Powershell-Modules
/
NTFSSecurity-Module
mirror of https://github.com/raandree/NTFSSecurity
1
0
Fork 0
Code Issues 0 Releases 3 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3 Commits
3 Branches
11 MiB
 
 
Tree: 34a13efb74
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '34a13efb74'
${ noResults }
NTFSSecurity-Module/AlphaFS/Filesystem/File Class/File.GetAccessControl.cs

256 lines
14 KiB
Raw Blame History 

  1. /*  Copyright (C) 2008-2016 Peter Palotas, Jeffrey Jangli, Alexandr Normuradov

  2.  *  

  3.  *  Permission is hereby granted, free of charge, to any person obtaining a copy 

  4.  *  of this software and associated documentation files (the "Software"), to deal 

  5.  *  in the Software without restriction, including without limitation the rights 

  6.  *  to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 

  7.  *  copies of the Software, and to permit persons to whom the Software is 

  8.  *  furnished to do so, subject to the following conditions:

  9.  *  

  10.  *  The above copyright notice and this permission notice shall be included in 

  11.  *  all copies or substantial portions of the Software.

  12.  *  

  13.  *  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 

  14.  *  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 

  15.  *  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 

  16.  *  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 

  17.  *  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 

  18.  *  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 

  19.  *  THE SOFTWARE. 

  20.  */

  21. 

  22. using System;

  23. using System.Diagnostics.CodeAnalysis;

  24. using System.IO;

  25. using System.Runtime.InteropServices;

  26. using System.Security;

  27. using System.Security.AccessControl;

  28. using Alphaleonis.Win32.Security;

  29. using Microsoft.Win32.SafeHandles;

  30. 

  31. namespace Alphaleonis.Win32.Filesystem

  32. {

  33.    partial class File

  34.    {

  35.       /// <summary>Gets a <see cref="FileSecurity"/> object that encapsulates the access control list (ACL) entries for a specified file.</summary>

  36.       /// <returns>A <see cref="FileSecurity"/> object that encapsulates the access control rules for the file described by the <paramref name="path"/> parameter.</returns>      

  37.       /// <exception cref="IOException"/>

  38.       /// <exception cref="ArgumentException"/>

  39.       /// <exception cref="ArgumentNullException"/>

  40.       /// <param name="path">The path to a file containing a <see cref="FileSecurity"/> object that describes the file's access control list (ACL) information.</param>

  41.       [SecurityCritical]

  42.       public static FileSecurity GetAccessControl(string path)

  43.       {

  44.          return GetAccessControlCore<FileSecurity>(false, path, AccessControlSections.Access | AccessControlSections.Group | AccessControlSections.Owner, PathFormat.RelativePath);

  45.       }

  46. 

  47.       /// <summary>Gets a <see cref="FileSecurity"/> object that encapsulates the access control list (ACL) entries for a specified file.</summary>

  48.       /// <returns>A <see cref="FileSecurity"/> object that encapsulates the access control rules for the file described by the <paramref name="path"/> parameter.</returns>      

  49.       /// <exception cref="IOException"/>

  50.       /// <exception cref="ArgumentException"/>

  51.       /// <exception cref="ArgumentNullException"/>

  52.       /// <param name="path">The path to a file containing a <see cref="FileSecurity"/> object that describes the file's access control list (ACL) information.</param>

  53.       /// <param name="includeSections">One (or more) of the <see cref="AccessControlSections"/> values that specifies the type of access control list (ACL) information to receive.</param>

  54.       [SecurityCritical]

  55.       public static FileSecurity GetAccessControl(string path, AccessControlSections includeSections)

  56.       {

  57.          return GetAccessControlCore<FileSecurity>(false, path, includeSections, PathFormat.RelativePath);

  58.       }

  59. 

  60. 

