void Init(bool isContainer, bool isDS, RawSecurityDescriptor rawSecurityDescriptor) { if (null == rawSecurityDescriptor) { throw new ArgumentNullException("rawSecurityDescriptor"); } SystemAcl sacl = null; if (null != rawSecurityDescriptor.SystemAcl) { sacl = new SystemAcl(isContainer, isDS, rawSecurityDescriptor.SystemAcl); } DiscretionaryAcl dacl = null; if (null != rawSecurityDescriptor.DiscretionaryAcl) { dacl = new DiscretionaryAcl(isContainer, isDS, rawSecurityDescriptor.DiscretionaryAcl); } Init(isContainer, isDS, rawSecurityDescriptor.ControlFlags, rawSecurityDescriptor.Owner, rawSecurityDescriptor.Group, sacl, dacl); }
public void PurgeAudit(SecurityIdentifier sid) { if (SystemAcl != null) { SystemAcl.Purge(sid); } }
private void CreateFromParts(bool isContainer, bool isDS, ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, SystemAcl systemAcl, DiscretionaryAcl discretionaryAcl) { if (systemAcl != null && systemAcl.IsContainer != isContainer) { throw new ArgumentException(Environment.GetResourceString(isContainer ? "AccessControl_MustSpecifyContainerAcl" : "AccessControl_MustSpecifyLeafObjectAcl"), "systemAcl"); } if (discretionaryAcl != null && discretionaryAcl.IsContainer != isContainer) { throw new ArgumentException(Environment.GetResourceString(isContainer ? "AccessControl_MustSpecifyContainerAcl" : "AccessControl_MustSpecifyLeafObjectAcl"), "discretionaryAcl"); } this._isContainer = isContainer; if (systemAcl != null && systemAcl.IsDS != isDS) { throw new ArgumentException(Environment.GetResourceString(isDS ? "AccessControl_MustSpecifyDirectoryObjectAcl" : "AccessControl_MustSpecifyNonDirectoryObjectAcl"), "systemAcl"); } if (discretionaryAcl != null && discretionaryAcl.IsDS != isDS) { throw new ArgumentException(Environment.GetResourceString(isDS ? "AccessControl_MustSpecifyDirectoryObjectAcl" : "AccessControl_MustSpecifyNonDirectoryObjectAcl"), "discretionaryAcl"); } this._isDS = isDS; this._sacl = systemAcl; if (discretionaryAcl == null) { discretionaryAcl = DiscretionaryAcl.CreateAllowEveryoneFullAccess(this._isDS, this._isContainer); } this._dacl = discretionaryAcl; ControlFlags controlFlags = flags | ControlFlags.DiscretionaryAclPresent; this._rawSd = new RawSecurityDescriptor(systemAcl != null ? controlFlags | ControlFlags.SystemAclPresent : controlFlags& ~ControlFlags.SystemAclPresent, owner, group, systemAcl == null ? (RawAcl)null : systemAcl.RawAcl, discretionaryAcl.RawAcl); }
public void AddAuditObjectAceAndCommonAce () { SecurityIdentifier sid = new SecurityIdentifier ("BA"); SystemAcl sacl = new SystemAcl (false, true, 0); sacl.AddAudit (AuditFlags.Success, sid, 1, InheritanceFlags.None, PropagationFlags.None, ObjectAceFlags.ObjectAceTypePresent, Guid.NewGuid (), Guid.Empty); sacl.AddAudit (AuditFlags.Success, sid, 1, InheritanceFlags.None, PropagationFlags.None, ObjectAceFlags.None, Guid.Empty, Guid.Empty); Assert.AreEqual (2, sacl.Count); CommonAce cace = (CommonAce)sacl [0]; Assert.AreEqual (1, cace.AccessMask); Assert.AreEqual ("S-1-5-32-544", cace.SecurityIdentifier.Value); Assert.IsFalse (cace.IsCallback); Assert.IsFalse (cace.IsInherited); ObjectAce oace = (ObjectAce)sacl [1]; Assert.AreEqual (1, oace.AccessMask); Assert.AreEqual ("S-1-5-32-544", oace.SecurityIdentifier.Value); Assert.IsFalse (oace.IsCallback); Assert.IsFalse (oace.IsInherited); sacl.AddAudit (AuditFlags.Success, sid, 2, InheritanceFlags.None, PropagationFlags.None, ObjectAceFlags.None, Guid.Empty, Guid.Empty); Assert.AreEqual (2, sacl.Count); CommonAce cace2 = (CommonAce)sacl [0]; Assert.AreEqual (3, cace2.AccessMask); }
public CommonSecurityDescriptor(bool isContainer, bool isDS, ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, SystemAcl systemAcl, DiscretionaryAcl discretionaryAcl) { Init(isContainer, isDS, flags, owner, group, systemAcl, discretionaryAcl); }
public CommonSecurityDescriptor (bool isContainer, bool isDS, ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, SystemAcl systemAcl, DiscretionaryAcl discretionaryAcl) { Init (isContainer, isDS, flags, owner, group, systemAcl, discretionaryAcl); }
public void PurgeAudit(SecurityIdentifier sid) { ArgumentNullException.ThrowIfNull(sid); if (SystemAcl != null) { SystemAcl.Purge(sid); } }
