void Init (bool isContainer, bool isDS, RawAcl rawAcl) { is_container = isContainer; is_ds = isDS; raw_acl = rawAcl; CleanAndRetestCanonicity (); }
public RawSecurityDescriptor (byte[] binaryForm, int offset) { if (binaryForm == null) throw new ArgumentNullException("binaryForm"); if (offset < 0 || offset > binaryForm.Length - 0x14) throw new ArgumentOutOfRangeException("offset", offset, "Offset out of range"); if (binaryForm[offset] != 1) throw new ArgumentException("Unrecognized Security Descriptor revision.", "binaryForm"); resourcemgr_control = binaryForm[offset + 0x01]; control_flags = (ControlFlags)ReadUShort(binaryForm, offset + 0x02); int ownerPos = ReadInt(binaryForm, offset + 0x04); int groupPos = ReadInt(binaryForm, offset + 0x08); int saclPos = ReadInt(binaryForm, offset + 0x0C); int daclPos = ReadInt(binaryForm, offset + 0x10); if (ownerPos != 0) owner_sid = new SecurityIdentifier(binaryForm, ownerPos); if (groupPos != 0) group_sid = new SecurityIdentifier(binaryForm, groupPos); if (saclPos != 0) system_acl = new RawAcl(binaryForm, saclPos); if (daclPos != 0) discretionary_acl = new RawAcl(binaryForm, daclPos); }
public RawSecurityDescriptor (ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, RawAcl systemAcl, RawAcl discretionaryAcl) { }
// Constructor. internal CommonAcl(RawAcl acl, bool isContainer, bool isDS, bool wasCanonicalInitially, byte revision) { this.acl = acl; this.isContainer = isContainer; this.isDS = isDS; this.wasCanonicalInitially = wasCanonicalInitially; this.revision = revision; }
public void UsesRawAclRevision () { RawAcl acl1 = new RawAcl (RawAcl.AclRevisionDS, 0); DiscretionaryAcl dacl1 = new DiscretionaryAcl (false, false, acl1); Assert.AreEqual (4, dacl1.Revision); RawAcl acl2 = new RawAcl (RawAcl.AclRevision, 0); DiscretionaryAcl dacl2 = new DiscretionaryAcl (false, true, acl2); Assert.AreEqual (2, dacl2.Revision); }
public void BinaryRoundtrip () { RawAcl acl = CreateRoundtripRawAcl (); byte[] binaryForm1 = new byte[acl.BinaryLength]; acl.GetBinaryForm (binaryForm1, 0); RawAcl acl2 = new RawAcl (binaryForm1, 0); byte[] binaryForm2 = new byte[acl2.BinaryLength]; acl2.GetBinaryForm (binaryForm2, 0); CompareBinaryForms (binaryForm1, binaryForm2); }
internal CommonAcl (bool isContainer, bool isDS, RawAcl rawAcl) { if (rawAcl == null) { rawAcl = new RawAcl (isDS ? AclRevisionDS : AclRevision, default_capacity); } else { // The RawAcl ACEs are cloned. byte[] binaryForm = new byte [rawAcl.BinaryLength]; rawAcl.GetBinaryForm (binaryForm, 0); rawAcl = new RawAcl (binaryForm, 0); } Init (isContainer, isDS, rawAcl); }
public void AddAccessFailsOnNonCanonical () { SecurityIdentifier sid = new SecurityIdentifier ("BU"); RawAcl acl = new RawAcl (RawAcl.AclRevision, 0); acl.InsertAce (0, new CommonAce (AceFlags.None, AceQualifier.AccessAllowed, 1, sid, false, null)); acl.InsertAce (1, new CommonAce (AceFlags.None, AceQualifier.AccessDenied, 1, sid, false, null)); DiscretionaryAcl dacl = new DiscretionaryAcl (false, false, acl); Assert.IsFalse (dacl.IsCanonical); Assert.AreEqual (2, dacl.Count); dacl.AddAccess (AccessControlType.Allow, sid, 1, InheritanceFlags.None, PropagationFlags.None); }
private void BuildSecurityDescriptor() { NTAccount account; SecurityIdentifier identifier; CommonAce ace; RawAcl rawAcl = new RawAcl(GenericAcl.AclRevision, 1); int index = 0; if (this.operationRoleMembers != null) { foreach (string str in this.operationRoleMembers) { account = new NTAccount(str); identifier = (SecurityIdentifier) account.Translate(typeof(SecurityIdentifier)); ace = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, identifier, false, null); rawAcl.InsertAce(index, ace); index++; } } if (this.contractRoleMembers != null) { foreach (string str2 in this.contractRoleMembers) { account = new NTAccount(str2); identifier = (SecurityIdentifier) account.Translate(typeof(SecurityIdentifier)); ace = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, identifier, false, null); rawAcl.InsertAce(index, ace); index++; } } if (this.serviceRoleMembers != null) { foreach (string str3 in this.serviceRoleMembers) { account = new NTAccount(str3); identifier = (SecurityIdentifier) account.Translate(typeof(SecurityIdentifier)); ace = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, identifier, false, null); rawAcl.InsertAce(index, ace); index++; } } DiscretionaryAcl discretionaryAcl = new DiscretionaryAcl(true, false, rawAcl); this.securityDescriptor = new CommonSecurityDescriptor(true, false, ControlFlags.DiscretionaryAclPresent, sidAdministrators, sidAdministrators, null, discretionaryAcl); }
