- Constants
- Variables
- func CanonicalizeSid(sidString string) (string, error)
- func IffInt(condition bool, tVal, fVal int) int
- func OSTranslateSID(SID string) (string, error)
- func QuerySecurityObject(path string, flags SECURITY_INFORMATION) ([]byte, error)
- func SecurityDescriptorFromString(sddlString string) ([]byte, error)
- func SecurityDescriptorToString(sd []byte) (string, error)
- func SetControl(sd []byte, controlBitsOfInterest, controlBitsToSet SECURITY_DESCRIPTOR_CONTROL) error
- func SetSecurityObject(path string, flags SECURITY_INFORMATION, sd []byte) error
- type ACCESS_ALLOWED_ACE
- type ACE_HEADER
- type ACL
- type ACLEntry
- type ACLList
- type AnySID
- type BYTE
- type DWORD
- type SDDLString
- type SECURITY_DESCRIPTOR_CONTROL
- type SECURITY_DESCRIPTOR_RELATIVE
- type SECURITY_INFORMATION
- type SID
- type WORD
Constants ¶
// Revision numbers accepted for the structures handled by this package.
const (
	SDDL_REVISION   = 1 // SDDL Revision MUST always be 1.
	SID_REVISION    = 1 // SID Revision MUST always be 1.
	ACL_REVISION    = 2 // ACL revision supporting the basic ACE types used for filesystem ACLs.
	ACL_REVISION_DS = 4 // ACL revision supporting Object ACEs; not expected for filesystem ACLs.
)
Valid/supported revision numbers for various object types. TODO: Do we need to support ACL_REVISION_DS (4) with support for Object ACEs? Are they used for filesystem objects?
// SECURITY_INFORMATION bits: which parts of a security descriptor a query or
// update applies to. Written as shifts so the bit positions are visible.
const (
	OWNER_SECURITY_INFORMATION     = 1 << 0
	GROUP_SECURITY_INFORMATION     = 1 << 1
	DACL_SECURITY_INFORMATION      = 1 << 2
	SACL_SECURITY_INFORMATION      = 1 << 3
	LABEL_SECURITY_INFORMATION     = 1 << 4
	ATTRIBUTE_SECURITY_INFORMATION = 1 << 5
	SCOPE_SECURITY_INFORMATION     = 1 << 6
	BACKUP_SECURITY_INFORMATION    = 1 << 16

	// The PROTECTED_/UNPROTECTED_ bits steer ACL inheritance from the parent
	// object when a descriptor is written (Windows semantics; they are
	// request flags, not descriptor contents that can be read back).
	PROTECTED_DACL_SECURITY_INFORMATION   = 1 << 31
	PROTECTED_SACL_SECURITY_INFORMATION   = 1 << 30
	UNPROTECTED_DACL_SECURITY_INFORMATION = 1 << 29
	UNPROTECTED_SACL_SECURITY_INFORMATION = 1 << 28
)
Valid bitmasks contained in type SECURITY_INFORMATION.
// SECURITY_DESCRIPTOR_CONTROL bits, written as shifts so the bit positions
// are visible at a glance.
const (
	SE_OWNER_DEFAULTED = 1 << 0
	SE_GROUP_DEFAULTED = 1 << 1
	// SE_DACL_PRESENT: the descriptor carries a DACL. Per Windows semantics a
	// descriptor without a DACL grants everyone full access, so the absence
	// of this bit is a finding, not "no access".
	SE_DACL_PRESENT   = 1 << 2
	SE_DACL_DEFAULTED = 1 << 3
	SE_SACL_PRESENT   = 1 << 4
	SE_SACL_DEFAULTED = 1 << 5

