├── .dockerignore ├── .gitignore ├── .travis.yml ├── http_test.go ├── service └── gosddl │ └── main.go ├── Dockerfile ├── http.go ├── gosddl_test.go ├── README.md ├── gosddl.go ├── maps.go └── LICENSE /.dockerignore: -------------------------------------------------------------------------------- 1 | Dockerfile -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .idea 2 | 3 | # Binaries for programs and plugins 4 | *.exe 5 | *.exe~ 6 | *.dll 7 | *.so 8 | *.dylib 9 | 10 | # Test binary, build with `go test -c` 11 | *.test 12 | 13 | # Output of the go coverage tool, specifically when used with LiteIDE 14 | *.out -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | language: go 2 | 3 | go: 4 | - master 5 | 6 | install: 7 | - go get -t -v ./... 8 | 9 | script: 10 | - go build ./... 
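  - go test -v
  - go test -race -coverprofile=coverage.txt -covermode=atomic

after_success:
  # NOTE(review): this downloads and executes a remote script with no version
  # pin or checksum, so whoever controls that URL controls this CI job (the
  # Codecov bash uploader was tampered with in exactly this way in 2021). Pin a
  # release and verify its checksum before running it.
  - bash <(curl -s https://codecov.io/bash)
--------------------------------------------------------------------------------
/http_test.go:
--------------------------------------------------------------------------------
package gosddl

import (
	"net/http"
	"net/http/httptest"
	"testing"
)

// TestGetInfo checks the GET /sddl liveness endpoint: status 200 and the JSON
// string "Hello" followed by the newline that json.Encoder appends.
func TestGetInfo(t *testing.T) {
	req, err := http.NewRequest("GET", "/sddl", nil)
	if err != nil {
		t.Fatal(err)
	}
	rr := httptest.NewRecorder()
	http.HandlerFunc(getInfo).ServeHTTP(rr, req)
	if rr.Code != http.StatusOK {
		t.Errorf("handler returned wrong status code: got %v want %v",
			rr.Code, http.StatusOK)
	}
	const expected = "\"Hello\"\n"
	if got := rr.Body.String(); got != expected {
		t.Errorf("handler returned unexpected body: got %v want %v",
			got, expected)
	}
}
--------------------------------------------------------------------------------
/service/gosddl/main.go:
--------------------------------------------------------------------------------
package main

import (
	"flag"
	"fmt"
	"os"

	"github.com/MonaxGT/gosddl"
)

// main runs gosddl either as a one-shot converter (the first positional
// argument is the SDDL string; JSON goes to stdout) or, with -api, as an
// HTTP service on -port. Usage errors exit with status 2, conversion errors
// with status 1; neither dumps a Go stack trace the way the former panic did.
func main() {
	apiPtr := flag.Bool("api", false, "Use API mode")
	apiPortPtr := flag.String("port", ":8000", "Default port 8000")
	fileSIDs := flag.String("f", "", "File with users's SIDs")
	flag.Parse()

	var app gosddl.ACLProcessor
	app.File = *fileSIDs

	if *apiPtr {
		fmt.Println("API Interface started on port", *apiPortPtr)
		// HTTPHandler blocks for the life of the server and terminates the
		// process itself (log.Fatal) when the listener fails.
		app.HTTPHandler(*apiPortPtr)
		return
	}

	// flag.Args() is an empty but non-nil slice when no operand was given, so
	// comparing it against nil (as before) let flag.Args()[0] panic with an
	// index out of range. Check the length instead.
	if len(flag.Args()) == 0 {
		fmt.Fprintln(os.Stderr, "You should give me SDDL string or use API mode")
		flag.Usage()
		os.Exit(2)
	}
	if err := app.Processor(flag.Args()[0]); err != nil {
		fmt.Fprintln(os.Stderr, "gosddl:", err)
		os.Exit(1)
	}
	// Success: the JSON has already been printed by Processor. The previous
	// version fell through to an unconditional panic here, so every
	// successful conversion still ended with a stack trace and exit status 2.
}
--------------------------------------------------------------------------------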
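/Dockerfile:
--------------------------------------------------------------------------------
FROM golang:alpine AS build-env
# NOTE(review): golang:alpine is a floating tag and `go get -t .` below pulls
# whatever dependency versions are current (the repository has no go.mod/go.sum
# or vendor directory), so two builds of the same commit are not guaranteed to
# produce the same binary. Pin the base image by digest and lock dependencies
# before relying on this image.
LABEL maintainer "Alexander Makhinov " \
      repository="https://github.com/MonaxGT/gosddl"

COPY . /go/src/github.com/MonaxGT/gosddl

RUN apk add --no-cache git mercurial \
    && cd /go/src/github.com/MonaxGT/gosddl/service/gosddl \
    && go get -t . \
    && CGO_ENABLED=0 go build -ldflags="-s -w" \
        -a \
        -installsuffix static \
        -o /gosddl
# Unprivileged runtime user; its /etc/passwd entry is copied into the scratch
# image so `USER app` can resolve the name.
RUN adduser -D app

FROM scratch

COPY --from=build-env /gosddl /app/gosddl
COPY --from=build-env /etc/passwd /etc/passwd

USER app

VOLUME /app/data

WORKDIR /app/data

# Absolute path: the former "../gosddl" only worked because WORKDIR happens to
# be /app/data, and would silently break if WORKDIR were changed.
ENTRYPOINT ["/app/gosddl"]
--------------------------------------------------------------------------------
/http.go:
--------------------------------------------------------------------------------
package gosddl

import (
	"encoding/json"
	"log"
	"net/http"
	"time"

	"github.com/gorilla/mux"
)

// getInfo is the liveness endpoint: every GET /sddl is answered with the JSON
// string "Hello" (see http_test.go).
func getInfo(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	if err := json.NewEncoder(w).Encode("Hello"); err != nil {
		log.Println("encoding response:", err)
	}
}

// decode answers GET /sddl/{sddl} with the JSON form of the SDDL string.
//
// Each request parses into its own ACLProcessor value that shares only the
// SID-file path with the receiver. The parser writes into
// ACLProcessor.Rights, so parsing on the shared receiver (as before) was a
// data race between concurrent requests and could hand one caller's ACEs to
// another. A string the parser rejects is a 400, not a 200 with stale or
// partial Rights.
func (app *ACLProcessor) decode(w http.ResponseWriter, r *http.Request) {
	sddl := mux.Vars(r)["sddl"]
	if sddl == "" {
		http.Error(w, "missing SDDL string", http.StatusBadRequest)
		return
	}
	req := ACLProcessor{File: app.File}

	// The parser indexes into the caller-supplied string in several places
	// without bounds checks; convert a panic into a logged 400 rather than a
	// silently dropped connection. (log.Fatal calls inside the parser are not
	// recoverable here and still terminate the process.)
	defer func() {
		if rec := recover(); rec != nil {
			log.Printf("panic decoding SDDL %q: %v", sddl, rec)
			http.Error(w, "malformed SDDL string", http.StatusBadRequest)
		}
	}()

	if err := req.findGroupIndex(sddl); err != nil {
		log.Printf("rejecting SDDL %q: %v", sddl, err)
		http.Error(w, "malformed SDDL string", http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	if err := json.NewEncoder(w).Encode(req.Rights); err != nil {
		log.Println("encoding response:", err)
	}
}

// HTTPHandler serves the API on port (a ":port" or "host:port" string as given
// to the -port flag; the default ":8000" listens on every interface) until
// the listener fails, which is fatal.
//
// The server carries read/write/idle timeouts so a slow or idle client cannot
// hold a connection indefinitely; http.ListenAndServe sets none. There is no
// authentication on this API, so bind it to an address you intend to expose.
func (app *ACLProcessor) HTTPHandler(port string) {
	router := mux.NewRouter()
	router.HandleFunc("/sddl", getInfo).Methods("GET")
	router.HandleFunc("/sddl/{sddl}", app.decode).Methods("GET")

	srv := &http.Server{
		Addr:              port,
		Handler:           router,
		ReadHeaderTimeout: 5 * time.Second,
		ReadTimeout:       10 * time.Second,
		WriteTimeout:      10 * time.Second,
		IdleTimeout:       60 * time.Second,
	}
	log.Fatal(srv.ListenAndServe())
}
--------------------------------------------------------------------------------
/gosddl_test.go: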
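--------------------------------------------------------------------------------
package gosddl

import (
	"io/ioutil"
	"os"
	"path/filepath"
	"testing"
)

// TestProcessor checks that a string containing owner and group markers is
// accepted by the command-line entry point.
func TestProcessor(t *testing.T) {
	var app ACLProcessor
	if err := app.Processor("{O:WA,G:SA}"); err != nil {
		t.Error(err)
	}
}

// TestFindGroupIndex checks that owner and group markers are located.
func TestFindGroupIndex(t *testing.T) {
	var app ACLProcessor
	if err := app.findGroupIndex("{O:WA,G:SA}"); err != nil {
		t.Error(err)
	}
}

// TestFindGroupIndex2 checks a string with all four groups, including a DACL
// and a SACL with a control-flag prefix.
func TestFindGroupIndex2(t *testing.T) {
	var app ACLProcessor
	if err := app.findGroupIndex("{O:WA,G:SA,D:(SA;DA;;;;DA),S:AI(SA;DA;;;;ST)}"); err != nil {
		t.Error(err)
	}
}

// TestSidReplace writes a SID,User mapping into a temporary directory and
// checks the lookup. The fixture used to be a fixed "test.txt" in the working
// directory, which a test run could overwrite and delete if such a file
// already existed there.
func TestSidReplace(t *testing.T) {
	dir, err := ioutil.TempDir("", "gosddl")
	if err != nil {
		t.Fatal("can't create temp dir:", err)
	}
	defer os.RemoveAll(dir)

	path := filepath.Join(dir, "test.txt")
	if err := ioutil.WriteFile(path, []byte("S-10-10,User\n"), 0600); err != nil {
		t.Fatal("can't write data test.txt:", err)
	}

	if got := checkSIDsFile(path, "S-10-10"); got != "User" {
		t.Errorf("replaced name doesn't match result: %s", got)
	}
	// A SID that is not in the file comes back unchanged.
	if got := checkSIDsFile(path, "S-1-5-99"); got != "S-1-5-99" {
		t.Errorf("unknown SID should be returned as-is, got: %s", got)
	}
}

// TestReplacer checks resolution of a well-known SID.
func TestReplacer(t *testing.T) {
	var app ACLProcessor
	if got := app.sidReplace("S-1-5-2"); got != "Network" {
		t.Errorf("replaced name doesn't match result: %s", got)
	}
}

// TestSplitBodyACL checks that a six-field ACE body yields an account SID.
func TestSplitBodyACL(t *testing.T) {
	var app ACLProcessor
	if result := app.splitBodyACL("SA;DA;;;;ST"); result.AccountSid == "" {
		t.Error("function return nil data")
	}
}
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------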
GoSDDL (Security Descriptor Definition Language) 2 | =============================================== 3 | [![Build Status](https://travis-ci.org/MonaxGT/gosddl.svg?branch=master)](https://travis-ci.org/MonaxGT/gosddl) 4 | [![Codacy Badge](https://api.codacy.com/project/badge/Grade/70d6bf54dd2547d894ee7ba7a9247285)](https://app.codacy.com/app/MonaxGT/gosddl?utm_source=github.com&utm_medium=referral&utm_content=MonaxGT/gosddl&utm_campaign=Badge_Grade_Dashboard) 5 | [![Maintainability](https://api.codeclimate.com/v1/badges/69e05e119408b9f830d4/maintainability)](https://codeclimate.com/github/MonaxGT/gosddl/maintainability) 6 | [![Go Report Card](https://goreportcard.com/badge/github.com/MonaxGT/gosddl)](https://goreportcard.com/report/github.com/MonaxGT/gosddl) 7 | 8 | Converter from an SDDL string to user-friendly JSON. An SDDL string consists of four parts: Owner, Primary Group, DACL, SACL. 9 | This converter works in two modes: 10 | 11 | 1) Direct (the SDDL string is passed as a command-line argument) 12 | 2) API (an HTTP service with no authentication of its own) 13 | 14 | You can attach a file mapping SIDs to usernames; every SID in the output that is not a well-known SID is then replaced by the matching username from the file. 15 | Pass the file with the -f option.
The file must use the format below (one `SID,Username` pair per line): 16 | 17 | ```sh 18 | S-1-XXXX,Username1 19 | S-1-YYYY,Username2 20 | ``` 21 | 22 | Installing 23 | ------------------------------------------------ 24 | 25 | To start using gosddl, install Go and fetch the command-line tool. It lives in `service/gosddl` (`gosddl.go` at the repository root is the library package, not a program): 26 | 27 | ```sh 28 | $ go get -u github.com/MonaxGT/gosddl/service/gosddl 29 | ``` 30 | 31 | Direct usage example 32 | ------------------------------------------------ 33 | 34 | ```sh 35 | go run ./service/gosddl "D:(A;;GA;;;S-1-5-21-111111111-1111111111-1111111111-11111)(A;;GA;;;SY)(A;;GXGR;;;S-1-5-5-1-1111111111)(A;;GA;;;BA)" 36 | 37 | {"owner":"","primary":"","dacl":[{"accountsid":"S-1-5-21-111111111-1111111111-1111111111-11111","aceType":"ACCESS ALLOWED","aceflags":[""],"rights":["GENERIC_ALL"],"objectguid":"","InheritObjectGuid":""},{"accountsid":"Local system","aceType":"ACCESS ALLOWED","aceflags":[""],"rights":["GENERIC_ALL"],"objectguid":"","InheritObjectGuid":""},{"accountsid":"S-1-5-5-1-1111111111","aceType":"ACCESS ALLOWED","aceflags":[""],"rights":["GENERIC_EXECUTE","GENERIC_READ"],"objectguid":"","InheritObjectGuid":""},{"accountsid":"Built-in administrators","aceType":"ACCESS ALLOWED","aceflags":[""],"rights":["GENERIC_ALL"],"objectguid":"","InheritObjectGuid":""}],"daclInheritFlags":null,"sacl":null,"saclInheritFlags":null} 38 | ``` 39 | Note that the field names the current code emits are the JSON tags in `gosddl.go` (`accountSID`, `aceType`, `aceFlags`, `rights`, `objectGUID`, `inheritObjectGUID`, `daclInheritFlags`, `saclInheritFlags`), and empty fields are omitted; the sample above uses older names. 40 | 41 | API usage example 42 | ------------------------------------------------ 43 | 44 | ```sh 45 | go run ./service/gosddl -api
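ALLOWED","aceflags":[""],"rights":["GENERIC_EXECUTE","GENERIC_READ"],"objectguid":"","InheritObjectGuid":""},{"accountsid":"Built-in administrators","aceType":"ACCESS ALLOWED","aceflags":[""],"rights":["GENERIC_ALL"],"objectguid":"","InheritObjectGuid":""}],"daclInheritFlags":null,"sacl":null,"saclInheritFlags":null}
```

Additionally you can use Docker
------------------------------------------------

```docker
docker build -t gosddl .
docker run -d -p 127.0.0.1:8000:8000 gosddl -api
docker run --rm -it -v $PWD/store:/app/data gosddl "O:BAG:SYD:(D;;GA;;;AN)(D;;GA;;;BG)(A;;GA;;;SY)(A;;GA;;;BA)S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)"
```

The API performs no authentication, so the example above publishes the port on
the loopback interface only; use `-p 8000:8000` only where you deliberately want
the service reachable from the network.

Links:

[Source](https://docs.microsoft.com/en-us/windows/desktop/secauthz/security-descriptor-definition-language)
--------------------------------------------------------------------------------
/gosddl.go:
--------------------------------------------------------------------------------
package gosddl

import (
	"bufio"
	"fmt"
	"log"
	"os"
	"strings"

	"encoding/json"
	"github.com/pkg/errors"
)

// ACLProcessor parses SDDL strings into Rights.
//
// It is not safe for concurrent use: the parser accumulates into Rights, so
// callers that handle several strings at once must use one value per parse.
type ACLProcessor struct {
	// Rights holds the result of the most recent parse.
	Rights permissions
	// File is an optional path to a "SID,Username" file consulted for SIDs
	// that are not in the well-known tables; empty disables the lookup.
	File string
}

// entryACL is one access control entry of a DACL or SACL, i.e. one
// (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
// group, with each SDDL token replaced by a descriptive name where one is
// known and left verbatim otherwise.
type entryACL struct {
	AccountSid        string   `json:"accountSID,omitempty"`
	AceType           string   `json:"aceType,omitempty"`
	AceFlags          []string `json:"aceFlags,omitempty"`
	Rights            []string `json:"rights,omitempty"`
	ObjectGUID        string   `json:"objectGUID,omitempty"`
	InheritObjectGUID string   `json:"inheritObjectGUID,omitempty"`
}

// permissions is the JSON-serialised form of a whole security descriptor:
// owner, primary group, and the DACL and SACL each with the control flags
// (P, AI, AR) that precede their ACE list.
type permissions struct {
	Owner     string     `json:"owner,omitempty"`
	Primary   string     `json:"primary,omitempty"`
	Dacl      []entryACL `json:"dacl,omitempty"`
	DaclInher []string   `json:"daclInheritFlags,omitempty"`
	Sacl      []entryACL `json:"sacl,omitempty"`
	// SaclInger is a long-standing misspelling of SaclInher; the Go name is
	// kept because other files in the package refer to it, and the JSON tag
	// is what callers see.
	SaclInger []string `json:"saclInheritFlags,omitempty"`
}

// checkSIDsFile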
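// looks up sid in the "SID,User" file at filePath and returns the user name
// from the first line whose first comma-separated field equals sid. The sid
// itself is returned when the file cannot be read or holds no match.
//
// Read failures are logged rather than fatal: this runs for caller-supplied
// input behind the HTTP API, and a missing or unreadable -f file previously
// terminated the whole service on the first request that needed it.
func checkSIDsFile(filePath string, sid string) string {
	file, err := os.Open(filePath)
	if err != nil {
		log.Printf("cannot open SID file %q: %v", filePath, err)
		return sid
	}
	defer file.Close()

	scanner := bufio.NewScanner(file)
	for scanner.Scan() {
		// A line without a comma (blank line, comment) is skipped instead of
		// panicking on the missing second field.
		fields := strings.Split(scanner.Text(), ",")
		if len(fields) >= 2 && fields[0] == sid {
			return fields[1]
		}
	}
	if err := scanner.Err(); err != nil {
		log.Printf("reading SID file %q: %v", filePath, err)
	}
	return sid
}

// sidReplace maps an SDDL account token to a readable name: a one- or
// two-letter alias through sddlSidsRep, a well-known SID through
// sddlWellKnownSidsRep, or any other SID through the optional File lookup.
// Tokens with no mapping are returned unchanged.
func (app *ACLProcessor) sidReplace(str string) string {
	if len(str) <= 2 {
		return app.replacer(sddlSidsRep, str)[0]
	}
	if name, ok := sddlWellKnownSidsRep[str]; ok {
		return name
	}
	if app.File != "" {
		return checkSIDsFile(app.File, str)
	}
	return str
}

// replacer splits str into two-letter SDDL tokens and maps each through maps,
// keeping unknown tokens verbatim. A string of at most two characters is a
// single token. Two cases the pair-chunking used to mishandle:
//   - a hexadecimal access mask ("0x..."), which SDDL allows in place of the
//     rights letters, is passed through as one token instead of being chopped
//     into meaningless pairs;
//   - a trailing odd character is kept as its own token instead of being
//     silently dropped.
func (app *ACLProcessor) replacer(maps map[string]string, str string) []string {
	var tokens []string
	if len(str) <= 2 || strings.HasPrefix(str, "0x") || strings.HasPrefix(str, "0X") {
		tokens = append(tokens, str)
	} else {
		for i := 0; i < len(str); i += 2 {
			end := i + 2
			if end > len(str) {
				end = len(str)
			}
			tokens = append(tokens, str[i:end])
		}
	}

	result := make([]string, 0, len(tokens))
	for _, tok := range tokens {
		if name, ok := maps[tok]; ok {
			result = append(result, name)
		} else {
			result = append(result, tok)
		}
	}
	return result
}

/* splitBodyACL converts one ACE body of the form
   ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
   into an entryACL.

   Missing trailing fields are treated as empty instead of indexing past the
   end of the split, since the string comes from the caller. Fields beyond the
   sixth (conditional ACEs) are ignored, as before.
*/
func (app *ACLProcessor) splitBodyACL(str string) entryACL {
	fields := strings.Split(str, ";")
	for len(fields) < 6 {
		fields = append(fields, "")
	}
	return entryACL{
		AceType:           app.replacer(sddlAceType, fields[0])[0],
		AceFlags:          app.replacer(sddlAceFlags, fields[1]),
		Rights:            app.replacer(sddlRights, fields[2]),
		ObjectGUID:        fields[3],
		InheritObjectGUID: fields[4],
		AccountSid:        app.sidReplace(fields[5]),
	}
}

// splitBody splits an ACE list "(ace)(ace)..." into entries; the empty piece
// produced by the leading "(" is skipped.
func (app *ACLProcessor) splitBody(body string) []entryACL {
	var entries []entryACL
	for _, piece := range strings.Split(body, "(") {
		if piece == "" {
			continue
		}
		entries = append(entries, app.splitBodyACL(strings.TrimSuffix(piece, ")")))
	}
	return entries
}

// parseBody parses the body of a D: or S: group: optional control flags
// (P, AI, AR, in any combination) followed by the ACE list. It returns the
// resolved flags (nil when there are none) and the ACEs.
//
// Flags are matched as the one-letter P and the two-letter AI/AR rather than
// chopped into fixed pairs, so "P", "AI" and "PAI" all resolve; the previous
// pair-chunking dropped any prefix shorter than three characters and split
// "PAI" as "PA","I". A body with no "(" at all (for example "P", a protected
// DACL with no ACEs, or an empty body) is valid and yields no ACEs instead of
// the slice-bounds panic body[0:-1] produced before.
func (app *ACLProcessor) parseBody(body string) ([]string, []entryACL) {
	flags, aces := body, ""
	if i := strings.Index(body, "("); i >= 0 {
		flags, aces = body[:i], body[i:]
	}

	var inheritFlags []string
	for len(flags) > 0 {
		token := flags[:1]
		if len(flags) >= 2 {
			if _, ok := sddlInheritanceFlags[flags[:2]]; ok {
				token = flags[:2]
			}
		}
		inheritFlags = append(inheritFlags, app.replacer(sddlInheritanceFlags, token)[0])
		flags = flags[len(token):]
	}

	if aces == "" {
		return inheritFlags, nil
	}
	return inheritFlags, app.splitBody(aces)
}

// parseSDDL fills app.Rights from the group strings produced by sliceSDDL,
// each of the form "<letter>:<body>". An unknown group letter is returned as
// an error instead of terminating the process, since this code also runs
// behind the HTTP API on caller-supplied input.
func (app *ACLProcessor) parseSDDL(sddrArr []string) error {
	for _, group := range sddrArr {
		letter, body := group, ""
		if i := strings.Index(group, ":"); i >= 0 {
			letter, body = group[:i], group[i+1:]
		}
		switch letter {
		case "O":
			app.Rights.Owner = app.sidReplace(body)
		case "G":
			app.Rights.Primary = app.sidReplace(body)
		case "D":
			app.Rights.DaclInher, app.Rights.Dacl = app.parseBody(body)
		case "S":
			app.Rights.SaclInger, app.Rights.Sacl = app.parseBody(body)
		default:
			return errors.New("Unresolved group")
		}
	}
	return nil
}

// sliceSDDL cuts str at the ascending positions in indecs (whose last entry
// is len(str)) and hands the resulting group strings to parseSDDL.
func (app *ACLProcessor) sliceSDDL(indecs []int, str string) error {
	groups := make([]string, 0, len(indecs))
	for i := 0; i+1 < len(indecs); i++ {
		groups = append(groups, str[indecs[i]:indecs[i+1]])
	}
	return app.parseSDDL(groups)
}

// findGroupIndex locates the O:, G:, D: and S: groups in str, parses them
// into app.Rights, and returns an error when no group is present or a group
// cannot be parsed.
//
// Marker positions are sorted before slicing. They used to be appended in
// O,G,D,S order, so an input whose groups appear in any other order produced
// an inverted slice range and a panic.
func (app *ACLProcessor) findGroupIndex(str string) error {
	var positions []int
	for _, marker := range []string{"O:", "G:", "D:", "S:"} {
		pos := strings.Index(str, marker)
		if pos == -1 {
			continue
		}
		// Insert in ascending order; there are at most four entries.
		at := len(positions)
		for at > 0 && positions[at-1] > pos {
			at--
		}
		positions = append(positions, 0)
		copy(positions[at+1:], positions[at:])
		positions[at] = pos
	}
	if positions == nil {
		return errors.New("Can't find any group")
	}
	positions = append(positions, len(str))
	return app.sliceSDDL(positions, str)
}

// Processor parses str and prints the result as JSON on stdout. It is the
// entry point used by the command-line mode; errors are returned to the
// caller rather than exiting the process.
func (app *ACLProcessor) Processor(str string) error {
	if err := app.findGroupIndex(str); err != nil {
		return err
	}
	body, err := json.Marshal(app.Rights)
	if err != nil {
		return err
	}
	fmt.Println(string(body))
	return nil
}
--------------------------------------------------------------------------------
/maps.go:
--------------------------------------------------------------------------------
package gosddl

// sddlRights maps the two-letter rights tokens of an ACE to their Win32 names.
var sddlRights = map[string]string{
	// Generic access rights
	"GA": "GENERIC_ALL",
	"GR": "GENERIC_READ",
	"GW": "GENERIC_WRITE",
	"GX": "GENERIC_EXECUTE",
	// Standard access rights
	"RC": "READ_CONTROL",
	"SD": "DELETE",
	"WD": "WRITE_DAC",
	"WO": "WRITE_OWNER",
	// Directory service object access rights
	"RP": "ADS_RIGHT_DS_READ_PROP",
	"WP": "ADS_RIGHT_DS_WRITE_PROP",
	"CC": "ADS_RIGHT_DS_CREATE_CHILD",
	"DC": "ADS_RIGHT_DS_DELETE_CHILD",
	"LC": "ADS_RIGHT_ACTRL_DS_LIST",
	"SW": "ADS_RIGHT_DS_SELF",
	"LO": "ADS_RIGHT_DS_LIST_OBJECT",
	"DT": "ADS_RIGHT_DS_DELETE_TREE",
	"CR": "ADS_RIGHT_DS_CONTROL_ACCESS",
	// File access rights
	"FA": "FILE_ALL_ACCESS",
	"FR": "FILE_GENERIC_READ",
	"FW": "FILE_GENERIC_WRITE",
	"FX": "FILE_GENERIC_EXECUTE",
	// Registry key access rights
	"KA": "KEY_ALL_ACCESS",
	"KR": "KEY_READ",
	"KW": "KEY_WRITE",
	"KX": "KEY_EXECUTE",
	// Mandatory label rights
	"NR": "SYSTEM_MANDATORY_LABEL_NO_READ_UP",
	"NW": "SYSTEM_MANDATORY_LABEL_NO_WRITE_UP",
	"NX": "SYSTEM_MANDATORY_LABEL_NO_EXECUTE",
}

// sddlInheritanceFlags maps the DACL/SACL control flags that precede an ACE
// list. "P" is the protected flag (inheritance from the parent is blocked);
// its value was misspelled "DDL_PROTECTED".
var sddlInheritanceFlags = map[string]string{
	"P":  "SDDL_PROTECTED",
	"AI": "SDDL_AUTO_INHERITED",
	"AR": "SDDL_AUTO_INHERIT_REQ",
}

// sddlAceType maps the ace_type token. The callback, alarm, mandatory-label,
// resource-attribute, scoped-policy, trust-label and access-filter types from
// sddl.h are included so they are named rather than echoed back as letters.
var sddlAceType = map[string]string{
	"D":  "ACCESS DENIED",
	"OA": "OBJECT ACCESS ALLOWED",
	"OD": "OBJECT ACCESS DENIED",
	"AU": "SYSTEM AUDIT",
	"AL": "SYSTEM ALARM",
	"OU": "OBJECT SYSTEM AUDIT",
	"OL": "OBJECT SYSTEM ALARM",
	"A":  "ACCESS ALLOWED",
	"ML": "SYSTEM MANDATORY LABEL",
	"XA": "CALLBACK ACCESS ALLOWED",
	"XD": "CALLBACK ACCESS DENIED",
	"XU": "CALLBACK SYSTEM AUDIT",
	"ZA": "CALLBACK OBJECT ACCESS ALLOWED",
	"RA": "SYSTEM RESOURCE ATTRIBUTE",
	"SP": "SYSTEM SCOPED POLICY ID",
	"TL": "PROCESS TRUST LABEL",
	"FL": "ACCESS FILTER",
}

// sddlAceFlags maps the ace_flags tokens (inheritance and audit flags).
var sddlAceFlags = map[string]string{
	"CI": "CONTAINER INHERIT",
	"OI": "OBJECT INHERIT",
	"NP": "NO PROPAGATE",
	"IO": "INHERITANCE ONLY",
	"ID": "ACE IS INHERITED",
	"SA": "SUCCESSFUL ACCESS AUDIT",
	"FA": "FAILED ACCESS AUDIT",
}

// sddlSidsRep maps the one- and two-letter SID aliases of SDDL to names.
var sddlSidsRep = map[string]string{
	"O":  "Owner",
	"AO": "Account operators",
	"PA": "Group Policy administrators",
	"RU": "Alias to allow previous Windows 2000",
	"IU": "Interactively logged-on user",
	"AN": "Anonymous logon",
	"LA": "Local administrator",
	"AU": "Authenticated users",
	"LG": "Local guest",
	"BA": "Built-in administrators",
	"LS": "Local service account",
	"BG": "Built-in guests",
	"SY": "Local system",
	"BO": "Backup operators",
	"NU": "Network logon user",
	"BU": "Built-in users",
	"NO": "Network configuration operators",
	"CA": "Certificate server administrators",
	"NS": "Network service account",
	"CG": "Creator group",
	"PO": "Printer operators",
	"CO": "Creator owner",
	"PS": "Personal self",
	"DA": "Domain administrators",
	"PU": "Power users",
	"DC": "Domain computers",
	"RS": "RAS servers group",
	"DD": "Domain controllers",
	"RD": "Terminal server users",
	"DG": "Domain guests",
	"RE": "Replicator",
	"DU": "Domain users",
	"RC": "Restricted code",
	"EA": "Enterprise administrators",
	"SA": "Schema administrators",
	"ED": "Enterprise domain controllers",
	"SO": "Server operators",
	"WD": "Everyone",
	"SU": "Service logon user",
}

// sddlWellKnownSidsRep maps well-known SIDs (full "S-1-..." form) to names.
// Trailing spaces that used to leak into the JSON output have been removed.
// S-1-5-17, S-1-5-19 and S-1-5-20 are IUSR, Local Service and Network Service
// (RIDs 0x11, 0x13, 0x14 in winnt.h); the previous entries named S-1-5-17
// "This Organization" and collapsed both service accounts to "NT Authority",
// which made an ACE for Local Service indistinguishable from one for Network
// Service.
var sddlWellKnownSidsRep = map[string]string{
	"S-1-0":        "Null Authority",
	"S-1-0-0":      "Nobody",
	"S-1-1":        "World Authority",
	"S-1-1-0":      "Everyone",
	"S-1-2":        "Local Authority",
	"S-1-2-0":      "Local",
	"S-1-2-1":      "Console Logon",
	"S-1-3":        "Creator Authority",
	"S-1-3-0":      "Creator Owner",
	"S-1-3-1":      "Creator Group",
	"S-1-3-2":      "Creator Owner Server",
	"S-1-3-3":      "Creator Group Server",
	"S-1-3-4":      "Owner Rights",
	"S-1-4":        "Non-unique Authority",
	"S-1-5":        "NT Authority",
	"S-1-5-1":      "Dialup",
	"S-1-5-2":      "Network",
	"S-1-5-3":      "Batch",
	"S-1-5-4":      "Interactive",
	"S-1-5-6":      "Service",
	"S-1-5-7":      "Anonymous",
	"S-1-5-8":      "Proxy",
	"S-1-5-9":      "Enterprise Domain Controllers",
	"S-1-5-10":     "Principal Self",
	"S-1-5-11":     "Authenticated Users",
	"S-1-5-12":     "Restricted Code",
	"S-1-5-13":     "Terminal Server Users",
	"S-1-5-14":     "Remote Interactive Logon",
	"S-1-5-15":     "This Organization",
	"S-1-5-17":     "IUSR",
	"S-1-5-18":     "Local System",
	"S-1-5-19":     "Local Service",
	"S-1-5-20":     "Network Service",
	"S-1-5-32-544": "Administrators",
	"S-1-5-32-545": "Users",
	"S-1-5-32-546": "Guests",
	"S-1-5-32-547": "Power Users",
	"S-1-5-32-548": "Account Operators",
	"S-1-5-32-549": "Server Operators",
	"S-1-5-32-550": "Print Operators",
	"S-1-5-32-551": "Backup Operators",
	"S-1-5-32-552": "Replicators",
	"S-1-5-64-10":  "NTLM Authentication",
	"S-1-5-64-14":  "SChannel Authentication",
	"S-1-5-64-21":  "Digest Authentication",
	"S-1-5-80":     "NT Service",
	"S-1-5-80-0":   "All Services",
	"S-1-5-83-0":   "NT VIRTUAL MACHINE\\Virtual Machines",
	"S-1-16-0":     "Untrusted Mandatory Level",
	"S-1-16-4096":  "Low Mandatory Level",
	"S-1-16-8192":  "Medium Mandatory Level",
	"S-1-16-8448":  "Medium Plus Mandatory Level",
	"S-1-16-12288": "High Mandatory Level",
	"S-1-16-16384": "System Mandatory Level",
	"S-1-16-20480": "Protected Process Mandatory Level",
	"S-1-16-28672": "Secure Process Mandatory Level",
	"S-1-5-32-554": "BUILTIN\\Pre-Windows 2000 Compatible Access",
	"S-1-5-32-555": "BUILTIN\\Remote Desktop Users",
	"S-1-5-32-556": "BUILTIN\\Network Configuration Operators",
	"S-1-5-32-557": "BUILTIN\\Incoming Forest Trust Builders",
	"S-1-5-32-558": "BUILTIN\\Performance Monitor Users",
	"S-1-5-32-559": "BUILTIN\\Performance Log Users",
	"S-1-5-32-560": "BUILTIN\\Windows Authorization Access Group",
	"S-1-5-32-561": "BUILTIN\\Terminal Server License Servers",
	"S-1-5-32-562": "BUILTIN\\Distributed COM Users",
	"S-1-5-32-569": "BUILTIN\\Cryptographic Operators",
	"S-1-5-32-573": "BUILTIN\\Event Log Readers",
	"S-1-5-32-574": "BUILTIN\\Certificate Service DCOM Access",
	"S-1-5-32-575": "BUILTIN\\RDS Remote Access Servers",
	"S-1-5-32-576": "BUILTIN\\RDS Endpoint Servers",
	"S-1-5-32-577": "BUILTIN\\RDS Management Servers",
	"S-1-5-32-578": "BUILTIN\\Hyper-V Administrators",
	"S-1-5-32-579": "BUILTIN\\Access Control Assistance Operators",
	"S-1-5-32-580": "BUILTIN\\Remote Management Users",
	"S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464": "Trusted Installer",
}
--------------------------------------------------------------------------------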
/LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 
39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. 
Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | --------------------------------------------------------------------------------