internal static extern Win32Error TreeResetNamedSecurityInfo(
string pObjectName,
SeObjectType ObjectType,
SecurityInformation SecurityInfo,
byte[] psidOwner,
byte[] psidGroup,
byte[] pDacl,
byte[] pSacl,
[MarshalAs(UnmanagedType.Bool)] bool KeepExplicit,
TreeSetNamedSecurityProgress fnProgress,
ProgressInvokeSetting ProgressInvokeSetting,
IntPtr Args
);
internal static extern Win32Error TreeSetNamedSecurityInfo(
string pObjectName,
SeObjectType ObjectType,
SecurityInformation SecurityInfo,
byte[] psidOwner,
byte[] psidGroup,
byte[] pDacl,
byte[] pSacl,
TreeSecInfo dwAction,
TreeSetNamedSecurityProgress fnProgress,
ProgressInvokeSetting ProgressInvokeSetting,
IntPtr Args
);
/// <summary>
/// Get the source of inherited ACEs.
/// </summary>
/// <param name="name">The name of the resource.</param>
/// <param name="type">The type of the resource.</param>
/// <param name="container">Whether the resource is a container.</param>
/// <param name="object_types">Optional list of object types.</param>
/// <param name="security_descriptor">The security descriptor for the resource.</param>
/// <param name="sacl">True to check the SACL otherwise checks the DACL.</param>
/// <param name="generic_mapping">Generic mapping for the resource.</param>
/// <param name="query_security">Query security descriptors for sources.</param>
/// <returns>The list of inheritance sources.</returns>
public static IEnumerable <SecurityDescriptorInheritanceSource> GetInheritanceSource(
string name,
SeObjectType type,
bool container,
Guid[] object_types,
SecurityDescriptor security_descriptor,
bool sacl,
GenericMapping generic_mapping,
bool query_security)
{
return(GetInheritanceSource(name, type, container, object_types,
security_descriptor, sacl, generic_mapping,
query_security, true).Result);
}
/// <summary>
/// Get the source of inherited ACEs.
/// </summary>
/// <param name="name">The name of the resource.</param>
/// <param name="type">The type of the resource.</param>
/// <param name="container">Whether the resource is a container.</param>
/// <param name="object_types">Optional list of object types.</param>
/// <param name="security_descriptor">The security descriptor for the resource.</param>
/// <param name="sacl">True to check the SACL otherwise checks the DACL.</param>
/// <param name="generic_mapping">Generic mapping for the resource.</param>
/// <param name="query_security">Query security descriptors for sources.</param>
/// <param name="throw_on_error">True to throw on error.</param>
/// <returns>The list of inheritance sources.</returns>
public static NtResult <IEnumerable <SecurityDescriptorInheritanceSource> > GetInheritanceSource(
string name,
SeObjectType type,
bool container,
Guid[] object_types,
SecurityDescriptor security_descriptor,
bool sacl,
GenericMapping generic_mapping,
bool query_security,
bool throw_on_error)
{
Acl acl = sacl ? security_descriptor.Sacl : security_descriptor.Dacl;
if (acl == null || acl.NullAcl)
{
return(NtStatus.STATUS_INVALID_ACL.CreateResultFromError <IEnumerable <SecurityDescriptorInheritanceSource> >(throw_on_error));
}
using (var list = new DisposableList())
{
SafeGuidArrayBuffer guids = SafeGuidArrayBuffer.Null;
if (object_types?.Length > 0)
{
guids = list.AddResource(new SafeGuidArrayBuffer(object_types));
}
NtType native_type = GetNativeType(type);
INHERITED_FROM[] inherited_from = new INHERITED_FROM[acl.Count];
NtStatus status = NtStatus.STATUS_INVALID_PARAMETER;
try
{
status = Win32NativeMethods.GetInheritanceSource(name, type, sacl ? SecurityInformation.Sacl : SecurityInformation.Dacl,
container, guids, guids.Count, acl.ToByteArray(), IntPtr.Zero, ref generic_mapping, inherited_from).MapDosErrorToStatus();
return(status.CreateResult(throw_on_error, () => (IEnumerable <SecurityDescriptorInheritanceSource>)inherited_from
.Select((s, i) => new SecurityDescriptorInheritanceSource(acl[i], s, type,
native_type, container, query_security, sacl)).Where(s => s.Depth != -1).ToArray()));
}
finally
{
if (status.IsSuccess())
{
Win32NativeMethods.FreeInheritedFromArray(inherited_from, (ushort)inherited_from.Length, IntPtr.Zero);
}
}
}
}
/// <summary>
/// Get the security descriptor for a named resource.