public void IndexerMakesCopies () { // This behavior is mentioned in the DiscretionaryAcl RawAcl constructor overload. // Turns out it applies to more than just the constructor. SecurityIdentifier worldSid = new SecurityIdentifier ("WD"); // RawAcl does not make copies. RawAcl acl = new RawAcl (RawAcl.AclRevision, 1); CommonAce ace = new CommonAce (AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, worldSid, false, null); acl.InsertAce (0, ace); Assert.AreSame (acl [0], acl [0]); // CommonAcl does. SystemAcl sacl = new SystemAcl (false, false, acl); Assert.AreNotSame (sacl [0], sacl [0]); // Make sure the copying occurs in the constructor as well as the indexer. ace.AceFlags = AceFlags.FailedAccess; Assert.AreEqual (AceFlags.SuccessfulAccess, sacl [0].AceFlags); }
static RawAcl CreateRoundtripRawAcl () { SecurityIdentifier sid = new SecurityIdentifier (WellKnownSidType.BuiltinUsersSid, null); Assert.AreEqual (16, sid.BinaryLength); GenericAce[] aces = new GenericAce[] { new ObjectAce (AceFlags.None, AceQualifier.AccessAllowed, 1, sid, ObjectAceFlags.ObjectAceTypePresent, Guid.Empty, Guid.Empty, false, new byte[8]), new ObjectAce (AceFlags.None, AceQualifier.AccessAllowed, 2, sid, ObjectAceFlags.InheritedObjectAceTypePresent, Guid.Empty, Guid.Empty, true, new byte[16]), new ObjectAce (AceFlags.None, AceQualifier.AccessAllowed, 4, sid, ObjectAceFlags.InheritedObjectAceTypePresent, Guid.Empty, new Guid ("{8865FB90-A9EB-422F-A8BA-07ECA611D699}"), true, new byte[4]), new ObjectAce (AceFlags.None, AceQualifier.AccessAllowed, 4, sid, ObjectAceFlags.ObjectAceTypePresent|ObjectAceFlags.InheritedObjectAceTypePresent, Guid.Empty, new Guid ("{B893007C-38D5-4827-A698-BA25F1E30BAC}"), true, new byte[4]), new ObjectAce (AceFlags.None, AceQualifier.AccessAllowed, 4, sid, ObjectAceFlags.None, Guid.Empty, new Guid ("{C0F9DF22-C320-4400-B41F-754F69668640}"), true, new byte[4]) }; // Make sure this created right, first of all. Assert.AreEqual (AceType.AccessAllowedObject, aces [0].AceType); Assert.AreEqual (AceType.AccessAllowedCallbackObject, aces [1].AceType); Assert.AreEqual (AceType.AccessAllowedCallbackObject, aces [2].AceType); Assert.AreEqual (AceType.AccessAllowedCallbackObject, aces [3].AceType); Assert.AreEqual (AceType.AccessAllowedCallbackObject, aces [4].AceType); Assert.AreEqual (52, aces [0].BinaryLength); Assert.AreEqual (60, aces [1].BinaryLength); Assert.AreEqual (48, aces [2].BinaryLength); Assert.AreEqual (64, aces [3].BinaryLength); Assert.AreEqual (32, aces [4].BinaryLength); RawAcl acl = new RawAcl (RawAcl.AclRevision, 0); for (int i = 0; i < aces.Length; i ++) acl.InsertAce (i, aces[i]); return acl; }
public void GetBinaryForm () { RawAcl acl = new RawAcl (1, 0); byte[] buffer = new byte[acl.BinaryLength]; acl.GetBinaryForm (buffer, 0); byte[] sdBinary = new byte[] { 0x01, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00 }; Assert.AreEqual (sdBinary, buffer); SecurityIdentifier builtInAdmins = new SecurityIdentifier (WellKnownSidType.BuiltinAdministratorsSid, null); CommonAce ace = new CommonAce (AceFlags.None, AceQualifier.AccessAllowed, 0x7FFFFFFF, builtInAdmins, false, null); acl.InsertAce (0, ace); buffer = new byte[acl.BinaryLength]; acl.GetBinaryForm (buffer, 0); sdBinary = new byte[] { 0x01, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x00, 0xFF, 0xFF, 0xFF, 0x7F, 0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x20, 0x02, 0x00, 0x00 }; Assert.AreEqual (sdBinary, buffer); }
private void SetCurrentProcessTokenDacl(RawAcl dacl) { IntPtr hProcess = IntPtr.Zero; IntPtr hProcessToken = IntPtr.Zero; IntPtr securityDescriptorPtr = IntPtr.Zero; try { hProcess = NativeMethods.GetCurrentProcess(); if (!NativeMethods.OpenProcessToken(hProcess, NativeMethods.TOKEN_ALL_ACCESS, out hProcessToken)) Marshal.ThrowExceptionForHR(Marshal.GetHRForLastWin32Error()); // Get security descriptor associated with the kernel object and modify it. uint returnLength; NativeMethods.GetKernelObjectSecurity(hProcessToken, NativeMethods.SECURITY_INFORMATION.DACL_SECURITY_INFORMATION, IntPtr.Zero, 0, out returnLength); int lasterror = Marshal.GetLastWin32Error(); //#pragma warning disable 56523 doesnt recognize 56523 securityDescriptorPtr = Marshal.AllocCoTaskMem((int)returnLength); if (!NativeMethods.GetKernelObjectSecurity(hProcessToken, NativeMethods.SECURITY_INFORMATION.DACL_SECURITY_INFORMATION, securityDescriptorPtr, returnLength, out returnLength)) Marshal.ThrowExceptionForHR(Marshal.GetHRForLastWin32Error()); byte[] sdBytes = new