == 0
? (ServiceAccessRights)0
: throw new Win32Exception(errCode));
}
byte[] buffer = new byte[len];
if (!Win32.QueryServiceObjectSecurity(thisValue.ServiceHandle, SecurityInfos.DiscretionaryAcl, buffer, len, out len))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
RawSecurityDescriptor rsd = new RawSecurityDescriptor(buffer, 0);
RawAcl racl = rsd.DiscretionaryAcl;
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, racl);
byte[] daclBuffer = new byte[dacl.BinaryLength];
dacl.GetBinaryForm(daclBuffer, 0);
byte[] sidBuffer = new byte[sid.BinaryLength];
sid.GetBinaryForm(sidBuffer, 0);
TRUSTEE trustee = new TRUSTEE();
Win32.BuildTrusteeWithSid(ref trustee, sidBuffer);
uint access = 0u;
int hr = (int)Win32.GetEffectiveRightsFromAcl(daclBuffer, ref trustee, ref access);
Marshal.Release(trustee.ptstrName);
if (hr != ResultWin32.ERROR_SUCCESS)
{
throw Marshal.GetExceptionForHR(hr);
}
return((ServiceAccessRights)access);
}
public static void SetServicePermissions(string serviceName)
{
Logger.Info("{0} {1}", (object)MethodBase.GetCurrentMethod().Name, (object)serviceName);
using (ServiceController serviceController = new ServiceController(serviceName, "."))
{
int status = (int)serviceController.Status;
byte[] numArray1 = new byte[0];
uint bufSizeNeeded;
bool flag = ServiceManager.QueryServiceObjectSecurity(serviceController.ServiceHandle, SecurityInfos.DiscretionaryAcl, numArray1, 0U, out bufSizeNeeded);
if (!flag)
{
int lastWin32Error = Marshal.GetLastWin32Error();
switch (lastWin32Error)
{
case 0:
case 122:
numArray1 = new byte[(int)bufSizeNeeded];
flag = ServiceManager.QueryServiceObjectSecurity(serviceController.ServiceHandle, SecurityInfos.DiscretionaryAcl, numArray1, bufSizeNeeded, out bufSizeNeeded);
break;
default:
throw new Exception("error calling QueryServiceObjectSecurity() to get DACL : error code=" + lastWin32Error.ToString());
}
}
if (!flag)
{
throw new Exception("error calling QueryServiceObjectSecurity(2) to get DACL : error code=" + Marshal.GetLastWin32Error().ToString());
}
RawSecurityDescriptor securityDescriptor = new RawSecurityDescriptor(numArray1, 0);
DiscretionaryAcl discretionaryAcl = new DiscretionaryAcl(false, false, securityDescriptor.DiscretionaryAcl);
discretionaryAcl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.InteractiveSid, (SecurityIdentifier)null), 983551, InheritanceFlags.None, PropagationFlags.None);
byte[] binaryForm = new byte[discretionaryAcl.BinaryLength];
discretionaryAcl.GetBinaryForm(binaryForm, 0);
securityDescriptor.DiscretionaryAcl = new RawAcl(binaryForm, 0);
byte[] numArray2 = new byte[securityDescriptor.BinaryLength];
securityDescriptor.GetBinaryForm(numArray2, 0);
if (!ServiceManager.SetServiceObjectSecurity(serviceController.ServiceHandle, SecurityInfos.DiscretionaryAcl, numArray2))
{
throw new Exception("error calling SetServiceObjectSecurity(); error code=" + Marshal.GetLastWin32Error().ToString());
}
}
}
public void BinaryRoundtrip()
{
RawAcl acl = GetRemovesMeaninglessAcesAcl();
DiscretionaryAcl dacl1 = new DiscretionaryAcl(false, false, acl);
byte[] binaryForm1 = new byte[dacl1.BinaryLength];
dacl1.GetBinaryForm(binaryForm1, 0);
DiscretionaryAcl dacl2 = new DiscretionaryAcl(false, false, new RawAcl(binaryForm1, 0));
byte[] binaryForm2 = new byte[dacl2.BinaryLength];
dacl2.GetBinaryForm(binaryForm2, 0);
