mirror of
https://github.com/samba-team/samba.git
synced 2025-01-19 10:03:58 +03:00
f55b2b9610
- added auto generation of a header with prototypes for public ejs functions - make public functions non-static - fixed allocation of fixed sized arrays - added 'noejs' flag indicating that a typedef will be handled manually by ejs - added manual functions for sid and GUID, so they show up as nice strings in ejs scripts This allows ejs to bring in samr, security, lsa and misc IDL functions (This used to be commit a8cb2dbdcc2871090a26f580f67db8f0636d1e7e)
321 lines
12 KiB
Plaintext
321 lines
12 KiB
Plaintext
#include "idl_types.h"
|
|
|
|
/*
|
|
security IDL structures
|
|
*/
|
|
|
|
[
|
|
pointer_default(unique)
|
|
]
|
|
interface security
|
|
{
|
|
/*
|
|
access masks are divided up like this:
|
|
0xabccdddd
|
|
where
|
|
a = generic rights bits SEC_GENERIC_
|
|
b = flags SEC_FLAG_
|
|
c = standard rights bits SEC_STD_
|
|
d = object type specific bits SEC_{FILE,DIR,REG,xxx}_
|
|
|
|
common combinations of bits are prefixed with SEC_RIGHTS_
|
|
*/
|
|
const int SEC_MASK_GENERIC = 0xF0000000;
|
|
const int SEC_MASK_FLAGS = 0x0F000000;
|
|
const int SEC_MASK_STANDARD = 0x00FF0000;
|
|
const int SEC_MASK_SPECIFIC = 0x0000FFFF;
|
|
|
|
/* generic bits */
|
|
const int SEC_GENERIC_ALL = 0x10000000;
|
|
const int SEC_GENERIC_EXECUTE = 0x20000000;
|
|
const int SEC_GENERIC_WRITE = 0x40000000;
|
|
const int SEC_GENERIC_READ = 0x80000000;
|
|
|
|
/* flag bits */
|
|
const int SEC_FLAG_SYSTEM_SECURITY = 0x01000000;
|
|
const int SEC_FLAG_MAXIMUM_ALLOWED = 0x02000000;
|
|
|
|
/* standard bits */
|
|
const int SEC_STD_DELETE = 0x00010000;
|
|
const int SEC_STD_READ_CONTROL = 0x00020000;
|
|
const int SEC_STD_WRITE_DAC = 0x00040000;
|
|
const int SEC_STD_WRITE_OWNER = 0x00080000;
|
|
const int SEC_STD_SYNCHRONIZE = 0x00100000;
|
|
const int SEC_STD_REQUIRED = 0x000F0000;
|
|
const int SEC_STD_ALL = 0x001F0000;
|
|
|
|
/* file specific bits */
|
|
const int SEC_FILE_READ_DATA = 0x00000001;
|
|
const int SEC_FILE_WRITE_DATA = 0x00000002;
|
|
const int SEC_FILE_APPEND_DATA = 0x00000004;
|
|
const int SEC_FILE_READ_EA = 0x00000008;
|
|
const int SEC_FILE_WRITE_EA = 0x00000010;
|
|
const int SEC_FILE_EXECUTE = 0x00000020;
|
|
const int SEC_FILE_READ_ATTRIBUTE = 0x00000080;
|
|
const int SEC_FILE_WRITE_ATTRIBUTE = 0x00000100;
|
|
const int SEC_FILE_ALL = 0x000001ff;
|
|
|
|
/* directory specific bits */
|
|
const int SEC_DIR_LIST = 0x00000001;
|
|
const int SEC_DIR_ADD_FILE = 0x00000002;
|
|
const int SEC_DIR_ADD_SUBDIR = 0x00000004;
|
|
const int SEC_DIR_READ_EA = 0x00000008;
|
|
const int SEC_DIR_WRITE_EA = 0x00000010;
|
|
const int SEC_DIR_TRAVERSE = 0x00000020;
|
|
const int SEC_DIR_DELETE_CHILD = 0x00000040;
|
|
const int SEC_DIR_READ_ATTRIBUTE = 0x00000080;
|
|
const int SEC_DIR_WRITE_ATTRIBUTE = 0x00000100;
|
|
|
|
/* registry entry specific bits */
|
|
const int SEC_REG_QUERY_VALUE = 0x00000001;
|
|
const int SEC_REG_SET_VALUE = 0x00000002;
|
|
const int SEC_REG_CREATE_SUBKEY = 0x00000004;
|
|
const int SEC_REG_ENUM_SUBKEYS = 0x00000008;