	SE_DACL_AUTO_INHERIT_REQ = 1 << 8
	SE_SACL_AUTO_INHERIT_REQ = 1 << 9
	SE_DACL_AUTO_INHERITED   = 1 << 10
	SE_SACL_AUTO_INHERITED   = 1 << 11
	// SE_*_PROTECTED: inheritance from the parent object is blocked for the
	// corresponding ACL.
	SE_DACL_PROTECTED   = 1 << 12
	SE_SACL_PROTECTED   = 1 << 13
	SE_RM_CONTROL_VALID = 1 << 14
	// SE_SELF_RELATIVE: the descriptor uses the self-relative layout
	// (SECURITY_DESCRIPTOR_RELATIVE), i.e. offsets rather than pointers.
	SE_SELF_RELATIVE = 1 << 15
)
Valid bitmasks contained in type SECURITY_DESCRIPTOR_CONTROL.
// AceType values carried in ACE_HEADER. The ACCESS_MIN_*/ACCESS_MAX_* names
// are range markers that alias the first/last real type of each generation;
// they are not ACE types of their own.
const (
	ACCESS_MIN_MS_ACE_TYPE    = 0x0
	ACCESS_ALLOWED_ACE_TYPE   = 0x0
	ACCESS_DENIED_ACE_TYPE    = 0x1
	SYSTEM_AUDIT_ACE_TYPE     = 0x2
	SYSTEM_ALARM_ACE_TYPE     = 0x3
	ACCESS_MAX_MS_V2_ACE_TYPE = 0x3

	ACCESS_ALLOWED_COMPOUND_ACE_TYPE = 0x4
	ACCESS_MAX_MS_V3_ACE_TYPE        = 0x4

	// Object ACEs (the kind ACL_REVISION_DS exists for).
	ACCESS_MIN_MS_OBJECT_ACE_TYPE  = 0x5
	ACCESS_ALLOWED_OBJECT_ACE_TYPE = 0x5
	ACCESS_DENIED_OBJECT_ACE_TYPE  = 0x6
	SYSTEM_AUDIT_OBJECT_ACE_TYPE   = 0x7
	SYSTEM_ALARM_OBJECT_ACE_TYPE   = 0x8
	ACCESS_MAX_MS_OBJECT_ACE_TYPE  = 0x8
	ACCESS_MAX_MS_V4_ACE_TYPE      = 0x8
	ACCESS_MAX_MS_ACE_TYPE         = 0x8

	// Callback ACEs.
	ACCESS_ALLOWED_CALLBACK_ACE_TYPE        = 0x9
	ACCESS_DENIED_CALLBACK_ACE_TYPE         = 0xA
	ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE = 0xB
	ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE  = 0xC
	SYSTEM_AUDIT_CALLBACK_ACE_TYPE          = 0xD
	SYSTEM_ALARM_CALLBACK_ACE_TYPE          = 0xE
	SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE   = 0xF
	SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE   = 0x10

	// System ACE types.
	SYSTEM_MANDATORY_LABEL_ACE_TYPE     = 0x11
	SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE  = 0x12
	SYSTEM_SCOPED_POLICY_ID_ACE_TYPE    = 0x13
	SYSTEM_PROCESS_TRUST_LABEL_ACE_TYPE = 0x14
	SYSTEM_ACCESS_FILTER_ACE_TYPE       = 0x15
	ACCESS_MAX_MS_V5_ACE_TYPE           = 0x15
)
Valid AceType values present in ACE_HEADER.
// ACE_HEADER.AceFlags bits.
const (
	// Inheritance flags.
	OBJECT_INHERIT_ACE       = 1 << 0
	CONTAINER_INHERIT_ACE    = 1 << 1
	NO_PROPAGATE_INHERIT_ACE = 1 << 2
	INHERIT_ONLY_ACE         = 1 << 3
	INHERITED_ACE            = 1 << 4
	VALID_INHERIT_FLAGS      = OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE | NO_PROPAGATE_INHERIT_ACE | INHERIT_ONLY_ACE | INHERITED_ACE
	CRITICAL_ACE_FLAG        = 1 << 5

	// Audit flags, used by the SACL: which outcomes we (should) audit.
	SUCCESSFUL_ACCESS_ACE_FLAG = 1 << 6
	FAILED_ACCESS_ACE_FLAG     = 1 << 7