/// <summary>Initializes a new instance of the <see cref="T:System.Security.AccessControl.CommonSecurityDescriptor" /> class from the specified information.</summary> /// <param name="isContainer">true if the new security descriptor is associated with a container object.</param> /// <param name="isDS">true if the new security descriptor is associated with a directory object.</param> /// <param name="flags">Flags that specify behavior of the new <see cref="T:System.Security.AccessControl.CommonSecurityDescriptor" /> object.</param> /// <param name="owner">The owner for the new <see cref="T:System.Security.AccessControl.CommonSecurityDescriptor" /> object.</param> /// <param name="group">The primary group for the new <see cref="T:System.Security.AccessControl.CommonSecurityDescriptor" /> object.</param> /// <param name="systemAcl">The System Access Control List (SACL) for the new <see cref="T:System.Security.AccessControl.CommonSecurityDescriptor" /> object.</param> /// <param name="discretionaryAcl">The Discretionary Access Control List (DACL) for the new <see cref="T:System.Security.AccessControl.CommonSecurityDescriptor" /> object.</param> public CommonSecurityDescriptor(bool isContainer, bool isDS, ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, SystemAcl systemAcl, DiscretionaryAcl discretionaryAcl) { this.isContainer = isContainer; this.isDS = isDS; this.flags = flags; this.owner = owner; this.group = group; this.systemAcl = systemAcl; this.discretionaryAcl = discretionaryAcl; throw new NotImplementedException(); }
public void AddAuditMergesFlags () { SecurityIdentifier sid = new SecurityIdentifier ("BA"); SystemAcl sacl = new SystemAcl (false, false, 0); sacl.AddAudit (AuditFlags.Success, sid, 1, InheritanceFlags.None, PropagationFlags.None); sacl.AddAudit (AuditFlags.Failure, sid, 1, InheritanceFlags.None, PropagationFlags.None); Assert.AreEqual (1, sacl.Count); CommonAce ace = (CommonAce)sacl [0]; Assert.AreEqual (AuditFlags.Success|AuditFlags.Failure, ace.AuditFlags); }
public void PurgeAudit(SecurityIdentifier sid) { if (sid == null) { throw new ArgumentNullException(nameof(sid)); } if (SystemAcl != null) { SystemAcl.Purge(sid); } }
public void PurgeAudit(SecurityIdentifier sid) { if (sid == null) { throw new ArgumentNullException("sid"); } Contract.EndContractBlock(); if (SystemAcl != null) { SystemAcl.Purge(sid); } }
public void AddAuditCommonAce () { SecurityIdentifier sid = new SecurityIdentifier ("BA"); SystemAcl sacl = new SystemAcl (false, false, 0); sacl.AddAudit (AuditFlags.Success, sid, 1, InheritanceFlags.None, PropagationFlags.None); Assert.AreEqual (1, sacl.Count); CommonAce ace = (CommonAce)sacl [0]; Assert.AreEqual (AuditFlags.Success, ace.AuditFlags); Assert.AreEqual (1, ace.AccessMask); Assert.AreEqual ("S-1-5-32-544", ace.SecurityIdentifier.Value); Assert.IsFalse (ace.IsInherited); }
public void SetSystemAclProtection(bool isProtected, bool preserveInheritance) { if (!isProtected) { flags &= ~ControlFlags.SystemAclProtected; return; } flags |= ControlFlags.SystemAclProtected; if (!preserveInheritance && SystemAcl != null) { SystemAcl.RemoveInheritedAces(); } }
public void AddAuditCommonAceUsingDSOverload () { SecurityIdentifier sid = new SecurityIdentifier ("BA"); SystemAcl sacl = new SystemAcl (false, true, 0); sacl.AddAudit (AuditFlags.Failure, sid, 1, InheritanceFlags.None, PropagationFlags.None, ObjectAceFlags.None, Guid.NewGuid (), Guid.NewGuid ()); Assert.AreEqual (1, sacl.Count); CommonAce ace = (CommonAce)sacl [0]; Assert.AreEqual (AuditFlags.Failure, ace.AuditFlags); Assert.AreEqual (1, ace.AccessMask); Assert.AreEqual ("S-1-5-32-544", ace.SecurityIdentifier.Value); Assert.IsFalse (ace.IsInherited); }
public void SetSystemAclProtection(bool isProtected, bool preserveInheritance) { if (!isProtected) { RemoveControlFlags(ControlFlags.SystemAclProtected); } else { if (!preserveInheritance && SystemAcl != null) { SystemAcl.RemoveInheritedAces(); } AddControlFlags(ControlFlags.SystemAclProtected); } }
void Init(bool isContainer, bool isDS, ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, SystemAcl systemAcl, DiscretionaryAcl discretionaryAcl) { this.flags = flags & ~ControlFlags.SystemAclPresent; this.is_container = isContainer; this.is_ds = isDS; Owner = owner; Group = group; SystemAcl = systemAcl; DiscretionaryAcl = discretionaryAcl; }
public CommonSecurityDescriptor (bool isContainer, bool isDS, ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, SystemAcl systemAcl, DiscretionaryAcl discretionaryAcl) { this.isContainer = isContainer; this.isDS = isDS; this.flags = flags; this.owner = owner; this.group = group; this.systemAcl = systemAcl; this.discretionaryAcl = discretionaryAcl; throw new NotImplementedException (); }
void Init (bool isContainer, bool isDS, RawSecurityDescriptor rawSecurityDescriptor) { if (null == rawSecurityDescriptor) throw new ArgumentNullException ("rawSecurityDescriptor"); SystemAcl sacl = null; if (null != rawSecurityDescriptor.SystemAcl) sacl = new SystemAcl (isContainer, isDS, rawSecurityDescriptor.SystemAcl); DiscretionaryAcl dacl = null; if (null != rawSecurityDescriptor.DiscretionaryAcl) dacl = new DiscretionaryAcl (isContainer, isDS, rawSecurityDescriptor.DiscretionaryAcl); Init (isContainer, isDS, rawSecurityDescriptor.ControlFlags, rawSecurityDescriptor.Owner, rawSecurityDescriptor.Group, sacl, dacl); }