|
|
const int SEC_REG_NOTIFY = 0x00000010;
|
|
const int SEC_REG_CREATE_LINK = 0x00000020;
|
|
|
|
/* generic->specific mappings for files */
|
|
const int SEC_RIGHTS_FILE_READ = SEC_STD_READ_CONTROL |
|
|
SEC_STD_SYNCHRONIZE |
|
|
SEC_FILE_READ_DATA |
|
|
SEC_FILE_READ_ATTRIBUTE |
|
|
SEC_FILE_READ_EA;
|
|
|
|
const int SEC_RIGHTS_FILE_WRITE = SEC_STD_READ_CONTROL |
|
|
SEC_STD_SYNCHRONIZE |
|
|
SEC_FILE_WRITE_DATA |
|
|
SEC_FILE_WRITE_ATTRIBUTE |
|
|
SEC_FILE_WRITE_EA |
|
|
SEC_FILE_APPEND_DATA;
|
|
|
|
const int SEC_RIGHTS_FILE_EXECUTE = SEC_STD_SYNCHRONIZE |
|
|
SEC_STD_READ_CONTROL |
|
|
SEC_FILE_READ_ATTRIBUTE |
|
|
SEC_FILE_EXECUTE;
|
|
|
|
const int SEC_RIGHTS_FILE_ALL = SEC_STD_ALL | SEC_FILE_ALL;
|
|
|
|
/* generic->specific mappings for directories (same as files) */
|
|
const int SEC_RIGHTS_DIR_READ = SEC_RIGHTS_FILE_READ;
|
|
const int SEC_RIGHTS_DIR_WRITE = SEC_RIGHTS_FILE_WRITE;
|
|
const int SEC_RIGHTS_DIR_EXECUTE = SEC_RIGHTS_FILE_EXECUTE;
|
|
const int SEC_RIGHTS_DIR_ALL = SEC_RIGHTS_FILE_ALL;
|
|
|
|
|
|
/***************************************************************/
|
|
/* WELL KNOWN SIDS */
|
|
|
|
/* a NULL sid */
|
|
const string SID_NULL = "S-1-0-0";
|
|
|
|
/* the world domain */
|
|
const string SID_WORLD_DOMAIN = "S-1-1";
|
|
const string SID_WORLD = "S-1-1-0";
|
|
|
|
/* SECURITY_CREATOR_SID_AUTHORITY */
|
|
const string SID_CREATOR_OWNER_DOMAIN = "S-1-3";
|
|
const string SID_CREATOR_OWNER = "S-1-3-0";
|
|
const string SID_CREATOR_GROUP = "S-1-3-1";
|
|
|
|
/* SECURITY_NT_AUTHORITY */
|
|
const string SID_NT_AUTHORITY = "S-1-5";
|
|
const string SID_NT_DIALUP = "S-1-5-1";
|
|
const string SID_NT_NETWORK = "S-1-5-2";
|
|
const string SID_NT_BATCH = "S-1-5-3";
|
|
const string SID_NT_INTERACTIVE = "S-1-5-4";
|
|
const string SID_NT_SERVICE = "S-1-5-6";
|
|
const string SID_NT_ANONYMOUS = "S-1-5-7";
|
|
const string SID_NT_PROXY = "S-1-5-8";
|
|
const string SID_NT_ENTERPRISE_DCS = "S-1-5-9";
|
|
const string SID_NT_SELF = "S-1-5-10";
|
|
const string SID_NT_AUTHENTICATED_USERS = "S-1-5-11";
|
|
const string SID_NT_RESTRICTED = "S-1-5-12";
|
|
const string SID_NT_TERMINAL_SERVER_USERS = "S-1-5-13";
|
|
const string SID_NT_REMOTE_INTERACTIVE = "S-1-5-14";
|
|
const string SID_NT_THIS_ORGANISATION = "S-1-5-15";
|
|
const string SID_NT_SYSTEM = "S-1-5-18";
|
|
const string SID_NT_LOCAL_SERVICE = "S-1-5-19";
|
|
const string SID_NT_NETWORK_SERVICE = "S-1-5-20";
|
|
|
|
/* SECURITY_BUILTIN_DOMAIN_RID */
|
|
const string SID_BUILTIN = "S-1-5-32";
|
|
const string SID_BUILTIN_ADMINISTRATORS = "S-1-5-32-544";
|
|
const string SID_BUILTIN_USERS = "S-1-5-32-545";
|
|
const string SID_BUILTIN_GUESTS = "S-1-5-32-546";
|
|
const string SID_BUILTIN_POWER_USERS = "S-1-5-32-547";
|
|
const string SID_BUILTIN_ACCOUNT_OPERATORS = "S-1-5-32-548";
|
|
const string SID_BUILTIN_SERVER_OPERATORS = "S-1-5-32-549";
|
|
const string SID_BUILTIN_PRINT_OPERATORS = "S-1-5-32-550";
|
|
const string SID_BUILTIN_BACKUP_OPERATORS = "S-1-5-32-551";
|
|
const string SID_BUILTIN_REPLICATOR = "S-1-5-32-552";
|
|
|
|
|
|
/*
|
|
