public static bool HasLocalAces(AuthorizationRuleCollection rules)
{
bool res = false;
AccessRule locaACE = rules.Cast<AccessRule>().FirstOrDefault(a => a.IsInherited == false);
res = (locaACE == null ? false : true);
return res;
}
static bool AccessControlAllowsRightForPrincipal(System.Security.AccessControl.AuthorizationRuleCollection rules, FileSystemRights right, WindowsIdentity principal)
{
return(rules
.Cast <FileSystemAccessRule>()
.Where(rule => principal.User.Equals(rule.IdentityReference)) // Find the rules for the given principal
.Where(rule => rule.FileSystemRights.HasFlag(right)) // Find the rules for the given right
.Where(rule => !AccessControlType.Deny.Equals(rule.AccessControlType)) // If the right is explicitly denied, we don't check the rule futher
.Where(rule => AccessControlType.Allow.Equals(rule.AccessControlType)) // If the right is explicitly allowed, then we mark it as allowed
.Any()); // If the right is neither allowed or denied, we treat is as denied
}
public PermissionsChecker(WindowsIdentity current, AuthorizationRuleCollection rules,
RequiredCheck requiredCheck)
{
_current = current;
_groups = _current.Groups.ToHashSet();
_rules =
rules.Cast<FileSystemAccessRule>()
.ToHashSet();
_requiredCheck = requiredCheck;
}
/// <summary>
/// Converts ACL into UNIX-like file mode
/// </summary>
private static FileModeFlags GetFileMode(System.Security.AccessControl.AuthorizationRuleCollection rules)
{
WindowsIdentity user = System.Security.Principal.WindowsIdentity.GetCurrent();
WindowsPrincipal principal = new WindowsPrincipal(user);
FileModeFlags result;
// These are set to true if either the allow read or deny read access rights are set
bool allowRead = false;
bool denyRead = false;
bool allowWrite = false;
bool denyWrite = false;
bool allowExecute = false;
bool denyExecute = false;
foreach (FileSystemAccessRule currentRule in rules)
{
// If the current rule applies to the current user
if (user.User.Equals(currentRule.IdentityReference) || principal.IsInRole((SecurityIdentifier)currentRule.IdentityReference))
{
switch (currentRule.AccessControlType)
{
case AccessControlType.Deny:
denyRead |= (currentRule.FileSystemRights & FileSystemRights.ListDirectory | FileSystemRights.Read) != 0;
denyWrite |= (currentRule.FileSystemRights & FileSystemRights.Write) != 0;
denyExecute |= (currentRule.FileSystemRights & FileSystemRights.ExecuteFile) != 0;
break;
case AccessControlType.Allow:
allowRead |= (currentRule.FileSystemRights & FileSystemRights.ListDirectory | FileSystemRights.Read) != 0;
allowWrite |= (currentRule.FileSystemRights & FileSystemRights.Write) != 0;
allowExecute |= (currentRule.FileSystemRights & FileSystemRights.ExecuteFile) != 0;
break;
}
}
}
result = (allowRead & !denyRead) ? FileModeFlags.Read : 0;
result |= (allowWrite & !denyWrite) ? FileModeFlags.Write : 0;
result |= (allowExecute & !denyExecute) ? FileModeFlags.Execute : 0;
return(result);
}
/// <summary>
///
/// </summary>
/// <param name="directory"></param>
/// <param name="user"></param>
/// <returns></returns>
public static bool CanWrite(string directory, WindowsIdentity user)
{
bool bAllowed = false;
try
{
//Get the directory security
DirectorySecurity sec = Directory.GetAccessControl(directory, AccessControlSections.Access);
System.Security.AccessControl.AuthorizationRuleCollection dacls = sec.GetAccessRules(true, true, typeof(SecurityIdentifier));
//Enumerate each access rule
foreach (FileSystemAccessRule dacl in dacls)
{
SecurityIdentifier sid = (SecurityIdentifier)dacl.IdentityReference;
//If the right is either create files or write access