	// Shares the 0x40 bit with SUCCESSFUL_ACCESS_ACE_FLAG; which meaning
	// applies depends on the ACE type, so check AceType before interpreting it.
	TRUST_PROTECTED_FILTER_ACE_FLAG = 1 << 6
)
Valid bitmasks contained in AceFlags present in ACE_HEADER.
// Generic and standard access rights: the high 16 bits of an AccessMask,
// shared by every object type.
const (
	GENERIC_READ    = 1 << 31
	GENERIC_WRITE   = 1 << 30
	GENERIC_EXECUTE = 1 << 29
	GENERIC_ALL     = 1 << 28

	DELETE       = 1 << 16
	READ_CONTROL = 1 << 17
	WRITE_DAC    = 1 << 18
	WRITE_OWNER  = 1 << 19
	SYNCHRONIZE  = 1 << 20

	STANDARD_RIGHTS_REQUIRED = DELETE | READ_CONTROL | WRITE_DAC | WRITE_OWNER
	STANDARD_RIGHTS_READ     = READ_CONTROL
	STANDARD_RIGHTS_WRITE    = READ_CONTROL
	STANDARD_RIGHTS_EXECUTE  = READ_CONTROL
	STANDARD_RIGHTS_ALL      = STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE
	SPECIFIC_RIGHTS_ALL      = 0xFFFF
)

// Access rights for files and directories: the object-specific low 16 bits.
const (
	FILE_READ_DATA        = 0x0001 // file & pipe
	FILE_WRITE_DATA       = 0x0002 // file & pipe
	FILE_APPEND_DATA      = 0x0004 // file
	FILE_READ_EA          = 0x0008 // file & directory
	FILE_WRITE_EA         = 0x0010 // file & directory
	FILE_EXECUTE          = 0x0020 // file
	FILE_READ_ATTRIBUTES  = 0x0080 // all
	FILE_WRITE_ATTRIBUTES = 0x0100 // all

	// Composite masks; each also carries SYNCHRONIZE.
	FILE_ALL_ACCESS      = STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1FF
	FILE_GENERIC_READ    = STANDARD_RIGHTS_READ | FILE_READ_DATA | FILE_READ_ATTRIBUTES | FILE_READ_EA | SYNCHRONIZE
	FILE_GENERIC_WRITE   = STANDARD_RIGHTS_WRITE | FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA | FILE_APPEND_DATA | SYNCHRONIZE
	FILE_GENERIC_EXECUTE = STANDARD_RIGHTS_EXECUTE | FILE_READ_ATTRIBUTES | FILE_EXECUTE | SYNCHRONIZE
)

// Access rights for directory-service (DS) objects.
const (
	ADS_RIGHT_DS_CREATE_CHILD   = 1 << 0
	ADS_RIGHT_DS_DELETE_CHILD   = 1 << 1
	ADS_RIGHT_ACTRL_DS_LIST     = 1 << 2
	ADS_RIGHT_DS_SELF           = 1 << 3
	ADS_RIGHT_DS_READ_PROP      = 1 << 4
	ADS_RIGHT_DS_WRITE_PROP     = 1 << 5
	ADS_RIGHT_DS_DELETE_TREE    = 1 << 6
	ADS_RIGHT_DS_LIST_OBJECT    = 1 << 7
	ADS_RIGHT_DS_CONTROL_ACCESS = 1 << 8
)

// Registry-specific access rights. The composite masks deliberately clear
// SYNCHRONIZE (&^), matching the Windows KEY_* definitions.
const (
	KEY_QUERY_VALUE        = 1 << 0
	KEY_SET_VALUE          = 1 << 1
	KEY_CREATE_SUB_KEY     = 1 << 2
	KEY_ENUMERATE_SUB_KEYS = 1 << 3
	KEY_NOTIFY             = 1 << 4
	KEY_CREATE_LINK        = 1 << 5
	KEY_WOW64_64KEY        = 1 << 8
	KEY_WOW64_32KEY        = 1 << 9
	KEY_WOW64_RES          = KEY_WOW64_64KEY | KEY_WOW64_32KEY

