2 * mono-security-windows.c: Windows security support.
4 * Copyright 2016 Microsoft
5 * Licensed under the MIT license. See LICENSE file in the project root for full license information.
10 #if defined(HOST_WIN32)
13 #include "mono/metadata/mono-security-windows-internals.h"
15 #if G_HAVE_API_SUPPORT(HAVE_CLASSIC_WINAPI_SUPPORT)
20 #ifndef PROTECTED_DACL_SECURITY_INFORMATION
21 #define PROTECTED_DACL_SECURITY_INFORMATION 0x80000000L
24 #if G_HAVE_API_SUPPORT(HAVE_CLASSIC_WINAPI_SUPPORT)
26 GetSidName (gunichar2 *server, PSID sid, gint32 *size)
28 gunichar2 *uniname = NULL;
31 SID_NAME_USE peUse; /* out */
33 LookupAccountSid (server, sid, NULL, &cchName, NULL,
36 if ((cchName > 0) && (cchDomain > 0)) {
37 gunichar2 *user = g_malloc0 ((cchName + 1) * 2);
38 gunichar2 *domain = g_malloc0 ((cchDomain + 1) * 2);
40 LookupAccountSid (server, sid, user, &cchName, domain,
45 /* domain/machine name included (+ sepearator) */
46 *size = cchName + cchDomain + 1;
47 uniname = g_malloc0 ((*size + 1) * 2);
48 memcpy (uniname, domain, cchDomain * 2);
49 *(uniname + cchDomain) = '\\';
50 memcpy (uniname + cchDomain + 1, user, cchName * 2);
54 /* no domain / machine */
60 /* nothing -> return NULL */
71 ves_icall_System_Security_Principal_WindowsIdentity_GetCurrentToken (void)
73 gpointer token = NULL;
75 /* Note: This isn't a copy of the Token - we must not close it!!!
76 * http://www.develop.com/kbrown/book/html/whatis_windowsprincipal.html
79 /* thread may be impersonating somebody */
80 if (OpenThreadToken (GetCurrentThread (), MAXIMUM_ALLOWED, 1, &token) == 0) {
81 /* if not take the process identity */
82 OpenProcessToken (GetCurrentProcess (), MAXIMUM_ALLOWED, &token);
89 mono_security_win_get_token_name (gpointer token, gunichar2 ** uniname)
93 GetTokenInformation (token, TokenUser, NULL, size, (PDWORD)&size);
95 TOKEN_USER *tu = g_malloc0 (size);
96 if (GetTokenInformation (token, TokenUser, tu, size, (PDWORD)&size)) {
97 *uniname = GetSidName (NULL, tu->User.Sid, &size);
104 #endif /* G_HAVE_API_SUPPORT(HAVE_CLASSIC_WINAPI_SUPPORT) */
107 ves_icall_System_Security_Principal_WindowsIdentity_GetTokenName (gpointer token)
110 MonoString *result = NULL;
111 gunichar2 *uniname = NULL;
116 size = mono_security_win_get_token_name (token, &uniname);
119 result = mono_string_new_utf16_checked (mono_domain_get (), uniname, size, &error);
122 result = mono_string_new (mono_domain_get (), "");
127 mono_error_set_pending_exception (&error);
132 ves_icall_System_Security_Principal_WindowsIdentity_GetUserToken (MonoString *username)
134 gpointer token = NULL;
136 /* TODO: MS has something like this working in Windows 2003 (client and
137 * server) but works only for domain accounts (so it's quite limiting).
138 * http://www.develop.com/kbrown/book/html/howto_logonuser.html
140 g_warning ("Unsupported on Win32 (anyway requires W2K3 minimum)");
144 #if G_HAVE_API_SUPPORT(HAVE_CLASSIC_WINAPI_SUPPORT)
146 ves_icall_System_Security_Principal_WindowsIdentity_GetRoles (gpointer token)
149 MonoArray *array = NULL;
150 MonoDomain *domain = mono_domain_get ();
154 GetTokenInformation (token, TokenGroups, NULL, size, (PDWORD)&size);
156 TOKEN_GROUPS *tg = g_malloc0 (size);
157 if (GetTokenInformation (token, TokenGroups, tg, size, (PDWORD)&size)) {
159 int num = tg->GroupCount;
161 array = mono_array_new_checked (domain, mono_get_string_class (), num, &error);
162 if (mono_error_set_pending_exception (&error)) {
167 for (i=0; i < num; i++) {
169 gunichar2 *uniname = GetSidName (NULL, tg->Groups [i].Sid, &size);
172 MonoString *str = mono_string_new_utf16_checked (domain, uniname, size, &error);
173 if (!is_ok (&error)) {
176 mono_error_set_pending_exception (&error);
179 mono_array_setref (array, i, str);
188 /* return empty array of string, i.e. string [0] */
189 array = mono_array_new_checked (domain, mono_get_string_class (), 0, &error);
190 mono_error_set_pending_exception (&error);
194 #endif /* G_HAVE_API_SUPPORT(HAVE_CLASSIC_WINAPI_SUPPORT) */