  61.       /// <summary>[AlphaFS] Gets a <see cref="FileSecurity"/> object that encapsulates the access control list (ACL) entries for a specified file.</summary>

  62.       /// <returns>A <see cref="FileSecurity"/> object that encapsulates the access control rules for the file described by the <paramref name="path"/> parameter.</returns>      

  63.       /// <exception cref="IOException"/>

  64.       /// <exception cref="ArgumentException"/>

  65.       /// <exception cref="ArgumentNullException"/>

  66.       /// <param name="path">The path to a file containing a <see cref="FileSecurity"/> object that describes the file's access control list (ACL) information.</param>

  67.       /// <param name="pathFormat">Indicates the format of the path parameter(s).</param>

  68.       [SecurityCritical]

  69.       public static FileSecurity GetAccessControl(string path, PathFormat pathFormat)

  70.       {

  71.          return GetAccessControlCore<FileSecurity>(false, path, AccessControlSections.Access | AccessControlSections.Group | AccessControlSections.Owner, pathFormat);

  72.       }

  73. 

  74.       /// <summary>[AlphaFS] Gets a <see cref="FileSecurity"/> object that encapsulates the access control list (ACL) entries for a specified file.</summary>

  75.       /// <returns>A <see cref="FileSecurity"/> object that encapsulates the access control rules for the file described by the <paramref name="path"/> parameter.</returns>

  76.       /// <exception cref="IOException"/>

  77.       /// <exception cref="ArgumentException"/>

  78.       /// <exception cref="ArgumentNullException"/>

  79.       /// <param name="path">The path to a file containing a <see cref="FileSecurity"/> object that describes the file's access control list (ACL) information.</param>

  80.       /// <param name="includeSections">One (or more) of the <see cref="AccessControlSections"/> values that specifies the type of access control list (ACL) information to receive.</param>

  81.       /// <param name="pathFormat">Indicates the format of the path parameter(s).</param>

  82.       [SecurityCritical]

  83.       public static FileSecurity GetAccessControl(string path, AccessControlSections includeSections, PathFormat pathFormat)

  84.       {

  85.          return GetAccessControlCore<FileSecurity>(false, path, includeSections, pathFormat);

  86.       }

  87. 

  88. 

  89.       /// <summary>[AlphaFS] Gets a <see cref="FileSecurity"/> object that encapsulates the access control list (ACL) entries for a specified file handle.</summary>

  90.       /// <returns>A <see cref="FileSecurity"/> object that encapsulates the access control rules for the file described by the <paramref name="handle"/> parameter.</returns>      

  91.       /// <exception cref="IOException"/>

  92.       /// <exception cref="ArgumentException"/>

  93.       /// <exception cref="ArgumentNullException"/>

  94.       /// <param name="handle">A <see cref="SafeHandle"/> to a file containing a <see cref="FileSecurity"/> object that describes the file's access control list (ACL) information.</param>

  95.       [SecurityCritical]

  96.       public static FileSecurity GetAccessControl(SafeFileHandle handle)

  97.       {

  98.          return GetAccessControlHandleCore<FileSecurity>(false, false, handle, AccessControlSections.Access | AccessControlSections.Group | AccessControlSections.Owner, SecurityInformation.None);

  99.       }

  100. 

  101.       /// <summary>[AlphaFS] Gets a <see cref="FileSecurity"/> object that encapsulates the access control list (ACL) entries for a specified file handle.</summary>

  102.       /// <returns>A <see cref="FileSecurity"/> object that encapsulates the access control rules for the file described by the <paramref name="handle"/> parameter.</returns>      

  103.       /// <exception cref="IOException"/>

  104.       /// <exception cref="ArgumentException"/>

  105.       /// <exception cref="ArgumentNullException"/>

  106.       /// <param name="handle">A <see cref="SafeHandle"/> to a file containing a <see cref="FileSecurity"/> object that describes the file's access control list (ACL) information.</param>

  107.       /// <param name="includeSections">One (or more) of the <see cref="AccessControlSections"/> values that specifies the type of access control list (ACL) information to receive.</param>

  108.       [SecurityCritical]

  109.       public static FileSecurity GetAccessControl(SafeFileHandle handle, AccessControlSections includeSections)

  110.       {

  111.          return GetAccessControlHandleCore<FileSecurity>(false, false, handle, includeSections, SecurityInformation.None);

  112.       }

  113. 