public void IndexerMakesCopies () { // This behavior is mentioned in the DiscretionaryAcl RawAcl constructor overload. // Turns out it applies to more than just the constructor. SecurityIdentifier worldSid = new SecurityIdentifier ("WD"); // RawAcl does not make copies. RawAcl acl = new RawAcl (RawAcl.AclRevision, 1); CommonAce ace = new CommonAce (AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, worldSid, false, null); acl.InsertAce (0, ace); Assert.AreSame (acl [0], acl [0]); // CommonAcl does. SystemAcl sacl = new SystemAcl (false, false, acl); Assert.AreNotSame (sacl [0], sacl [0]); // Make sure the copying occurs in the constructor as well as the indexer. ace.AceFlags = AceFlags.FailedAccess; Assert.AreEqual (AceFlags.SuccessfulAccess, sacl [0].AceFlags); }
public void PurgeAudit(SecurityIdentifier sid) { ArgumentNullException.ThrowIfNull(sid); SystemAcl?.Purge(sid); }
private void Persist(string name, SafeHandle handle, AccessControlSections includeSections, object exceptionContext) { base.WriteLock(); try { SecurityInfos securityInformation = 0; SecurityIdentifier owner = null; SecurityIdentifier group = null; SystemAcl sacl = null; DiscretionaryAcl dacl = null; if (((includeSections & AccessControlSections.Owner) != AccessControlSections.None) && (base._securityDescriptor.Owner != null)) { securityInformation |= SecurityInfos.Owner; owner = base._securityDescriptor.Owner; } if (((includeSections & AccessControlSections.Group) != AccessControlSections.None) && (base._securityDescriptor.Group != null)) { securityInformation |= SecurityInfos.Group; group = base._securityDescriptor.Group; } if ((includeSections & AccessControlSections.Audit) != AccessControlSections.None) { securityInformation |= SecurityInfos.SystemAcl; if ((base._securityDescriptor.IsSystemAclPresent && (base._securityDescriptor.SystemAcl != null)) && (base._securityDescriptor.SystemAcl.Count > 0)) { sacl = base._securityDescriptor.SystemAcl; } else { sacl = null; } if ((base._securityDescriptor.ControlFlags & ControlFlags.SystemAclProtected) != ControlFlags.None) { securityInformation |= (SecurityInfos)this.ProtectedSystemAcl; } else { securityInformation |= (SecurityInfos)this.UnprotectedSystemAcl; } } if (((includeSections & AccessControlSections.Access) != AccessControlSections.None) && base._securityDescriptor.IsDiscretionaryAclPresent) { securityInformation |= SecurityInfos.DiscretionaryAcl; if (base._securityDescriptor.DiscretionaryAcl.EveryOneFullAccessForNullDacl) { dacl = null; } else { dacl = base._securityDescriptor.DiscretionaryAcl; } if ((base._securityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclProtected) != ControlFlags.None) { securityInformation |= (SecurityInfos)this.ProtectedDiscretionaryAcl; } else { securityInformation |= (SecurityInfos)this.UnprotectedDiscretionaryAcl; } } if (securityInformation == 0) { return; } int errorCode = System.Security.AccessControl.Win32.SetSecurityInfo(this._resourceType, name, handle, securityInformation, owner, group, sacl, dacl); if (errorCode == 0) { goto Label_0249; } Exception exception = null; if (this._exceptionFromErrorCode != null) { exception = this._exceptionFromErrorCode(errorCode, name, handle, exceptionContext); } if (exception == null) { switch (errorCode) { case 5: exception = new UnauthorizedAccessException(); goto Label_0246; case 0x51b: exception = new InvalidOperationException(Environment.GetResourceString("AccessControl_InvalidOwner")); goto Label_0246; case 0x51c: exception = new InvalidOperationException(Environment.GetResourceString("AccessControl_InvalidGroup")); goto Label_0246; case 0x7b: exception = new ArgumentException(Environment.GetResourceString("Argument_InvalidName"), "name"); goto Label_0246; case 6: exception = new NotSupportedException(Environment.GetResourceString("AccessControl_InvalidHandle")); goto Label_0246; case 2: exception = new FileNotFoundException(); goto Label_0246; case 0x546: exception = new NotSupportedException(Environment.GetResourceString("AccessControl_NoAssociatedSecurity")); goto Label_0246; } exception = new InvalidOperationException(Environment.GetResourceString("AccessControl_UnexpectedError", new object[] { errorCode })); } Label_0246: throw exception; Label_0249: base.OwnerModified = false; base.GroupModified = false; base.AccessRulesModified = false; base.AuditRulesModified = false; } finally { base.WriteUnlock(); } }