if (((dacl.FileSystemRights & FileSystemRights.CreateFiles) == FileSystemRights.CreateFiles) ||
((dacl.FileSystemRights & FileSystemRights.Write) == FileSystemRights.Write))
{
//If the sid matches the user or a group the user is in
if ((sid.IsAccountSid() && user.User == sid) ||
(!sid.IsAccountSid() && user.Groups.Contains(sid)))
{
//If this is a deny right then the user has no access
if (dacl.AccessControlType == AccessControlType.Deny)
{
return(false);
}
//Allowed, for now
bAllowed = true;
}
}
}
return(bAllowed);
}
catch (SecurityException)
{
throw;
}
}
public static bool CheckAccessRight(WindowsIdentity user, WindowsPrincipal principal, AuthorizationRuleCollection acl, FileSystemRights right)
{
// Get the collection of authorization rules that apply to the current directory
//AuthorizationRuleCollection acl =
//directory.GetAccessControl().GetAccessRules(true, true, typeof(System.Security.Principal.SecurityIdentifier));
// These are set to true if either the allow or deny access rights are set
bool allow = false;
bool deny = false;
for (int x = 0; x < acl.Count; x++)
{
FileSystemAccessRule currentRule = (FileSystemAccessRule)acl[x];
// If the current rule applies to the current user
if (user.User.Equals(currentRule.IdentityReference) || principal.IsInRole((SecurityIdentifier)currentRule.IdentityReference))
{
if
(currentRule.AccessControlType.Equals(AccessControlType.Deny))
{
if ((currentRule.FileSystemRights & right) == right)
{
deny = true;
}
}
else if
(currentRule.AccessControlType.Equals(AccessControlType.Allow))
{
if ((currentRule.FileSystemRights & right) == right)
{
allow = true;
}
}
}
}
if (allow & !deny)
return true;
else
return false;
}
private bool CheckPermissions(string path, bool checkRead, bool checkWrite, bool checkModify, bool checkDelete)
{
bool flag = false;
bool flag2 = false;
bool flag3 = false;
bool flag4 = false;
bool flag5 = false;
bool flag6 = false;
bool flag7 = false;
bool flag8 = false;
WindowsIdentity current = WindowsIdentity.GetCurrent();
System.Security.AccessControl.AuthorizationRuleCollection rules = null;
try
{
rules = Directory.GetAccessControl(path).GetAccessRules(true, true, typeof(SecurityIdentifier));
}
catch
{
return(true);
}
try
{
foreach (FileSystemAccessRule rule in rules)
{
if (!current.User.Equals(rule.IdentityReference))
{
continue;
}
if (AccessControlType.Deny.Equals(rule.AccessControlType))
{
if ((FileSystemRights.Delete & rule.FileSystemRights) == FileSystemRights.Delete)
{
flag4 = true;
}
if ((FileSystemRights.Modify & rule.FileSystemRights) == FileSystemRights.Modify)
{
flag3 = true;
}
if ((FileSystemRights.Read & rule.FileSystemRights) == FileSystemRights.Read)
{
flag = true;
}
if ((FileSystemRights.Write & rule.FileSystemRights) == FileSystemRights.Write)
{
flag2 = true;
}
continue;
}
if (AccessControlType.Allow.Equals(rule.AccessControlType))
{
if ((FileSystemRights.Delete & rule.FileSystemRights) == FileSystemRights.Delete)
{
flag8 = true;
}
if ((FileSystemRights.Modify & rule.FileSystemRights) == FileSystemRights.Modify)
{
flag7 = true;
}
if ((FileSystemRights.Read & rule.FileSystemRights) == FileSystemRights.Read)
{
flag5 = true;
}
if ((FileSystemRights.Write & rule.FileSystemRights) == FileSystemRights.Write)
{
flag6 = true;
}
}
}
foreach (IdentityReference reference in current.Groups)
{
foreach (FileSystemAccessRule rule2 in rules)
{
if (!reference.Equals(rule2.IdentityReference))
{
continue;
}
if (AccessControlType.Deny.Equals(rule2.AccessControlType))
{
if ((FileSystemRights.Delete & rule2.FileSystemRights) == FileSystemRights.Delete)
{
flag4 = true;