  114. 

  115. 

  116. 

  117.       /// <summary>[AlphaFS] Gets an <see cref="ObjectSecurity"/> object for a particular file or directory.</summary>

  118.       /// <returns>An <see cref="ObjectSecurity"/> object that encapsulates the access control rules for the file or directory described by the <paramref name="path"/> parameter.</returns>

  119.       /// <exception cref="IOException"/>

  120.       /// <exception cref="ArgumentException"/>

  121.       /// <exception cref="ArgumentNullException"/>

  122.       /// <typeparam name="T">Generic type parameter.</typeparam>

  123.       /// <param name="isFolder">Specifies that <paramref name="path"/> is a file or directory.</param>

  124.       /// <param name="path">The path to a file/directory containing a <see cref="FileSecurity"/>/<see cref="DirectorySecurity"/> object that describes the file's/directory's access control list (ACL) information.</param>

  125.       /// <param name="includeSections">One (or more) of the <see cref="AccessControlSections"/> values that specifies the type of access control list (ACL) information to receive.</param>

  126.       /// <param name="pathFormat">Indicates the format of the path parameter(s).</param>

  127.       [SuppressMessage("Microsoft.Usage", "CA2202:Do not dispose objects multiple times", Justification = "Disposing is controlled.")]

  128.       [SecurityCritical]

  129.       internal static T GetAccessControlCore<T>(bool isFolder, string path, AccessControlSections includeSections, PathFormat pathFormat)

  130.       {

  131.          SecurityInformation securityInfo = CreateSecurityInformation(includeSections);

  132. 

  133. 

  134.          // We need the SE_SECURITY_NAME privilege enabled to be able to get the SACL descriptor.

  135.          // So we enable it here for the remainder of this function.

  136. 

  137.          PrivilegeEnabler privilege = null;

  138. 

  139.          if ((includeSections & AccessControlSections.Audit) != 0)

  140.             privilege = new PrivilegeEnabler(Privilege.Security);

  141. 

  142.          using (privilege)

  143.          {

  144.             IntPtr pSidOwner, pSidGroup, pDacl, pSacl;

  145.             SafeGlobalMemoryBufferHandle pSecurityDescriptor;

  146. 

  147.             string pathLp = Path.GetExtendedLengthPathCore(null, path, pathFormat, GetFullPathOptions.RemoveTrailingDirectorySeparator | GetFullPathOptions.FullCheck);

  148. 

  149. 

  150.             // Get/SetNamedSecurityInfo does not work with a handle but with a path, hence does not honor the privileges.

  151.             // It magically does since Windows Server 2012 / 8 but not in previous OS versions.

  152. 

  153.             uint lastError = Security.NativeMethods.GetNamedSecurityInfo(pathLp, ObjectType.FileObject, securityInfo,

  154.                out pSidOwner, out pSidGroup, out pDacl, out pSacl, out pSecurityDescriptor);

  155. 

  156. 

  157.             // When GetNamedSecurityInfo() fails with ACCESS_DENIED, try again using GetSecurityInfo().

  158. 

  159.             if (lastError == Win32Errors.ERROR_ACCESS_DENIED)

  160.                using (SafeFileHandle handle = CreateFileCore(null, pathLp, ExtendedFileAttributes.BackupSemantics, null, FileMode.Open, FileSystemRights.Read, FileShare.Read, false, PathFormat.LongFullPath))

  161.                   return GetAccessControlHandleCore<T>(true, isFolder, handle, includeSections, securityInfo);

  162. 

  163.             return GetSecurityDescriptor<T>(lastError, isFolder, pathLp, pSecurityDescriptor);

  164.          }

  165.       }

  166. 

  167. 

  168.       internal static T GetAccessControlHandleCore<T>(bool internalCall, bool isFolder, SafeFileHandle handle, AccessControlSections includeSections, SecurityInformation securityInfo)

  169.       {

  170.          if (!internalCall)

  171.             securityInfo = CreateSecurityInformation(includeSections);

  172. 