public byte[] ToSaclBytes() { SystemAcl sacl = new SystemAcl(false, false, 0); byte[] bytes = new byte[sacl.BinaryLength]; sacl.GetBinaryForm(bytes, 0); return bytes; }
internal static void SetAccessControlExtracted(FileSystemSecurity security, string name) { //security.WriteLock(); AccessControlSections includeSections = AccessControlSections.Audit | AccessControlSections.Owner | AccessControlSections.Group; SecurityInfos securityInfo = (SecurityInfos)0; SecurityIdentifier owner = null; SecurityIdentifier group = null; SystemAcl sacl = null; DiscretionaryAcl dacl = null; if ((includeSections & AccessControlSections.Owner) != AccessControlSections.None) { owner = (SecurityIdentifier)security.GetOwner(typeof(SecurityIdentifier)); if (owner != null) { securityInfo = securityInfo | SecurityInfos.Owner; } } if ((includeSections & AccessControlSections.Group) != AccessControlSections.None) { @group = (SecurityIdentifier)security.GetGroup(typeof(SecurityIdentifier)); if (@group != null) { securityInfo = securityInfo | SecurityInfos.Group; } } var securityDescriptorBinaryForm = security.GetSecurityDescriptorBinaryForm(); RawSecurityDescriptor rawSecurityDescriptor = null; bool isDiscretionaryAclPresent = false; if (securityDescriptorBinaryForm != null) { rawSecurityDescriptor = new RawSecurityDescriptor(securityDescriptorBinaryForm, 0); isDiscretionaryAclPresent = (rawSecurityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclPresent) != ControlFlags.None; } if ((includeSections & AccessControlSections.Audit) != AccessControlSections.None) { securityInfo = securityInfo | SecurityInfos.SystemAcl; sacl = null; if (rawSecurityDescriptor != null) { var isSystemAclPresent = (rawSecurityDescriptor.ControlFlags & ControlFlags.SystemAclPresent) != ControlFlags.None; if (isSystemAclPresent && rawSecurityDescriptor.SystemAcl != null && rawSecurityDescriptor.SystemAcl.Count > 0) { // are all system acls on a file not a container? const bool notAContainer = false; const bool notADirectoryObjectACL = false; sacl = new SystemAcl(notAContainer, notADirectoryObjectACL, rawSecurityDescriptor.SystemAcl); } securityInfo = (SecurityInfos)(((rawSecurityDescriptor.ControlFlags & ControlFlags.SystemAclProtected) == ControlFlags.None ? (uint)securityInfo | UnprotectedSystemAcl : (uint)securityInfo | ProtectedSystemAcl)); } } if ((includeSections & AccessControlSections.Access) != AccessControlSections.None && isDiscretionaryAclPresent) { securityInfo = securityInfo | SecurityInfos.DiscretionaryAcl; dacl = null; if (rawSecurityDescriptor != null) { //if (!this._securityDescriptor.DiscretionaryAcl.EveryOneFullAccessForNullDacl) { dacl = new DiscretionaryAcl(false, false, rawSecurityDescriptor.DiscretionaryAcl); } securityInfo = (SecurityInfos)(((rawSecurityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclProtected) == ControlFlags.None ? (uint)securityInfo | UnprotectedDiscretionaryAcl : (uint)securityInfo | ProtectedDiscretionaryAcl)); } } if (securityInfo == 0) return; int errorNum = SetSecurityInfo(ResourceType.FileObject, name, null, securityInfo, owner, @group, sacl, dacl); if (errorNum != 0) { Exception exception = GetExceptionFromWin32Error(errorNum, name); if (exception == null) { if (errorNum == NativeMethods.ERROR_ACCESS_DENIED) { exception = new UnauthorizedAccessException(); } else if (errorNum == NativeMethods.ERROR_INVALID_OWNER) { exception = new InvalidOperationException("Invalid owner"); } else if (errorNum == NativeMethods.ERROR_INVALID_PRIMARY_GROUP) { exception = new InvalidOperationException("Invalid group"); } else if (errorNum == NativeMethods.ERROR_INVALID_NAME) { exception = new ArgumentException("Invalid name", "name"); } else if (errorNum == NativeMethods.ERROR_INVALID_HANDLE) { exception = new NotSupportedException("Invalid Handle"); } else if (errorNum == NativeMethods.ERROR_FILE_NOT_FOUND) { exception = new FileNotFoundException(); } else if (errorNum != NativeMethods.ERROR_NO_SECURITY_ON_OBJECT) { exception = new InvalidOperationException("Unexpected error"); } else { exception = new NotSupportedException("No associated security"); } } throw exception; } //finally //{ //security.WriteLUnlck(); //} }
