Unable to obtain sid from ace

[jcasale]

I am trying to utilize the provided methods to obtain the SID from an ACE without utilizing direct native code:

var error = GetNamedSecurityInfo(
    "\\\\?\\C:\\tmp\\sec",
    SE_OBJECT_TYPE.SE_FILE_OBJECT,
    SECURITY_INFORMATION.DACL_SECURITY_INFORMATION,
    out PSID ppsidOwner,
    out PSID ppsidGroup,
    out PACL ppDacl,
    out PACL ppSacl,
    out SafeSecurityDescriptor ppSecurityDescriptor);

var aclSizeInformation = new ACL_SIZE_INFORMATION();
var result = GetAclInformation(ppDacl, ref aclSizeInformation);
for (int i = 0; i < aclSizeInformation.AceCount; i++)
{
    ACCESS_ALLOWED_ACE ace = GetAce(ppDacl, i);
    // Obtain sid?
}

However, when using AdvApi32.GetAce(PACL pAcl, int dwAceIndex, out PACE pAce) instead of the helper above, I can use the underlying handle and obtain the binary sid for use with LookupAccountSid(string lpSystemName, byte[] lpSid, StringBuilder lpName, ref int cchName, StringBuilder lpReferencedDomainName, ref int cchReferencedDomainName, out SID_NAME_USE peUse).

What facility exists utilizing the library without any direct native calls?

[dahall]

I guess I'm a little confused. All of those functions you have called are native library calls. Please tell me instead what information you have and what information you would like to retrieve. Maybe then I can point you to the native functions in this library or those in the .NET runtime that will accomplish what you want.

[jcasale]

Hi, given a path, I need to obtain the DACL and for each ACE, I need to obtain the SID, AccesMask and AccessType. All of that is achievable with the code above except for the ACE's associated SID. I am not clear what wrappers your library exposes to facilitate that?

[dahall]

I'm not sure if you've tried yet, but the .NET Framework already provides abstractions to read and update access rights on a file or directory. This article provides some basic info on that. If you are trying to enumerate the SIDs in an ACL, there are multiple examples for the Windows API function to do this. The Vanara libraries expose those functions as managed functions. If there are functions you need which are missing, please let me know.

[jcasale]

Hi David, I am aware I can do this much simpler in purely managed code, however I have other code I need to run with a sid and ace pointers so it is convenient to simply do it all with the same approach.

The component that I cannot seem to locate is a facility to obtain the sid when using the helper, or without making a call to obtain the underlying pointer from the library method, for example:

// How does one use the abstractions to obtain the sid through safe pointers based on the following?
ACCESS_ALLOWED_ACE ace = GetAce(ppDacl, i);

// I can obtain the sid using this approach, however it seems counter to the library to call DangerousGetHandle?
var result = GetAce(ppDacl, i, out PACE pAce);
IntPtr pSid = (IntPtr)((long)pAce.DangerousGetHandle() + (long)Marshal.OffsetOf(typeof(ACCESS_ALLOWED_ACE), "SidStart"));
int size = GetLengthSid(pSid);
byte[] bSID = new byte[size];
Marshal.Copy(pSid, bSID, 0, size);

[dahall]

My apologies. I've misunderstood from the beginning. I can definitely see why this is overly complicated. The ACCESS_ALLOWED_ACE structure defines a member SidStart that, according to the documentation, is the first DWORD of a SID. So, using unsafe code, you can do the following:

unsafe
{
   fixed(int* psid = &ace.SidStart)
   {
      return SafePSID.CreateFromPtr((IntPtr)(void*)psid);
   }
}

[jcasale]

No problem, however I apologize as I am still having issues;) The code below results in a corrupt sid, however the acl and each ace are valid as the masks match (the ace variable is already fixed, so the fixed statement had to be removed).

