-
Notifications
You must be signed in to change notification settings - Fork 1
/
security_info.go
94 lines (76 loc) · 1.96 KB
/
security_info.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
//go:build windows
package acl
import (
"unsafe"
"golang.org/x/sys/windows"
)
type securityArgs struct {
path string
owner *windows.SID
group *windows.SID
access []windows.EXPLICIT_ACCESS
}
func (a *securityArgs) ToSecurityAttributes() (*windows.SecurityAttributes, error) {
// define empty security descriptor
sd, err := windows.NewSecurityDescriptor()
if err != nil {
return nil, err
}
err = sd.SetOwner(a.owner, false)
if err != nil {
return nil, err
}
err = sd.SetGroup(a.group, false)
if err != nil {
return nil, err
}
// define security attributes using descriptor
var sa windows.SecurityAttributes
sa.Length = uint32(unsafe.Sizeof(sa))
sa.SecurityDescriptor = sd
if len(a.access) == 0 {
// security attribute should simply inherit parent rules
sa.InheritHandle = 1
return &sa, nil
}
// apply provided access rules to the DACL
dacl, err := a.ToDACL()
if err != nil {
return nil, err
}
err = sd.SetDACL(dacl, true, false)
if err != nil {
return nil, err
}
// set the protected DACL flag to prevent the DACL of the security descriptor from being modified by inheritable ACEs
// (i.e. prevent parent folders from modifying this ACL)
err = sd.SetControl(windows.SE_DACL_PROTECTED, windows.SE_DACL_PROTECTED)
if err != nil {
return nil, err
}
return &sa, nil
}
func (a *securityArgs) ToSecurityInfo() windows.SECURITY_INFORMATION {
var securityInfo windows.SECURITY_INFORMATION
if a.owner != nil {
// override owner
securityInfo |= windows.OWNER_SECURITY_INFORMATION
}
if a.group != nil {
// override group
securityInfo |= windows.GROUP_SECURITY_INFORMATION
}
if len(a.access) != 0 {
// override DACL
securityInfo |= windows.DACL_SECURITY_INFORMATION
securityInfo |= windows.PROTECTED_DACL_SECURITY_INFORMATION
}
return securityInfo
}
func (a *securityArgs) ToDACL() (*windows.ACL, error) {
if len(a.access) == 0 {
// No rules were specified
return nil, nil
}
return windows.ACLFromEntries(a.access, nil)
}