byte[returnLength]; Marshal.Copy(securityDescriptorPtr, sdBytes, 0, (int)returnLength); RawSecurityDescriptor rawSecurityDescriptor = new RawSecurityDescriptor(sdBytes, 0); rawSecurityDescriptor.DiscretionaryAcl = dacl; sdBytes = new byte[rawSecurityDescriptor.BinaryLength]; rawSecurityDescriptor.GetBinaryForm(sdBytes, 0); Marshal.FreeCoTaskMem(securityDescriptorPtr); securityDescriptorPtr = Marshal.AllocCoTaskMem(rawSecurityDescriptor.BinaryLength); Marshal.Copy(sdBytes, 0, securityDescriptorPtr, rawSecurityDescriptor.BinaryLength); if (!NativeMethods.SetKernelObjectSecurity(hProcessToken, NativeMethods.SECURITY_INFORMATION.DACL_SECURITY_INFORMATION, securityDescriptorPtr)) Marshal.ThrowExceptionForHR(Marshal.GetHRForLastWin32Error()); } finally { if (hProcess != IntPtr.Zero && hProcess != (IntPtr)(-1)) if (!NativeMethods.CloseHandle(hProcess)) Marshal.ThrowExceptionForHR(Marshal.GetHRForLastWin32Error()); if (hProcessToken != IntPtr.Zero) if (!NativeMethods.CloseHandle(hProcessToken)) Marshal.ThrowExceptionForHR(Marshal.GetHRForLastWin32Error()); if (securityDescriptorPtr != IntPtr.Zero) Marshal.FreeCoTaskMem(securityDescriptorPtr); } }
private void Button_Click(object sender, RoutedEventArgs e) { WindowsIdentity user = WindowsIdentity.GetCurrent(); if (user != null) { int length = 0; IntPtr token = user.Token; GetTokenInformation(token, TOKEN_INFORMATION_CLASS.TokenDefaultDacl, IntPtr.Zero, 0, out length); IntPtr TokenInformation = Marshal.AllocHGlobal((int)length); bool Result = GetTokenInformation(token, TOKEN_INFORMATION_CLASS.TokenDefaultDacl, TokenInformation, (uint)length, out length); TOKEN_DEFAULT_DACL dacl = (TOKEN_DEFAULT_DACL)Marshal.PtrToStructure(TokenInformation, typeof(TOKEN_DEFAULT_DACL)); ACL acl = (ACL)Marshal.PtrToStructure(dacl.DefaultDacl, typeof(ACL)); byte[] aceArr = new byte[acl.AclSize]; Marshal.Copy(dacl.DefaultDacl, aceArr, 0, acl.AclSize); RawAcl rawAcl = new RawAcl(aceArr, 0); DiscretionaryAcl dacl1 = new DiscretionaryAcl(false, false, rawAcl); string titel = "titel"; AclUIAdapter.EditSecurity(new ServiceSecurityModel(System.Environment.MachineName, titel)); } }
// // Creates a security descriptor explicitly // public RawSecurityDescriptor(ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, RawAcl systemAcl, RawAcl discretionaryAcl) : base() { CreateFromParts(flags, owner, group, systemAcl, discretionaryAcl); }
private CommonSecurityDescriptor(bool isContainer, bool isDS, ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, RawAcl systemAcl, RawAcl discretionaryAcl) : this(isContainer, isDS, flags, owner, group, systemAcl == null ? null : new SystemAcl(isContainer, isDS, systemAcl), discretionaryAcl == null ? null : new DiscretionaryAcl(isContainer, isDS, discretionaryAcl)) { }
// // Internal version - if 'trusted' is true, // takes ownership of the given raw ACL // internal SystemAcl( bool isContainer, bool isDS, RawAcl rawAcl, bool trusted ) : base( isContainer, isDS, rawAcl, trusted, false ) { }
public DiscretionaryAcl(bool isContainer, bool isDS, RawAcl rawAcl) : base(default(bool), default(bool), default(byte), default(int)) { }
/// <summary>Initializes a new instance of the <see cref="T:System.Security.AccessControl.SystemAcl" /> class with the specified values from the specified <see cref="T:System.Security.AccessControl.RawAcl" /> object.</summary> /// <param name="isContainer">true if the new <see cref="T:System.Security.AccessControl.SystemAcl" /> object is a container.</param> /// <param name="isDS">true if the new <see cref="T:System.Security.AccessControl.SystemAcl" /> object is a directory object Access Control List (ACL).</param> /// <param name="rawAcl">The underlying <see cref="T:System.Security.AccessControl.RawAcl" /> object for the new <see cref="T:System.Security.AccessControl.SystemAcl" /> object. Specify null to create an empty ACL.</param> public SystemAcl(bool isContainer, bool isDS, RawAcl rawAcl) : this(isContainer, isDS, 0) { }
internal SystemAcl(bool isContainer, bool isDS, RawAcl rawAcl, bool trusted) : base(isContainer, isDS, rawAcl, trusted, false) { }
private void CreateFromParts(ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, RawAcl systemAcl, RawAcl discretionaryAcl) { this.SetFlags(flags); this.Owner = owner; this.Group = group; this.SystemAcl = systemAcl; this.DiscretionaryAcl = discretionaryAcl; this.ResourceManagerControl = (byte)0; }
public SystemAcl(bool isContainer, bool isDS, RawAcl rawAcl) : base(isContainer, isDS, rawAcl) { }
