Comments (11)
I guess I'm a little confused. All of those functions you have called are native library calls. Please tell me instead what information you have and what information you would like to retrieve. Maybe then I can point you to the native functions in this library or those in the .NET runtime that will accomplish what you want.
from vanara.
Hi, given a path
, I need to obtain the DACL and for each ACE, I need to obtain the SID, AccesMask and AccessType. All of that is achievable with the code above except for the ACE's associated SID. I am not clear what wrappers your library exposes to facilitate that?
from vanara.
I'm not sure if you've tried yet, but the .NET Framework already provides abstractions to read and update access rights on a file or directory. This article provides some basic info on that. If you are trying to enumerate the SIDs in an ACL, there are multiple examples for the Windows API function to do this. The Vanara libraries expose those functions as managed functions. If there are functions you need which are missing, please let me know.
from vanara.
Hi David,
I am aware I can do this much simpler in purely managed code, however I have other code I need to run with a sid and ace pointers so it is convenient to simply do it all with the same approach.
The component that I cannot seem to locate is a facility to obtain the sid when using the helper, or without making a call to obtain the underlying pointer from the library method, for example:
// How does one use the abstractions to obtain the sid through safe pointers based on the following?
ACCESS_ALLOWED_ACE ace = GetAce(ppDacl, i);
// I can obtain the sid using this approach, however it seems counter to the library to call DangerousGetHandle?
var result = GetAce(ppDacl, i, out PACE pAce);
IntPtr pSid = (IntPtr)((long)pAce.DangerousGetHandle() + (long)Marshal.OffsetOf(typeof(ACCESS_ALLOWED_ACE), "SidStart"));
int size = GetLengthSid(pSid);
byte[] bSID = new byte[size];
Marshal.Copy(pSid, bSID, 0, size);
from vanara.
My apologies. I've misunderstood from the beginning. I can definitely see why this is overly complicated. The ACCESS_ALLOWED_ACE
structure defines a member SidStart
that, according to the documentation, is the first DWORD
of a SID. So, using unsafe code, you can do the following:
unsafe
{
fixed(int* psid = &ace.SidStart)
{
return SafePSID.CreateFromPtr((IntPtr)(void*)psid);
}
}
from vanara.
No problem, however I apologize as I am still having issues;)
The code below results in a corrupt sid, however the acl and each ace are valid as the masks match (the ace
variable is already fixed, so the fixed statement had to be removed).
using System;
using System.Text;
using Vanara.PInvoke;
using static Vanara.PInvoke.AdvApi32;
using static Vanara.Security.AccessControl.AccessControlHelper;
class Program
{
static void Main()
{
var error = GetNamedSecurityInfo(
"\\\\?\\C:\\tmp\\sec",
SE_OBJECT_TYPE.SE_FILE_OBJECT,
SECURITY_INFORMATION.DACL_SECURITY_INFORMATION,
out PSID ppsidOwner,
out PSID ppsidGroup,
out PACL ppDacl,
out PACL ppSacl,
out SafeSecurityDescriptor ppSecurityDescriptor);
var aclInfo = GetAclInfo(ppDacl);
for (int i = 0; i < aclInfo.AceCount; i++)
{
ACCESS_ALLOWED_ACE ace = GetAce(ppDacl, i);
byte[] bSid;
unsafe
{
int* psid = &ace.SidStart;
using (var safePsid = SafePSID.CreateFromPtr((IntPtr)(void*)psid))
{
Console.WriteLine(safePsid.ToString());
bSid = safePsid.GetBinaryForm();
}
}
int accountSize = 1024;
int domainSize = 1024;
var account = new StringBuilder(accountSize);
var domain = new StringBuilder(domainSize);
var res = LookupAccountSid(null, bSid, account, ref accountSize, domain, ref domainSize, out SID_NAME_USE snu);
// res is always false and the output is empty.
}
}
}
from vanara.
I'm the process of updating a lot of the AdvApi32 space, but am not ready to publish. With my new updates, I am able to do what you're trying to do here and all the SIDs come through without throwing exceptions. I don't see anything wrong with your code though. What line is throwing an error with a corrupt SID?
from vanara.
