|
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322 |
- using Alphaleonis.Win32.Filesystem;
- using Microsoft.Win32.SafeHandles;
- using System;
- using System.Collections.Generic;
- using System.ComponentModel;
- using System.Runtime.InteropServices;
- using System.Security.AccessControl;
-
- namespace Security2
- {
- internal partial class Win32
- {
- internal const string AUTHZ_OBJECTUUID_WITHCAP = "9a81c2bd-a525-471d-a4ed-49907c0b23da";
- internal const string RCP_OVER_TCP_PROTOCOL = "ncacn_ip_tcp";
-
- IntPtr userClientCtxt = IntPtr.Zero;
- SafeAuthzRMHandle authzRM;
- IntPtr pGrantedAccess = IntPtr.Zero;
- IntPtr pErrorSecObj = IntPtr.Zero;
-
- #region GetInheritedFrom
- public static List<string> GetInheritedFrom(FileSystemInfo item, ObjectSecurity sd)
- {
- var inheritedFrom = new List<string>();
-
- var sdBytes = sd.GetSecurityDescriptorBinaryForm();
- byte[] aclBytes = null;
- var rawSd = new RawSecurityDescriptor(sdBytes, 0);
-
- var aceCount = 0;
-
- if (rawSd.SystemAcl != null)
- {
- aceCount = rawSd.SystemAcl.Count;
- aclBytes = new byte[rawSd.SystemAcl.BinaryLength];
- rawSd.SystemAcl.GetBinaryForm(aclBytes, 0);
-
- try
- {
- inheritedFrom = GetInheritedFrom(item.FullName,
- aclBytes,
- aceCount,
- item is DirectoryInfo ? true : false,
- SECURITY_INFORMATION.SACL_SECURITY_INFORMATION);
- }
- catch
- {
- inheritedFrom = new List<string>();
- for (int i = 0; i < aceCount; i++)
- {
- inheritedFrom.Add("unknown parent");
- }
- }
- }
- else if (rawSd.DiscretionaryAcl != null)
- {
- aceCount = rawSd.DiscretionaryAcl.Count;
- aclBytes = new byte[rawSd.DiscretionaryAcl.BinaryLength];
- rawSd.DiscretionaryAcl.GetBinaryForm(aclBytes, 0);
-
- try
- {
- inheritedFrom = GetInheritedFrom(item.FullName,
- aclBytes,
- aceCount,
- item is DirectoryInfo ? true : false,
- SECURITY_INFORMATION.DACL_SECURITY_INFORMATION);
- }
- catch
- {
- inheritedFrom = new List<string>();
- for (int i = 0; i < aceCount; i++)
- {
- inheritedFrom.Add("unknown parent");
- }
- }
- }
-
- return inheritedFrom;
- }
- public static List<string> GetInheritedFrom(string path, byte[] aclBytes, int aceCount, bool isContainer, SECURITY_INFORMATION aclType)
- {
- var inheritedFrom = new List<string>();
- path = Path.GetLongPath(path);
-
- uint returnValue = 0;
- GENERIC_MAPPING genericMap = new GENERIC_MAPPING();
- genericMap.GenericRead = (uint)MappedGenericRights.FILE_GENERIC_READ;
- genericMap.GenericWrite = (uint)MappedGenericRights.FILE_GENERIC_WRITE;
- genericMap.GenericExecute = (uint)MappedGenericRights.FILE_GENERIC_EXECUTE;
- genericMap.GenericAll = (uint)MappedGenericRights.FILE_GENERIC_ALL;
-
- var pInheritInfo = Marshal.AllocHGlobal(aceCount * Marshal.SizeOf(typeof(PINHERITED_FROM)));
-
- returnValue = GetInheritanceSource(
- path,
- ResourceType.FileObject,
- aclType,
- isContainer,
- IntPtr.Zero,
- 0,
- aclBytes,
- IntPtr.Zero,
- ref genericMap,
- pInheritInfo
- );
-
- if (returnValue != 0)
- {
- throw new System.ComponentModel.Win32Exception((int)returnValue);
- }
-
- for (int i = 0; i < aceCount; i++)
- {
- var inheritInfo = pInheritInfo.ElementAt<PINHERITED_FROM>(i);
-
- inheritedFrom.Add(
- !string.IsNullOrEmpty(inheritInfo.AncestorName) && inheritInfo.AncestorName.StartsWith(@"\\?\") ? inheritInfo.AncestorName.Substring(4) : inheritInfo.AncestorName
- );
- }
-
- FreeInheritedFromArray(pInheritInfo, (ushort)aceCount, IntPtr.Zero);
- Marshal.FreeHGlobal(pInheritInfo);
-
- return inheritedFrom;
- }
- #endregion GetInheritedFrom
-
- public int GetEffectiveAccess(ObjectSecurity sd, IdentityReference2 identity, string serverName, out bool remoteServerAvailable, out Exception authzException)
- {
- int effectiveAccess = 0;
- remoteServerAvailable = false;
- authzException = null;
-
- try
- {
- GetEffectivePermissions_AuthzInitializeResourceManager(serverName, out remoteServerAvailable);
-
- try
- {
- GetEffectivePermissions_AuthzInitializeContextFromSid(identity);
- effectiveAccess = GetEffectivePermissions_AuthzAccessCheck(sd);
- }
- catch (Exception ex)
- {
- authzException = ex;
- }
- }
- catch
- { }
- finally
- {
- GetEffectivePermissions_FreeResouces();
- }
-
- return effectiveAccess;
- }
-
- #region Win32 Wrapper
- private void GetEffectivePermissions_AuthzInitializeResourceManager(string serverName, out bool remoteServerAvailable)
- {
- remoteServerAvailable = false;
-
- var rpcInitInfo = new AUTHZ_RPC_INIT_INFO_CLIENT();
-
- rpcInitInfo.version = AuthzRpcClientVersion.V1;
- rpcInitInfo.objectUuid = AUTHZ_OBJECTUUID_WITHCAP;
- rpcInitInfo.protocol = RCP_OVER_TCP_PROTOCOL;
- rpcInitInfo.server = serverName;
-
- SafeHGlobalHandle pRpcInitInfo = SafeHGlobalHandle.AllocHGlobalStruct(rpcInitInfo);
- if (!AuthzInitializeRemoteResourceManager(pRpcInitInfo.ToIntPtr(), out authzRM))
- {
- int error = Marshal.GetLastWin32Error();
-
- if (error != Win32Error.EPT_S_NOT_REGISTERED) //if not RPC server unavailable
- {
- throw new Win32Exception(error);
- }
-
- if (serverName == "localhost")
- {
- remoteServerAvailable = true;
- }
-
- //
- // As a fallback we do AuthzInitializeResourceManager. But the results can be inaccurate.
