mirror of https://github.com/raandree/NTFSSecurity
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
264 lines
14 KiB
264 lines
14 KiB
/* Copyright (C) 2008-2016 Peter Palotas, Jeffrey Jangli, Alexandr Normuradov
|
|
*
|
|
* Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
* of this software and associated documentation files (the "Software"), to deal
|
|
* in the Software without restriction, including without limitation the rights
|
|
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
* copies of the Software, and to permit persons to whom the Software is
|
|
* furnished to do so, subject to the following conditions:
|
|
*
|
|
* The above copyright notice and this permission notice shall be included in
|
|
* all copies or substantial portions of the Software.
|
|
*
|
|
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
|
* THE SOFTWARE.
|
|
*/
|
|
|
|
using System;
|
|
using System.Diagnostics.CodeAnalysis;
|
|
using System.Runtime.InteropServices;
|
|
using System.Security;
|
|
using System.Security.AccessControl;
|
|
using Alphaleonis.Win32.Security;
|
|
using Microsoft.Win32.SafeHandles;
|
|
|
|
namespace Alphaleonis.Win32.Filesystem
|
|
{
|
|
partial class File
|
|
{
|
|
/// <summary>Applies access control list (ACL) entries described by a <see cref="FileSecurity"/> FileSecurity object to the specified file.</summary>
|
|
/// <exception cref="ArgumentNullException"/>
|
|
/// <exception cref="ArgumentException"/>
|
|
/// <exception cref="NotSupportedException"/>
|
|
/// <param name="path">A file to add or remove access control list (ACL) entries from.</param>
|
|
/// <param name="fileSecurity">A <see cref="FileSecurity"/> object that describes an ACL entry to apply to the file described by the <paramref name="path"/> parameter.</param>
|
|
[SuppressMessage("Microsoft.Design", "CA1011:ConsiderPassingBaseTypesAsParameters")]
|
|
[SecurityCritical]
|
|
public static void SetAccessControl(string path, FileSecurity fileSecurity)
|
|
{
|
|
SetAccessControlCore(path, null, fileSecurity, AccessControlSections.All, PathFormat.RelativePath);
|
|
}
|
|
|
|
/// <summary>Applies access control list (ACL) entries described by a <see cref="DirectorySecurity"/> object to the specified directory.</summary>
|
|
/// <exception cref="ArgumentNullException"/>
|
|
/// <exception cref="ArgumentException"/>
|
|
/// <exception cref="NotSupportedException"/>
|
|
/// <param name="path">A directory to add or remove access control list (ACL) entries from.</param>
|
|
/// <param name="fileSecurity">A <see cref="FileSecurity "/> object that describes an ACL entry to apply to the directory described by the path parameter.</param>
|
|
/// <param name="includeSections">One or more of the <see cref="AccessControlSections"/> values that specifies the type of access control list (ACL) information to set.</param>
|
|
[SuppressMessage("Microsoft.Design", "CA1011:ConsiderPassingBaseTypesAsParameters")]
|
|
[SecurityCritical]
|
|
public static void SetAccessControl(string path, FileSecurity fileSecurity, AccessControlSections includeSections)
|
|
{
|
|
SetAccessControlCore(path, null, fileSecurity, includeSections, PathFormat.RelativePath);
|
|
}
|
|
|
|
|
|
/// <summary>[AlphaFS] Applies access control list (ACL) entries described by a <see cref="FileSecurity"/> FileSecurity object to the specified file.</summary>
|
|
/// <exception cref="ArgumentNullException"/>
|
|
/// <exception cref="ArgumentException"/>
|
|
/// <exception cref="NotSupportedException"/>
|
|
/// <param name="path">A file to add or remove access control list (ACL) entries from.</param>
|
|
/// <param name="fileSecurity">A <see cref="FileSecurity"/> object that describes an ACL entry to apply to the file described by the <paramref name="path"/> parameter.</param>
|
|
/// <param name="pathFormat">Indicates the format of the path parameter(s).</param>
|
|
[SuppressMessage("Microsoft.Design", "CA1011:ConsiderPassingBaseTypesAsParameters")]
|
|
[SecurityCritical]
|
|
public static void SetAccessControl(string path, FileSecurity fileSecurity, PathFormat pathFormat)
|
|
{
|
|
SetAccessControlCore(path, null, fileSecurity, AccessControlSections.All, pathFormat);
|
|
}
|
|
|
|
/// <summary>[AlphaFS] Applies access control list (ACL) entries described by a <see cref="DirectorySecurity"/> object to the specified directory.</summary>
|
|
/// <exception cref="ArgumentNullException"/>
|
|