Hi David, the call to SafePSID.CreateFromPtr((IntPtr)(void*)psid)
generates an invalid sid, no error is thrown but the value is simply arbitrary.
The ultimate use case I have is computing the effective permissions for a set of users against a remote share incorporating both share and ntfs acls. The older GetEffectiveRightsFromAcl
is known to be unreliable in most cases, so I am hoping to have better luck with authz.
Thanks for all the help!
from vanara.
I just gave AdvApi32 a lot of love. I would recommend against using AccessControlHelper
. I was shortsighted when I wrote it and it can cause memory access problems when the ACE is an object ACE. Here's how I would do the code above using just Vanara.PInvoke.Security
. The GetSid
and similar extension methods will show up in the next release due in the next few days.
using System;
using System.Text;
using Vanara.PInvoke;
using static Vanara.PInvoke.AdvApi32;
class Program
{
static void Main()
{
GetNamedSecurityInfo(fn, SE_OBJECT_TYPE.SE_FILE_OBJECT, SECURITY_INFORMATION.DACL_SECURITY_INFORMATION,
out _, out _, out var ppDacl, out _, out var ppSecurityDescriptor).ThrowIfFailed();
var aceCount = ppDacl.GetAclInformation<ACL_SIZE_INFORMATION>().AceCount;
for (var i = 0U; i < aceCount; i++)
{
if (!GetAce(ppDacl, i, out var ace)) Win32Error.ThrowLastError();
var accountSize = 1024;
var domainSize = 1024;
var account = new StringBuilder(accountSize, accountSize);
var domain = new StringBuilder(domainSize, domainSize);
if (!LookupAccountSid(null, ace.GetSid(), account, ref accountSize, domain, ref domainSize, out _))
Win32Error.ThrowLastError();
Console.WriteLine($"Ace{i}: {ace.GetHeader().AceType}={domain}\\{account}; {ace.GetMask()}");
}
}
}
from vanara.
The code to perform the above is checked-in if you want to pull and test your own build while you wait for me to publish the next release.
from vanara.
I have pulled the latest version and have it working locally until you generate a release.
Thank you very much for detailed help, your assistance has been valuable!
from vanara.
Related Issues (20)
- OverlappedAsyncBaseResult does not make processed bytes available. HOT 1
- How to use native Win32 Shell ImageList in WinUI3 - Implementing ExplorerBrowser for WinUI3 HOT 17
- Missing unions in FwpUClnt FWPM_* structures HOT 1
- PInvoke.IpHlpApi.GetExtendedUdpTable give wrong port HOT 3
- WTSApi32: Wrong variable used to create dateTime HOT 1
- Wrong Marsha.SizeOf for MODULEENTRY32 HOT 2
- Wrong values in Kernel32.READ_DIRECTORY_NOTIFY_INFORMATION_CLASS enum HOT 1
- SearchApi.IQuerySolution.Resolve() should not require unsafe pointer for parameter "SYSTEMTIME* pstReferenceTime" HOT 7
- Wrong layout of Shell32.STRRET structure in x64 process HOT 1
- False-positive `IsNullOrEmpty` on `StrPtrAuto` HOT 1
- Wrong marshalling for pszVerb in Shell32.IFolderView2.InvokeVerbOnSelection() HOT 1
- The file generated by ShellLink.Create() is not a shortcut file. HOT 1
- Dotnet 5 Error HOT 7
- SafeHANDLE != operator should make parameters nullable HOT 3
- WinINet.InternetSetOption seems breaking change in 4.0.0 HOT 1
- CRYPT_PROVIDER_DATA duplicates CRYPT_PROVUI_DATA HOT 1
- System.TypeInitializationException: The type initializer for '<Module>' threw an exception. HOT 1
- DOSvc unit test fails with 0x80010123 HOT 2
- Unable to create TXT records HOT 3
- ErrorHelper.GetErrorMessage throws System.OverflowException HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from vanara.