}
if ((FileSystemRights.Modify & rule2.FileSystemRights) == FileSystemRights.Modify)
{
flag3 = true;
}
if ((FileSystemRights.Read & rule2.FileSystemRights) == FileSystemRights.Read)
{
flag = true;
}
if ((FileSystemRights.Write & rule2.FileSystemRights) == FileSystemRights.Write)
{
flag2 = true;
}
continue;
}
if (AccessControlType.Allow.Equals(rule2.AccessControlType))
{
if ((FileSystemRights.Delete & rule2.FileSystemRights) == FileSystemRights.Delete)
{
flag8 = true;
}
if ((FileSystemRights.Modify & rule2.FileSystemRights) == FileSystemRights.Modify)
{
flag7 = true;
}
if ((FileSystemRights.Read & rule2.FileSystemRights) == FileSystemRights.Read)
{
flag5 = true;
}
if ((FileSystemRights.Write & rule2.FileSystemRights) == FileSystemRights.Write)
{
flag6 = true;
}
}
}
}
bool flag9 = !flag4 && flag8;
bool flag10 = !flag3 && flag7;
bool flag11 = !flag && flag5;
bool flag12 = !flag2 && flag6;
bool flag13 = true;
if (checkRead)
{
flag13 = flag13 && flag11;
}
if (checkWrite)
{
flag13 = flag13 && flag12;
}
if (checkModify)
{
flag13 = flag13 && flag10;
}
if (checkDelete)
{
flag13 = flag13 && flag9;
}
return(flag13);
}
catch (IOException)
{
}
return(false);
}
private AuthorizationRuleCollection GetRules(bool access, bool includeExplicit, bool includeInherited, System.Type targetType)
{
ReadLock();
try
{
AuthorizationRuleCollection result = new AuthorizationRuleCollection();
if (!IsValidTargetTypeStatic(targetType))
{
throw new ArgumentException(SR.Arg_MustBeIdentityReferenceType, "targetType");
}
CommonAcl acl = null;
if (access)
{
if ((_securityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclPresent) != 0)
{
acl = _securityDescriptor.DiscretionaryAcl;
}
}
else // !access == audit
{
if ((_securityDescriptor.ControlFlags & ControlFlags.SystemAclPresent) != 0)
{
acl = _securityDescriptor.SystemAcl;
}
}
if (acl == null)
{
//
// The required ACL was not present; return an empty collection.
//
return result;
}
IdentityReferenceCollection irTarget = null;
if (targetType != typeof(SecurityIdentifier))
{
IdentityReferenceCollection irSource = new IdentityReferenceCollection(acl.Count);
for (int i = 0; i < acl.Count; i++)
{
//
// Calling the indexer on a common ACL results in cloning,
// (which would not be the case if we were to use the internal RawAcl property)
// but also ensures that the resulting order of ACEs is proper
// However, this is a big price to pay - cloning all the ACEs just so that
// the canonical order could be ascertained just once.
// A better way would be to have an internal method that would canonicalize the ACL
// and call it once, then use the RawAcl.
//
QualifiedAce ace = acl[i] as QualifiedAce;
if (ace == null)
{
//
// Only consider qualified ACEs
//
continue;
}
if (ace.IsCallback == true)
{
//
// Ignore callback ACEs
//
continue;
}
if (access)
{
if (ace.AceQualifier != AceQualifier.AccessAllowed && ace.AceQualifier != AceQualifier.AccessDenied)
{
continue;
}
}
else
{
if (ace.AceQualifier != AceQualifier.SystemAudit)
{
continue;
}
}
irSource.Add(ace.SecurityIdentifier);
}
irTarget = irSource.Translate(targetType);
}
for (int i = 0; i < acl.Count; i++)
{
//
// Calling the indexer on a common ACL results in cloning,
// (which would not be the case if we were to use the internal RawAcl property)
// but also ensures that the resulting order of ACEs is proper
// However, this is a big price to pay - cloning all the ACEs just so that
// the canonical order could be ascertained just once.
// A better way would be to have an internal method that would canonicalize the ACL
// and call it once, then use the RawAcl.
