Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/trailofbits/windows-acl

Rust crate to simplify Windows ACL operations
https://github.com/trailofbits/windows-acl

access-control acl windows

Last synced: 3 months ago
JSON representation

Rust crate to simplify Windows ACL operations

Host: GitHub
URL: https://github.com/trailofbits/windows-acl
Owner: trailofbits
License: mit
Created: 2018-04-12T17:50:47.000Z (almost 7 years ago)
Default Branch: master
Last Pushed: 2023-06-09T18:42:36.000Z (over 1 year ago)
Last Synced: 2024-10-06T17:36:31.765Z (4 months ago)
Topics: access-control, acl, windows
Language: Rust
Homepage: https://blog.trailofbits.com/2018/08/23/introducing-windows-acl-working-with-acls-in-rust/
Size: 656 KB
Stars: 18
Watchers: 33
Forks: 7
Open Issues: 4
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

        # windows-acl

[![CI](https://github.com/trailofbits/windows-acl/actions/workflows/ci.yml/badge.svg)](https://github.com/trailofbits/windows-acl/actions/workflows/ci.yml)

[![Crates.io](https://img.shields.io/crates/v/windows-acl)](https://crates.io/crates/windows-acl)

Rust library to simplify Windows ACL operations.

## Using windows-acl

First, add the following line to the dependencies section of the project’s `Cargo.toml` file.

```

winapi = “0.3.5”

windows-acl = “0.3.0”

```

In the main Rust source code file, add the _windows-acl_ external crate and import the symbols as follows:

```rust

extern crate winapi;

extern crate windows_acl;

use winapi::um::winnt::{

    PSID, FILE_GENERIC_READ, FILE_GENERIC_EXECUTE, FILE_GENERIC_WRITE,

    FILE_ALL_ACCESS, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP,

    SYSTEM_MANDATORY_LABEL_NO_READ_UP, SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP

};

use windows_acl::acl::ACL;

```

**NOTE:** Altering system ACL entries require either Administrator privileges or the ability to acquire the `SeSecurityPrivilege` privilege.

### Adding a mandatory integrity label

```rust

    let high_integrity_level_sid = string_to_sid("S-1-16-12288").unwrap();

    let mut acl = ACL::from_file_path("C:\\Users\\andy\\work\\high_il", true).unwrap();

    // Set high_il to be a high integrity level directory

    match acl.integrity_level(

                high_integrity_level_sid.as_ptr() as PSID,

                true,

                SYSTEM_MANDATORY_LABEL_NO_WRITE_UP |

                    SYSTEM_MANDATORY_LABEL_NO_READ_UP |

                    SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP

            ) {

        Ok(status) => {

            if !status {

                println!("We had an internal issue trying to add high integrity level to high_il");

            }

        },

        Err(code) => {

            println!("Failed to add high integrity level to high_il: error={}", code);

        }

    }

```

### Adding an audit entry

```rust

    let world_sid = string_to_sid("S-1-1-0").unwrap();

    let mut acl = ACL::from_file_path("C:\\Users\\andy\\work\\sensitive_files", true).unwrap();

    // Audit every file operation in sensitive_files from anyone in the Everyone group

    match acl.audit(

                world_sid.as_ptr() as PSID,

                true,

                FILE_ALL_ACCESS,

                true,

                true

            ) {

        Ok(status) => {

            if !status {

                println!("We had an internal issue trying to add audit entry to sensitive_files");

            }

        },

        Err(code) => {

            println!("Failed to add audit entry to sensitive_files: error={}", code);

        }

    }

```

### Denying guest access to a directory

```rust

    let guests = string_to_sid("S-1-5-32-546").unwrap();

    let mut acl = ACL::from_file_path("C:\\Users\\andy\\work\\sensitive_files", false).unwrap();

    // Guests cannot read anything in this directory. However, they can still drop files there

    match acl.deny(guests.as_ptr() as PSID, true, FILE_GENERIC_READ) {

        Ok(status) => {

            if !status {

                println!("We had an internal issue trying to add a deny entry to sensitive_files");

            }

        },

        Err(code) => {

            println!("Failed to add deny entry: error={}", code);

        }

    }

```

### Removing entries

```rust

    let world_sid = string_to_sid("S-1-1-0").unwrap();

    let mut acl = ACL::from_file_path("C:\\Users\\andy\\work\\sensitive_files", true).unwrap();

    // Remove a SystemAudit entry; remove() can also remove DACL entries as well

    match acl.remove(world_sid.as_ptr() as PSID, Some(AceType::SystemAudit), None) {

        Ok(removed) => {

            println!("Removed {} entries", removed);

        },

        Err(code) => {

            println!("Failed to remove entry: error={}", code);

        }

    }

```

## Example Applications

See `query_acl.rs` in the `example/` directory.

## Unit Tests

The current unit tests expect to be run in a single threaded environment with elevated privileges. By default, Rust executes unit tests with multiple threads. To successfully run tests, the following must be done:

 1. Open an elevated privilege/Administrator Command Prompt or Powershell Terminal.

 2. Set the `RUST_TEST_THREADS` environment variable to 1.

 3. Run `cargo test`