windows-acl 0.3.0

Rust crate to simplify Windows ACL operations
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192

# Enable security privilege
# Below taken from Set-LHSTokenPrivilege.ps1
$definition = @'
 using System;
 using System.Runtime.InteropServices;
  
 public class AdjPriv
 {
  [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
  internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall, ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
  
  [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
  internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);

  [DllImport("advapi32.dll", SetLastError = true)]
  internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);

  [StructLayout(LayoutKind.Sequential, Pack = 1)]
  internal struct TokPriv1Luid
  {
   public int Count;
   public long Luid;
   public int Attr;
  }
  
  internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
  internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
  internal const int TOKEN_QUERY = 0x00000008;
  internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;

  public static bool EnablePrivilege(long processHandle, string privilege, bool disable)
  {
   bool retVal;
   TokPriv1Luid tp;
   IntPtr hproc = new IntPtr(processHandle);
   IntPtr htok = IntPtr.Zero;
   retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
   tp.Count = 1;
   tp.Luid = 0;
   if(disable)
   {
    tp.Attr = SE_PRIVILEGE_DISABLED;
   }
   else
   {
    tp.Attr = SE_PRIVILEGE_ENABLED;
   }
   retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
   retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
   return retVal;
  }
 }
'@

$processHandle = (Get-Process -id $PID).Handle
    
$type = Add-Type $definition -PassThru
$null = $type[0]::EnablePrivilege($processHandle, "SeSecurityPrivilege", $false)
$null = $type[0]::EnablePrivilege($processHandle, "SeTakeOwnershipPrivilege", $false)

# Setup supportPath
$supportPath = Split-Path $SCRIPT:MyInvocation.MyCommand.Path -Parent
$supportPath = Join-Path -Path $supportPath -ChildPath "testfiles"

# Create a new directory at supportPath by removing the old one (if it exists)
Remove-Item -Recurse -Path $supportPath -ErrorAction SilentlyContinue
$null = New-Item -ItemType directory $supportPath -ErrorAction SilentlyContinue

$testDirs = @(
    "query_test",
    "query_sacl_test"
)

$testFiles = @(
    "dacl_deny_file",
    "dacl_deny_handle",
    "dacl_allow_file",
    "dacl_allow_handle",
    "sacl_audit_file",
    "sacl_mil_file",
    "acl_get_and_remove"
)

ForEach ($testDir in $testDirs) {
    $queryPath = Join-Path -Path $supportPath -ChildPath $testDir
    Remove-Item -Recurse -Path $queryPath -ErrorAction SilentlyContinue
    $null = New-Item -ItemType directory $queryPath -ErrorAction SilentlyContinue
}

ForEach ($testFile in $testFiles) {
    $queryPath = Join-Path -Path $supportPath -ChildPath $testFile
    Remove-Item -Recurse -Path $queryPath -ErrorAction SilentlyContinue
    $null = New-Item -ItemType file $queryPath -ErrorAction SilentlyContinue
    Set-Content -Path $queryPath -Value $testFile
}

function ResetDaclEntries {
    # For a given path, remove all the Everyone and current user access control entries
    param(
        [string] $Path 
    )
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)
    $acl | Set-Acl -Path $Path

    $userRule = New-Object System.Security.AccessControl.FileSystemAccessRule $currentUser, "Read", "Allow"
    $adminRule = New-Object System.Security.AccessControl.FileSystemAccessRule "Administrators", "Read", "Allow"
    $everyoneRule = New-Object System.Security.AccessControl.FileSystemAccessRule "Everyone", "Read", "Allow"
    $authusersRule = New-Object System.Security.AccessControl.FileSystemAccessRule "Authenticated Users", "Read", "Allow"
    
    $acl = Get-Acl -Path $Path
    $acl.RemoveAccessRuleAll($userRule)
    $acl.RemoveAccessRuleAll($adminRule)
    $acl.RemoveAccessRuleAll($everyoneRule)
    $acl.RemoveAccessRuleAll($authusersRule)
    $acl | Set-Acl -Path $Path    
}

$currentUser = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

# Setup query_test
$queryPath = Join-Path -Path $supportPath -ChildPath "query_test"

$guestRule = New-Object System.Security.AccessControl.FileSystemAccessRule "Guest", "ReadAndExecute", "Deny"
$userRule = New-Object System.Security.AccessControl.FileSystemAccessRule $currentUser, "FullControl", "Allow"

$acl = Get-Acl -Path $queryPath
$acl.SetAccessRule($guestRule)
$acl.SetAccessRule($userRule)
$acl | Set-Acl -Path $queryPath

# Setup query_sacl_test
$queryPath = Join-Path -Path $supportPath -ChildPath "query_sacl_test"

$auditRule = New-Object System.Security.AccessControl.FileSystemAuditRule "Everyone", "Read,Write", "Success,Failure"

$acl = Get-Acl -Path $queryPath
$acl.SetAuditRule($auditRule)
$acl | Set-Acl -Path $queryPath

# Setup dacl_deny_file
$queryPath = Join-Path -Path $supportPath -ChildPath "dacl_deny_file"
ResetDaclEntries -Path $queryPath

$userRule = New-Object System.Security.AccessControl.FileSystemAccessRule $currentUser, "Read, Write", "Allow"

$acl = Get-Acl -Path $queryPath
$null = $acl.SetAccessRule($userRule)
$acl | Set-Acl -Path $queryPath

# Setup dacl_deny_handle
$queryPath = Join-Path -Path $supportPath -ChildPath "dacl_deny_handle"
ResetDaclEntries -Path $queryPath

$userRule = New-Object System.Security.AccessControl.FileSystemAccessRule $currentUser, "Read, Write, ChangePermissions", "Allow"

$acl = Get-Acl -Path $queryPath
$null = $acl.SetAccessRule($userRule)
$acl | Set-Acl -Path $queryPath

# Setup dacl_allow_file
$queryPath = Join-Path -Path $supportPath -ChildPath "dacl_allow_file"
ResetDaclEntries -Path $queryPath

$userRule = New-Object System.Security.AccessControl.FileSystemAccessRule $currentUser, "Read", "Allow"

$acl = Get-Acl -Path $queryPath
$null = $acl.SetAccessRule($userRule)
$acl | Set-Acl -Path $queryPath

# Setup dacl_allow_handle
$queryPath = Join-Path -Path $supportPath -ChildPath "dacl_allow_handle"
ResetDaclEntries -Path $queryPath

$userRule = New-Object System.Security.AccessControl.FileSystemAccessRule $currentUser, "Read, ChangePermissions", "Allow"

$acl = Get-Acl -Path $queryPath
$null = $acl.SetAccessRule($userRule)
$acl | Set-Acl -Path $queryPath

# Setup acl_get_and_remove
$queryPath = Join-Path -Path $supportPath -ChildPath "acl_get_and_remove"

$readRule = New-Object System.Security.AccessControl.FileSystemAccessRule "Guest", "Read", "Allow"
$writeRule = New-Object System.Security.AccessControl.FileSystemAccessRule "Guest", "Write", "Deny"
$auditRule = New-Object System.Security.AccessControl.FileSystemAuditRule "Guest", "Read, Write", "Success,Failure"

$acl = Get-Acl -Path $queryPath
$null = $acl.SetAccessRule($writeRule)
$null = $acl.SetAccessRule($readRule)
$null = $acl.SetAuditRule($auditRule)
$acl | Set-Acl -Path $queryPath