    using System;
    using System.Text;
    using Vanara.PInvoke;
    using static Vanara.PInvoke.AdvApi32;
    using static Vanara.Security.AccessControl.AccessControlHelper;

    class Program
    {
        static void Main()
        {
            var error = GetNamedSecurityInfo(
                "\\\\?\\C:\\tmp\\sec",
                SE_OBJECT_TYPE.SE_FILE_OBJECT,
                SECURITY_INFORMATION.DACL_SECURITY_INFORMATION,
                out PSID ppsidOwner,
                out PSID ppsidGroup,
                out PACL ppDacl,
                out PACL ppSacl,
                out SafeSecurityDescriptor ppSecurityDescriptor);

            var aclInfo = GetAclInfo(ppDacl);
            for (int i = 0; i < aclInfo.AceCount; i++)
            {
                ACCESS_ALLOWED_ACE ace = GetAce(ppDacl, i);
                byte[] bSid;
                unsafe
                {
                    int* psid = &ace.SidStart;
                    using (var safePsid = SafePSID.CreateFromPtr((IntPtr)(void*)psid))
                    {
                        Console.WriteLine(safePsid.ToString());
                        bSid = safePsid.GetBinaryForm();
                    }
                }

                int accountSize = 1024;
                int domainSize = 1024;
                var account = new StringBuilder(accountSize);
                var domain = new StringBuilder(domainSize);
                var res = LookupAccountSid(null, bSid, account, ref accountSize, domain, ref domainSize, out SID_NAME_USE snu);
                // res is always false and the output is empty.
            }
        }
    }

[dahall]

I'm the process of updating a lot of the AdvApi32 space, but am not ready to publish. With my new updates, I am able to do what you're trying to do here and all the SIDs come through without throwing exceptions. I don't see anything wrong with your code though. What line is throwing an error with a corrupt SID?

[jcasale]

Hi David, the call to SafePSID.CreateFromPtr((IntPtr)(void*)psid) generates an invalid sid, no error is thrown but the value is simply arbitrary.

The ultimate use case I have is computing the effective permissions for a set of users against a remote share incorporating both share and ntfs acls. The older GetEffectiveRightsFromAcl is known to be unreliable in most cases, so I am hoping to have better luck with authz.

Thanks for all the help!

[dahall]

I just gave AdvApi32 a lot of love. I would recommend against using AccessControlHelper. I was shortsighted when I wrote it and it can cause memory access problems when the ACE is an object ACE. Here's how I would do the code above using just Vanara.PInvoke.Security. The GetSid and similar extension methods will show up in the next release due in the next few days.

using System;
using System.Text;
using Vanara.PInvoke;
using static Vanara.PInvoke.AdvApi32;

class Program
{
   static void Main()
   {
      GetNamedSecurityInfo(fn, SE_OBJECT_TYPE.SE_FILE_OBJECT, SECURITY_INFORMATION.DACL_SECURITY_INFORMATION,
         out _, out _, out var ppDacl, out _, out var ppSecurityDescriptor).ThrowIfFailed();

      var aceCount = ppDacl.GetAclInformation<ACL_SIZE_INFORMATION>().AceCount;
      for (var i = 0U; i < aceCount; i++)
      {
         if (!GetAce(ppDacl, i, out var ace)) Win32Error.ThrowLastError();
         var accountSize = 1024;
         var domainSize = 1024;
         var account = new StringBuilder(accountSize, accountSize);
         var domain = new StringBuilder(domainSize, domainSize);
         if (!LookupAccountSid(null, ace.GetSid(), account, ref accountSize, domain, ref domainSize, out _))
            Win32Error.ThrowLastError();
         Console.WriteLine($"Ace{i}: {ace.GetHeader().AceType}={domain}\\{account}; {ace.GetMask()}");
      }
   }
}

[dahall]

The code to perform the above is checked-in if you want to pull and test your own build while you wait for me to publish the next release.

[jcasale]

I have pulled the latest version and have it working locally until you generate a release.

Thank you very much for detailed help, your assistance has been valuable!