	KEY_READ       = (STANDARD_RIGHTS_READ | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY) &^ SYNCHRONIZE
	KEY_WRITE      = (STANDARD_RIGHTS_WRITE | KEY_SET_VALUE | KEY_CREATE_SUB_KEY) &^ SYNCHRONIZE
	KEY_EXECUTE    = KEY_READ &^ SYNCHRONIZE
	KEY_ALL_ACCESS = (STANDARD_RIGHTS_ALL | KEY_QUERY_VALUE | KEY_SET_VALUE | KEY_CREATE_SUB_KEY | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY | KEY_CREATE_LINK) &^ SYNCHRONIZE
)

// Mandatory-label policy bits. NOTE(review): the original grouped these under
// "SYSTEM_ACCESS_FILTER_ACE access rights"; the names say SYSTEM_MANDATORY_LABEL,
// so confirm which ACE type they belong with before relying on the label.
const (
	SYSTEM_MANDATORY_LABEL_NO_WRITE_UP   = 1 << 0
	SYSTEM_MANDATORY_LABEL_NO_READ_UP    = 1 << 1
	SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP = 1 << 2
)
Valid bitmasks contained in AccessMask present in type ACCESS_ALLOWED_ACE.
// Well-known relative identifiers (RIDs). A RID only has meaning together
// with its identifier authority (see the SECURITY_*_AUTHORITY variables):
// SECURITY_NULL_RID, SECURITY_WORLD_RID, SECURITY_LOCAL_RID and
// SECURITY_CREATOR_OWNER_RID are all 0 but live under different authorities,
// so a RID must never be compared without its authority.
const (
	SECURITY_NULL_RID                  = 0
	SECURITY_WORLD_RID                 = 0
	SECURITY_LOCAL_RID                 = 0
	SECURITY_CREATOR_OWNER_RID         = 0
	SECURITY_CREATOR_GROUP_RID         = 1
	SECURITY_DIALUP_RID                = 1
	SECURITY_NETWORK_RID               = 2
	SECURITY_BATCH_RID                 = 3
	SECURITY_INTERACTIVE_RID           = 4
	SECURITY_LOGON_IDS_RID             = 5
	SECURITY_SERVICE_RID               = 6
	SECURITY_LOCAL_SYSTEM_RID          = 18
	SECURITY_BUILTIN_DOMAIN_RID        = 32
	SECURITY_PRINCIPAL_SELF_RID        = 10
	SECURITY_CREATOR_OWNER_SERVER_RID  = 0x2
	SECURITY_CREATOR_GROUP_SERVER_RID  = 0x3
	SECURITY_LOGON_IDS_RID_COUNT       = 0x3
	SECURITY_ANONYMOUS_LOGON_RID       = 0x7
	SECURITY_PROXY_RID                 = 0x8
	SECURITY_ENTERPRISE_CONTROLLERS_RID = 0x9
	SECURITY_SERVER_LOGON_RID          = SECURITY_ENTERPRISE_CONTROLLERS_RID
	SECURITY_AUTHENTICATED_USER_RID    = 0xb
	SECURITY_RESTRICTED_CODE_RID       = 0xc
	SECURITY_NT_NON_UNIQUE_RID         = 0x15
	SECURITY_CREATOR_OWNER_RIGHTS_RID  = 0x00000004
	SECURITY_LOCAL_SERVICE_RID         = 0x00000013
	SECURITY_NETWORK_SERVICE_RID       = 0x00000014
	SECURITY_WRITE_RESTRICTED_CODE_RID = 0x00000021

	// Integrity levels (RIDs under SECURITY_MANDATORY_LABEL_AUTHORITY).
	SECURITY_MANDATORY_LOW_RID         = 0x00001000
	SECURITY_MANDATORY_MEDIUM_RID      = 0x00002000
	SECURITY_MANDATORY_MEDIUM_PLUS_RID = (SECURITY_MANDATORY_MEDIUM_RID + 0x100)
	SECURITY_MANDATORY_HIGH_RID        = 0x00003000
	SECURITY_MANDATORY_SYSTEM_RID      = 0x00004000