/// <summary>Initializes a new instance of the <see cref="T:System.Security.AccessControl.CommonSecurityDescriptor" /> class from the specified information.</summary><param name="isContainer">true if the new security descriptor is associated with a container object.</param><param name="isDS">true if the new security descriptor is associated with a directory object.</param><param name="flags">Flags that specify behavior of the new <see cref="T:System.Security.AccessControl.CommonSecurityDescriptor" /> object.</param><param name="owner">The owner for the new <see cref="T:System.Security.AccessControl.CommonSecurityDescriptor" /> object.</param><param name="group">The primary group for the new <see cref="T:System.Security.AccessControl.CommonSecurityDescriptor" /> object.</param><param name="systemAcl">The System Access Control List (SACL) for the new <see cref="T:System.Security.AccessControl.CommonSecurityDescriptor" /> object.</param><param name="discretionaryAcl">The Discretionary Access Control List (DACL) for the new <see cref="T:System.Security.AccessControl.CommonSecurityDescriptor" /> object.</param> public CommonSecurityDescriptor(bool isContainer, bool isDS, ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, SystemAcl systemAcl, DiscretionaryAcl discretionaryAcl) { throw new NotImplementedException(); }
void RemoveSpecificBegin (SecurityIdentifier sid, SystemAcl sacl, InheritanceFlags inheritanceFlags) { SecurityIdentifier otherSid = new SecurityIdentifier ("BU"); sacl.AddAudit (AuditFlags.Success, sid, 3, inheritanceFlags, PropagationFlags.None); Assert.AreEqual (1, sacl.Count); sacl.RemoveAuditSpecific (AuditFlags.Failure, sid, 1, inheritanceFlags, PropagationFlags.None); Assert.AreEqual (1, sacl.Count); sacl.RemoveAuditSpecific (AuditFlags.Success, otherSid, 1, inheritanceFlags, PropagationFlags.None); Assert.AreEqual (1, sacl.Count); sacl.RemoveAuditSpecific (AuditFlags.Success, sid, 1, inheritanceFlags, PropagationFlags.None); Assert.AreEqual (1, sacl.Count); Assert.AreEqual (3, ((CommonAce)sacl [0]).AccessMask); sacl.RemoveAuditSpecific (AuditFlags.Success, sid, 3, inheritanceFlags ^ InheritanceFlags.ContainerInherit, PropagationFlags.None); Assert.AreEqual (1, sacl.Count); }
private void CreateFromParts(bool isContainer, bool isDS, ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, SystemAcl systemAcl, DiscretionaryAcl discretionaryAcl) { if (systemAcl != null && systemAcl.IsContainer != isContainer) { throw new ArgumentException( isContainer ? SR.AccessControl_MustSpecifyContainerAcl : SR.AccessControl_MustSpecifyLeafObjectAcl, nameof(systemAcl)); } if (discretionaryAcl != null && discretionaryAcl.IsContainer != isContainer) { throw new ArgumentException( isContainer ? SR.AccessControl_MustSpecifyContainerAcl : SR.AccessControl_MustSpecifyLeafObjectAcl, nameof(discretionaryAcl)); } _isContainer = isContainer; if (systemAcl != null && systemAcl.IsDS != isDS) { throw new ArgumentException( isDS ? SR.AccessControl_MustSpecifyDirectoryObjectAcl : SR.AccessControl_MustSpecifyNonDirectoryObjectAcl, nameof(systemAcl)); } if (discretionaryAcl != null && discretionaryAcl.IsDS != isDS) { throw new ArgumentException( isDS ? SR.AccessControl_MustSpecifyDirectoryObjectAcl : SR.AccessControl_MustSpecifyNonDirectoryObjectAcl, nameof(discretionaryAcl)); } _isDS = isDS; _sacl = systemAcl; // // Replace null DACL with an allow-all for everyone DACL // if (discretionaryAcl == null) { // // to conform to native behavior, we will add allow everyone ace for DACL // discretionaryAcl = DiscretionaryAcl.CreateAllowEveryoneFullAccess(_isDS, _isContainer); } _dacl = discretionaryAcl; // // DACL is never null. So always set the flag bit on // ControlFlags actualFlags = flags | ControlFlags.DiscretionaryAclPresent; // // Keep SACL and the flag bit in sync. // if (systemAcl == null) { unchecked { actualFlags &= ~(ControlFlags.SystemAclPresent); } } else { actualFlags |= (ControlFlags.SystemAclPresent); } _rawSd = new RawSecurityDescriptor(actualFlags, owner, group, systemAcl == null ? null : systemAcl.RawAcl, discretionaryAcl.RawAcl); }
public void AddSystemAcl(byte revision, int trusted) { SystemAcl = new SystemAcl (IsContainer, IsDS, revision, trusted); flags |= ControlFlags.SystemAclPresent; }
public CommonSecurityDescriptor(bool isContainer, bool isDS, ControlFlags flags, System.Security.Principal.SecurityIdentifier owner, System.Security.Principal.SecurityIdentifier group, SystemAcl systemAcl, DiscretionaryAcl discretionaryAcl) { }
public void AddSystemAcl(byte revision, int trusted) { SystemAcl = new SystemAcl(IsContainer, IsDS, revision, trusted); flags |= ControlFlags.SystemAclPresent; }