privilege IDs. Please keep the IDs below 64. If we get more
|
|
than 64 then we need to change security_token
|
|
*/
|
|
typedef enum {
|
|
SEC_PRIV_SECURITY = 1,
|
|
SEC_PRIV_BACKUP = 2,
|
|
SEC_PRIV_RESTORE = 3,
|
|
SEC_PRIV_SYSTEMTIME = 4,
|
|
SEC_PRIV_SHUTDOWN = 5,
|
|
SEC_PRIV_REMOTE_SHUTDOWN = 6,
|
|
SEC_PRIV_TAKE_OWNERSHIP = 7,
|
|
SEC_PRIV_DEBUG = 8,
|
|
SEC_PRIV_SYSTEM_ENVIRONMENT = 9,
|
|
SEC_PRIV_SYSTEM_PROFILE = 10,
|
|
SEC_PRIV_PROFILE_SINGLE_PROCESS = 11,
|
|
SEC_PRIV_INCREASE_BASE_PRIORITY = 12,
|
|
SEC_PRIV_LOAD_DRIVER = 13,
|
|
SEC_PRIV_CREATE_PAGEFILE = 14,
|
|
SEC_PRIV_INCREASE_QUOTA = 15,
|
|
SEC_PRIV_CHANGE_NOTIFY = 16,
|
|
SEC_PRIV_UNDOCK = 17,
|
|
SEC_PRIV_MANAGE_VOLUME = 18,
|
|
SEC_PRIV_IMPERSONATE = 19,
|
|
SEC_PRIV_CREATE_GLOBAL = 20,
|
|
SEC_PRIV_ENABLE_DELEGATION = 21,
|
|
SEC_PRIV_INTERACTIVE_LOGON = 22,
|
|
SEC_PRIV_NETWORK_LOGON = 23,
|
|
SEC_PRIV_REMOTE_INTERACTIVE_LOGON = 24
|
|
} sec_privilege;
|
|
|
|
|
|
/* a domain SID. Note that unlike Samba3 this contains a pointer,
|
|
so you can't copy them using assignment */
|
|
typedef [public,noprint,noejs] struct {
|
|
uint8 sid_rev_num; /**< SID revision number */
|
|
[range(0,15)] int8 num_auths; /**< Number of sub-authorities */
|
|
uint8 id_auth[6]; /**< Identifier Authority */
|
|
uint32 sub_auths[num_auths];
|
|
} dom_sid;
|
|
|
|
typedef [bitmap8bit] bitmap {
|
|
SEC_ACE_FLAG_OBJECT_INHERIT = 0x01,
|
|
SEC_ACE_FLAG_CONTAINER_INHERIT = 0x02,
|
|
SEC_ACE_FLAG_NO_PROPAGATE_INHERIT = 0x04,
|
|
SEC_ACE_FLAG_INHERIT_ONLY = 0x08,
|
|
SEC_ACE_FLAG_INHERITED_ACE = 0x10,
|
|
SEC_ACE_FLAG_VALID_INHERIT = 0x0f,
|
|
SEC_ACE_FLAG_SUCCESSFUL_ACCESS = 0x40,
|
|
SEC_ACE_FLAG_FAILED_ACCESS = 0x80
|
|
} security_ace_flags;
|
|
|
|
typedef [enum8bit] enum {
|
|
SEC_ACE_TYPE_ACCESS_ALLOWED = 0,
|
|
SEC_ACE_TYPE_ACCESS_DENIED = 1,
|
|
SEC_ACE_TYPE_SYSTEM_AUDIT = 2,
|
|
SEC_ACE_TYPE_SYSTEM_ALARM = 3,
|
|
SEC_ACE_TYPE_ALLOWED_COMPOUND = 4,
|
|
SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT = 5,
|
|
SEC_ACE_TYPE_ACCESS_DENIED_OBJECT = 6,
|
|
SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT = 7,
|
|
SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT = 8
|
|
} security_ace_type;
|
|
|
|
typedef bitmap {
|
|
SEC_ACE_OBJECT_TYPE_PRESENT = 0x00000001,
|
|
SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x00000002
|
|
} security_ace_object_flags;
|
|
|
|
typedef [nodiscriminant] union {
|
|
/* this is the 'schemaIDGUID' attribute of the attribute object in the schema naming context */
|
|
[case(SEC_ACE_OBJECT_TYPE_PRESENT)] GUID type;
|
|
[default];
|
|
} security_ace_object_type;
|
|
|
|
typedef [nodiscriminant] union {
|
|
/* this is the 'schemaIDGUID' attribute of the objectclass object in the schema naming context
|
|
* (of the parent container)
|
|
*/
|
|
[case(SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)] GUID inherited_type;
|
|
[default];
|
|
} security_ace_object_inherited_type;
|
|
|
|
typedef struct {
|
|
security_ace_object_flags flags;
|
|
[switch_is(flags & SEC_ACE_OBJECT_TYPE_PRESENT)] security_ace_object_type type;
|