//
QualifiedAce ace = acl[i] as CommonAce;
if (ace == null)
{
ace = acl[i] as ObjectAce;
if (ace == null)
{
//
// Only consider common or object ACEs
//
continue;
}
}
if (ace.IsCallback == true)
{
//
// Ignore callback ACEs
//
continue;
}
if (access)
{
if (ace.AceQualifier != AceQualifier.AccessAllowed && ace.AceQualifier != AceQualifier.AccessDenied)
{
continue;
}
}
else
{
if (ace.AceQualifier != AceQualifier.SystemAudit)
{
continue;
}
}
if ((includeExplicit && ((ace.AceFlags & AceFlags.Inherited) == 0)) || (includeInherited && ((ace.AceFlags & AceFlags.Inherited) != 0)))
{
IdentityReference iref = (targetType == typeof(SecurityIdentifier)) ? ace.SecurityIdentifier : irTarget[i];
if (access)
{
AccessControlType type;
if (ace.AceQualifier == AceQualifier.AccessAllowed)
{
type = AccessControlType.Allow;
}
else
{
type = AccessControlType.Deny;
}
if (ace is ObjectAce)
{
ObjectAce objectAce = ace as ObjectAce;
result.AddRule(AccessRuleFactory(iref, objectAce.AccessMask, objectAce.IsInherited, objectAce.InheritanceFlags, objectAce.PropagationFlags, type, objectAce.ObjectAceType, objectAce.InheritedObjectAceType));
}
else
{
CommonAce commonAce = ace as CommonAce;
if (commonAce == null)
{
continue;
}
result.AddRule(AccessRuleFactory(iref, commonAce.AccessMask, commonAce.IsInherited, commonAce.InheritanceFlags, commonAce.PropagationFlags, type));
}
}
else
{
if (ace is ObjectAce)
{
ObjectAce objectAce = ace as ObjectAce;
result.AddRule(AuditRuleFactory(iref, objectAce.AccessMask, objectAce.IsInherited, objectAce.InheritanceFlags, objectAce.PropagationFlags, objectAce.AuditFlags, objectAce.ObjectAceType, objectAce.InheritedObjectAceType));
}
else
{
CommonAce commonAce = ace as CommonAce;
if (commonAce == null)
{
continue;
}
result.AddRule(AuditRuleFactory(iref, commonAce.AccessMask, commonAce.IsInherited, commonAce.InheritanceFlags, commonAce.PropagationFlags, commonAce.AuditFlags));
}
}
}
}
return result;
}
finally
{
ReadUnlock();
}
}
/// <summary>
/// Processes the authentication data of a Windows user
/// </summary>
/// <param name="acl"><see cref="AuthorizationRuleCollection"/></param>
private void ReceiveUserIdentityRules(AuthorizationRuleCollection acl)
{
if (WindowsIdentity.User == null)
{
return;
}
for (var i = 0; i < acl.Count; i++)
{
var rule = (FileSystemAccessRule)acl[i];
HandleFileSystemAccessRule(rule, WindowsIdentity.User);
}
}
private AuthorizationRuleCollection GetRules(bool access, bool includeExplicit, bool includeInherited, System.Type targetType)
{
ReadLock();
try
{
AuthorizationRuleCollection result = new AuthorizationRuleCollection();
if (!IsValidTargetTypeStatic(targetType))
{
throw new ArgumentException(
SR.Arg_MustBeIdentityReferenceType,
nameof(targetType));
}
CommonAcl?acl = null;
if (access)
{
if ((_securityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclPresent) != 0)
{
acl = _securityDescriptor.DiscretionaryAcl;
}
}
else // !access == audit
{
if ((_securityDescriptor.ControlFlags & ControlFlags.SystemAclPresent) != 0)
{
acl = _securityDescriptor.SystemAcl;
}
}
if (acl == null)
{
//
// The required ACL was not present; return an empty collection.
//
return(result);
}
IdentityReferenceCollection?irTarget = null;
if (targetType != typeof(SecurityIdentifier))
{
IdentityReferenceCollection irSource = new IdentityReferenceCollection(acl.Count);
for (int i = 0; i < acl.Count; i++)
{
//
// Calling the indexer on a common ACL results in cloning,
// (which would not be the case if we were to use the internal RawAcl property)
// but also ensures that the resulting order of ACEs is proper
// However, this is a big price to pay - cloning all the ACEs just so that
// the canonical order could be ascertained just once.
// A better way would be to have an internal method that would canonicalize the ACL
// and call it once, then use the RawAcl.