/// <exception cref="ArgumentException"/>
|
|
/// <exception cref="NotSupportedException"/>
|
|
/// <param name="path">A directory to add or remove access control list (ACL) entries from.</param>
|
|
/// <param name="fileSecurity">A <see cref="FileSecurity "/> object that describes an ACL entry to apply to the directory described by the path parameter.</param>
|
|
/// <param name="includeSections">One or more of the <see cref="AccessControlSections"/> values that specifies the type of access control list (ACL) information to set.</param>
|
|
/// <param name="pathFormat">Indicates the format of the path parameter(s).</param>
|
|
[SuppressMessage("Microsoft.Design", "CA1011:ConsiderPassingBaseTypesAsParameters")]
|
|
[SecurityCritical]
|
|
public static void SetAccessControl(string path, FileSecurity fileSecurity, AccessControlSections includeSections, PathFormat pathFormat)
|
|
{
|
|
SetAccessControlCore(path, null, fileSecurity, includeSections, pathFormat);
|
|
}
|
|
|
|
|
|
/// <summary>Applies access control list (ACL) entries described by a <see cref="FileSecurity"/> FileSecurity object to the specified file.</summary>
|
|
/// <exception cref="ArgumentNullException"/>
|
|
/// <exception cref="ArgumentException"/>
|
|
/// <exception cref="NotSupportedException"/>
|
|
/// <param name="handle">A <see cref="SafeFileHandle"/> to a file to add or remove access control list (ACL) entries from.</param>
|
|
/// <param name="fileSecurity">A <see cref="FileSecurity"/> object that describes an ACL entry to apply to the file described by the <paramref name="handle"/> parameter.</param>
|
|
[SuppressMessage("Microsoft.Design", "CA1011:ConsiderPassingBaseTypesAsParameters")]
|
|
[SecurityCritical]
|
|
public static void SetAccessControl(SafeFileHandle handle, FileSecurity fileSecurity)
|
|
{
|
|
SetAccessControlCore(null, handle, fileSecurity, AccessControlSections.All, PathFormat.LongFullPath);
|
|
}
|
|
|
|
/// <summary>Applies access control list (ACL) entries described by a <see cref="FileSecurity"/> FileSecurity object to the specified file.</summary>
|
|
/// <exception cref="ArgumentNullException"/>
|
|
/// <exception cref="ArgumentException"/>
|
|
/// <exception cref="NotSupportedException"/>
|
|
/// <param name="handle">A <see cref="SafeFileHandle"/> to a file to add or remove access control list (ACL) entries from.</param>
|
|
/// <param name="fileSecurity">A <see cref="FileSecurity"/> object that describes an ACL entry to apply to the file described by the <paramref name="handle"/> parameter.</param>
|
|
/// <param name="includeSections">One or more of the <see cref="AccessControlSections"/> values that specifies the type of access control list (ACL) information to set.</param>
|
|
[SuppressMessage("Microsoft.Design", "CA1011:ConsiderPassingBaseTypesAsParameters")]
|
|
[SecurityCritical]
|
|
public static void SetAccessControl(SafeFileHandle handle, FileSecurity fileSecurity, AccessControlSections includeSections)
|
|
{
|
|
SetAccessControlCore(null, handle, fileSecurity, includeSections, PathFormat.LongFullPath);
|
|
}
|
|
|
|
|
|
|
|
|
|
/// <summary>[AlphaFS] Applies access control list (ACL) entries described by a <see cref="FileSecurity"/>/<see cref="DirectorySecurity"/> object to the specified file or directory.</summary>
|
|
/// <remarks>Use either <paramref name="path"/> or <paramref name="handle"/>, not both.</remarks>
|
|
/// <exception cref="ArgumentNullException"/>
|
|
/// <exception cref="ArgumentException"/>
|
|
/// <exception cref="NotSupportedException"/>
|
|
/// <param name="path">A file/directory to add or remove access control list (ACL) entries from. This parameter This parameter may be <see langword="null"/>.</param>
|
|
/// <param name="handle">A <see cref="SafeFileHandle"/> to add or remove access control list (ACL) entries from. This parameter This parameter may be <see langword="null"/>.</param>
|
|
/// <param name="objectSecurity">A <see cref="FileSecurity"/>/<see cref="DirectorySecurity"/> object that describes an ACL entry to apply to the file/directory described by the <paramref name="path"/>/<paramref name="handle"/> parameter.</param>
|
|
/// <param name="includeSections">One or more of the <see cref="AccessControlSections"/> values that specifies the type of access control list (ACL) information to set.</param>
|
|
/// <param name="pathFormat">Indicates the format of the path parameter(s).</param>
|
|