	SECURITY_APP_PACKAGE_BASE_RID        = 0x00000002
	SECURITY_BUILTIN_PACKAGE_ANY_PACKAGE = 0x00000001
)
// Predefined domain-relative RIDs for local (BUILTIN) groups, i.e. the RIDs
// found under SECURITY_BUILTIN_DOMAIN_RID.
const (
	DOMAIN_ALIAS_RID_ADMINS                         = 0x220
	DOMAIN_ALIAS_RID_USERS                          = 0x221
	DOMAIN_ALIAS_RID_GUESTS                         = 0x222
	DOMAIN_ALIAS_RID_POWER_USERS                    = 0x223
	DOMAIN_ALIAS_RID_ACCOUNT_OPS                    = 0x224
	DOMAIN_ALIAS_RID_SYSTEM_OPS                     = 0x225
	DOMAIN_ALIAS_RID_PRINT_OPS                      = 0x226
	DOMAIN_ALIAS_RID_BACKUP_OPS                     = 0x227
	DOMAIN_ALIAS_RID_REPLICATOR                     = 0x228
	DOMAIN_ALIAS_RID_RAS_SERVERS                    = 0x229
	DOMAIN_ALIAS_RID_PREW2KCOMPACCESS               = 0x22A
	DOMAIN_ALIAS_RID_REMOTE_DESKTOP_USERS           = 0x22B
	DOMAIN_ALIAS_RID_NETWORK_CONFIGURATION_OPS      = 0x22C
	DOMAIN_ALIAS_RID_INCOMING_FOREST_TRUST_BUILDERS = 0x22D
	DOMAIN_ALIAS_RID_MONITORING_USERS               = 0x22E
	DOMAIN_ALIAS_RID_LOGGING_USERS                  = 0x22F
	DOMAIN_ALIAS_RID_AUTHORIZATIONACCESS            = 0x230
	DOMAIN_ALIAS_RID_TS_LICENSE_SERVERS             = 0x231
	DOMAIN_ALIAS_RID_DCOM_USERS                     = 0x232
	DOMAIN_ALIAS_RID_IUSERS                         = 0x238
	DOMAIN_ALIAS_RID_CRYPTO_OPERATORS               = 0x239
	DOMAIN_ALIAS_RID_CACHEABLE_PRINCIPALS_GROUP     = 0x23B
	DOMAIN_ALIAS_RID_NON_CACHEABLE_PRINCIPALS_GROUP = 0x23C
	DOMAIN_ALIAS_RID_EVENT_LOG_READERS_GROUP        = 0x23D
	DOMAIN_ALIAS_RID_CERTSVC_DCOM_ACCESS_GROUP      = 0x23E
	DOMAIN_ALIAS_RID_RDS_REMOTE_ACCESS_SERVERS      = 0x23F
	DOMAIN_ALIAS_RID_RDS_ENDPOINT_SERVERS           = 0x240
	DOMAIN_ALIAS_RID_RDS_MANAGEMENT_SERVERS         = 0x241
	DOMAIN_ALIAS_RID_HYPER_V_ADMINS                 = 0x242
	DOMAIN_ALIAS_RID_ACCESS_CONTROL_ASSISTANCE_OPS  = 0x243
	DOMAIN_ALIAS_RID_REMOTE_MANAGEMENT_USERS        = 0x244
	DOMAIN_ALIAS_RID_DEFAULT_ACCOUNT                = 0x245
	DOMAIN_ALIAS_RID_STORAGE_REPLICA_ADMINS         = 0x246
	DOMAIN_ALIAS_RID_DEVICE_OWNERS                  = 0x247
)
Predefined domain-relative RIDs for local groups. See https://msdn.microsoft.com/en-us/library/windows/desktop/aa379649(v=vs.85).aspx
// Well-known domain-relative RIDs for users and groups in a domain (the RID
// follows the domain's own sub-authorities).
const (
	DOMAIN_GROUP_RID_ENTERPRISE_READONLY_DOMAIN_CONTROLLERS = 0x1F2 // 498
	DOMAIN_USER_RID_ADMIN                                   = 0x1F4 // 500
	DOMAIN_USER_RID_GUEST                                   = 0x1F5 // 501
	DOMAIN_GROUP_RID_ADMINS                                 = 0x200 // 512
	DOMAIN_GROUP_RID_USERS                                  = 0x201 // 513
	DOMAIN_GROUP_RID_GUESTS                                 = 0x202 // 514
	DOMAIN_GROUP_RID_COMPUTERS                              = 0x203 // 515
	DOMAIN_GROUP_RID_CONTROLLERS                            = 0x204 // 516
	DOMAIN_GROUP_RID_CERT_ADMINS                            = 0x205 // 517
	DOMAIN_GROUP_RID_SCHEMA_ADMINS                          = 0x206 // 518