/// </summary>
/// <param name="name">The name of the resource.</param>
/// <param name="type">The type of the resource.</param>
/// <param name="security_information">The security information to get.</param>
/// <param name="throw_on_error">True to throw on error.</param>
/// <returns>The security descriptor.</returns>
public static NtResult <SecurityDescriptor> GetSecurityInfo(
string name,
SeObjectType type,
SecurityInformation security_information,
bool throw_on_error)
{
using (var result = Win32NativeMethods.GetNamedSecurityInfo(name, type,
security_information, null,
null, null, null, out SafeLocalAllocBuffer sd).MapDosErrorToStatus().CreateResult(throw_on_error, () => sd))
{
if (!result.IsSuccess)
{
return(result.Cast <SecurityDescriptor>());
}
return(SecurityDescriptor.Parse(result.Result, GetNativeType(type), throw_on_error));
}
}
/// <summary>
/// Gets the security descriptor of an object.
/// </summary>
/// <param name="handle">A handle to an object.</param>
/// <param name="objectType">The type of the object.</param>
/// <param name="securityInformation">The information to retrieve.</param>
/// <returns>A security descriptor.</returns>
public static SecurityDescriptor GetSecurity(IntPtr handle, SeObjectType objectType, SecurityInformation securityInformation)
{
Win32Error result;
IntPtr dummy, securityDescriptor;
if ((result = Win32.GetSecurityInfo(
handle,
objectType,
securityInformation,
out dummy, out dummy, out dummy, out dummy,
out securityDescriptor
)) != 0)
{
Win32.Throw(result);
}
return(new SecurityDescriptor(new LocalMemoryAlloc(securityDescriptor)));
}
/// <summary>
/// Reset security using a named object.
/// </summary>
/// <param name="name">The name of the object.</param>
/// <param name="type">The type of named object.</param>
/// <param name="security_information">The security information to set.</param>
/// <param name="security_descriptor">The security descriptor to set.</param>
/// <param name="invoke_setting">Specify to indicate when to execute progress function.</param>
/// <param name="keep_explicit">True to keep explicit ACEs.</param>
/// <param name="progress_function">Progress function.</param>
/// <param name="throw_on_error">True to throw on error.</param>
/// <returns>The NT status code.</returns>
public static NtStatus ResetSecurityInfo(string name, SeObjectType type,
SecurityInformation security_information,
SecurityDescriptor security_descriptor,
TreeProgressFunction progress_function,
ProgressInvokeSetting invoke_setting,
bool keep_explicit,
bool throw_on_error)
{
return(Win32NativeMethods.TreeResetNamedSecurityInfo(
name, type, security_information,
security_descriptor.Owner?.Sid.ToArray(),
security_descriptor.Group?.Sid.ToArray(),
security_descriptor.Dacl?.ToByteArray(),
security_descriptor.Sacl?.ToByteArray(),
keep_explicit,
CreateCallback(progress_function),
invoke_setting,
IntPtr.Zero
).ToNtException(throw_on_error));
}
/// <summary>
/// Sets the security descriptor of an object.