[SuppressMessage("Microsoft.Maintainability", "CA1502:AvoidExcessiveComplexity")]
|
|
[SecurityCritical]
|
|
internal static void SetAccessControlCore(string path, SafeFileHandle handle, ObjectSecurity objectSecurity, AccessControlSections includeSections, PathFormat pathFormat)
|
|
{
|
|
if (pathFormat == PathFormat.RelativePath)
|
|
Path.CheckSupportedPathFormat(path, true, true);
|
|
|
|
if (objectSecurity == null)
|
|
throw new ArgumentNullException("objectSecurity");
|
|
|
|
|
|
byte[] managedDescriptor = objectSecurity.GetSecurityDescriptorBinaryForm();
|
|
|
|
using (var safeBuffer = new SafeGlobalMemoryBufferHandle(managedDescriptor.Length))
|
|
{
|
|
string pathLp = Path.GetExtendedLengthPathCore(null, path, pathFormat, GetFullPathOptions.RemoveTrailingDirectorySeparator | GetFullPathOptions.CheckInvalidPathChars);
|
|
|
|
safeBuffer.CopyFrom(managedDescriptor, 0, managedDescriptor.Length);
|
|
|
|
SecurityDescriptorControl control;
|
|
uint revision;
|
|
|
|
if (!Security.NativeMethods.GetSecurityDescriptorControl(safeBuffer, out control, out revision))
|
|
NativeError.ThrowException(Marshal.GetLastWin32Error(), pathLp);
|
|
|
|
|
|
PrivilegeEnabler privilegeEnabler = null;
|
|
|
|
try
|
|
{
|
|
var securityInfo = SecurityInformation.None;
|
|
IntPtr pDacl = IntPtr.Zero;
|
|
|
|
if ((includeSections & AccessControlSections.Access) != 0)
|
|
{
|
|
bool daclDefaulted, daclPresent;
|
|
|
|
if (!Security.NativeMethods.GetSecurityDescriptorDacl(safeBuffer, out daclPresent, out pDacl, out daclDefaulted))
|
|
NativeError.ThrowException(Marshal.GetLastWin32Error(), pathLp);
|
|
|
|
if (daclPresent)
|
|
{
|
|
securityInfo |= SecurityInformation.Dacl;
|
|
securityInfo |= (control & SecurityDescriptorControl.DaclProtected) != 0
|
|
? SecurityInformation.ProtectedDacl
|
|
: SecurityInformation.UnprotectedDacl;
|
|
}
|
|
}
|
|
|
|
|
|
IntPtr pSacl = IntPtr.Zero;
|
|
|
|
if ((includeSections & AccessControlSections.Audit) != 0)
|
|
{
|
|
bool saclDefaulted, saclPresent;
|
|
|
|
if (!Security.NativeMethods.GetSecurityDescriptorSacl(safeBuffer, out saclPresent, out pSacl, out saclDefaulted))
|
|
NativeError.ThrowException(Marshal.GetLastWin32Error(), pathLp);
|
|
|
|
if (saclPresent)
|
|
{
|
|
securityInfo |= SecurityInformation.Sacl;
|
|
securityInfo |= (control & SecurityDescriptorControl.SaclProtected) != 0
|
|
? SecurityInformation.ProtectedSacl
|
|
: SecurityInformation.UnprotectedSacl;
|
|
|
|
privilegeEnabler = new PrivilegeEnabler(Privilege.Security);
|
|
}
|
|
}
|
|
|
|
|
|
IntPtr pOwner = IntPtr.Zero;
|
|
|
|
if ((includeSections & AccessControlSections.Owner) != 0)
|
|
{
|
|
bool ownerDefaulted;
|
|
|
|
if (!Security.NativeMethods.GetSecurityDescriptorOwner(safeBuffer, out pOwner, out ownerDefaulted))
|
|
NativeError.ThrowException(Marshal.GetLastWin32Error(), pathLp);
|
|
|
|
if (pOwner != IntPtr.Zero)
|
|
securityInfo |= SecurityInformation.Owner;
|
|
}
|
|
|
|
|
|
IntPtr pGroup = IntPtr.Zero;
|
|
|
|
if ((includeSections & AccessControlSections.Group) != 0)
|
|
{
|
|
bool groupDefaulted;
|
|
|
|
if (!Security.NativeMethods.GetSecurityDescriptorGroup(safeBuffer, out pGroup, out groupDefaulted))
|
|
NativeError.ThrowException(Marshal.GetLastWin32Error(), pathLp);
|
|
|
|
if (pGroup != IntPtr.Zero)
|
|
securityInfo |= SecurityInformation.Group;
|
|
}
|
|
|
|
|
|
uint lastError;
|
|
|
|
if (!Utils.IsNullOrWhiteSpace(pathLp))
|
|
{
|
|
// SetNamedSecurityInfo()
|
|
// In the ANSI version of this function, the name is limited to MAX_PATH characters.
|
|
// To extend this limit to 32,767 wide characters, call the Unicode version of the function and prepend "\\?\" to the path.
|
|
// 2013-01-13: MSDN does not confirm LongPath usage but a Unicode version of this function exists.
|
|
|
|
lastError = Security.NativeMethods.SetNamedSecurityInfo(pathLp, ObjectType.FileObject, securityInfo, pOwner, pGroup, pDacl, pSacl);
|
|
|
|
if (lastError != Win32Errors.ERROR_SUCCESS)
|
|
NativeError.ThrowException(lastError, pathLp);
|
|
}
|
|
else
|
|
{
|
|
if (NativeMethods.IsValidHandle(handle))
|
|
{
|
|
lastError = Security.NativeMethods.SetSecurityInfo(handle, ObjectType.FileObject, securityInfo, pOwner, pGroup, pDacl, pSacl);
|
|
|
|
if (lastError != Win32Errors.ERROR_SUCCESS)
|
|
NativeError.ThrowException((int) lastError);
|
|
}
|
|
}
|
|
}
|
|
finally
|
|
{
|
|
if (privilegeEnabler != null)
|
|
privilegeEnabler.Dispose();
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|