	DOMAIN_GROUP_RID_ENTERPRISE_ADMINS                      = 0x207 // 519
	DOMAIN_GROUP_RID_POLICY_ADMINS                          = 0x208 // 520
	DOMAIN_GROUP_RID_READONLY_CONTROLLERS                   = 0x209 // 521
	DOMAIN_GROUP_RID_CLONEABLE_CONTROLLERS                  = 0x20A // 522
	DOMAIN_GROUP_RID_CDC_RESERVED                           = 0x20C // 524
	DOMAIN_GROUP_RID_PROTECTED_USERS                        = 0x20D // 525
	DOMAIN_GROUP_RID_KEY_ADMINS                             = 0x20E // 526
	DOMAIN_GROUP_RID_ENTERPRISE_KEY_ADMINS                  = 0x20F // 527
)
// RIDs under SECURITY_AUTHENTICATION_AUTHORITY, describing how the identity
// was asserted.
const (
	SECURITY_AUTHENTICATION_AUTHORITY_ASSERTED_RID       = 0x1
	SECURITY_AUTHENTICATION_SERVICE_ASSERTED_RID         = 0x2
	SECURITY_AUTHENTICATION_FRESH_KEY_AUTH_RID           = 0x3
	SECURITY_AUTHENTICATION_KEY_TRUST_RID                = 0x4
	SECURITY_AUTHENTICATION_KEY_PROPERTY_MFA_RID         = 0x5
	SECURITY_AUTHENTICATION_KEY_PROPERTY_ATTESTATION_RID = 0x6
)
// SID_MAX_SUB_AUTHORITIES is the largest SubAuthorityCount a SID may carry.
// Readers of SID bytes from an external source should reject a count above
// this before using it to size the SubAuthority array.
const SID_MAX_SUB_AUTHORITIES = 15
Maximum sub authority values present in a SID.
Variables ¶
// Well-known identifier authorities (SID.IdentifierAuthority). Each is a
// 6-byte big-endian value; for these well-known ones only the last byte
// differs. Declared as [6]byte, so convert before comparing with the
// [6]BYTE field of SID.
var (
	SECURITY_NULL_SID_AUTHORITY         = [6]byte{0, 0, 0, 0, 0, 0}
	SECURITY_WORLD_SID_AUTHORITY        = [6]byte{0, 0, 0, 0, 0, 1}
	SECURITY_LOCAL_SID_AUTHORITY        = [6]byte{0, 0, 0, 0, 0, 2}
	SECURITY_CREATOR_SID_AUTHORITY      = [6]byte{0, 0, 0, 0, 0, 3}
	SECURITY_NON_UNIQUE_AUTHORITY       = [6]byte{0, 0, 0, 0, 0, 4}
	SECURITY_NT_AUTHORITY               = [6]byte{0, 0, 0, 0, 0, 5}
	SECURITY_APP_PACKAGE_AUTHORITY      = [6]byte{0, 0, 0, 0, 0, 15}
	SECURITY_MANDATORY_LABEL_AUTHORITY  = [6]byte{0, 0, 0, 0, 0, 16}
	SECURITY_SCOPED_POLICY_ID_AUTHORITY = [6]byte{0, 0, 0, 0, 0, 17}
	SECURITY_AUTHENTICATION_AUTHORITY   = [6]byte{0, 0, 0, 0, 0, 18}
)
// LiteralSIDRegex matches a literal "SID(...)" token, stopping at the first
// ')' (non-greedy). '.' does not match newlines, so a token split across
// lines is not matched, and the match is case-sensitive.
var LiteralSIDRegex = regexp.MustCompile(`SID\(.*?\)`)
// StringRegex matches a double-quoted string token: either the empty string
// "" or a non-empty body that ends at the first '"' not preceded by a
// backslash. Two limits follow from the pattern itself: a body whose last
// character is an escaped backslash ("...\\") does not terminate at that
// quote, so the match runs on to the next one; and '.' does not match
// newlines. On untrusted input a malformed token can therefore swallow the
// following text into a single match — presumably the caller validates the
// result; verify.
var StringRegex = regexp.MustCompile(`("")|(".*?[^\\]")`)