Assert.AreEqual(binaryForm1.Length, binaryForm2.Length);
for (int i = 0; i < binaryForm1.Length; i++)
{
Assert.AreEqual(binaryForm1 [i], binaryForm2 [i]);
}
}
//verify the dacl is crafted with one Allow Everyone Everything ACE
public static bool VerifyDaclWithCraftedAce(bool isContainer, bool isDS, DiscretionaryAcl dacl)
{
byte[] craftedBForm;
byte[] binaryForm;
DiscretionaryAcl craftedDacl = new DiscretionaryAcl(isContainer, isDS, 1);
craftedDacl.AddAccess(AccessControlType.Allow,
new SecurityIdentifier("S-1-1-0"),
-1,
isContainer ? InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit : InheritanceFlags.None,
PropagationFlags.None);
craftedBForm = new byte[craftedDacl.BinaryLength];
binaryForm = new byte[dacl.BinaryLength];
Assert.False(craftedBForm == null || binaryForm == null);
craftedDacl.GetBinaryForm(craftedBForm, 0);
dacl.GetBinaryForm(binaryForm, 0);
return(Utils.IsBinaryFormEqual(craftedBForm, binaryForm));
}
private static bool VerifyACL(DiscretionaryAcl discretionaryAcl, bool isContainer, bool isDS, bool wasCanonicalInitially, RawAcl rawAcl)
{
bool result = true;
byte[] dAclBinaryForm = null;
byte[] rAclBinaryForm = null;
if (discretionaryAcl.IsContainer == isContainer &&
discretionaryAcl.IsDS == isDS &&
discretionaryAcl.Revision == rawAcl.Revision &&
discretionaryAcl.Count == rawAcl.Count &&
discretionaryAcl.BinaryLength == rawAcl.BinaryLength &&
discretionaryAcl.IsCanonical == wasCanonicalInitially)
{
dAclBinaryForm = new byte[discretionaryAcl.BinaryLength];
rAclBinaryForm = new byte[rawAcl.BinaryLength];
discretionaryAcl.GetBinaryForm(dAclBinaryForm, 0);
rawAcl.GetBinaryForm(rAclBinaryForm, 0);
if (!Utils.IsBinaryFormEqual(dAclBinaryForm, rAclBinaryForm))
{
result = false;
}
//redundant index check
for (int i = 0; i < discretionaryAcl.Count; i++)
{
if (!Utils.IsAceEqual(discretionaryAcl[i], rawAcl[i]))
{
result = false;
break;
}
}
}
else
{
result = false;
}
return(result);
}
private static bool VerifyACL(DiscretionaryAcl discretionaryAcl, bool isContainer, bool isDS, bool wasCanonicalInitially, RawAcl rawAcl)
{
bool result = true;
byte[] dAclBinaryForm = null;
byte[] rAclBinaryForm = null;
if (discretionaryAcl.IsContainer == isContainer &&
discretionaryAcl.IsDS == isDS &&
discretionaryAcl.Revision == rawAcl.Revision &&
discretionaryAcl.Count == rawAcl.Count &&
discretionaryAcl.BinaryLength == rawAcl.BinaryLength &&
discretionaryAcl.IsCanonical == wasCanonicalInitially)
{
dAclBinaryForm = new byte[discretionaryAcl.BinaryLength];
rAclBinaryForm = new byte[rawAcl.BinaryLength];
discretionaryAcl.GetBinaryForm(dAclBinaryForm, 0);
rawAcl.GetBinaryForm(rAclBinaryForm, 0);
if (!Utils.IsBinaryFormEqual(dAclBinaryForm, rAclBinaryForm))
result = false;
//redundant index check
for (int i = 0; i < discretionaryAcl.Count; i++)
{
if (!Utils.IsAceEqual(discretionaryAcl[i], rawAcl[i]))
{
result = false;
break;
}
}
}
else
{
result = false;
}
return result;
}
private static void SetServiceSecurity(SafeHandle service)
{
byte[] buf = Array.Empty <byte>();
if (!QueryServiceObjectSecurity(service, SecurityInfos.DiscretionaryAcl, null, 0, out var bufSize))
{
if (Marshal.GetLastWin32Error() != Errors.InsufficientBuffer)
{
throw new Exception("Could not query service object security size.", new Win32Exception());
}
buf = new byte[bufSize];