public RawSecurityDescriptor(System.Security.AccessControl.ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, RawAcl systemAcl, RawAcl discretionaryAcl) { this.CreateFromParts(flags, owner, group, systemAcl, discretionaryAcl); }
public RawSecurityDescriptor(byte[] binaryForm, int offset) { SecurityIdentifier identifier; SecurityIdentifier identifier2; RawAcl acl; RawAcl acl2; if (binaryForm == null) { throw new ArgumentNullException("binaryForm"); } if (offset < 0) { throw new ArgumentOutOfRangeException("offset", Environment.GetResourceString("ArgumentOutOfRange_NeedNonNegNum")); } if ((binaryForm.Length - offset) < 20) { throw new ArgumentOutOfRangeException("binaryForm", Environment.GetResourceString("ArgumentOutOfRange_ArrayTooSmall")); } if (binaryForm[offset] != GenericSecurityDescriptor.Revision) { throw new ArgumentOutOfRangeException("binaryForm", Environment.GetResourceString("AccessControl_InvalidSecurityDescriptorRevision")); } byte num = binaryForm[offset + 1]; System.Security.AccessControl.ControlFlags flags = (System.Security.AccessControl.ControlFlags)(binaryForm[offset + 2] + (binaryForm[offset + 3] << 8)); if ((flags & System.Security.AccessControl.ControlFlags.SelfRelative) == System.Security.AccessControl.ControlFlags.None) { throw new ArgumentException(Environment.GetResourceString("AccessControl_InvalidSecurityDescriptorSelfRelativeForm"), "binaryForm"); } int num2 = GenericSecurityDescriptor.UnmarshalInt(binaryForm, offset + 4); if (num2 != 0) { identifier = new SecurityIdentifier(binaryForm, offset + num2); } else { identifier = null; } int num3 = GenericSecurityDescriptor.UnmarshalInt(binaryForm, offset + 8); if (num3 != 0) { identifier2 = new SecurityIdentifier(binaryForm, offset + num3); } else { identifier2 = null; } int num4 = GenericSecurityDescriptor.UnmarshalInt(binaryForm, offset + 12); if (((flags & System.Security.AccessControl.ControlFlags.SystemAclPresent) != System.Security.AccessControl.ControlFlags.None) && (num4 != 0)) { acl = new RawAcl(binaryForm, offset + num4); } else { acl = null; } int num5 = GenericSecurityDescriptor.UnmarshalInt(binaryForm, offset + 0x10); if (((flags & System.Security.AccessControl.ControlFlags.DiscretionaryAclPresent) != System.Security.AccessControl.ControlFlags.None) && (num5 != 0)) { acl2 = new RawAcl(binaryForm, offset + num5); } else { acl2 = null; } this.CreateFromParts(flags, identifier, identifier2, acl, acl2); if ((flags & System.Security.AccessControl.ControlFlags.RMControlValid) != System.Security.AccessControl.ControlFlags.None) { this.ResourceManagerControl = num; } }
/// <summary>Initializes a new instance of the <see cref="T:System.Security.AccessControl.RawSecurityDescriptor" /> class with the specified values.</summary><param name="flags">Flags that specify behavior of the new <see cref="T:System.Security.AccessControl.RawSecurityDescriptor" /> object.</param><param name="owner">The owner for the new <see cref="T:System.Security.AccessControl.RawSecurityDescriptor" /> object.</param><param name="group">The primary group for the new <see cref="T:System.Security.AccessControl.RawSecurityDescriptor" /> object.</param><param name="systemAcl">The System Access Control List (SACL) for the new <see cref="T:System.Security.AccessControl.RawSecurityDescriptor" /> object.</param><param name="discretionaryAcl">The Discretionary Access Control List (DACL) for the new <see cref="T:System.Security.AccessControl.RawSecurityDescriptor" /> object.</param> public RawSecurityDescriptor(ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, RawAcl systemAcl, RawAcl discretionaryAcl) { throw new NotImplementedException(); }
public RawSecurityDescriptor(ControlFlags flags, System.Security.Principal.SecurityIdentifier owner, System.Security.Principal.SecurityIdentifier group, RawAcl systemAcl, RawAcl discretionaryAcl) { Contract.Ensures(this.ResourceManagerControl == 0); }
public SystemAcl(bool isContainer, bool isDS, RawAcl rawAcl) : base(default(bool), default(bool), default(byte), default(int)) { }
