static void Main(string[] args)
{
String user = "******";
String Path = "C:\\";
IntPtr pSidOwner, pSidGroup, pDacl, pSacl, pSecurityDescriptor;
ACCESS_MASK mask = new ACCESS_MASK();
uint ret = GetNamedSecurityInfo(Path,
SE_OBJECT_TYPE.SE_FILE_OBJECT,
SECURITY_INFORMATION.DACL_SECURITY_INFORMATION,
out pSidOwner, out pSidGroup, out pDacl, out pSacl, out pSecurityDescriptor);
TRUSTEE t = new TRUSTEE();
t.TrusteeForm = TRUSTEE_FORM.TRUSTEE_IS_NAME;
t.TrusteeType = TRUSTEE_TYPE.TRUSTEE_IS_USER;
t.ptstrName = user;
ret = GetEffectiveRightsFromAcl(pDacl, ref t, ref mask);
if ((mask & ACCESS_MASK.READ_CONTROL) == ACCESS_MASK.READ_CONTROL)
{
System.Diagnostics.Debug.WriteLine("Read");
}
else
{
System.Diagnostics.Debug.WriteLine("No Read");
}
}
static uint GetEffectiveRights(SE_OBJECT_TYPE type, String name, String sidString)
{
SecurityIdentifier sid = new SecurityIdentifier(sidString);
IntPtr pOwner = IntPtr.Zero; // pSID
IntPtr pGroup = IntPtr.Zero; // pSID
IntPtr pSacl = IntPtr.Zero;
IntPtr pDacl = IntPtr.Zero;
IntPtr pSD = IntPtr.Zero; // pSECURITY_DESCRIPTOR
uint result = GetNamedSecurityInfo(name, type, SECURITY_INFORMATION.DACL_SECURITY_INFORMATION, out pOwner,
out pGroup, out pDacl, out pSacl, out pSD);
if (result != 0)
{
throw new System.ComponentModel.Win32Exception((int)result);
}
byte[] sidBuffer = new byte[sid.BinaryLength];
sid.GetBinaryForm(sidBuffer, 0);
TRUSTEE t = new TRUSTEE();
BuildTrusteeWithSid(ref t, sidBuffer);
uint access = 0;
uint hr = GetEffectiveRightsFromAcl(pDacl, ref t, ref access);
int i = Marshal.Release(t.ptstrName);
return(access);
}
public static uint GetEffectiveRights(this RawSecurityDescriptor sd, SecurityIdentifier sid)
{
var t = new TRUSTEE(GetPSID(sid));
uint access = 0;
using (var pDacl = new PinnedAcl(sd.DiscretionaryAcl))
GetEffectiveRightsFromAcl(pDacl, t, ref access);
return(access);
}
public static uint GetEffectiveRights(PSID pSid, IntPtr pSD)
{
var t = new TRUSTEE(pSid);
GetSecurityDescriptorDacl(pSD, out bool daclPresent, out IntPtr pDacl, out bool daclDefaulted);
uint access = 0;
GetEffectiveRightsFromAcl(pDacl, t, ref access);
return(access);
}
public static uint GetEffectiveRights(IntPtr pSid, IntPtr pSD)
{
TRUSTEE t = new TRUSTEE();
BuildTrusteeWithSid(ref t, pSid);
bool daclPresent, daclDefaulted;
IntPtr pDacl = IntPtr.Zero;
GetSecurityDescriptorDacl(pSD, out daclPresent, ref pDacl, out daclDefaulted);
uint access = 0;
GetEffectiveRightsFromAcl(pDacl, ref t, ref access);
return(access);
}
/// <summary>
/// Returns the user permissions on a share
/// </summary>
/// <param name="shareName">the full path to the shaer</param>
/// <param name="userName">the user to check for</param>
/// <returns>the user rights</returns>
public static ACCESS_MASK GetSharePermissions(string shareName, string userName)
{
IntPtr ownerSid = IntPtr.Zero;
IntPtr groupSid = IntPtr.Zero;
IntPtr dacl = IntPtr.Zero;
IntPtr sacl = IntPtr.Zero;
IntPtr securityDescriptor = IntPtr.Zero;
try
{
// get the security informaton of the object
int returnValue;
SECURITY_INFORMATION flags = SECURITY_INFORMATION.DACL_SECURITY_INFORMATION;
returnValue = GetNamedSecurityInfo(shareName, SE_OBJECT_TYPE.SE_LMSHARE, flags, out ownerSid, out groupSid, out dacl, out sacl, out securityDescriptor);
if (returnValue != ERROR_SUCCESS)
{
throw new System.Runtime.InteropServices.ExternalException(string.Format("Cannot retrieve security info entries. Last Error: {0}.", Marshal.GetLastWin32Error()));
}
// get the user SID
byte[] userSID = GetUserSID(userName);