/// </summary>
/// <param name="handle">A handle to an object.</param>
/// <param name="objectType">The type of the object.</param>
/// <param name="securityInformation">The information to modify.</param>
/// <param name="securityDescriptor">The security descriptor.</param>
public static void SetSecurity(IntPtr handle, SeObjectType objectType, SecurityInformation securityInformation, SecurityDescriptor securityDescriptor)
{
Win32Error result;
IntPtr dacl = IntPtr.Zero;
IntPtr group = IntPtr.Zero;
IntPtr owner = IntPtr.Zero;
IntPtr sacl = IntPtr.Zero;
if ((securityInformation & SecurityInformation.Dacl) == SecurityInformation.Dacl)
{
dacl = securityDescriptor.Dacl ?? IntPtr.Zero;
}
if ((securityInformation & SecurityInformation.Group) == SecurityInformation.Group)
{
group = securityDescriptor.Group;
}
if ((securityInformation & SecurityInformation.Owner) == SecurityInformation.Owner)
{
owner = securityDescriptor.Owner;
}
if ((securityInformation & SecurityInformation.Sacl) == SecurityInformation.Sacl)
{
sacl = securityDescriptor.Sacl ?? IntPtr.Zero;
}
if ((result = Win32.SetSecurityInfo(
handle,
objectType,
securityInformation,
owner,
group,
dacl,
sacl
)) != 0)
{
Win32.Throw(result);
}
}
/// <summary>
/// Get the security descriptor for a resource.
/// </summary>
/// <param name="handle">The handle to the resource.</param>
/// <param name="type">The type of the resource.</param>
/// <param name="security_information">The security information to get.</param>
/// <param name="throw_on_error">True to throw on error.</param>
/// <returns>The security descriptor.</returns>
public static NtResult <SecurityDescriptor> GetSecurityInfo(
SafeHandle handle,
SeObjectType type,
SecurityInformation security_information,
bool throw_on_error)
{
using (var result = SecurityNativeMethods.GetSecurityInfo(handle, type,
security_information, null,
null, null, null, out SafeLocalAllocBuffer sd).MapDosErrorToStatus().CreateResult(throw_on_error, () => sd)) {
if (!result.IsSuccess)
{
return(result.Cast <SecurityDescriptor>());
}
NtType sd_type = null;
if (handle is SafeKernelObjectHandle kernel_handle)
{
sd_type = NtType.GetTypeByName(kernel_handle.NtTypeName, false);
}
return(SecurityDescriptor.Parse(result.Result, sd_type ?? GetNativeType(type), throw_on_error));
}
}
internal SecurityDescriptorInheritanceSource(
Ace ace, INHERITED_FROM inherited_from, SeObjectType type,
NtType native_type,
bool container,
bool query_security, bool sacl)
{
InheritedAce = ace;
Sid = ace.Sid;
if (native_type != null)
{
Access = NtSecurity.AccessMaskToString(ace.Mask, container
? native_type.ContainerAccessRightsType
: native_type.AccessRightsType,
native_type.GenericMapping, false);
GenericAccess = NtSecurity.AccessMaskToString(ace.Mask, container
? native_type.ContainerAccessRightsType
: native_type.AccessRightsType,
native_type.GenericMapping, true);
}
else
{
Access = NtSecurity.AccessMaskToString(ace.Mask.ToGenericAccess());
GenericAccess = NtSecurity.AccessMaskToString(ace.Mask.ToGenericAccess());
}
Depth = inherited_from.GenerationGap;
Name = Marshal.PtrToStringUni(inherited_from.AncestorName);
if (query_security && Name != null)
{
SecurityInformation sec_info = sacl ? SecurityInformation.All : SecurityInformation.AllNoSacl;
var sd = Win32Security.GetSecurityInfo(Name, type, sec_info, false);
if (sd.IsSuccess)
{
SecurityDescriptor = sd.Result;
}
}
}
/// <summary>
/// Get the NT type for a SE Object Type.
