/// <summary>
/// Returns the SID carried by <paramref name="ace"/>, or null when the ACE is not a
/// <see cref="KnownAce"/> (for example a <see cref="CustomAce"/>, which carries no SID).
/// </summary>
/// <param name="ace">Any ACE; may be null, in which case null is returned.</param>
/// <returns>The ACE's <see cref="KnownAce.SecurityIdentifier"/>, or null.</returns>
private static SecurityIdentifier GetSidFromAce(GenericAce ace)
{
    KnownAce sidBearingAce = ace as KnownAce;
    return sidBearingAce == null ? null : sidBearingAce.SecurityIdentifier;
}
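/// <summary>
/// Access mask granted to the SELF SID on the mailbox DACL (131073 == 0x20001).
/// NOTE(review): the exact MAPI rights these two bits denote are not visible here — confirm against the
/// mailbox rights definitions before changing.
/// </summary>
private const int SelfAceAccessMask = 131073;

/// <summary>
/// Loads the MAPI security descriptor of a deleted mailbox (or builds a fresh one when the store reports
/// the mailbox as missing), guarantees the DACL contains an ACE for the SELF SID, and — for the
/// Linked/Shared/Room/Equipment parameter sets — additionally grants the master account access on the
/// AD user object and persists that AD descriptor. The cached mailbox object is purged before returning.
/// </summary>
/// <param name="userSid">Not read by this method; retained so existing callers keep compiling.</param>
/// <param name="userToConnect">AD user whose security descriptor is read/updated for linked-style mailboxes.</param>
/// <param name="mapiAdministrationSession">Session used to fetch the mailbox descriptor and purge the cache.</param>
/// <param name="database">Database hosting the deleted mailbox.</param>
/// <param name="deletedMailboxGuid">GUID of the deleted mailbox being reconnected.</param>
/// <param name="parameterSetName">Cmdlet parameter set; drives the linked-account grant.</param>
/// <param name="verboseLogger">Receives the verbose "saving AD security descriptor" message.</param>
/// <returns>The mailbox descriptor with the SELF ACE present and the SelfRelative flag set.</returns>
private static RawSecurityDescriptor UpdateMailboxSecurityDescriptor(SecurityIdentifier userSid, ADUser userToConnect, MapiAdministrationSession mapiAdministrationSession, MailboxDatabase database, Guid deletedMailboxGuid, string parameterSetName, Task.TaskVerboseLoggingDelegate verboseLogger)
{
    RawSecurityDescriptor rawSecurityDescriptor;
    try
    {
        MailboxId mailboxId = new MailboxId(MapiTaskHelper.ConvertDatabaseADObjectToDatabaseId(database), deletedMailboxGuid);
        rawSecurityDescriptor = mapiAdministrationSession.GetMailboxSecurityDescriptor(mailboxId);
    }
    catch (Microsoft.Exchange.Data.Mapi.Common.MailboxNotFoundException)
    {
        // No descriptor is stored for this mailbox: start from one owned by the identity this task runs
        // under, and replace the defaulted (null) DACL with an empty one so that the SELF ACE added
        // below is the only grant. A null DACL would mean "no protection", which is not what we want.
        SecurityIdentifier currentUser;
        using (WindowsIdentity current = WindowsIdentity.GetCurrent())
        {
            currentUser = current.User;
        }
        rawSecurityDescriptor = new RawSecurityDescriptor(ControlFlags.DiscretionaryAclDefaulted | ControlFlags.SystemAclDefaulted | ControlFlags.SelfRelative, currentUser, currentUser, null, null);
        rawSecurityDescriptor.DiscretionaryAcl = CreateEmptyDacl();
    }
    // NOTE(review): if the store ever returns a descriptor with a null DACL this throws a
    // NullReferenceException (as the original code did) — confirm GetMailboxSecurityDescriptor's contract.
    EnsureSelfAce(rawSecurityDescriptor.DiscretionaryAcl);
    rawSecurityDescriptor.SetFlags(rawSecurityDescriptor.ControlFlags | ControlFlags.SelfRelative);
    if (RequiresLinkedAccountGrant(parameterSetName))
    {
        RawSecurityDescriptor sd = userToConnect.ReadSecurityDescriptor();
        MailboxTaskHelper.GrantPermissionToLinkedUserAccount(userToConnect.MasterAccountSid, ref rawSecurityDescriptor, ref sd);
        verboseLogger(Strings.VerboseSaveADSecurityDescriptor(userToConnect.Id.ToString()));
        userToConnect.SaveSecurityDescriptor(sd);
    }
    mapiAdministrationSession.Administration.PurgeCachedMailboxObject(deletedMailboxGuid);
    return rawSecurityDescriptor;
}

/// <summary>
/// Builds an empty container/DS-style DACL and converts it to the <see cref="RawAcl"/> form a
/// <see cref="RawSecurityDescriptor"/> accepts.
/// </summary>
private static RawAcl CreateEmptyDacl()
{
    DiscretionaryAcl discretionaryAcl = new DiscretionaryAcl(true, true, 0);
    byte[] binaryForm = new byte[discretionaryAcl.BinaryLength];
    discretionaryAcl.GetBinaryForm(binaryForm, 0);
    return new RawAcl(binaryForm, 0);
}

/// <summary>
/// Inserts an access-allowed ACE for the SELF SID at the head of <paramref name="dacl"/> unless one is
/// already present. Entries that are not <see cref="KnownAce"/> (e.g. custom ACEs) carry no SID and are
/// skipped rather than cast, matching GetSidFromAce and EnumerateSecurityDescriptor; the original
/// unconditional cast would have thrown on such an entry.
/// </summary>
/// <param name="dacl">DACL to inspect and, if needed, extend; must not be null.</param>
private static void EnsureSelfAce(RawAcl dacl)
{
    foreach (GenericAce genericAce in dacl)
    {
        KnownAce knownAce = genericAce as KnownAce;
        if (knownAce != null && knownAce.SecurityIdentifier.IsWellKnown(WellKnownSidType.SelfSid))
        {
            return;
        }
    }
    CommonAce selfAce = new CommonAce(AceFlags.ContainerInherit, AceQualifier.AccessAllowed, SelfAceAccessMask, new SecurityIdentifier(WellKnownSidType.SelfSid, null), false, null);
    dacl.InsertAce(0, selfAce);
}

/// <summary>
/// True for the parameter sets whose mailbox is backed by a master (linked) account that must be
/// granted access on the AD user object.
/// </summary>
private static bool RequiresLinkedAccountGrant(string parameterSetName)
{
    return "Linked" == parameterSetName
        || "Shared" == parameterSetName
        || "Room" == parameterSetName
        || "Equipment" == parameterSetName;
}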
/// <summary>
/// Feeds the owner SID and the SID of every SID-bearing DACL entry of <paramref name="sd"/> into the
/// source mapper. A null descriptor is ignored; the group SID and the SACL are not visited, and DACL
/// entries that are not <see cref="KnownAce"/> (custom ACEs without a SID) are skipped.
/// </summary>
/// <param name="sd">Descriptor to harvest SIDs from; may be null.</param>
public void EnumerateSecurityDescriptor(RawSecurityDescriptor sd)
{
    if (sd == null)
    {
        return;
    }
    this.sourceMapper.AddSid(sd.Owner);
    RawAcl dacl = sd.DiscretionaryAcl;
    if (dacl == null)
    {
        return;
    }
    for (int index = 0; index < dacl.Count; index++)
    {
        KnownAce sidBearingAce = dacl[index] as KnownAce;
        if (sidBearingAce == null)
        {
            continue;
        }
        this.sourceMapper.AddSid(sidBearingAce.SecurityIdentifier);
    }
}
/// <summary>
/// Calls <see cref="CommonAcl.Purge"/> for <paramref name="sid"/> on <paramref name="discretionaryAcl"/>
/// and reports whether the outcome is as expected: the ACL must then hold exactly
/// <paramref name="aceCount"/> entries and no non-inherited entry for that SID may remain.
/// </summary>
/// <param name="discretionaryAcl">ACL to purge; modified in place.</param>
/// <param name="sid">SID whose entries are purged.</param>
/// <param name="aceCount">Entry count expected after the purge.</param>
/// <returns>True when the count matches and no explicit entry for the SID survives; false otherwise.</returns>
private static bool TestPurge(DiscretionaryAcl discretionaryAcl, SecurityIdentifier sid, int aceCount)
{
    discretionaryAcl.Purge(sid);
    if (discretionaryAcl.Count != aceCount)
    {
        return false;
    }
    foreach (GenericAce genericAce in discretionaryAcl)
    {
        KnownAce knownAce = genericAce as KnownAce;
        if (knownAce == null)
        {
            continue;
        }
        // Inherited entries are outside Purge's scope, so only explicit ones count as leftovers.
        bool isExplicit = (knownAce.AceFlags & AceFlags.Inherited) == 0;
        if (isExplicit && knownAce.SecurityIdentifier == sid)
        {
            return false;
        }
    }
    return true;
}
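/// <summary>
/// Refreshes every control on the form from the current <c>_token</c>: identity and SID, token type and
/// impersonation level, LUIDs, integrity level, elevation state, primary group/owner, default DACL,
/// the restricted-SID and AppContainer tabs (removed when not applicable), the UIAccess/sandbox/
/// virtualization flags and the mandatory IL policy, then delegates to UpdateGroupList and
/// UpdatePrivileges. The unused <c>tokentype</c> local and the repeated GetTokenIntegrityLevel calls of
/// the original are gone; the default-DACL rendering and access-mask formatting live in helpers.
/// </summary>
private void UpdateTokenData()
{
    UserGroup user = _token.GetUser();
    txtUsername.Text = user.GetName();
    txtUserSid.Text = user.Sid.ToString();
    txtTokenType.Text = _token.GetTokenType().ToString();
    TokenLibrary.TokenImpersonationLevel implevel = _token.GetImpersonationLevel();
    txtImpLevel.Text = implevel.ToString();
    txtTokenId.Text = FormatLuid(_token.GetTokenId());
    txtModifiedId.Text = FormatLuid(_token.GetModifiedId());
    txtAuthId.Text = FormatLuid(_token.GetAuthenticationId());
    UpdateIntegrityLevelControls();
    txtSessionId.Text = _token.GetSessionId().ToString();
    txtSourceName.Text = _token.GetSourceName();
    txtSourceId.Text = FormatLuid(_token.GetSourceId());
    TokenElevationType evtype = _token.GetElevationType();
    txtElevationType.Text = evtype.ToString();
    txtIsElevated.Text = _token.IsElevated().ToString();
    txtOriginLoginId.Text = FormatLuid(_token.GetTokenOriginId());
    // The linked-token button is only offered when the elevation type is not Default.
    btnLinkedToken.Enabled = evtype != TokenElevationType.Default;
    UpdateGroupList();
    txtPrimaryGroup.Text = _token.GetPrimaryGroup().GetName();
    txtOwner.Text = _token.GetDefaultOwner().GetName();
    PopulateDefaultDacl(_token.GetDefaultDacl());
    if (_token.IsRestricted())
    {
        PopulateGroupList(listViewRestrictedSids, _token.GetRestrictedSids());
    }
    else
    {
        tabControlMain.TabPages.Remove(tabPageRestricted);
    }
    if (_token.IsAppContainer())
    {
        PopulateGroupList(listViewCapabilities, _token.GetCapabilities());
        txtACNumber.Text = _token.GetAppContainerNumber().ToString();
        txtPackageSid.Text = _token.GetPackageSid().GetName();
    }
    else
    {
        tabControlMain.TabPages.Remove(tabPageAppContainer);
    }
    txtUIAccess.Text = _token.IsUIAccess().ToString();
    txtSandboxInert.Text = _token.IsSandboxInert().ToString();
    bool virtAllowed = _token.IsVirtualizationAllowed();
    txtVirtualizationAllowed.Text = virtAllowed.ToString();
    // The "enabled" state is only queried when virtualization is allowed at all.
    txtVirtualizationEnabled.Text = virtAllowed ? _token.IsVirtualizationEnabled().ToString() : "N/A";
    txtMandatoryILPolicy.Text = _token.GetIntegrityLevelPolicy().ToString();
    UpdatePrivileges();
}

/// <summary>
/// Shows the token's integrity level in both IL combo boxes: as a selected item when it is a defined
/// <c>TokenLibrary.TokenIntegrityLevel</c> member, otherwise as plain text so custom levels still display.
/// </summary>
private void UpdateIntegrityLevelControls()
{
    var integrityLevel = _token.GetTokenIntegrityLevel();
    if (Enum.IsDefined(typeof(TokenLibrary.TokenIntegrityLevel), integrityLevel))
    {
        comboBoxIL.SelectedItem = integrityLevel;
        comboBoxILForDup.SelectedItem = integrityLevel;
    }
    else
    {
        comboBoxIL.Text = integrityLevel.ToString();
        comboBoxILForDup.Text = integrityLevel.ToString();
    }
}

/// <summary>
/// Fills the default-DACL list view with one row per SID-bearing ACE (name, access mask, flags, type),
/// or a single "No Default DACL" row when the token has none, then auto-sizes the columns.
/// Entries that are not <see cref="KnownAce"/> carry no SID and are not shown.
/// </summary>
/// <param name="defdacl">The token's default DACL; may be null.</param>
private void PopulateDefaultDacl(RawAcl defdacl)
{
    if (defdacl == null)
    {
        listViewDefDacl.Items.Add("No Default DACL");
    }
    else
    {
        foreach (GenericAce ace in defdacl)
        {
            KnownAce kace = ace as KnownAce;
            if (kace == null)
            {
                continue;
            }
            UserGroup group = new UserGroup(kace.SecurityIdentifier, GroupFlags.None);
            ListViewItem item = new ListViewItem(group.GetName());
            item.SubItems.Add(FormatAccessMask(kace.AccessMask));
            item.SubItems.Add(kace.AceFlags.ToString());
            item.SubItems.Add(kace.AceType.ToString());
            listViewDefDacl.Items.Add(item);
        }
    }
    listViewDefDacl.AutoResizeColumns(ColumnHeaderAutoResizeStyle.ColumnContent);
    listViewDefDacl.AutoResizeColumns(ColumnHeaderAutoResizeStyle.HeaderSize);
}

/// <summary>
/// Renders an ACE access mask as <c>GenericAccessRights</c> flag names when only generic bits are set;
/// any other bit makes the whole mask print as a hex literal so nothing is hidden behind a flag name.
/// </summary>
/// <param name="accessMask">The ACE's access mask.</param>
/// <returns>Flag names or <c>0x</c>-prefixed, zero-padded hex.</returns>
private static string FormatAccessMask(int accessMask)
{
    uint genericBits = (uint)(GenericAccessRights.GenericAll | GenericAccessRights.GenericExecute | GenericAccessRights.GenericRead | GenericAccessRights.GenericWrite);
    if (((uint)accessMask & ~genericBits) != 0)
    {
        return String.Format("0x{0:X08}", accessMask);
    }
    GenericAccessRights generic = (GenericAccessRights)accessMask;
    return generic.ToString();
}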
/// <summary>
/// Produces a descriptor whose owner, group and DACL SIDs have been translated through this object's
/// SID mappings (resolved first via <c>ResolveMappings</c>). The SACL is carried over untranslated.
/// </summary>
/// <param name="sourceSD">Descriptor to translate; null yields null.</param>
/// <param name="flags">With <c>ExcludeUnmappedACEs</c>, an owner or group that has no mapping becomes
/// null, and DACL entries with no mapping — or with no SID at all (non-<see cref="KnownAce"/>) — are
/// removed. Without it, such entries are kept with their original, untranslated SIDs.</param>
/// <returns>The translated descriptor, or null when <paramref name="sourceSD"/> is null.</returns>
/// <remarks>
/// NOTE(review): the new descriptor is constructed with the same SystemAcl/DiscretionaryAcl references
/// as the source (RawSecurityDescriptor does not appear to copy them), and every DACL edit below is
/// applied to <c>sourceSD.DiscretionaryAcl</c> and to the ACE objects themselves. The caller's
/// <paramref name="sourceSD"/> is therefore modified in place — presumably intended, since the returned
/// DACL is that same object; confirm before reusing <paramref name="sourceSD"/> after this call.
/// </remarks>
public RawSecurityDescriptor TranslateSecurityDescriptor(RawSecurityDescriptor sourceSD, TranslateSecurityDescriptorFlags flags)
{
    if (sourceSD == null)
    {
        return(null);
    }
    this.ResolveMappings();
    // Shares the source's ACL instances rather than cloning them (see remarks).
    RawSecurityDescriptor rawSecurityDescriptor = new RawSecurityDescriptor(sourceSD.ControlFlags, sourceSD.Owner, sourceSD.Group, sourceSD.SystemAcl, sourceSD.DiscretionaryAcl);
    // flag == true: drop anything that cannot be mapped instead of keeping the foreign SID.
    bool flag = (flags & TranslateSecurityDescriptorFlags.ExcludeUnmappedACEs) != TranslateSecurityDescriptorFlags.None;
    SecurityIdentifier securityIdentifier;
    if (this.TryTranslateSid(sourceSD.Owner, out securityIdentifier))
    {
        rawSecurityDescriptor.Owner = securityIdentifier;
        MrsTracer.Service.Debug("Mapped SD owner from {0} to {1}", new object[] { sourceSD.Owner, rawSecurityDescriptor.Owner });
    }
    else if (flag)
    {
        rawSecurityDescriptor.Owner = null;
    }
    if (this.TryTranslateSid(sourceSD.Group, out securityIdentifier))
    {
        rawSecurityDescriptor.Group = securityIdentifier;
        MrsTracer.Service.Debug("Mapped SD group from {0} to {1}", new object[] { sourceSD.Group, rawSecurityDescriptor.Group });
    }
    else if (flag)
    {
        rawSecurityDescriptor.Group = null;
    }
    if (sourceSD.DiscretionaryAcl != null)
    {
        // Walk backwards so RemoveAce does not shift the indices still to be visited.
        for (int i = sourceSD.DiscretionaryAcl.Count - 1; i >= 0; i--)
        {
            KnownAce knownAce = sourceSD.DiscretionaryAcl[i] as KnownAce;
            if (knownAce == null)
            {
                // No SID to translate (e.g. a custom ACE): removed only in exclude mode.
                if (flag)
                {
                    sourceSD.DiscretionaryAcl.RemoveAce(i);
                }
            }
            else if (this.TryTranslateSid(knownAce.SecurityIdentifier, out securityIdentifier))
            {
                // Temporary DACL-only descriptor used solely to render this one ACE as SDDL for the trace.
                RawSecurityDescriptor rawSecurityDescriptor2 = new RawSecurityDescriptor("D:");
                rawSecurityDescriptor2.DiscretionaryAcl.InsertAce(0, knownAce);
                MrsTracer.Service.Debug("Mapped ACE {0} to {1}", new object[] { CommonUtils.GetSDDLString(rawSecurityDescriptor2), securityIdentifier });
                // The ACE is rewritten in place and re-inserted at the same index; the remove/insert pair
                // presumably keeps the RawAcl's internal bookkeeping in step with the mutated ACE — TODO confirm.
                sourceSD.DiscretionaryAcl.RemoveAce(i);
                knownAce.SecurityIdentifier = securityIdentifier;
                sourceSD.DiscretionaryAcl.InsertAce(i, knownAce);
            }
            else if (flag)
            {
                sourceSD.DiscretionaryAcl.RemoveAce(i);
            }
        }
    }
    return(rawSecurityDescriptor);
}