//
CommonAce?ace = acl[i] as CommonAce;
if (AceNeedsTranslation(ace, access, includeExplicit, includeInherited))
{
irSource.Add(ace.SecurityIdentifier);
}
}
irTarget = irSource.Translate(targetType);
}
int targetIndex = 0;
for (int i = 0; i < acl.Count; i++)
{
//
// Calling the indexer on a common ACL results in cloning,
// (which would not be the case if we were to use the internal RawAcl property)
// but also ensures that the resulting order of ACEs is proper
// However, this is a big price to pay - cloning all the ACEs just so that
// the canonical order could be ascertained just once.
// A better way would be to have an internal method that would canonicalize the ACL
// and call it once, then use the RawAcl.
//
CommonAce?ace = acl[i] as CommonAce;
if (AceNeedsTranslation(ace, access, includeExplicit, includeInherited))
{
IdentityReference iref = (targetType == typeof(SecurityIdentifier)) ? ace.SecurityIdentifier : irTarget ![targetIndex++];
/// <summary>
/// Checks if the rule already exists in the collection.
/// </summary>
/// <param name="allRules">collection of existing rules</param>
/// <param name="checkRule">rule to check for</param>
/// <returns>true if existing</returns>
private static bool ContainsRule(AuthorizationRuleCollection allRules, RegistryAccessRule checkRule)
{
foreach (RegistryAccessRule existingRule in allRules)
{
if (IsEqualRule(existingRule, checkRule))
return true;
}
return false;
}
/// <summary>
/// Processes the authentication data of a Windows Group
/// </summary>
/// <param name="acl"><see cref="AuthorizationRuleCollection"/></param>
private void ReceivGroupIdentityRules(AuthorizationRuleCollection acl)
{
// Only Handle Groups
if (WindowsIdentity.Groups == null)
{
return;
}
foreach (var identity in WindowsIdentity.Groups)
{
for (var i = 0; i < acl.Count; i++)
{
var rule = (FileSystemAccessRule)acl[i];
HandleFileSystemAccessRule(rule, identity);
}
}
}
private AuthorizationRuleCollection GetRules(bool access, bool includeExplicit, bool includeInherited, Type targetType)
{
AuthorizationRuleCollection rules2;
base.ReadLock();
try
{
AuthorizationRuleCollection rules = new AuthorizationRuleCollection();
if (!SecurityIdentifier.IsValidTargetTypeStatic(targetType))
{
throw new ArgumentException(Environment.GetResourceString("Arg_MustBeIdentityReferenceType"), "targetType");
}
CommonAcl discretionaryAcl = null;
if (access)
{
if ((base._securityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclPresent) != ControlFlags.None)
{
discretionaryAcl = base._securityDescriptor.DiscretionaryAcl;
}
}
else if ((base._securityDescriptor.ControlFlags & ControlFlags.SystemAclPresent) != ControlFlags.None)
{
discretionaryAcl = base._securityDescriptor.SystemAcl;
}
if (discretionaryAcl == null)
{
return rules;
}
IdentityReferenceCollection references = null;
if (targetType != typeof(SecurityIdentifier))
{
IdentityReferenceCollection references2 = new IdentityReferenceCollection(discretionaryAcl.Count);
for (int j = 0; j < discretionaryAcl.Count; j++)
{
QualifiedAce ace = discretionaryAcl[j] as QualifiedAce;
if ((ace == null) || ace.IsCallback)
{
continue;
}
if (access)
{
if ((ace.AceQualifier == AceQualifier.AccessAllowed) || (ace.AceQualifier == AceQualifier.AccessDenied))
{
goto Label_00DD;
}
continue;
}
if (ace.AceQualifier != AceQualifier.SystemAudit)
{
continue;
}
Label_00DD:
references2.Add(ace.SecurityIdentifier);
}
references = references2.Translate(targetType);
}
for (int i = 0; i < discretionaryAcl.Count; i++)
{
QualifiedAce ace2 = discretionaryAcl[i] as CommonAce;
if (ace2 == null)
{
ace2 = discretionaryAcl[i] as ObjectAce;
if (ace2 == null)
{
continue;
}
}
if (ace2.IsCallback)
{
continue;
}
if (access)
{