// // Creates an ACL from a raw ACL // - 'trusted' (internal) callers get to pass the raw ACL // that this object will take ownership of // - 'untrusted' callers are handled by creating a local // copy of the ACL passed in // internal CommonAcl( bool isContainer, bool isDS, RawAcl rawAcl, bool trusted, bool isDacl ) : base() { if ( rawAcl == null ) { throw new ArgumentNullException( "rawAcl" ); } Contract.EndContractBlock(); _isContainer = isContainer; _isDS = isDS; if (trusted) { // // In the trusted case, we take over ownership of the ACL passed in // _acl = rawAcl; RemoveMeaninglessAcesAndFlags( isDacl ); } else { // // In the untrusted case, we create our own raw ACL to keep the ACEs in // _acl = new RawAcl( rawAcl.Revision, rawAcl.Count ); for ( int i = 0; i < rawAcl.Count; i++ ) { // // Clone each ACE prior to putting it in // GenericAce ace = rawAcl[i].Copy(); // // Avoid inserting meaningless ACEs // if ( true == InspectAce( ref ace, isDacl )) { _acl.InsertAce( _acl.Count, ace ); } } } // // See whether the ACL is canonical to begin with // if ( true == CanonicalCheck( isDacl )) { // // Sort and compact the array // Canonicalize( true, isDacl ); _isCanonical = true; } else { _isCanonical = false; } }
public SystemAcl (bool isContainer, bool isDS, RawAcl rawAcl) : this (isContainer, isDS, 0) { // this.raw_acl = rawAcl; }
public DiscretionaryAcl(bool isContainer, bool isDS, RawAcl rawAcl) : base(isContainer, isDS, rawAcl) { }
public SystemAcl(bool isContainer, bool isDS, RawAcl rawAcl) : base(rawAcl, isContainer, isDS, false, rawAcl.Revision) { }
public SystemAcl(bool isContainer, bool isDS, RawAcl rawAcl) : this(isContainer, isDS, 0) { // this.raw_acl = rawAcl; }
public DiscretionaryAcl(bool isContainer, bool isDS, RawAcl rawAcl) : base(rawAcl, isContainer, isDS, false, rawAcl.Revision) { }
private void CreateFromParts(ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, RawAcl systemAcl, RawAcl discretionaryAcl) { SetFlags(flags); Owner = owner; Group = group; SystemAcl = systemAcl; DiscretionaryAcl = discretionaryAcl; ResourceManagerControl = 0; }
/// <summary>Initializes a new instance of the <see cref="T:System.Security.AccessControl.RawSecurityDescriptor" /> class with the specified values.</summary> /// <param name="flags">Flags that specify behavior of the new <see cref="T:System.Security.AccessControl.RawSecurityDescriptor" /> object.</param> /// <param name="owner">The owner for the new <see cref="T:System.Security.AccessControl.RawSecurityDescriptor" /> object.</param> /// <param name="group">The primary group for the new <see cref="T:System.Security.AccessControl.RawSecurityDescriptor" /> object.</param> /// <param name="systemAcl">The System Access Control List (SACL) for the new <see cref="T:System.Security.AccessControl.RawSecurityDescriptor" /> object.</param> /// <param name="discretionaryAcl">The Discretionary Access Control List (DACL) for the new <see cref="T:System.Security.AccessControl.RawSecurityDescriptor" /> object.</param> public RawSecurityDescriptor(ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, RawAcl systemAcl, RawAcl discretionaryAcl) { }
// // Creates a security descriptor from its binary representation // Important: the representation must be in self-relative format // public RawSecurityDescriptor(byte[] binaryForm, int offset) : base() { // // The array passed in must be valid // if (binaryForm == null) { throw new ArgumentNullException(nameof(binaryForm)); } if (offset < 0) { // // Offset must not be negative // throw new ArgumentOutOfRangeException(nameof(offset), SR.ArgumentOutOfRange_NeedNonNegNum); } // // At least make sure the header is in place // if (binaryForm.Length - offset < HeaderLength) { throw new ArgumentOutOfRangeException( nameof(binaryForm), SR.ArgumentOutOfRange_ArrayTooSmall); } // // We only understand revision-1 security descriptors // if (binaryForm[offset + 0] != Revision) { throw new ArgumentOutOfRangeException(nameof(binaryForm), SR.AccessControl_InvalidSecurityDescriptorRevision); } Contract.EndContractBlock(); ControlFlags flags; SecurityIdentifier owner, group; RawAcl sacl, dacl; byte rmControl; // // Extract the ResourceManagerControl field // rmControl = binaryForm[offset + 1]; // // Extract the control flags // flags = (ControlFlags)((binaryForm[offset + 2] << 0) + (binaryForm[offset + 3] << 8)); // // Make sure that the input is in self-relative format // if ((flags & ControlFlags.SelfRelative) == 0) { throw new ArgumentException( SR.AccessControl_InvalidSecurityDescriptorSelfRelativeForm, nameof(binaryForm)); } // // Extract the owner SID // int ownerOffset = UnmarshalInt(binaryForm, offset + OwnerFoundAt); if (ownerOffset != 0) { owner = new SecurityIdentifier(binaryForm, offset + ownerOffset); } else { owner = null; } // // Extract the group SID // int groupOffset = UnmarshalInt(binaryForm, offset + GroupFoundAt); if (groupOffset != 0) { group = new SecurityIdentifier(binaryForm, offset + groupOffset); } else { group = null; } // // Extract the SACL // int saclOffset = UnmarshalInt(binaryForm, offset + SaclFoundAt); if (((flags & ControlFlags.SystemAclPresent) != 0) && saclOffset != 0) { sacl = new RawAcl(binaryForm, offset + saclOffset); } else { sacl = null; } // // Extract the DACL // int daclOffset = UnmarshalInt(binaryForm, offset + DaclFoundAt); if (((flags & ControlFlags.DiscretionaryAclPresent) != 0) && daclOffset != 0) { dacl = new RawAcl(binaryForm, offset + daclOffset); } else { dacl = null; } // // Create the resulting security descriptor // CreateFromParts(flags, owner, group, sacl, dacl); // // In the offchance that the flags indicate that the rmControl // field is meaningful, remember what was there. // if ((flags & ControlFlags.RMControlValid) != 0) { ResourceManagerControl = rmControl; } }