private void Persist(string name, SafeHandle handle, AccessControlSections includeSections, object exceptionContext) { base.WriteLock(); try { SecurityInfos securityInfos = (SecurityInfos)0; SecurityIdentifier owner = null; SecurityIdentifier group = null; SystemAcl sacl = null; DiscretionaryAcl dacl = null; if ((includeSections & AccessControlSections.Owner) != AccessControlSections.None && this._securityDescriptor.Owner != null) { securityInfos |= SecurityInfos.Owner; owner = this._securityDescriptor.Owner; } if ((includeSections & AccessControlSections.Group) != AccessControlSections.None && this._securityDescriptor.Group != null) { securityInfos |= SecurityInfos.Group; group = this._securityDescriptor.Group; } if ((includeSections & AccessControlSections.Audit) != AccessControlSections.None) { securityInfos |= SecurityInfos.SystemAcl; if (this._securityDescriptor.IsSystemAclPresent && this._securityDescriptor.SystemAcl != null && this._securityDescriptor.SystemAcl.Count > 0) { sacl = this._securityDescriptor.SystemAcl; } else { sacl = null; } if ((this._securityDescriptor.ControlFlags & ControlFlags.SystemAclProtected) != ControlFlags.None) { securityInfos |= (SecurityInfos)this.ProtectedSystemAcl; } else { securityInfos |= (SecurityInfos)this.UnprotectedSystemAcl; } } if ((includeSections & AccessControlSections.Access) != AccessControlSections.None && this._securityDescriptor.IsDiscretionaryAclPresent) { securityInfos |= SecurityInfos.DiscretionaryAcl; if (this._securityDescriptor.DiscretionaryAcl.EveryOneFullAccessForNullDacl) { dacl = null; } else { dacl = this._securityDescriptor.DiscretionaryAcl; } if ((this._securityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclProtected) != ControlFlags.None) { securityInfos |= (SecurityInfos)this.ProtectedDiscretionaryAcl; } else { securityInfos |= (SecurityInfos)this.UnprotectedDiscretionaryAcl; } } if (securityInfos != (SecurityInfos)0) { int num = Win32.SetSecurityInfo(this._resourceType, name, handle, securityInfos, owner, group, sacl, dacl); if (num != 0) { Exception ex = null; if (this._exceptionFromErrorCode != null) { ex = this._exceptionFromErrorCode(num, name, handle, exceptionContext); } if (ex == null) { if (num == 5) { ex = new UnauthorizedAccessException(); } else if (num == 1307) { ex = new InvalidOperationException(Environment.GetResourceString("AccessControl_InvalidOwner")); } else if (num == 1308) { ex = new InvalidOperationException(Environment.GetResourceString("AccessControl_InvalidGroup")); } else if (num == 123) { ex = new ArgumentException(Environment.GetResourceString("Argument_InvalidName"), "name"); } else if (num == 6) { ex = new NotSupportedException(Environment.GetResourceString("AccessControl_InvalidHandle")); } else if (num == 2) { ex = new FileNotFoundException(); } else if (num == 1350) { ex = new NotSupportedException(Environment.GetResourceString("AccessControl_NoAssociatedSecurity")); } else { ex = new InvalidOperationException(Environment.GetResourceString("AccessControl_UnexpectedError", new object[] { num })); } } throw ex; } base.OwnerModified = false; base.GroupModified = false; base.AccessRulesModified = false; base.AuditRulesModified = false; } } finally { base.WriteUnlock(); } }
public void SetAudit () { SecurityIdentifier adminSid = new SecurityIdentifier ("BA"); // S-1-5-32-544 SecurityIdentifier userSid = new SecurityIdentifier ("BU"); // S-1-5-32-545 SystemAcl sacl = new SystemAcl (true, false, 0); sacl.SetAudit (AuditFlags.Success, adminSid, 1, InheritanceFlags.ObjectInherit, PropagationFlags.None); sacl.SetAudit (AuditFlags.Success, userSid, 2, InheritanceFlags.None, PropagationFlags.None); Assert.AreEqual (2, sacl.Count); CommonAce ace = (CommonAce)sacl [0]; Assert.AreEqual (adminSid, ace.SecurityIdentifier); Assert.AreEqual (1, ace.AccessMask); sacl.SetAudit (AuditFlags.Success, adminSid, 4, InheritanceFlags.ObjectInherit, PropagationFlags.None); Assert.AreNotEqual (4, ace.AccessMask); ace = (CommonAce)sacl [0]; Assert.AreEqual (4, ace.AccessMask); sacl.SetAudit (AuditFlags.Failure, adminSid, 4, InheritanceFlags.ObjectInherit, PropagationFlags.None); Assert.AreEqual (2, sacl.Count); ace = (CommonAce)sacl [0]; Assert.AreEqual (AuditFlags.Failure, ace.AuditFlags); Assert.AreEqual (adminSid, ace.SecurityIdentifier); ace = (CommonAce)sacl [1]; Assert.AreEqual (AuditFlags.Success, ace.AuditFlags); Assert.AreEqual (userSid, ace.SecurityIdentifier); }
public void RemoveSpecific () { SecurityIdentifier sid = new SecurityIdentifier ("BA"); SystemAcl sacl = new SystemAcl (false, false, 0); RemoveSpecificBegin (sid, sacl, InheritanceFlags.None); sacl.RemoveAuditSpecific (AuditFlags.Success, sid, 3, InheritanceFlags.None, PropagationFlags.None); Assert.AreEqual (0, sacl.Count); }