Functions ¶
func CanonicalizeSid ¶
Convert a possibly non-numeric SID to numeric SID.
func OSTranslateSID ¶
Note that all callers of OSTranslateSID handle the error gracefully rather than propagating it.
func QuerySecurityObject ¶
func QuerySecurityObject(path string, flags SECURITY_INFORMATION) ([]byte, error)
QuerySecurityObject is the equivalent of the ntdll.NtQuerySecurityObject method. It fetches the binary SECURITY_DESCRIPTOR for the given file. 'flags' instructs which parts of the Security Descriptor need to be queried. Returns a valid binary SECURITY_DESCRIPTOR_RELATIVE structure as a byte slice.
func SecurityDescriptorFromString ¶
SecurityDescriptorFromString converts a SDDL formatted string into a binary Security Descriptor in SECURITY_DESCRIPTOR_RELATIVE format.
func SecurityDescriptorToString ¶
SecurityDescriptorToString returns an SDDL format string corresponding to the passed in binary Security Descriptor in SECURITY_DESCRIPTOR_RELATIVE format.
func SetControl ¶
func SetControl(sd []byte, controlBitsOfInterest, controlBitsToSet SECURITY_DESCRIPTOR_CONTROL) error
SetControl sets the requested control bits in the given security descriptor.
func SetSecurityObject ¶
func SetSecurityObject(path string, flags SECURITY_INFORMATION, sd []byte) error
SetSecurityObject is the equivalent of the ntdll.NtSetSecurityObject method. It sets the given SECURITY_DESCRIPTOR for the given file. flags instructs which parts need to be set. sd should be a valid binary SECURITY_DESCRIPTOR_RELATIVE structure as a byte slice.
Types ¶
type ACCESS_ALLOWED_ACE ¶
// ACCESS_ALLOWED_ACE is a single ACE: a header, the access mask, and the SID
// the mask applies to. Sid uses the fixed SID template, but a real SID is
// variable length (SubAuthorityCount DWORDs), so this struct describes the
// layout prefix rather than a fixed-size record.
type ACCESS_ALLOWED_ACE struct {
	Header ACE_HEADER
	// What permissions is this ACE controlling?
	AccessMask DWORD
	// SID to which these permissions apply.
	Sid SID
}
Single ACE (Access Control Entry). One or more of these are contained in an ACL. The Linux equivalent struct is "struct cifs_ace".
type ACE_HEADER ¶
Header at the beginning of every ACE.
type ACL ¶
Binary ACL format. Used for both DACL and SACL. The Linux equivalent struct is "struct cifs_acl".
type ACLEntry ¶
// ACLEntry is one ACE of an SDDL ACL, kept as its raw fields. Sections is
// presumably the ';'-separated field list in order (the SID-bearing ones are
// field 5 and field 6) — verify against ParseSDDL.
type ACLEntry struct {
	Sections []string
}
Field 5 and field 6 will contain SIDs. Field 5 is a lone SID, but field 6 will contain SIDs under SID(.*).
type ACLList ¶
func (*ACLList) PortableString ¶
PortableString returns an SDDL string in which generic, well-known SID aliases (such as DU, DA, etc.) have been replaced with domain-specific SIDs. This avoids mixing up the admins of one domain with those of another. Azure Files requires that we do this.
type BYTE ¶
// BYTE mirrors the Windows BYTE type (an unsigned 8-bit value).
type BYTE byte