if ((ace2.AceQualifier == AceQualifier.AccessAllowed) || (ace2.AceQualifier == AceQualifier.AccessDenied))
{
goto Label_0174;
}
continue;
}
if (ace2.AceQualifier != AceQualifier.SystemAudit)
{
continue;
}
Label_0174:
if ((includeExplicit && (((byte) (ace2.AceFlags & AceFlags.Inherited)) == 0)) || (includeInherited && (((byte) (ace2.AceFlags & AceFlags.Inherited)) != 0)))
{
IdentityReference identityReference = (targetType == typeof(SecurityIdentifier)) ? ace2.SecurityIdentifier : references[i];
if (access)
{
AccessControlType allow;
if (ace2.AceQualifier == AceQualifier.AccessAllowed)
{
allow = AccessControlType.Allow;
}
else
{
allow = AccessControlType.Deny;
}
if (ace2 is ObjectAce)
{
ObjectAce ace3 = ace2 as ObjectAce;
rules.AddRule(this.AccessRuleFactory(identityReference, ace3.AccessMask, ace3.IsInherited, ace3.InheritanceFlags, ace3.PropagationFlags, allow, ace3.ObjectAceType, ace3.InheritedObjectAceType));
}
else
{
CommonAce ace4 = ace2 as CommonAce;
if (ace4 != null)
{
rules.AddRule(this.AccessRuleFactory(identityReference, ace4.AccessMask, ace4.IsInherited, ace4.InheritanceFlags, ace4.PropagationFlags, allow));
}
}
}
else if (ace2 is ObjectAce)
{
ObjectAce ace5 = ace2 as ObjectAce;
rules.AddRule(this.AuditRuleFactory(identityReference, ace5.AccessMask, ace5.IsInherited, ace5.InheritanceFlags, ace5.PropagationFlags, ace5.AuditFlags, ace5.ObjectAceType, ace5.InheritedObjectAceType));
}
else
{
CommonAce ace6 = ace2 as CommonAce;
if (ace6 != null)
{
rules.AddRule(this.AuditRuleFactory(identityReference, ace6.AccessMask, ace6.IsInherited, ace6.InheritanceFlags, ace6.PropagationFlags, ace6.AuditFlags));
}
}
}
}
rules2 = rules;
}
finally
{
base.ReadUnlock();
}
return rules2;
}
private uint GetUserDACLfromAllRegistryKeyDACLs(AuthorizationRuleCollection DACLs, string userSID)
{
foreach (RegistryAccessRule dacl in DACLs)
if (dacl.IdentityReference.Value.Equals(userSID))
return (uint)dacl.RegistryRights;
return 0;
}
private void CheckAccessControl(AuthorizationRuleCollection authorizationRules, out Boolean canRead, out Boolean canWrite)
{
var rules = authorizationRules
.OfType<FileSystemAccessRule>()
.Where(x => User.IsInRole(x.IdentityReference as SecurityIdentifier) || x.IdentityReference == ((WindowsIdentity)User.Identity).User)
.ToList();
canRead = true;
canWrite = true;
canRead &= rules.Any(x => x.AccessControlType == AccessControlType.Allow &&
x.FileSystemRights.HasFlag(FileSystemRights.Read));
canWrite &= rules.Any(x => x.AccessControlType == AccessControlType.Allow &&
x.FileSystemRights.HasFlag(FileSystemRights.Write));
canRead &= !rules.Any(x => x.AccessControlType == AccessControlType.Deny &&
x.FileSystemRights.HasFlag(FileSystemRights.Read));
canWrite &= !rules.Any(x => x.AccessControlType == AccessControlType.Deny &&
x.FileSystemRights.HasFlag(FileSystemRights.Write));
}
/// <summary>
/// Check an Access Control List.
/// </summary>
/// <para>
/// No ordinary user should able to modify the corresponding file.
/// </para>
/// <param name="acl">An ACL</param>
private void checkAcl(AuthorizationRuleCollection acl)
{
Dictionary<IdentityReference, FileSystemRights> userAllowRights = new Dictionary<IdentityReference, FileSystemRights>();
Dictionary<IdentityReference, FileSystemRights> userDenyRights = new Dictionary<IdentityReference, FileSystemRights>();
for (int i = 0; i < acl.Count; i++) {
log.Debug("Authorization rule type: " + acl[i].GetType());
FileSystemAccessRule ace = acl[i] as FileSystemAccessRule;
if (ace != null) {
log.Debug("Access type: " + ace.AccessControlType);
log.Debug("Access mask: " + ace.FileSystemRights);
log.Debug("Identity: " + ace.IdentityReference);
}
// If rule is not a FileSystemSecurityRule then it is ignored.
