protected NativeObjectSecurity(bool isContainer, ResourceType resourceType, string name, AccessControlSections includeSections, NativeObjectSecurity.ExceptionFromErrorCode exceptionFromErrorCode, object exceptionContext);
/// <summary>
/// Canonicalize the Dacl
/// </summary>
/// <param name="objectSecurity"></param>
public static void CanonicalizeDacl(NativeObjectSecurity objectSecurity)
{
if (objectSecurity.AreAccessRulesCanonical)
{
return;
}
// A canonical ACL must have ACES sorted according to the following order:
// 1. Access-denied on the object
// 2. Access-denied on a child or property
// 3. Access-allowed on the object
// 4. Access-allowed on a child or property
// 5. All inherited ACEs
RawSecurityDescriptor descriptor = new RawSecurityDescriptor(objectSecurity.GetSecurityDescriptorSddlForm(AccessControlSections.Access));
var explicitDenyDacl = new List <CommonAce>();
var explicitDenyObjectDacl = new List <CommonAce>();
var inheritedDacl = new List <CommonAce>();
var explicitAllowDacl = new List <CommonAce>();
var explicitAllowObjectDacl = new List <CommonAce>();
foreach (CommonAce ace in descriptor.DiscretionaryAcl)
{
if ((ace.AceFlags & AceFlags.Inherited) == AceFlags.Inherited)
{
inheritedDacl.Add(ace);
}
else
{
switch (ace.AceType)
{
case AceType.AccessAllowed:
explicitAllowDacl.Add(ace);
break;
case AceType.AccessDenied:
explicitDenyDacl.Add(ace);
break;
case AceType.AccessAllowedObject:
explicitAllowObjectDacl.Add(ace);
break;
case AceType.AccessDeniedObject:
explicitDenyObjectDacl.Add(ace);
break;
}
}
}
int aceIndex = 0;
var newDacl = new RawAcl(descriptor.DiscretionaryAcl.Revision, descriptor.DiscretionaryAcl.Count);
explicitDenyDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x));
explicitDenyObjectDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x));
explicitAllowDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x));
explicitAllowObjectDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x));
inheritedDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x));
if (aceIndex != descriptor.DiscretionaryAcl.Count)
{
throw new InvalidOperationException("The Dacl cannot be canonicalized since it would potentially result in a loss of information");
}
descriptor.DiscretionaryAcl = newDacl;
objectSecurity.SetSecurityDescriptorSddlForm(descriptor.GetSddlForm(AccessControlSections.Access), AccessControlSections.Access);
}
protected NativeObjectSecurity(bool isContainer, ResourceType resourceType, NativeObjectSecurity.ExceptionFromErrorCode exceptionFromErrorCode, object exceptionContext);
internal static void SetSecurityInfo(SafeHandle handle, NativeMethods.SE_OBJECT_TYPE objectType, NativeObjectSecurity fileSecurity)
{
byte[] managedDescriptor = fileSecurity.GetSecurityDescriptorBinaryForm();
using (SafeGlobalMemoryBufferHandle hDescriptor = new SafeGlobalMemoryBufferHandle(managedDescriptor.Length))
{
hDescriptor.CopyFrom(managedDescriptor, 0, managedDescriptor.Length);
NativeMethods.SECURITY_DESCRIPTOR_CONTROL control;
uint revision;
if (!NativeMethods.GetSecurityDescriptorControl(hDescriptor, out control, out revision))
{
NativeError.ThrowException();
}
IntPtr pDacl;
bool daclDefaulted, daclPresent;
if (!NativeMethods.GetSecurityDescriptorDacl(hDescriptor, out daclPresent, out pDacl, out daclDefaulted))
{
NativeError.ThrowException();
}
IntPtr pSacl;
bool saclDefaulted, saclPresent;
if (!NativeMethods.GetSecurityDescriptorSacl(hDescriptor, out saclPresent, out pSacl, out saclDefaulted))
{
NativeError.ThrowException();
}
IntPtr pOwner;
bool ownerDefaulted;
if (!NativeMethods.GetSecurityDescriptorOwner(hDescriptor, out pOwner, out ownerDefaulted))
{
NativeError.ThrowException();
}
IntPtr pGroup;
bool GroupDefaulted;
if (!NativeMethods.GetSecurityDescriptorGroup(hDescriptor, out pGroup, out GroupDefaulted))
{
NativeError.ThrowException();
}
PrivilegeEnabler privilegeEnabler = null;
try
{
NativeMethods.SECURITY_INFORMATION info = 0;
if (daclPresent)
{
info |= NativeMethods.SECURITY_INFORMATION.DACL_SECURITY_INFORMATION;
if ((control & NativeMethods.SECURITY_DESCRIPTOR_CONTROL.SE_DACL_PROTECTED) != 0)
{
info |= NativeMethods.SECURITY_INFORMATION.PROTECTED_DACL_SECURITY_INFORMATION;
}
else
{
info |= NativeMethods.SECURITY_INFORMATION.UNPROTECTED_DACL_SECURITY_INFORMATION;
}
}
if (saclPresent)
{
info |= NativeMethods.SECURITY_INFORMATION.SACL_SECURITY_INFORMATION;
if ((control & NativeMethods.SECURITY_DESCRIPTOR_CONTROL.SE_SACL_PROTECTED) != 0)
{
info |= NativeMethods.SECURITY_INFORMATION.PROTECTED_SACL_SECURITY_INFORMATION;
}
else
{
info |= NativeMethods.SECURITY_INFORMATION.UNPROTECTED_SACL_SECURITY_INFORMATION;
}
privilegeEnabler = new PrivilegeEnabler(Privilege.Security);
}
if (pOwner != IntPtr.Zero)
{
info |= NativeMethods.SECURITY_INFORMATION.OWNER_SECURITY_INFORMATION;
}
if (pGroup != IntPtr.Zero)
{
info |= NativeMethods.SECURITY_INFORMATION.GROUP_SECURITY_INFORMATION;
}
uint errorCode = NativeMethods.SetSecurityInfo(handle, objectType, info, pOwner, pGroup, pDacl, pSacl);
if (errorCode != 0)
{
NativeError.ThrowException((int)errorCode);
}
}
finally
{
if (privilegeEnabler != null)
{
privilegeEnabler.Dispose();
}
}
}
}