if (!QueryServiceObjectSecurity(service, SecurityInfos.DiscretionaryAcl, buf, bufSize, out bufSize))
{
throw new Exception("Could not query service object security.", new Win32Exception());
}
}
var securityDescriptor = new RawSecurityDescriptor(buf, 0);
var rawAcl = securityDescriptor.DiscretionaryAcl;
var acl = new DiscretionaryAcl(false, false, rawAcl);
var userSid = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null);
const ServiceAccess accessMask = ServiceAccess.GenericRead | ServiceAccess.GenericExecute;
acl.SetAccess(AccessControlType.Allow, userSid, (int)accessMask, InheritanceFlags.None,
PropagationFlags.None);
buf = new byte[acl.BinaryLength];
acl.GetBinaryForm(buf, 0);
securityDescriptor.DiscretionaryAcl = new RawAcl(buf, 0);
buf = new byte[securityDescriptor.BinaryLength];
securityDescriptor.GetBinaryForm(buf, 0);
if (!SetServiceObjectSecurity(service, SecurityInfos.DiscretionaryAcl, buf))
{
throw new Exception("Could not set object security.", new Win32Exception());
}
}
private static bool TestSetAccess(DiscretionaryAcl discretionaryAcl, RawAcl rawAcl, AccessControlType accessControlType, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags)
{
bool result = true;
byte[] dAclBinaryForm = null;
byte[] rAclBinaryForm = null;
discretionaryAcl.SetAccess(accessControlType, sid, accessMask, inheritanceFlags, propagationFlags);
if (discretionaryAcl.Count == rawAcl.Count &&
discretionaryAcl.BinaryLength == rawAcl.BinaryLength)
{
dAclBinaryForm = new byte[discretionaryAcl.BinaryLength];
rAclBinaryForm = new byte[rawAcl.BinaryLength];
discretionaryAcl.GetBinaryForm(dAclBinaryForm, 0);
rawAcl.GetBinaryForm(rAclBinaryForm, 0);
if (!Utils.IsBinaryFormEqual(dAclBinaryForm, rAclBinaryForm))
{
result = false;
}
//redundant index check
for (int i = 0; i < discretionaryAcl.Count; i++)
{
if (!Utils.IsAceEqual(discretionaryAcl[i], rawAcl[i]))
{
result = false;
break;
}
}
}
else
{
result = false;
}
return(result);
}
public static void GetBinaryForm_BasicValidationTestCases()
{
DiscretionaryAcl dAcl = null;
RawAcl rAcl = null;
GenericAce gAce = null;
byte[] binaryForm = null;
//Case 1, array binaryForm is null
rAcl = new RawAcl(GenericAcl.AclRevision, 1);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rAcl.InsertAce(0, gAce);
dAcl = new DiscretionaryAcl(true, false, rAcl);
Assert.Throws<ArgumentNullException>(() =>
{
dAcl.GetBinaryForm(binaryForm, 0);
});
//Case 2, offset is negative
binaryForm = new byte[100];
rAcl = new RawAcl(GenericAcl.AclRevision, 1);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rAcl.InsertAce(0, gAce);
dAcl = new DiscretionaryAcl(true, false, rAcl);
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
dAcl.GetBinaryForm(binaryForm, -1);
});
//Case 3, offset is equal to binaryForm length
binaryForm = new byte[100];
rAcl = new RawAcl(GenericAcl.AclRevision, 1);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rAcl.InsertAce(0, gAce);
dAcl = new DiscretionaryAcl(true, false, rAcl);
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
dAcl.GetBinaryForm(binaryForm, binaryForm.Length);
});
//Case 4, offset is a big possitive number
rAcl = new RawAcl(GenericAcl.AclRevision, 1);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rAcl.InsertAce(0, gAce);
dAcl = new DiscretionaryAcl(true, false, rAcl);
binaryForm = new byte[dAcl.BinaryLength + 10000];
dAcl.GetBinaryForm(binaryForm, 10000);