Some Windows type names, defined for increased readability of the various Windows structs used here.
type SDDLString ¶
Owner and group SIDs need replacement
func ParseSDDL ¶
func ParseSDDL(input string) (sddl SDDLString, err error)
func (SDDLString) Compare ¶
func (s SDDLString) Compare(other SDDLString) bool
func (*SDDLString) PortableString ¶
func (s *SDDLString) PortableString() string
func (*SDDLString) String ¶
func (s *SDDLString) String() string
type SECURITY_DESCRIPTOR_CONTROL ¶
// SECURITY_DESCRIPTOR_CONTROL is the WORD-sized Control field of a security
// descriptor; its bits are the SE_* constants.
type SECURITY_DESCRIPTOR_CONTROL WORD
This is the NT Security Descriptor in "Self Relative" format. It is what is returned when the common.CIFS_XATTR_CIFS_NTSD xattr is queried for a file. The Linux equivalent struct is "struct cifs_ntsd".
func GetControl ¶
func GetControl(sd []byte) (SECURITY_DESCRIPTOR_CONTROL, error)
GetControl returns the security descriptor control bits.
type SECURITY_DESCRIPTOR_RELATIVE ¶
// SECURITY_DESCRIPTOR_RELATIVE is the self-relative security descriptor
// layout: each Offset* field locates a structure inside the same byte slice
// (presumably 0 means absent — verify against the parser). Nothing in the
// type enforces the offsets; when the slice comes from outside (a
// QuerySecurityObject result or a caller-supplied sd), a reader must check
// that each offset plus the referenced structure fits within len(sd) before
// dereferencing it.
type SECURITY_DESCRIPTOR_RELATIVE struct {
	// Revision number of this SECURITY_DESCRIPTOR. Must be 1.
	Revision BYTE
	// Zero byte.
	Sbz1 BYTE
	// Flag bits describing this SECURITY_DESCRIPTOR (SE_* constants).
	Control SECURITY_DESCRIPTOR_CONTROL
	// Offset of owner sid. There's a SID structure at this offset.
	OffsetOwner DWORD
	// Offset of primary group sid. There's a SID structure at this offset.
	OffsetGroup DWORD
	// Offset of SACL. There's an ACL structure at this offset.
	OffsetSacl DWORD
	// Offset of DACL. There's an ACL structure at this offset.
	OffsetDacl DWORD
	// 0 or more bytes (depending on the various offsets above) follow this structure.
	Data [0]BYTE
}
type SECURITY_INFORMATION ¶
// SECURITY_INFORMATION selects which parts of a security descriptor a query
// or update applies to; its bits are the *_SECURITY_INFORMATION constants.
type SECURITY_INFORMATION uint32
type SID ¶
// SID is the binary security identifier layout. SubAuthority is declared with
// a single element only as a placeholder: the real structure carries
// SubAuthorityCount DWORDs, so a SID is variable length and its size must be
// derived from SubAuthorityCount (bounded by SID_MAX_SUB_AUTHORITIES), never
// from the size of this Go type.
type SID struct {
	// Must be SID_REVISION (1).
	Revision BYTE
	// How many DWORD SubAuthority values? Cannot be 0, max possible value is SID_MAX_SUB_AUTHORITIES.
	SubAuthorityCount BYTE
	// IdentifierAuthority is in big endian format.
	IdentifierAuthority [6]BYTE
	// SubAuthorityCount SubAuthority DWORDs.
	SubAuthority [1]DWORD
}
SID structure. The Linux equivalent struct is "struct cifs_sid".