197 ves_icall_System_Security_Principal_WindowsImpersonationContext_CloseToken (gpointer token)
199 gboolean result = TRUE;
200 result = (CloseHandle (token) != 0);
204 #if G_HAVE_API_SUPPORT(HAVE_CLASSIC_WINAPI_SUPPORT)
206 ves_icall_System_Security_Principal_WindowsImpersonationContext_DuplicateToken (gpointer token)
208 gpointer dupe = NULL;
210 if (DuplicateToken (token, SecurityImpersonation, &dupe) == 0) {
215 #endif /* G_HAVE_API_SUPPORT(HAVE_CLASSIC_WINAPI_SUPPORT) */
218 ves_icall_System_Security_Principal_WindowsPrincipal_IsMemberOfGroupId (gpointer user, gpointer group)
220 gboolean result = FALSE;
222 /* The convertion from an ID to a string is done in managed code for Windows */
223 g_warning ("IsMemberOfGroupId should never be called on Win32");
228 ves_icall_System_Security_Principal_WindowsPrincipal_IsMemberOfGroupName (gpointer user, MonoString *group)
230 gboolean result = FALSE;
232 /* Windows version use a cache built using WindowsIdentity._GetRoles */
233 g_warning ("IsMemberOfGroupName should never be called on Win32");
237 #if G_HAVE_API_SUPPORT(HAVE_CLASSIC_WINAPI_SUPPORT)
239 GetAdministratorsSid (void)
241 SID_IDENTIFIER_AUTHORITY admins = { SECURITY_NT_AUTHORITY };
243 if (!AllocateAndInitializeSid (&admins, 2, SECURITY_BUILTIN_DOMAIN_RID,
244 DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &pSid))
246 /* Note: this SID must be freed with FreeSid () */
251 GetEveryoneSid (void)
253 SID_IDENTIFIER_AUTHORITY everyone = { SECURITY_WORLD_SID_AUTHORITY };
255 if (!AllocateAndInitializeSid (&everyone, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &pSid))
257 /* Note: this SID must be freed with FreeSid () */
262 GetCurrentUserSid (void)
266 gpointer token = ves_icall_System_Security_Principal_WindowsIdentity_GetCurrentToken ();
268 GetTokenInformation (token, TokenUser, NULL, size, (PDWORD)&size);
270 TOKEN_USER *tu = g_malloc0 (size);
271 if (GetTokenInformation (token, TokenUser, tu, size, (PDWORD)&size)) {
272 DWORD length = GetLengthSid (tu->User.Sid);
273 sid = (PSID) g_malloc0 (length);
274 if (!CopySid (length, sid, tu->User.Sid)) {
281 /* Note: this SID must be freed with g_free () */
286 GetRightsFromSid (PSID sid, PACL acl)
288 ACCESS_MASK rights = 0;
291 BuildTrusteeWithSidW (&trustee, sid);
292 if (GetEffectiveRightsFromAcl (acl, &trustee, &rights) != ERROR_SUCCESS)
299 mono_security_win_is_machine_protected (gunichar2 *path)
301 gboolean success = FALSE;
303 PSECURITY_DESCRIPTOR pSD = NULL;
304 PSID pEveryoneSid = NULL;
306 DWORD dwRes = GetNamedSecurityInfoW (path, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &pDACL, NULL, &pSD);
307 if (dwRes != ERROR_SUCCESS)
310 /* We check that Everyone is still limited to READ-ONLY -
311 but not if new entries have been added by an Administrator */
313 pEveryoneSid = GetEveryoneSid ();
315 ACCESS_MASK rights = GetRightsFromSid (pEveryoneSid, pDACL);
316 /* http://msdn.microsoft.com/library/en-us/security/security/generic_access_rights.asp?frame=true */
317 success = (rights == (READ_CONTROL | SYNCHRONIZE | FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES));
318 FreeSid (pEveryoneSid);
320 /* Note: we don't need to check our own access -
321 we'll know soon enough when reading the file */
330 mono_security_win_is_user_protected (gunichar2 *path)
332 gboolean success = FALSE;
334 PSID pEveryoneSid = NULL;
335 PSECURITY_DESCRIPTOR pSecurityDescriptor = NULL;
337 DWORD dwRes = GetNamedSecurityInfoW (path, SE_FILE_OBJECT,
338 DACL_SECURITY_INFORMATION, NULL, NULL, &pDACL, NULL, &pSecurityDescriptor);
339 if (dwRes != ERROR_SUCCESS)
342 /* We check that our original entries in the ACL are in place -
343 but not if new entries have been added by the user */
345 /* Everyone should be denied */
346 pEveryoneSid = GetEveryoneSid ();
348 ACCESS_MASK rights = GetRightsFromSid (pEveryoneSid, pDACL);
349 success = (rights == 0);
350 FreeSid (pEveryoneSid);
352 /* Note: we don't need to check our own access -
353 we'll know soon enough when reading the file */