// build a trustee object for the user
TRUSTEE trustee = new TRUSTEE();
IntPtr pTrustee = Marshal.AllocHGlobal(Marshal.SizeOf(trustee));
Marshal.StructureToPtr(trustee, pTrustee, false);
BuildTrusteeWithSid(pTrustee, userSID);
// get the access rights
ACCESS_MASK accessRights = 0;
GetEffectiveRightsFromAcl(dacl, pTrustee, ref accessRights);
return(accessRights);
}
finally
{
// clean up
LocalFree(ownerSid);
LocalFree(groupSid);
LocalFree(dacl);
LocalFree(sacl);
LocalFree(securityDescriptor);
}
}
public static ServiceAccessRights GetEffectiveAccessRights([NotNull] this ServiceController thisValue, [NotNull] SecurityIdentifier sid)
{
Win32.QueryServiceObjectSecurity(thisValue.ServiceHandle, SecurityInfos.DiscretionaryAcl, null, 0u, out uint len);
int errCode = Marshal.GetLastWin32Error();
if (errCode != ResultWin32.ERROR_INSUFFICIENT_BUFFER)
{
return(errCode == 0
? (ServiceAccessRights)0
: throw new Win32Exception(errCode));
}
byte[] buffer = new byte[len];
if (!Win32.QueryServiceObjectSecurity(thisValue.ServiceHandle, SecurityInfos.DiscretionaryAcl, buffer, len, out len))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
RawSecurityDescriptor rsd = new RawSecurityDescriptor(buffer, 0);
RawAcl racl = rsd.DiscretionaryAcl;
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, racl);
byte[] daclBuffer = new byte[dacl.BinaryLength];
dacl.GetBinaryForm(daclBuffer, 0);
byte[] sidBuffer = new byte[sid.BinaryLength];
sid.GetBinaryForm(sidBuffer, 0);
TRUSTEE trustee = new TRUSTEE();
Win32.BuildTrusteeWithSid(ref trustee, sidBuffer);
uint access = 0u;
int hr = (int)Win32.GetEffectiveRightsFromAcl(daclBuffer, ref trustee, ref access);
Marshal.Release(trustee.ptstrName);
if (hr != ResultWin32.ERROR_SUCCESS)
{
throw Marshal.GetExceptionForHR(hr);
}
return((ServiceAccessRights)access);
}
public void GetAceTest(bool validUser, bool validCred, string urn, string dn, string dc, string domain, string username, string password, string notes)
{
var fun = $"{domain}\\{username}";
var pSD = GetSD(fn);
var b = GetSecurityDescriptorDacl(pSD, out var daclPresent, out var pAcl, out var defaulted);
Assert.That(b, Is.True);
Assert.That(daclPresent, Is.True);
Assert.That(pAcl, Is.Not.EqualTo(IntPtr.Zero));
var hardAcl = pAcl.ToStructure <ACL>();
var ari = new ACL_REVISION_INFORMATION();
b = GetAclInformation(pAcl, ref ari, (uint)Marshal.SizeOf(typeof(ACL_REVISION_INFORMATION)), ACL_INFORMATION_CLASS.AclRevisionInformation);
Assert.That(b, Is.True);
Assert.That(ari.AclRevision, Is.EqualTo(hardAcl.AclRevision));
var asi = new ACL_SIZE_INFORMATION();
b = GetAclInformation(pAcl, ref asi, (uint)Marshal.SizeOf(typeof(ACL_SIZE_INFORMATION)), ACL_INFORMATION_CLASS.AclSizeInformation);
Assert.That(b, Is.True);
Assert.That(asi.AceCount, Is.GreaterThan(0));
Assert.That(asi.AceCount, Is.EqualTo(hardAcl.AceCount));
b = GetAce(pAcl, 0, out var pAce);
Assert.That(b, Is.True);
var accessRights = 0U;
var pTrustee = new TRUSTEE(fun);
Assert.That(GetEffectiveRightsFromAcl(pAcl, pTrustee, ref accessRights), Is.EqualTo(Win32Error.ERROR_NONE_MAPPED).Or.Zero);
var map = new GENERIC_MAPPING((uint)Kernel32.FileAccess.FILE_GENERIC_READ, (uint)Kernel32.FileAccess.FILE_GENERIC_WRITE, (uint)Kernel32.FileAccess.FILE_GENERIC_EXECUTE, (uint)Kernel32.FileAccess.FILE_ALL_ACCESS);
var ifArray = new SafeInheritedFromArray(hardAcl.AceCount);
var err = GetInheritanceSource(fn, SE_OBJECT_TYPE.SE_FILE_OBJECT, SECURITY_INFORMATION.DACL_SECURITY_INFORMATION, false, null,
0, pAcl, IntPtr.Zero, map, ifArray);
Assert.That(err, Is.EqualTo(0));