  173. 

  174.          // We need the SE_SECURITY_NAME privilege enabled to be able to get the SACL descriptor.

  175.          // So we enable it here for the remainder of this function.

  176.          

  177.          PrivilegeEnabler privilege = null;

  178. 

  179.          if (!internalCall && (includeSections & AccessControlSections.Audit) != 0)

  180.             privilege = new PrivilegeEnabler(Privilege.Security);

  181.          

  182.          using (privilege)

  183.          {

  184.             IntPtr pSidOwner, pSidGroup, pDacl, pSacl;

  185.             SafeGlobalMemoryBufferHandle pSecurityDescriptor;

  186. 

  187.             uint lastError = Security.NativeMethods.GetSecurityInfo(handle, ObjectType.FileObject, securityInfo,

  188.                out pSidOwner, out pSidGroup, out pDacl, out pSacl, out pSecurityDescriptor);

  189. 

  190.             return GetSecurityDescriptor<T>(lastError, isFolder, null, pSecurityDescriptor);

  191.          }

  192.       }

  193. 

  194. 

  195.       private static SecurityInformation CreateSecurityInformation(AccessControlSections includeSections)

  196.       {

  197.          var securityInfo = SecurityInformation.None;

  198. 

  199. 

  200.          if ((includeSections & AccessControlSections.Access) != 0)

  201.             securityInfo |= SecurityInformation.Dacl;

  202. 

  203.          if ((includeSections & AccessControlSections.Audit) != 0)

  204.             securityInfo |= SecurityInformation.Sacl;

  205. 

  206.          if ((includeSections & AccessControlSections.Group) != 0)

  207.             securityInfo |= SecurityInformation.Group;

  208. 

  209.          if ((includeSections & AccessControlSections.Owner) != 0)

  210.             securityInfo |= SecurityInformation.Owner;

  211.          

  212. 

  213.          return securityInfo;

  214.       }

  215. 

  216. 

  217.       private static T GetSecurityDescriptor<T>(uint lastError, bool isFolder, string path, SafeGlobalMemoryBufferHandle securityDescriptor)

  218.       {

  219.          ObjectSecurity objectSecurity;

  220. 

  221.          using (securityDescriptor)

  222.          {

  223.             if (lastError == Win32Errors.ERROR_FILE_NOT_FOUND || lastError == Win32Errors.ERROR_PATH_NOT_FOUND)

  224.                lastError = isFolder ? Win32Errors.ERROR_PATH_NOT_FOUND : Win32Errors.ERROR_FILE_NOT_FOUND;

  225. 

  226. 

  227.             // If the function fails, the return value is zero.

  228.             if (lastError != Win32Errors.ERROR_SUCCESS)

  229.             {

  230.                if (!Utils.IsNullOrWhiteSpace(path))

  231.                   NativeError.ThrowException(lastError, path);

  232.                else

  233.                   NativeError.ThrowException((int) lastError);

  234.             }

  235. 

  236.             if (!NativeMethods.IsValidHandle(securityDescriptor, false))

  237.                throw new IOException(Resources.Returned_Invalid_Security_Descriptor);

  238. 

  239. 

  240.             uint length = Security.NativeMethods.GetSecurityDescriptorLength(securityDescriptor);

  241. 

  242.             // Seems not to work: Method .CopyTo: length > Capacity, so an Exception is thrown.

  243.             //byte[] managedBuffer = new byte[length];

  244.             //pSecurityDescriptor.CopyTo(managedBuffer, 0, (int) length);

  245. 

  246.             byte[] managedBuffer = securityDescriptor.ToByteArray(0, (int) length);

  247. 

  248.             objectSecurity = isFolder ? (ObjectSecurity) new DirectorySecurity() : new FileSecurity();

  249.             objectSecurity.SetSecurityDescriptorBinaryForm(managedBuffer);

  250.          }

  251. 

  252.          return (T) (object) objectSecurity;

  253.       }

  254.    }

  255. }