/// <summary>Initializes a new instance of the <see cref="T:System.Security.AccessControl.SystemAcl" /> class with the specified values from the specified <see cref="T:System.Security.AccessControl.RawAcl" /> object.</summary><param name="isContainer">true if the new <see cref="T:System.Security.AccessControl.SystemAcl" /> object is a container.</param><param name="isDS">true if the new <see cref="T:System.Security.AccessControl.SystemAcl" /> object is a directory object Access Control List (ACL).</param><param name="rawAcl">The underlying <see cref="T:System.Security.AccessControl.RawAcl" /> object for the new <see cref="T:System.Security.AccessControl.SystemAcl" /> object. Specify null to create an empty ACL.</param> public SystemAcl(bool isContainer, bool isDS, RawAcl rawAcl) { throw new NotImplementedException(); }
private static void CanonicalizeDacl(NativeObjectSecurity objectSecurity) { if (objectSecurity == null) { throw new ArgumentNullException("objectSecurity"); } if (objectSecurity.AreAccessRulesCanonical) { return; } // A canonical ACL must have ACES sorted according to the following order: // 1. Access-denied on the object // 2. Access-denied on a child or property // 3. Access-allowed on the object // 4. Access-allowed on a child or property // 5. All inherited ACEs RawSecurityDescriptor descriptor = new RawSecurityDescriptor(objectSecurity.GetSecurityDescriptorSddlForm(AccessControlSections.Access)); List<CommonAce> implicitDenyDacl = new List<CommonAce>(); List<CommonAce> implicitDenyObjectDacl = new List<CommonAce>(); List<CommonAce> inheritedDacl = new List<CommonAce>(); List<CommonAce> implicitAllowDacl = new List<CommonAce>(); List<CommonAce> implicitAllowObjectDacl = new List<CommonAce>(); foreach (CommonAce ace in descriptor.DiscretionaryAcl) { if ((ace.AceFlags & AceFlags.Inherited) == AceFlags.Inherited) { inheritedDacl.Add(ace); } else { switch (ace.AceType) { case AceType.AccessAllowed: implicitAllowDacl.Add(ace); break; case AceType.AccessDenied: implicitDenyDacl.Add(ace); break; case AceType.AccessAllowedObject: implicitAllowObjectDacl.Add(ace); break; case AceType.AccessDeniedObject: implicitDenyObjectDacl.Add(ace); break; } } } Int32 aceIndex = 0; RawAcl newDacl = new RawAcl(descriptor.DiscretionaryAcl.Revision, descriptor.DiscretionaryAcl.Count); implicitDenyDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x)); implicitDenyObjectDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x)); implicitAllowDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x)); implicitAllowObjectDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x)); inheritedDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x)); if (aceIndex != descriptor.DiscretionaryAcl.Count) { System.Diagnostics.Debug.Fail("The DACL cannot be canonicalized since it would potentially result in a loss of information"); return; } descriptor.DiscretionaryAcl = newDacl; objectSecurity.SetSecurityDescriptorSddlForm(descriptor.GetSddlForm(AccessControlSections.Access), AccessControlSections.Access); }
public DiscretionaryAcl(bool isContainer, bool isDS, RawAcl rawAcl) { throw new NotImplementedException(); }
// The preferred order in which ACEs are added to DACLs is // documented here: http://search.msdn.microsoft.com/search/results.aspx?qu=Order+of+ACEs+in+a+DACL&View=msdn&st=b. // This routine follows that logic to determine the position of an ACE in the DACL. private int FindIndexInDacl(CommonAce newAce, RawAcl dacl) { int i = 0; for (i = 0; i < dacl.Count; i++) { if (dacl[i] is CommonAce && ((CommonAce)dacl[i]).SecurityIdentifier.Value == newAce.SecurityIdentifier.Value && dacl[i].AceType == newAce.AceType) { i = -1; break; } if (newAce.AceType == AceType.AccessDenied && dacl[i].AceType == AceType.AccessDenied && !newAce.IsInherited && !dacl[i].IsInherited) continue; if (newAce.AceType == AceType.AccessDenied && !newAce.IsInherited) break; if (newAce.AceType == AceType.AccessAllowed && dacl[i].AceType == AceType.AccessAllowed && !newAce.IsInherited && !dacl[i].IsInherited) continue; if (newAce.AceType == AceType.AccessAllowed && !newAce.IsInherited) break; } return i; }