if (ace == null)
continue;
// Computes allowance of the identity:
if (ace.AccessControlType == AccessControlType.Allow) {
if (!userAllowRights.ContainsKey(ace.IdentityReference))
userAllowRights.Add(ace.IdentityReference, 0);
userAllowRights[ace.IdentityReference] |= ace.FileSystemRights;
}
if (ace.AccessControlType == AccessControlType.Deny) {
if (!userDenyRights.ContainsKey(ace.IdentityReference))
userDenyRights.Add(ace.IdentityReference, 0);
userDenyRights[ace.IdentityReference] |= ace.FileSystemRights;
}
}
foreach (KeyValuePair<IdentityReference, FileSystemRights> keyval in userAllowRights) {
// Authorized users can do whatever they want:
try {
checkUser(keyval.Key);
continue;
} catch (UnauthorizedAccessException) {
}
// Computes real user rights:
FileSystemRights rights = keyval.Value;
if (userDenyRights.ContainsKey(keyval.Key))
rights &= (~userDenyRights[keyval.Key]);
// Check user rights
if (((rights & FileSystemRights.WriteData) != 0)
|| ((rights & FileSystemRights.AppendData) != 0)
|| ((rights & FileSystemRights.WriteAttributes) != 0)
|| ((rights & FileSystemRights.WriteExtendedAttributes) != 0)
|| ((rights & FileSystemRights.ChangePermissions) != 0)
|| ((rights & FileSystemRights.Delete) != 0)
|| ((rights & FileSystemRights.TakeOwnership) != 0))
throw new UnauthorizedAccessException("Users should not be able to modify the config file.");
}
}
private AuthorizationRuleCollection GetRules(bool access, bool includeExplicit, bool includeInherited, Type targetType)
{
AuthorizationRuleCollection rules2;
base.ReadLock();
try
{
AuthorizationRuleCollection rules = new AuthorizationRuleCollection();
if (!SecurityIdentifier.IsValidTargetTypeStatic(targetType))
{
throw new ArgumentException(Environment.GetResourceString("Arg_MustBeIdentityReferenceType"), "targetType");
}
CommonAcl discretionaryAcl = null;
if (access)
{
if ((base._securityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclPresent) != ControlFlags.None)
{
discretionaryAcl = base._securityDescriptor.DiscretionaryAcl;
}
}
else if ((base._securityDescriptor.ControlFlags & ControlFlags.SystemAclPresent) != ControlFlags.None)
{
discretionaryAcl = base._securityDescriptor.SystemAcl;
}
if (discretionaryAcl == null)
{
return rules;
}
IdentityReferenceCollection references = null;
if (targetType != typeof(SecurityIdentifier))
{
IdentityReferenceCollection references2 = new IdentityReferenceCollection(discretionaryAcl.Count);
for (int j = 0; j < discretionaryAcl.Count; j++)
{
CommonAce ace = discretionaryAcl[j] as CommonAce;
if (this.AceNeedsTranslation(ace, access, includeExplicit, includeInherited))
{
references2.Add(ace.SecurityIdentifier);
}
}
references = references2.Translate(targetType);
}
int num2 = 0;
for (int i = 0; i < discretionaryAcl.Count; i++)
{
CommonAce ace2 = discretionaryAcl[i] as CommonAce;
if (this.AceNeedsTranslation(ace2, access, includeExplicit, includeInherited))
{
IdentityReference identityReference = (targetType == typeof(SecurityIdentifier)) ? ace2.SecurityIdentifier : references[num2++];
if (access)
{
AccessControlType allow;
if (ace2.AceQualifier == AceQualifier.AccessAllowed)
{
allow = AccessControlType.Allow;
}
else
{
allow = AccessControlType.Deny;
}
rules.AddRule(this.AccessRuleFactory(identityReference, ace2.AccessMask, ace2.IsInherited, ace2.InheritanceFlags, ace2.PropagationFlags, allow));
}
else
{
rules.AddRule(this.AuditRuleFactory(identityReference, ace2.AccessMask, ace2.IsInherited, ace2.InheritanceFlags, ace2.PropagationFlags, ace2.AuditFlags));
}
}
}
rules2 = rules;
}
finally
{
base.ReadUnlock();
}
return rules2;
}