public void SaclPresent () { SecurityIdentifier userSid = new SecurityIdentifier (WellKnownSidType.LocalSystemSid, null); SecurityIdentifier groupSid = new SecurityIdentifier (WellKnownSidType.BuiltinAdministratorsSid, null); SystemAcl sacl = new SystemAcl (false, false, 0); CommonSecurityDescriptor csd; csd = new CommonSecurityDescriptor (false, false, ControlFlags.None, userSid, groupSid, null, null); Assert.IsNull (csd.SystemAcl); Assert.IsTrue (csd.IsSystemAclCanonical); csd = new CommonSecurityDescriptor (false, false, ControlFlags.SystemAclPresent, userSid, groupSid, null, null); Assert.IsNull (csd.SystemAcl); Assert.IsTrue (csd.IsSystemAclCanonical); Assert.AreEqual (ControlFlags.DiscretionaryAclPresent | ControlFlags.SelfRelative, csd.ControlFlags); csd = new CommonSecurityDescriptor (false, false, ControlFlags.None, userSid, groupSid, sacl, null); Assert.AreSame (sacl, csd.SystemAcl); Assert.IsTrue (csd.IsSystemAclCanonical); Assert.AreEqual (0, csd.SystemAcl.Count); Assert.AreEqual (ControlFlags.DiscretionaryAclPresent | ControlFlags.SystemAclPresent | ControlFlags.SelfRelative, csd.ControlFlags); csd.SystemAcl = null; Assert.AreEqual (ControlFlags.DiscretionaryAclPresent | ControlFlags.SelfRelative, csd.ControlFlags); }
void Init (bool isContainer, bool isDS, ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, SystemAcl systemAcl, DiscretionaryAcl discretionaryAcl) { this.flags = flags & ~ControlFlags.SystemAclPresent; this.is_container = isContainer; this.is_ds = isDS; Owner = owner; Group = group; SystemAcl = systemAcl; DiscretionaryAcl = discretionaryAcl; }
public void RemoveSpecificUsingDSOverload () { SecurityIdentifier sid = new SecurityIdentifier ("BA"); SystemAcl sacl = new SystemAcl (false, true, 0); RemoveSpecificBegin (sid, sacl, InheritanceFlags.None); sacl.RemoveAuditSpecific (AuditFlags.Success, sid, 3, InheritanceFlags.None, PropagationFlags.None, ObjectAceFlags.ObjectAceTypePresent, Guid.Empty, Guid.Empty); Assert.AreEqual (1, sacl.Count); sacl.RemoveAuditSpecific (AuditFlags.Success, sid, 3, InheritanceFlags.None, PropagationFlags.None, ObjectAceFlags.None, Guid.Empty, Guid.Empty); Assert.AreEqual (0, sacl.Count); }
// // Attempts to persist the security descriptor onto the object // private void Persist(string name, SafeHandle handle, AccessControlSections includeSections, object exceptionContext) { WriteLock(); try { int error; SecurityInfos securityInfo = 0; SecurityIdentifier owner = null, group = null; SystemAcl sacl = null; DiscretionaryAcl dacl = null; if ((includeSections & AccessControlSections.Owner) != 0 && _securityDescriptor.Owner != null) { securityInfo |= SecurityInfos.Owner; owner = _securityDescriptor.Owner; } if ((includeSections & AccessControlSections.Group) != 0 && _securityDescriptor.Group != null) { securityInfo |= SecurityInfos.Group; group = _securityDescriptor.Group; } if ((includeSections & AccessControlSections.Audit) != 0) { securityInfo |= SecurityInfos.SystemAcl; if (_securityDescriptor.IsSystemAclPresent && _securityDescriptor.SystemAcl != null && _securityDescriptor.SystemAcl.Count > 0) { sacl = _securityDescriptor.SystemAcl; } else { sacl = null; } if ((_securityDescriptor.ControlFlags & ControlFlags.SystemAclProtected) != 0) { securityInfo = (SecurityInfos)((uint)securityInfo | ProtectedSystemAcl); } else { securityInfo = (SecurityInfos)((uint)securityInfo | UnprotectedSystemAcl); } } if ((includeSections & AccessControlSections.Access) != 0 && _securityDescriptor.IsDiscretionaryAclPresent) { securityInfo |= SecurityInfos.DiscretionaryAcl; // if the DACL is in fact a crafted replaced for NULL replacement, then we will persist it as NULL if (_securityDescriptor.DiscretionaryAcl.EveryOneFullAccessForNullDacl) { dacl = null; } else { dacl = _securityDescriptor.DiscretionaryAcl; } if ((_securityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclProtected) != 0) { securityInfo = unchecked ((SecurityInfos)((uint)securityInfo | ProtectedDiscretionaryAcl)); } else { securityInfo = (SecurityInfos)((uint)securityInfo | UnprotectedDiscretionaryAcl); } } if (securityInfo == 0) { // // Nothing to persist // return; } error = Win32.SetSecurityInfo(_resourceType, name, handle, securityInfo, owner, group, sacl, dacl); if (error != Interop.Errors.ERROR_SUCCESS) { System.Exception exception = null; if (_exceptionFromErrorCode != null) { exception = _exceptionFromErrorCode(error, name, handle, exceptionContext); } if (exception == null) { if (error == Interop.Errors.ERROR_ACCESS_DENIED) { exception = new UnauthorizedAccessException(); } else if (error == Interop.Errors.ERROR_INVALID_OWNER) { exception = new InvalidOperationException(SR.AccessControl_InvalidOwner); } else if (error == Interop.Errors.ERROR_INVALID_PRIMARY_GROUP) { exception = new InvalidOperationException(SR.AccessControl_InvalidGroup); } else if (error == Interop.Errors.ERROR_INVALID_NAME) { exception = new ArgumentException(SR.Argument_InvalidName, nameof(name)); } else if (error == Interop.Errors.ERROR_INVALID_HANDLE) { exception = new NotSupportedException(SR.AccessControl_InvalidHandle); } else if (error == Interop.Errors.ERROR_FILE_NOT_FOUND) { exception = new FileNotFoundException(); } else if (error == Interop.Errors.ERROR_NO_SECURITY_ON_OBJECT) { exception = new NotSupportedException(SR.AccessControl_NoAssociatedSecurity); } else { Debug.Fail($"Unexpected error code {error}"); exception = new InvalidOperationException(SR.Format(SR.AccessControl_UnexpectedError, error)); } } throw exception; } // // Everything goes well, let us clean the modified flags. // We are in proper write lock, so just go ahead // this.OwnerModified = false; this.GroupModified = false; this.AccessRulesModified = false; this.AuditRulesModified = false; } finally { WriteUnlock(); } }