//get the binaryForm of the original RawAcl
byte[] verifierBinaryForm = new byte[rAcl.BinaryLength];
rAcl.GetBinaryForm(verifierBinaryForm, 0);
Assert.True(Utils.IsBinaryFormEqual(binaryForm, 10000, verifierBinaryForm));
//Case 5, binaryForm array's size is insufficient
binaryForm = new byte[4];
rAcl = new RawAcl(GenericAcl.AclRevision, 1);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rAcl.InsertAce(0, gAce);
dAcl = new DiscretionaryAcl(true, false, rAcl);
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
dAcl.GetBinaryForm(binaryForm, 0);
});
}
//verify the dacl is crafted with one Allow Everyone Everything ACE
public static bool VerifyDaclWithCraftedAce(bool isContainer, bool isDS, DiscretionaryAcl dacl)
{
byte[] craftedBForm;
byte[] binaryForm;
DiscretionaryAcl craftedDacl = new DiscretionaryAcl(isContainer, isDS, 1);
craftedDacl.AddAccess(AccessControlType.Allow,
new SecurityIdentifier("S-1-1-0"),
-1,
isContainer ? InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit : InheritanceFlags.None,
PropagationFlags.None);
craftedBForm = new byte[craftedDacl.BinaryLength];
binaryForm = new byte[dacl.BinaryLength];
Assert.False(craftedBForm == null || binaryForm == null);
craftedDacl.GetBinaryForm(craftedBForm, 0);
dacl.GetBinaryForm(binaryForm, 0);
return Utils.IsBinaryFormEqual(craftedBForm, binaryForm);
}
public static void GetBinaryForm_BasicValidationTestCases()
{
DiscretionaryAcl dAcl = null;
RawAcl rAcl = null;
GenericAce gAce = null;
byte[] binaryForm = null;
//Case 1, array binaryForm is null
rAcl = new RawAcl(GenericAcl.AclRevision, 1);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rAcl.InsertAce(0, gAce);
dAcl = new DiscretionaryAcl(true, false, rAcl);
Assert.Throws <ArgumentNullException>(() =>
{
dAcl.GetBinaryForm(binaryForm, 0);
});
//Case 2, offset is negative
binaryForm = new byte[100];
rAcl = new RawAcl(GenericAcl.AclRevision, 1);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rAcl.InsertAce(0, gAce);
dAcl = new DiscretionaryAcl(true, false, rAcl);
Assert.Throws <ArgumentOutOfRangeException>(() =>
{
dAcl.GetBinaryForm(binaryForm, -1);
});
//Case 3, offset is equal to binaryForm length
binaryForm = new byte[100];
rAcl = new RawAcl(GenericAcl.AclRevision, 1);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rAcl.InsertAce(0, gAce);
dAcl = new DiscretionaryAcl(true, false, rAcl);
Assert.Throws <ArgumentOutOfRangeException>(() =>
{
dAcl.GetBinaryForm(binaryForm, binaryForm.Length);
});
//Case 4, offset is a big possitive number
rAcl = new RawAcl(GenericAcl.AclRevision, 1);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rAcl.InsertAce(0, gAce);
dAcl = new DiscretionaryAcl(true, false, rAcl);
binaryForm = new byte[dAcl.BinaryLength + 10000];
dAcl.GetBinaryForm(binaryForm, 10000);
//get the binaryForm of the original RawAcl
byte[] verifierBinaryForm = new byte[rAcl.BinaryLength];
rAcl.GetBinaryForm(verifierBinaryForm, 0);
Assert.True(Utils.IsBinaryFormEqual(binaryForm, 10000, verifierBinaryForm));
//Case 5, binaryForm array's size is insufficient
binaryForm = new byte[4];
rAcl = new RawAcl(GenericAcl.AclRevision, 1);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rAcl.InsertAce(0, gAce);
dAcl = new DiscretionaryAcl(true, false, rAcl);
Assert.Throws <ArgumentOutOfRangeException>(() =>
{
dAcl.GetBinaryForm(binaryForm, 0);
});
}