/// </summary>
/// <param name="type">The type of the resource.</param>
/// <returns>The NT type if known, otherwise null.</returns>
public static NtType GetNativeType(SeObjectType type)
{
switch (type)
{
case SeObjectType.File:
return(NtType.GetTypeByType <NtFile>());
case SeObjectType.RegistryKey:
case SeObjectType.RegistryWow6432Key:
case SeObjectType.RegistryWow6464Key:
return(NtType.GetTypeByType <NtKey>());
case SeObjectType.Service:
return(ServiceUtils.GetServiceNtType("Service"));
case SeObjectType.WmiGuid:
return(NtType.GetTypeByType <NtEtwRegistration>());
case SeObjectType.Ds:
case SeObjectType.DsAll:
return(DirectoryServiceUtils.NtType);
}
return(null);
}
/// <summary>
/// Constructor.
/// </summary>
public GetWin32GrantedAccessCmdlet()
{
Type = SeObjectType.File;
}
internal static int SetNamedSecurityInfo(string pObjectName, SeObjectType ObjectType, SecurityInformation SecurityInfo, IntPtr psidOwner, IntPtr psidGroup, IntPtr pDacl, IntPtr pSacl)
{
return(0);
}
public static ISecurable GetSecurableWrapper(SeObjectType objectType, IntPtr handle)
{
return(GetSecurableWrapper(objectType, (access) => new NativeHandle <StandardRights>(handle, access)));
}
public static ISecurable GetSecurableWrapper(SeObjectType objectType, Func <StandardRights, NativeHandle> openMethod)
{
return(new SeSecurableObjectWrapper(objectType, openMethod));
}
private static extern uint SetSecurityInfo(IntPtr handle, SeObjectType ObjectType,
SecurityInformation SecurityInfo, IntPtr psidOwner,
IntPtr psidGroup, IntPtr pDacl, IntPtr pSacl);
/// <summary>
/// Sets the security descriptor of an object.
/// </summary>
/// <param name="handle">A handle to an object.</param>
/// <param name="objectType">The type of the object.</param>
/// <param name="securityInformation">The information to modify.</param>
/// <param name="securityDescriptor">The security descriptor.</param>
public static void SetSecurity(IntPtr handle, SeObjectType objectType, SecurityInformation securityInformation, SecurityDescriptor securityDescriptor)
{
Win32Error result;
IntPtr dacl = IntPtr.Zero;
IntPtr group = IntPtr.Zero;
IntPtr owner = IntPtr.Zero;
IntPtr sacl = IntPtr.Zero;
if (securityInformation.HasFlag(SecurityInformation.Dacl))
dacl = securityDescriptor.Dacl ?? IntPtr.Zero;
if (securityInformation.HasFlag(SecurityInformation.Group))
group = securityDescriptor.Group;
if (securityInformation.HasFlag(SecurityInformation.Owner))
owner = securityDescriptor.Owner;
if (securityInformation.HasFlag(SecurityInformation.Sacl))
sacl = securityDescriptor.Sacl ?? IntPtr.Zero;
if ((result = Win32.SetSecurityInfo(
handle,
objectType,
securityInformation,
owner,
group,
dacl,
sacl
)) != 0)
Win32.Throw(result);
}
/// <summary>
/// Sets the security descriptor of the object.
/// </summary>
/// <param name="objectType">The type of the object.</param>
/// <param name="securityInformation">The information to modify.</param>
/// <param name="securityDescriptor">The security descriptor.</param>
protected void SetSecurity(SeObjectType objectType, SecurityInformation securityInformation, SecurityDescriptor securityDescriptor)
{
SecurityDescriptor.SetSecurity(this, objectType, securityInformation, securityDescriptor);
}
internal static int GetNamedSecurityInfo(string pObjectName, SeObjectType ObjectType, SecurityInformation SecurityInfo, out IntPtr ppsidOwner, out IntPtr ppsidGroup, out IntPtr ppDacl, out IntPtr ppSacl, out IntPtr ppSecurityDescriptor)
{
ppsidOwner = IntPtr.Zero;
ppsidGroup = IntPtr.Zero;
ppDacl = IntPtr.Zero;
ppSacl = IntPtr.Zero;
ppSecurityDescriptor = IntPtr.Zero;
return 0;
}
public SeSecurableObjectWrapper(SeObjectType objectType, Func <StandardRights, NativeHandle> openMethod)
{
_objectType = objectType;
_openMethod = openMethod;
}
internal static int SetNamedSecurityInfo(string pObjectName, SeObjectType ObjectType, SecurityInformation SecurityInfo, IntPtr psidOwner, IntPtr psidGroup, IntPtr pDacl, IntPtr pSacl) {
return 0;
}
/// <summary>
/// Set security using a named object.
