How are "absolute" and "self-relative" security descriptors manipulated in C#?

Question

I'm toying with code from here that uses RawSecurityDescriptor class to read a security descriptor from Windows registry, alter it and then store the altered descriptor back. That's basically the same as what "dcomperm" Microsoft SDK sample does.

Yet "dcomperm" sample does two conversions - once the descriptor is read from the registry it is converted from "selt-relative" to "absolute" using MakeAbsoluteSD() and then altered in that form and once the alteration is complete it is converted back to "self-relative" using MakeSelfRelativeSD() and stored in "self-relative" form.

In the code I link to there're no such conversions.

How are they done in C#? Are they done internally by the .NET framework or do I have to do them on my own with P/Invoke?

Answer 1

As I understand it, the classes in the System.Security.AccessControl namespace like RawSecurityDescriptor, RawAcl etc provide managed representatons of the information in the corresponding Win32 constructs. So an instance of RawSecurityDescriptor is a .NET object, with fields which are also .NET objects (including, for example, two RawAcl objects for the DACL and the SACL). This managed representation is not directly related to either the absolute or the self-relative form of unmanaged SecurityDescriptor.

The RawSecurityDescriptor class provides conversions to and from the managed representation, one to the textual SDDL representation (not relevant to your question) and one to what it calls "BinaryForm", which corresponds to the Win32 self-relative structure, representing the SD as a contiguous array of bytes.

Your managed code sample uses the ctor for RawSecurityDescriptor which converts from the self-relative byte array stored in the registry, to the managed representation. The changes are then made to the managed representation using .NET code, and at the end the GetBinaryForm method is called to convert the amended SD back to the self-relative unmanaged form to store in the registry. Thus the managed code never needs to concern itself with any absolute SD structure.

Unmanaged code does need to make the conversion each way because some of the Win32 APIs called to change the SD require the absolute form.