- //
- if (!AuthzInitializeResourceManager(
- AuthzResourceManagerFlags.NO_AUDIT,
- IntPtr.Zero,
- IntPtr.Zero,
- IntPtr.Zero,
- "EffectiveAccessCheck",
- out authzRM))
- {
- throw new Win32Exception(Marshal.GetLastWin32Error());
- }
- }
- else
- {
- remoteServerAvailable = true;
- }
- }
-
- private void GetEffectivePermissions_AuthzInitializeContextFromSid(IdentityReference2 id)
- {
- var rawSid = id.GetBinaryForm();
-
- //
- // Create an AuthZ context based on the user account
- //
- if (!AuthzInitializeContextFromSid(
- AuthzInitFlags.Default,
- rawSid,
- authzRM,
- IntPtr.Zero,
- Win32.LUID.NullLuid,
- IntPtr.Zero,
- out userClientCtxt))
- {
- Win32Exception win32Expn = new Win32Exception(Marshal.GetLastWin32Error());
-
- if (win32Expn.NativeErrorCode != Win32Error.RPC_S_SERVER_UNAVAILABLE)
- {
- throw win32Expn;
- }
- }
- }
-
- private int GetEffectivePermissions_AuthzAccessCheck(ObjectSecurity sd)
- {
- var request = new AUTHZ_ACCESS_REQUEST();
- request.DesiredAccess = StdAccess.MAXIMUM_ALLOWED;
- request.PrincipalSelfSid = null;
- request.ObjectTypeList = IntPtr.Zero;
- request.ObjectTypeListLength = 0;
- request.OptionalArguments = IntPtr.Zero;
-
- var reply = new AUTHZ_ACCESS_REPLY();
- reply.ResultListLength = 1;
- reply.SaclEvaluationResults = IntPtr.Zero;
- reply.GrantedAccessMask = pGrantedAccess = Marshal.AllocHGlobal(sizeof(uint));
- reply.Error = pErrorSecObj = Marshal.AllocHGlobal(sizeof(uint));
-
- byte[] rawSD = sd.GetSecurityDescriptorBinaryForm();
-
- if (!AuthzAccessCheck(
- AuthzACFlags.None,
- userClientCtxt,
- ref request,
- IntPtr.Zero,
- rawSD,
- null,
- 0,
- ref reply,
- IntPtr.Zero))
- {
- var error = Marshal.GetLastWin32Error();
- if (error != 0)
- {
- throw new Win32Exception();
- }
- }
-
- var grantedAccess = Marshal.ReadInt32(pGrantedAccess);
-
- return grantedAccess;
- }
-
- private void GetEffectivePermissions_FreeResouces()
- {
- Marshal.FreeHGlobal(pGrantedAccess);
- Marshal.FreeHGlobal(pErrorSecObj);
-
- if (userClientCtxt != IntPtr.Zero)
- {
- AuthzFreeContext(userClientCtxt);
- userClientCtxt = IntPtr.Zero;
- }
- }
-
- static RawSecurityDescriptor GetRawSecurityDescriptor(SafeFileHandle handle, SecurityInformationClass infoClass)
- {
- return new RawSecurityDescriptor(GetByteSecurityDescriptor(handle, infoClass), 0);
- }
-
- public static byte[] GetByteSecurityDescriptor(SafeFileHandle handle, SecurityInformationClass infoClass)
- {
- var tempSD = IntPtr.Zero;
- var buffer = new byte[0];
- try
- {
- uint error = GetSecurityInfo(handle,
- ObjectType.File,
- infoClass,
- IntPtr.Zero,
- IntPtr.Zero,
- IntPtr.Zero,
- IntPtr.Zero,
- out tempSD);
- if (error != Win32Error.ERROR_SUCCESS)
- {
- throw new Win32Exception(Marshal.GetLastWin32Error());
- }
-
- UInt32 sdLength = GetSecurityDescriptorLength(tempSD);
-
- buffer = new byte[sdLength];
- Marshal.Copy(tempSD, buffer, 0, (int)sdLength);
- }
- finally
- {
- Marshal.FreeHGlobal(tempSD);
- tempSD = IntPtr.Zero;
- }
-
- return buffer;
- }
- #endregion
- }
- }
|