TestContext.WriteLine($"{hardAcl.AceCount}: {string.Join("; ", ifArray.Results.Select(i => i.ToString()))}");
Assert.That(() => ifArray.Dispose(), Throws.Nothing);
}
public EXPLICIT_ACCESS(ACCESS_MASK AccessPermissions = default, ACCESS_MODE AccessMode = default, uint Inheritance = default, TRUSTEE Trustee = default)
{
this.AccessPermissions = AccessPermissions;
this.AccessMode = AccessMode;
this.Inheritance = Inheritance;
this.Trustee = Trustee;
}
public static extern void BuildTrusteeWithSid(ref TRUSTEE pTrustee, byte[] sid);
static uint GetEffectiveRights(SE_OBJECT_TYPE type, String name, String sidString)
{
SecurityIdentifier sid = new SecurityIdentifier(sidString);
IntPtr pOwner = IntPtr.Zero; // pSID
IntPtr pGroup = IntPtr.Zero; // pSID
IntPtr pSacl = IntPtr.Zero;
IntPtr pDacl = IntPtr.Zero;
IntPtr pSD = IntPtr.Zero; // pSECURITY_DESCRIPTOR
uint result = GetNamedSecurityInfo(name, type, SECURITY_INFORMATION.DACL_SECURITY_INFORMATION, out pOwner,
out pGroup, out pDacl, out pSacl, out pSD);
if (result != 0) {
throw new System.ComponentModel.Win32Exception((int)result);
}
byte[] sidBuffer = new byte[sid.BinaryLength];
sid.GetBinaryForm(sidBuffer, 0);
TRUSTEE t = new TRUSTEE();
BuildTrusteeWithSid(ref t, sidBuffer);
uint access = 0;
uint hr = GetEffectiveRightsFromAcl(pDacl, ref t, ref access);
int i = Marshal.Release(t.ptstrName);
return access;
}
public static extern void GetEffectiveRightsFromAcl(IntPtr pacl, ref TRUSTEE pTrustee, ref uint pAccessRights);
static extern uint GetEffectiveRightsFromAcl(IntPtr pDacl, ref TRUSTEE pTrustee, ref ACCESS_MASK pAccessRights);
public static extern void BuildTrusteeWithSid(ref TRUSTEE pTrustee, IntPtr sid);
public static extern uint GetEffectiveRightsFromAcl(IntPtr pacl, ref TRUSTEE pTrustee, ref uint pAccessRights);
public static extern void BuildTrusteeWithSid(ref TRUSTEE pTrustee, byte[] sid);
public static extern Win32Error GetEffectiveRightsFromAcl(IntPtr pacl, [In] TRUSTEE pTrustee, ref uint pAccessRights);
/// <summary>
/// Returns the user permissions on a share
/// </summary>
/// <param name="shareName">the full path to the shaer</param>
/// <param name="userName">the user to check for</param>
/// <returns>the user rights</returns>
public static ACCESS_MASK GetSharePermissions(string shareName, string userName)
{
IntPtr ownerSid = IntPtr.Zero;
IntPtr groupSid = IntPtr.Zero;
IntPtr dacl = IntPtr.Zero;
IntPtr sacl = IntPtr.Zero;
IntPtr securityDescriptor = IntPtr.Zero;
try
{
// get the security informaton of the object
int returnValue;
SECURITY_INFORMATION flags = SECURITY_INFORMATION.DACL_SECURITY_INFORMATION;
returnValue = GetNamedSecurityInfo(shareName, SE_OBJECT_TYPE.SE_LMSHARE, flags, out ownerSid, out groupSid, out dacl, out sacl, out securityDescriptor);
if (returnValue != ERROR_SUCCESS)
{
throw new System.Runtime.InteropServices.ExternalException(string.Format("Cannot retrieve security info entries. Last Error: {0}.", Marshal.GetLastWin32Error()));
}
// get the user SID
byte[] userSID = GetUserSID(userName);
// build a trustee object for the user
TRUSTEE trustee = new TRUSTEE();
IntPtr pTrustee = Marshal.AllocHGlobal(Marshal.SizeOf(trustee));
Marshal.StructureToPtr(trustee, pTrustee, false);
BuildTrusteeWithSid(pTrustee, userSID);
// get the access rights
ACCESS_MASK accessRights = 0;
GetEffectiveRightsFromAcl(dacl, pTrustee, ref accessRights);
return accessRights;
}
finally
{
// clean up
LocalFree(ownerSid);
LocalFree(groupSid);
LocalFree(dacl);
LocalFree(sacl);
LocalFree(securityDescriptor);
}
}