// // Internal version - if 'trusted' is true, // takes ownership of the given raw ACL // internal DiscretionaryAcl( bool isContainer, bool isDS, RawAcl rawAcl, bool trusted ) : base( isContainer, isDS, rawAcl == null ? new RawAcl( isDS ? AclRevisionDS : AclRevision, 0 ) : rawAcl, trusted, true ) { }
public byte[] GetSecurity(SecurityInformation requestedInformation, bool wantDefault) { //FileSecurity fsec= new FileSecurity(@"c:\Test1\test.txt",~AccessControlSections.Audit); //return fsec.GetSecurityDescriptorBinaryForm(); WindowsIdentity user = WindowsIdentity.GetCurrent(); if (user != null) { int length = 0; IntPtr token = user.Token; GetTokenInformation(token, TOKEN_INFORMATION_CLASS.TokenDefaultDacl, IntPtr.Zero, 0, out length); IntPtr TokenInformation = Marshal.AllocHGlobal((int) length); bool Result = GetTokenInformation(token, TOKEN_INFORMATION_CLASS.TokenDefaultDacl, TokenInformation, (uint) length, out length); TOKEN_DEFAULT_DACL dacl = (TOKEN_DEFAULT_DACL) Marshal.PtrToStructure(TokenInformation, typeof (TOKEN_DEFAULT_DACL)); ACL acl = (ACL) Marshal.PtrToStructure(dacl.DefaultDacl, typeof (ACL)); byte[] aceArr = new byte[acl.AclSize]; Marshal.Copy(dacl.DefaultDacl, aceArr, 0, acl.AclSize); RawAcl rawAcl = new RawAcl(aceArr, 0); Marshal.FreeHGlobal(TokenInformation); GetTokenInformation(token, TOKEN_INFORMATION_CLASS.TokenOwner, IntPtr.Zero, 0, out length); TokenInformation = Marshal.AllocHGlobal((int) length); GetTokenInformation(token, TOKEN_INFORMATION_CLASS.TokenOwner, TokenInformation, (uint)length, out length); TOKEN_OWNER tokOwner = (TOKEN_OWNER) Marshal.PtrToStructure(TokenInformation, typeof (TOKEN_OWNER)); SecurityIdentifier ownerSID= new SecurityIdentifier(tokOwner.Owner); Marshal.FreeHGlobal(TokenInformation); GetTokenInformation(token, TOKEN_INFORMATION_CLASS.TokenPrimaryGroup, IntPtr.Zero, 0, out length); TokenInformation = Marshal.AllocHGlobal((int)length); GetTokenInformation(token, TOKEN_INFORMATION_CLASS.TokenPrimaryGroup, TokenInformation, (uint)length, out length); TOKEN_PRIMARY_GROUP tokGroup= (TOKEN_PRIMARY_GROUP)Marshal.PtrToStructure(TokenInformation, typeof(TOKEN_PRIMARY_GROUP)); SecurityIdentifier groupSID = new SecurityIdentifier(tokGroup.PrimaryGroup); RawSecurityDescriptor rawDesc = new RawSecurityDescriptor(ControlFlags.DiscretionaryAclPresent, ownerSID, groupSID, null, rawAcl); byte[] ret = new byte[rawDesc.BinaryLength]; rawDesc.GetBinaryForm(ret, 0); return ret; } return null; }
/// <summary>Initializes a new instance of the <see cref="T:System.Security.AccessControl.RawSecurityDescriptor" /> class from the specified array of byte values.</summary> /// <param name="binaryForm">The array of byte values from which to create the new <see cref="T:System.Security.AccessControl.RawSecurityDescriptor" /> object.</param> /// <param name="offset">The offset in the <paramref name="binaryForm" /> array at which to begin copying.</param> // Token: 0x06002063 RID: 8291 RVA: 0x0007194C File Offset: 0x0006FB4C public RawSecurityDescriptor(byte[] binaryForm, int offset) { if (binaryForm == null) { throw new ArgumentNullException("binaryForm"); } if (offset < 0) { throw new ArgumentOutOfRangeException("offset", Environment.GetResourceString("ArgumentOutOfRange_NeedNonNegNum")); } if (binaryForm.Length - offset < 20) { throw new ArgumentOutOfRangeException("binaryForm", Environment.GetResourceString("ArgumentOutOfRange_ArrayTooSmall")); } if (binaryForm[offset] != GenericSecurityDescriptor.Revision) { throw new ArgumentOutOfRangeException("binaryForm", Environment.GetResourceString("AccessControl_InvalidSecurityDescriptorRevision")); } byte resourceManagerControl = binaryForm[offset + 1]; ControlFlags controlFlags = (ControlFlags)((int)binaryForm[offset + 2] + ((int)binaryForm[offset + 3] << 8)); if ((controlFlags & ControlFlags.SelfRelative) == ControlFlags.None) { throw new ArgumentException(Environment.GetResourceString("AccessControl_InvalidSecurityDescriptorSelfRelativeForm"), "binaryForm"); } int num = GenericSecurityDescriptor.UnmarshalInt(binaryForm, offset + 4); SecurityIdentifier owner; if (num != 0) { owner = new SecurityIdentifier(binaryForm, offset + num); } else { owner = null; } int num2 = GenericSecurityDescriptor.UnmarshalInt(binaryForm, offset + 8); SecurityIdentifier group; if (num2 != 0) { group = new SecurityIdentifier(binaryForm, offset + num2); } else { group = null; } int num3 = GenericSecurityDescriptor.UnmarshalInt(binaryForm, offset + 12); RawAcl systemAcl; if ((controlFlags & ControlFlags.SystemAclPresent) != ControlFlags.None && num3 != 0) { systemAcl = new RawAcl(binaryForm, offset + num3); } else { systemAcl = null; } int num4 = GenericSecurityDescriptor.UnmarshalInt(binaryForm, offset + 16); RawAcl discretionaryAcl; if ((controlFlags & ControlFlags.DiscretionaryAclPresent) != ControlFlags.None && num4 != 0) { discretionaryAcl = new RawAcl(binaryForm, offset + num4); } else { discretionaryAcl = null; } this.CreateFromParts(controlFlags, owner, group, systemAcl, discretionaryAcl); if ((controlFlags & ControlFlags.RMControlValid) != ControlFlags.None) { this.ResourceManagerControl = resourceManagerControl; } }
// Token: 0x06001EE7 RID: 7911 RVA: 0x0006CCD6 File Offset: 0x0006AED6 internal DiscretionaryAcl(bool isContainer, bool isDS, RawAcl rawAcl, bool trusted) : base(isContainer, isDS, (rawAcl == null) ? new RawAcl(isDS ? GenericAcl.AclRevisionDS : GenericAcl.AclRevision, 0) : rawAcl, trusted, true) { }
public DiscretionaryAcl(bool isContainer, bool isDS, RawAcl rawAcl) : base(isContainer, isDS, 0) { // this.raw_acl = rawAcl; }
// // Creates an empty ACL // internal CommonAcl( bool isContainer, bool isDS, byte revision, int capacity ) : base() { _isContainer = isContainer; _isDS = isDS; _acl = new RawAcl( revision, capacity ); _isCanonical = true; // since it is empty }
public SystemAcl(bool isContainer, bool isDS, RawAcl rawAcl) : base(rawAcl, isContainer, isDS, false, rawAcl.Revision) {}
// // Creates an ACL from a given raw ACL // after canonicalizing it // public SystemAcl( bool isContainer, bool isDS, RawAcl rawAcl ) : this( isContainer, isDS, rawAcl, false ) { }
static RawAcl MakeRawAcl (GenericAce[] aces) { RawAcl acl = new RawAcl (RawAcl.AclRevision, 0); for (int i = 0; i < aces.Length; i ++) { acl.InsertAce (i, aces [i]); } return acl; }
// // Creates an ACL from a given raw ACL // after canonicalizing it // public DiscretionaryAcl( bool isContainer, bool isDS, RawAcl rawAcl ) : this( isContainer, isDS, rawAcl, false ) { }
// // Summary: // Initializes a new instance of the System.Security.AccessControl.DiscretionaryAcl // class with the specified values from the specified System.Security.AccessControl.RawAcl // object. // // Parameters: // isContainer: // true if the new System.Security.AccessControl.DiscretionaryAcl object is // a container. // // isDS: // true if the new System.Security.AccessControl.DiscretionaryAcl object is // a directory object Access Control List (ACL). // // rawAcl: // The underlying System.Security.AccessControl.RawAcl object for the new System.Security.AccessControl.DiscretionaryAcl // object. Specify null to create an empty ACL. public DiscretionaryAcl(bool isContainer, bool isDS, RawAcl rawAcl);
// // Summary: // Initializes a new instance of the System.Security.AccessControl.SystemAcl // class with the specified values from the specified System.Security.AccessControl.RawAcl // object. // // Parameters: // isContainer: // true if the new System.Security.AccessControl.SystemAcl object is a container. // // isDS: // true if the new System.Security.AccessControl.SystemAcl object is a directory // object Access Control List (ACL). // // rawAcl: // The underlying System.Security.AccessControl.RawAcl object for the new System.Security.AccessControl.SystemAcl // object. Specify null to create an empty ACL. extern public SystemAcl(bool isContainer, bool isDS, RawAcl rawAcl);
/// <summary>Initializes a new instance of the <see cref="T:System.Security.AccessControl.DiscretionaryAcl" /> class with the specified values from the specified <see cref="T:System.Security.AccessControl.RawAcl" /> object.</summary> /// <param name="isContainer"> /// <see langword="true" /> if the new <see cref="T:System.Security.AccessControl.DiscretionaryAcl" /> object is a container.</param> /// <param name="isDS"> /// <see langword="true" /> if the new <see cref="T:System.Security.AccessControl.DiscretionaryAcl" /> object is a directory object Access Control List (ACL).</param> /// <param name="rawAcl">The underlying <see cref="T:System.Security.AccessControl.RawAcl" /> object for the new <see cref="T:System.Security.AccessControl.DiscretionaryAcl" /> object. Specify <see langword="null" /> to create an empty ACL.</param> // Token: 0x06001EE6 RID: 7910 RVA: 0x0006CCCA File Offset: 0x0006AECA public DiscretionaryAcl(bool isContainer, bool isDS, RawAcl rawAcl) : this(isContainer, isDS, rawAcl, false) { }