/// </summary>
/// <param name="name">The name of the object.</param>
/// <param name="type">The type of named object.</param>
/// <param name="security_information">The security information to set.</param>
/// <param name="security_descriptor">The security descriptor to set.</param>
/// <returns>The Win32 Error Code.</returns>
public static void SetSecurityInfo(string name, SeObjectType type,
SecurityInformation security_information,
SecurityDescriptor security_descriptor)
{
SetSecurityInfo(name, type, security_information, security_descriptor, true);
}
/// <summary>
/// Gets the security descriptor of the object.
/// </summary>
/// <param name="objectType">The type of the object.</param>
/// <param name="securityInformation">The information to retrieve.</param>
/// <returns>A security descriptor.</returns>
protected SecurityDescriptor GetSecurity(SeObjectType objectType, SecurityInformation securityInformation)
{
return(SecurityDescriptor.GetSecurity(this, objectType, securityInformation));
}
/// <summary>
/// Set security using an object handle.
/// </summary>
/// <param name="handle">The handle of the object.</param>
/// <param name="type">The type of object.</param>
/// <param name="security_information">The security information to set.</param>
/// <param name="security_descriptor">The security descriptor to set.</param>
public static void SetSecurityInfo(SafeHandle handle, SeObjectType type,
SecurityInformation security_information,
SecurityDescriptor security_descriptor)
{
SetSecurityInfo(handle, type, security_information, security_descriptor, true);
}
/// <summary>
/// Constructor.
/// </summary>
public GetWin32SecurityDescriptorCmdlet()
{
Type = SeObjectType.File;
SecurityInformation = SecurityInformation.AllBasic;
}
/// <summary>
/// Set security using an object handle.
/// </summary>
/// <param name="obj">The handle of the object.</param>
/// <param name="type">The type of object.</param>
/// <param name="security_information">The security information to set.</param>
/// <param name="security_descriptor">The security descriptor to set.</param>
/// <param name="throw_on_error">True to throw on error.</param>
/// <returns>The NT status code.</returns>
public static NtStatus SetSecurityInfo(NtObject obj, SeObjectType type,
SecurityInformation security_information,
SecurityDescriptor security_descriptor, bool throw_on_error)
{
return(SetSecurityInfo(obj.Handle, type, security_information, security_descriptor, throw_on_error));
}
/// <summary>
/// Set security using an object handle.
/// </summary>
/// <param name="obj">The handle of the object.</param>
/// <param name="type">The type of object.</param>
/// <param name="security_information">The security information to set.</param>
/// <param name="security_descriptor">The security descriptor to set.</param>
public static void SetSecurityInfo(NtObject obj, SeObjectType type,
SecurityInformation security_information,
SecurityDescriptor security_descriptor)
{
SetSecurityInfo(obj, type, security_information, security_descriptor, true);
}
/// <summary>
/// Gets the security descriptor of an object.
/// </summary>
/// <param name="handle">A handle to an object.</param>
/// <param name="objectType">The type of the object.</param>
/// <param name="securityInformation">The information to retrieve.</param>
/// <returns>A security descriptor.</returns>
public static SecurityDescriptor GetSecurity(IntPtr handle, SeObjectType objectType, SecurityInformation securityInformation)
{
Win32Error result;
IntPtr dummy, securityDescriptor;
if ((result = Win32.GetSecurityInfo(
handle,
objectType,
securityInformation,
out dummy, out dummy, out dummy, out dummy,
out securityDescriptor
)) != 0)
Win32.Throw(result);
return new SecurityDescriptor(new LocalMemoryAlloc(securityDescriptor));
}