|
[switch_is(flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)] security_ace_object_inherited_type inherited_type;
|
|
} security_ace_object;
|
|
|
|
typedef [nodiscriminant] union {
|
|
[case(SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT)] security_ace_object object;
|
|
[case(SEC_ACE_TYPE_ACCESS_DENIED_OBJECT)] security_ace_object object;
|
|
[case(SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT)] security_ace_object object;
|
|
[case(SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT)] security_ace_object object;
|
|
[default];
|
|
} security_ace_object_ctr;
|
|
|
|
typedef [public] struct {
|
|
security_ace_type type; /* SEC_ACE_TYPE_* */
|
|
security_ace_flags flags; /* SEC_ACE_FLAG_* */
|
|
[value(ndr_size_security_ace(r))] uint16 size;
|
|
uint32 access_mask;
|
|
[switch_is(type)] security_ace_object_ctr object;
|
|
dom_sid trustee;
|
|
} security_ace;
|
|
|
|
typedef enum {
|
|
SECURITY_ACL_REVISION_NT4 = 2,
|
|
SECURITY_ACL_REVISION_ADS = 4
|
|
} security_acl_revision;
|
|
|
|
const uint NT4_ACL_REVISION = SECURITY_ACL_REVISION_NT4;
|
|
|
|
typedef [public] struct {
|
|
security_acl_revision revision;
|
|
[value(ndr_size_security_acl(r))] uint16 size;
|
|
[range(0,1000)] uint32 num_aces;
|
|
security_ace aces[num_aces];
|
|
} security_acl;
|
|
|
|
/* default revision for new ACLs */
|
|
typedef [enum8bit] enum {
|
|
SECURITY_DESCRIPTOR_REVISION_1 = 1
|
|
} security_descriptor_revision;
|
|
|
|
const int SD_REVISION = SECURITY_DESCRIPTOR_REVISION_1;
|
|
|
|
/* security_descriptor->type bits */
|
|
typedef [bitmap16bit] bitmap {
|
|
SEC_DESC_OWNER_DEFAULTED = 0x0001,
|
|
SEC_DESC_GROUP_DEFAULTED = 0x0002,
|
|
SEC_DESC_DACL_PRESENT = 0x0004,
|
|
SEC_DESC_DACL_DEFAULTED = 0x0008,
|
|
SEC_DESC_SACL_PRESENT = 0x0010,
|
|
SEC_DESC_SACL_DEFAULTED = 0x0020,
|
|
SEC_DESC_DACL_TRUSTED = 0x0040,
|
|
SEC_DESC_SERVER_SECURITY = 0x0080,
|
|
SEC_DESC_DACL_AUTO_INHERIT_REQ = 0x0100,
|
|
SEC_DESC_SACL_AUTO_INHERIT_REQ = 0x0200,
|
|
SEC_DESC_DACL_AUTO_INHERITED = 0x0400,
|
|
SEC_DESC_SACL_AUTO_INHERITED = 0x0800,
|
|
SEC_DESC_DACL_PROTECTED = 0x1000,
|
|
SEC_DESC_SACL_PROTECTED = 0x2000,
|
|
SEC_DESC_RM_CONTROL_VALID = 0x4000,
|
|
SEC_DESC_SELF_RELATIVE = 0x8000
|
|
} security_descriptor_type;
|
|
|
|
/* bits that determine which parts of a security descriptor
|
|
are being queried/set */
|
|
const int SECINFO_OWNER = 0x00000001;
|
|
const int SECINFO_GROUP = 0x00000002;
|
|
const int SECINFO_DACL = 0x00000004;
|
|
const int SECINFO_SACL = 0x00000008;
|
|
|
|
typedef [public,flag(NDR_LITTLE_ENDIAN)] struct {
|
|
security_descriptor_revision revision;
|
|
security_descriptor_type type; /* SEC_DESC_xxxx flags */
|
|
[relative] dom_sid *owner_sid;
|
|
[relative] dom_sid *group_sid;
|
|
[relative] security_acl *sacl; /* system ACL */
|
|
[relative] security_acl *dacl; /* user (discretionary) ACL */
|
|
} security_descriptor;
|
|
|
|
typedef [public] struct {
|
|
[range(0,0x40000),value(ndr_size_security_descriptor(sd))] uint32 sd_size;
|
|
[subcontext(4)] security_descriptor *sd;
|
|
} sec_desc_buf;
|
|
}
|