355 if (pSecurityDescriptor)
356 LocalFree (pSecurityDescriptor);
362 mono_security_win_protect_machine (gunichar2 *path)
364 PSID pEveryoneSid = GetEveryoneSid ();
365 PSID pAdminsSid = GetAdministratorsSid ();
368 if (pEveryoneSid && pAdminsSid) {
370 EXPLICIT_ACCESS ea [2];
371 ZeroMemory (&ea, 2 * sizeof (EXPLICIT_ACCESS));
373 /* grant all access to the BUILTIN\Administrators group */
374 BuildTrusteeWithSidW (&ea [0].Trustee, pAdminsSid);
375 ea [0].grfAccessPermissions = GENERIC_ALL;
376 ea [0].grfAccessMode = SET_ACCESS;
377 ea [0].grfInheritance = SUB_CONTAINERS_AND_OBJECTS_INHERIT;
378 ea [0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
379 ea [0].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
381 /* read-only access everyone */
382 BuildTrusteeWithSidW (&ea [1].Trustee, pEveryoneSid);
383 ea [1].grfAccessPermissions = GENERIC_READ;
384 ea [1].grfAccessMode = SET_ACCESS;
385 ea [1].grfInheritance = SUB_CONTAINERS_AND_OBJECTS_INHERIT;
386 ea [1].Trustee.TrusteeForm = TRUSTEE_IS_SID;
387 ea [1].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
389 retval = SetEntriesInAcl (2, ea, NULL, &pDACL);
390 if (retval == ERROR_SUCCESS) {
391 /* with PROTECTED_DACL_SECURITY_INFORMATION we */
392 /* remove any existing ACL (like inherited ones) */
393 retval = SetNamedSecurityInfo (path, SE_FILE_OBJECT,
394 DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION,
395 NULL, NULL, pDACL, NULL);
402 FreeSid (pEveryoneSid);
404 FreeSid (pAdminsSid);
405 return (retval == ERROR_SUCCESS);
409 mono_security_win_protect_user (gunichar2 *path)
413 PSID pCurrentSid = GetCurrentUserSid ();
417 ZeroMemory (&ea, sizeof (EXPLICIT_ACCESS));
419 /* grant exclusive access to the current user */
420 BuildTrusteeWithSidW (&ea.Trustee, pCurrentSid);
421 ea.grfAccessPermissions = GENERIC_ALL;
422 ea.grfAccessMode = SET_ACCESS;
423 ea.grfInheritance = SUB_CONTAINERS_AND_OBJECTS_INHERIT;
424 ea.Trustee.TrusteeForm = TRUSTEE_IS_SID;
425 ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
427 retval = SetEntriesInAcl (1, &ea, NULL, &pDACL);
428 if (retval == ERROR_SUCCESS) {
429 /* with PROTECTED_DACL_SECURITY_INFORMATION we
430 remove any existing ACL (like inherited ones) */
431 retval = SetNamedSecurityInfo (path, SE_FILE_OBJECT,
432 DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION,
433 NULL, NULL, pDACL, NULL);
438 g_free (pCurrentSid); /* g_malloc0 */
441 return (retval == ERROR_SUCCESS);
443 #endif /* G_HAVE_API_SUPPORT(HAVE_CLASSIC_WINAPI_SUPPORT) */
446 ves_icall_Mono_Security_Cryptography_KeyPairPersistence_CanSecure (MonoString *root)
450 /* ACL are nice... unless you have FAT or other uncivilized filesystem */
451 if (!GetVolumeInformation (mono_string_chars (root), NULL, 0, NULL, NULL, (LPDWORD)&flags, NULL, 0))
453 return ((flags & FS_PERSISTENT_ACLS) == FS_PERSISTENT_ACLS);
457 ves_icall_Mono_Security_Cryptography_KeyPairPersistence_IsMachineProtected (MonoString *path)
459 gboolean ret = FALSE;
461 /* no one, but the owner, should have write access to the directory */
462 ret = mono_security_win_is_machine_protected (mono_string_chars (path));
463 return (MonoBoolean)ret;
467 ves_icall_Mono_Security_Cryptography_KeyPairPersistence_IsUserProtected (MonoString *path)
469 gboolean ret = FALSE;
471 /* no one, but the user, should have access to the directory */
472 ret = mono_security_win_is_user_protected (mono_string_chars (path));
473 return (MonoBoolean)ret;
477 ves_icall_Mono_Security_Cryptography_KeyPairPersistence_ProtectMachine (MonoString *path)
479 gboolean ret = FALSE;
481 /* read/write to owner, read to everyone else */
482 ret = mono_security_win_protect_machine (mono_string_chars (path));
483 return (MonoBoolean)ret;
487 ves_icall_Mono_Security_Cryptography_KeyPairPersistence_ProtectUser (MonoString *path)
489 gboolean ret = FALSE;
491 /* read/write to user, no access to everyone else */
492 ret = mono_security_win_protect_user (mono_string_chars (path));
493 return (MonoBoolean)ret;
495 #endif /* HOST_WIN32 */