private void Persist(string name, SafeHandle handle, AccessControlSections includeSections, object exceptionContext) { this.WriteLock(); try { SecurityInfos securityInformation = (SecurityInfos)0; SecurityIdentifier owner = (SecurityIdentifier)null; SecurityIdentifier group = (SecurityIdentifier)null; SystemAcl systemAcl = (SystemAcl)null; DiscretionaryAcl discretionaryAcl = (DiscretionaryAcl)null; if ((includeSections & AccessControlSections.Owner) != AccessControlSections.None && this._securityDescriptor.Owner != (SecurityIdentifier)null) { securityInformation |= SecurityInfos.Owner; owner = this._securityDescriptor.Owner; } if ((includeSections & AccessControlSections.Group) != AccessControlSections.None && this._securityDescriptor.Group != (SecurityIdentifier)null) { securityInformation |= SecurityInfos.Group; group = this._securityDescriptor.Group; } if ((includeSections & AccessControlSections.Audit) != AccessControlSections.None) { SecurityInfos securityInfos = securityInformation | SecurityInfos.SystemAcl; systemAcl = !this._securityDescriptor.IsSystemAclPresent || this._securityDescriptor.SystemAcl == null || this._securityDescriptor.SystemAcl.Count <= 0 ? (SystemAcl)null : this._securityDescriptor.SystemAcl; securityInformation = (this._securityDescriptor.ControlFlags & ControlFlags.SystemAclProtected) == ControlFlags.None ? securityInfos | (SecurityInfos)this.UnprotectedSystemAcl : securityInfos | (SecurityInfos)this.ProtectedSystemAcl; } if ((includeSections & AccessControlSections.Access) != AccessControlSections.None && this._securityDescriptor.IsDiscretionaryAclPresent) { SecurityInfos securityInfos = securityInformation | SecurityInfos.DiscretionaryAcl; discretionaryAcl = !this._securityDescriptor.DiscretionaryAcl.EveryOneFullAccessForNullDacl ? this._securityDescriptor.DiscretionaryAcl : (DiscretionaryAcl)null; securityInformation = (this._securityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclProtected) == ControlFlags.None ? securityInfos | (SecurityInfos)this.UnprotectedDiscretionaryAcl : securityInfos | (SecurityInfos)this.ProtectedDiscretionaryAcl; } if (securityInformation == (SecurityInfos)0) { return; } int errorCode = Win32.SetSecurityInfo(this._resourceType, name, handle, securityInformation, owner, group, (GenericAcl)systemAcl, (GenericAcl)discretionaryAcl); if (errorCode != 0) { Exception exception = (Exception)null; if (this._exceptionFromErrorCode != null) { exception = this._exceptionFromErrorCode(errorCode, name, handle, exceptionContext); } if (exception == null) { if (errorCode == 5) { exception = (Exception) new UnauthorizedAccessException(); } else if (errorCode == 1307) { exception = (Exception) new InvalidOperationException(Environment.GetResourceString("AccessControl_InvalidOwner")); } else if (errorCode == 1308) { exception = (Exception) new InvalidOperationException(Environment.GetResourceString("AccessControl_InvalidGroup")); } else if (errorCode == 123) { exception = (Exception) new ArgumentException(Environment.GetResourceString("Argument_InvalidName"), "name"); } else if (errorCode == 6) { exception = (Exception) new NotSupportedException(Environment.GetResourceString("AccessControl_InvalidHandle")); } else if (errorCode == 2) { exception = (Exception) new FileNotFoundException(); } else if (errorCode == 1350) { exception = (Exception) new NotSupportedException(Environment.GetResourceString("AccessControl_NoAssociatedSecurity")); } else { exception = (Exception) new InvalidOperationException(Environment.GetResourceString("AccessControl_UnexpectedError", (object)errorCode)); } } throw exception; } this.OwnerModified = false; this.GroupModified = false; this.AccessRulesModified = false; this.AuditRulesModified = false; } finally { this.WriteUnlock(); } }
public void ContainerAndDSConsistencyEnforcedB () { SecurityIdentifier userSid = new SecurityIdentifier (WellKnownSidType.LocalSystemSid, null); SecurityIdentifier groupSid = new SecurityIdentifier (WellKnownSidType.BuiltinAdministratorsSid, null); SystemAcl sacl = new SystemAcl (false, false, 0); new CommonSecurityDescriptor (true, false, ControlFlags.None, userSid, groupSid, sacl, null); }