
Can't get properly ACLs

I'm trying to get the ACL for a shared folder. The code to get the security descriptor is the following:

private static SECURITY_DESCRIPTOR GetSecurityDescriptor(string path)
{
    var sdUtil = new ADsSecurityUtility();
    Byte[] temp = (Byte[])sdUtil.GetSecurityDescriptor(path, (int)ADS_PATHTYPE_ENUM.ADS_PATH_FILESHARE, (int)ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_RAW);
    IntPtr ptr = (IntPtr)0;
    SECURITY_DESCRIPTOR sd;
    try
    {
        ptr = Marshal.AllocHGlobal(temp.Length);
        Marshal.Copy(temp, 0, ptr, temp.Length);
        sd = (SECURITY_DESCRIPTOR)Marshal.PtrToStructure(ptr, typeof(SECURITY_DESCRIPTOR));
        return sd;
    }
    catch (Exception)
    {
        throw new Exception("Couldn't get security descriptor");
    }
    finally
    {
        Marshal.FreeHGlobal(ptr);
    }
}

SD is ok, I have no problem with that. Then I'm trying to get the DACL and SACL from the SD.

private static List<ACL> GetAcls(SECURITY_DESCRIPTOR sd)
{
    List<ACL> result = new List<ACL>(2);
    ACL temp = new ACL();
    int daclPresent = 0;
    int daclDefaulted = 0;
    try
    {
        int res = PInvoke.GetSecurityDescriptorDacl(ref sd, ref daclPresent, ref temp, ref daclDefaulted);
        result.Add(temp);
        temp = new ACL();
    }
    catch (Exception) { }
    try
    {
        int res = PInvoke.GetSecurityDescriptorSacl(ref sd, ref daclPresent, ref temp, ref daclDefaulted);
        result.Add(temp);
    }
    catch (Exception) { }
    return result;
}

External functions are defined as follows:

    [DllImport("advapi32.dll")]
    public static extern int GetSecurityDescriptorDacl(
        [MarshalAs(UnmanagedType.Struct)] ref SECURITY_DESCRIPTOR pSecurityDescriptor,
        ref int lpbDaclPresent,
        [MarshalAs(UnmanagedType.Struct)] ref ACL pDacl,
        ref int lpbDaclDefaulted
    );

    [DllImport("advapi32.dll")]
    public static extern int GetSecurityDescriptorSacl(
        [MarshalAs(UnmanagedType.Struct)] ref SECURITY_DESCRIPTOR pSecurityDescriptor,
        ref int lpbDaclPresent,
        [MarshalAs(UnmanagedType.Struct)] ref ACL pDacl,
        ref int lpbDaclDefaulted
    );

When I check the properties of the SD instance I see the following:

sd.Dacl
{Permission.ACL}
    AceCount: 83886080
    AclRevision: 169
    AclSize: 1281
    Sbz1: 0
    Sbz2: 21

sd.Sacl
{Permission.ACL}
    AceCount: 6
    AclRevision: 20
    AclSize: 9961474
    Sbz1: 0
    Sbz2: 2359297

In total the ACL contains 6 ACEs. So it seems the SACL contains all of them. However, it's not recommended by MS to use these properties. Instead GetSecurityDescriptorDacl and GetSecurityDescriptorSacl should be used. So I use them. And I see that the count of ACEs in the DACL is 0 and the count of ACEs in the SACL is also 0.

So the question is: how do I properly get all ACEs from the security descriptor?

You must treat a SECURITY_DESCRIPTOR as an opaque handle. You can't cast to one as you have done on the line:

   sd = (SECURITY_DESCRIPTOR)Marshal.PtrToStructure(ptr, 
          typeof(SECURITY_DESCRIPTOR)); 

When you did the above cast you lost all the Owner, Group, DACL and SACL information since you have a self-relative SECURITY_DESCRIPTOR but you are not marshaling the data along with your definition of the structure.

Simply change your declarations of the various API calls (i.e. GetSecurityDescriptorDacl, etc.) to take a byte[] rather than a ref SECURITY_DESCRIPTOR and pass in the byte[] that you received from the ADsSecurityUtility.
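
The change described in the answer above, as an added example that is not part of the original post: the raw descriptor stays an opaque byte buffer and the DACL is read through the API. The names `ShareDacl` and `ReadDacl` are hypothetical; the sketch passes the pinned address of the byte[] (rather than a byte[] parameter) so the ACL pointer returned into that buffer stays valid while the ACEs are read, and it decodes only access-allowed and access-denied ACEs.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

static class ShareDacl   // hypothetical helper, not from the original post
{
    [DllImport("advapi32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool GetSecurityDescriptorDacl(IntPtr pSecurityDescriptor,
        [MarshalAs(UnmanagedType.Bool)] out bool lpbDaclPresent, out IntPtr pDacl,
        [MarshalAs(UnmanagedType.Bool)] out bool lpbDaclDefaulted);

    [DllImport("advapi32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool GetAce(IntPtr pAcl, uint dwAceIndex, out IntPtr pAce);

    // rawSd: the byte[] returned by ADsSecurityUtility with ADS_SD_FORMAT_RAW.
    public static List<string> ReadDacl(byte[] rawSd)
    {
        var aces = new List<string>();
        // Pin the buffer: pDacl points inside it and must not move while we read.
        GCHandle pin = GCHandle.Alloc(rawSd, GCHandleType.Pinned);
        try
        {
            if (!GetSecurityDescriptorDacl(pin.AddrOfPinnedObject(),
                    out bool present, out IntPtr dacl, out _))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            if (!present) return aces;                 // descriptor carries no DACL
            if (dacl == IntPtr.Zero)                   // NULL DACL: access is unrestricted
            { aces.Add("NULL DACL"); return aces; }

            int aceCount = (ushort)Marshal.ReadInt16(dacl, 4);    // ACL.AceCount
            for (uint i = 0; i < aceCount; i++)
            {
                if (!GetAce(dacl, i, out IntPtr ace))
                    throw new Win32Exception(Marshal.GetLastWin32Error());
                byte type = Marshal.ReadByte(ace, 0);              // ACE_HEADER.AceType
                if (type > 1) { aces.Add($"type {type} (layout not decoded here)"); continue; }
                int mask = Marshal.ReadInt32(ace, 4);              // ACCESS_MASK
                var sid = new SecurityIdentifier(IntPtr.Add(ace, 8)); // SidStart
                aces.Add($"{(type == 0 ? "ALLOW" : "DENY")} {sid} 0x{mask:X8}");
            }
            return aces;
        }
        finally { pin.Free(); }
    }
}
```

A result of "NULL DACL" is worth flagging when auditing shares, since it grants access to everyone, whereas an empty list with a DACL present denies all access.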
