mirror of
https://github.com/samba-team/samba.git
synced 2024-12-29 11:21:54 +03:00
21a7a9639c
"Add missing security_secinfo bits as seen while managing security descriptor
inheritance with regedit."
Guenther
(This used to be commit 1c1811c5e3
)
384 lines
14 KiB
Plaintext
384 lines
14 KiB
Plaintext
#include "idl_types.h"
|
|
|
|
/*
|
|
security IDL structures
|
|
*/
|
|
|
|
import "misc.idl";
|
|
|
|
/*
|
|
use the same structure for dom_sid2 as dom_sid. A dom_sid2 is really
|
|
just a dom sid, but with the sub_auths represented as a conformant
|
|
array. As with all in-structure conformant arrays, the array length
|
|
is placed before the start of the structure. That's what gives rise
|
|
to the extra num_auths elemenent. We don't want the Samba code to
|
|
have to bother with such esoteric NDR details, so its easier to just
|
|
define it as a dom_sid and use pidl magic to make it all work. It
|
|
just means you need to mark a sid as a "dom_sid2" in the IDL when you
|
|
know it is of the conformant array variety
|
|
*/
|
|
cpp_quote("#define dom_sid2 dom_sid")
|
|
|
|
/* same struct as dom_sid but inside a 28 bytes fixed buffer in NDR */
|
|
cpp_quote("#define dom_sid28 dom_sid")
|
|
|
|
[
|
|
pointer_default(unique)
|
|
]
|
|
interface security
|
|
{
|
|
/*
|
|
access masks are divided up like this:
|
|
0xabccdddd
|
|
where
|
|
a = generic rights bits SEC_GENERIC_
|
|
b = flags SEC_FLAG_
|
|
c = standard rights bits SEC_STD_
|
|
d = object type specific bits SEC_{FILE,DIR,REG,xxx}_
|
|
|
|
common combinations of bits are prefixed with SEC_RIGHTS_
|
|
*/
|
|
const int SEC_MASK_GENERIC = 0xF0000000;
|
|
const int SEC_MASK_FLAGS = 0x0F000000;
|
|
const int SEC_MASK_STANDARD = 0x00FF0000;
|
|
const int SEC_MASK_SPECIFIC = 0x0000FFFF;
|
|
|
|
/* generic bits */
|
|
const int SEC_GENERIC_ALL = 0x10000000;
|
|
const int SEC_GENERIC_EXECUTE = 0x20000000;
|
|
const int SEC_GENERIC_WRITE = 0x40000000;
|
|
const int SEC_GENERIC_READ = 0x80000000;
|
|
|
|
/* flag bits */
|
|
const int SEC_FLAG_SYSTEM_SECURITY = 0x01000000;
|
|
const int SEC_FLAG_MAXIMUM_ALLOWED = 0x02000000;
|
|
|
|
/* standard bits */
|
|
const int SEC_STD_DELETE = 0x00010000;
|
|
const int SEC_STD_READ_CONTROL = 0x00020000;
|
|
const int SEC_STD_WRITE_DAC = 0x00040000;
|
|
const int SEC_STD_WRITE_OWNER = 0x00080000;
|
|
const int SEC_STD_SYNCHRONIZE = 0x00100000;
|
|
const int SEC_STD_REQUIRED = 0x000F0000;
|
|
const int SEC_STD_ALL = 0x001F0000;
|
|
|
|
/* file specific bits */
|
|
const int SEC_FILE_READ_DATA = 0x00000001;
|
|
const int SEC_FILE_WRITE_DATA = 0x00000002;
|
|
const int SEC_FILE_APPEND_DATA = 0x00000004;
|
|
const int SEC_FILE_READ_EA = 0x00000008;
|
|
const int SEC_FILE_WRITE_EA = 0x00000010;
|
|
const int SEC_FILE_EXECUTE = 0x00000020;
|
|
const int SEC_FILE_READ_ATTRIBUTE = 0x00000080;
|
|
const int SEC_FILE_WRITE_ATTRIBUTE = 0x00000100;
|
|
const int SEC_FILE_ALL = 0x000001ff;
|
|
|
|
/* directory specific bits */
|
|
const int SEC_DIR_LIST = 0x00000001;
|
|
const int SEC_DIR_ADD_FILE = 0x00000002;
|
|
const int SEC_DIR_ADD_SUBDIR = 0x00000004;
|
|
const int SEC_DIR_READ_EA = 0x00000008;
|
|
const int SEC_DIR_WRITE_EA = 0x00000010;
|
|
const int SEC_DIR_TRAVERSE = 0x00000020;
|
|
const int SEC_DIR_DELETE_CHILD = 0x00000040;
|
|
const int SEC_DIR_READ_ATTRIBUTE = 0x00000080;
|
|
const int SEC_DIR_WRITE_ATTRIBUTE = 0x00000100;
|
|
|
|
/* registry entry specific bits */
|
|
const int SEC_REG_QUERY_VALUE = 0x00000001;
|
|
const int SEC_REG_SET_VALUE = 0x00000002;
|
|
const int SEC_REG_CREATE_SUBKEY = 0x00000004;
|
|
const int SEC_REG_ENUM_SUBKEYS = 0x00000008;
|
|
const int SEC_REG_NOTIFY = 0x00000010;
|
|
const int SEC_REG_CREATE_LINK = 0x00000020;
|
|
|
|
/* ldap specific access bits */
|
|
const int SEC_ADS_CREATE_CHILD = 0x00000001;
|
|
const int SEC_ADS_DELETE_CHILD = 0x00000002;
|
|
const int SEC_ADS_LIST = 0x00000004;
|
|
const int SEC_ADS_SELF_WRITE = 0x00000008;
|
|
const int SEC_ADS_READ_PROP = 0x00000010;
|
|
const int SEC_ADS_WRITE_PROP = 0x00000020;
|
|
const int SEC_ADS_DELETE_TREE = 0x00000040;
|
|
const int SEC_ADS_LIST_OBJECT = 0x00000080;
|
|
const int SEC_ADS_CONTROL_ACCESS = 0x00000100;
|
|
|
|
/* generic->specific mappings for files */
|
|
const int SEC_RIGHTS_FILE_READ = SEC_STD_READ_CONTROL |
|
|
SEC_STD_SYNCHRONIZE |
|
|
SEC_FILE_READ_DATA |
|
|
SEC_FILE_READ_ATTRIBUTE |
|
|
SEC_FILE_READ_EA;
|
|
|
|
const int SEC_RIGHTS_FILE_WRITE = SEC_STD_READ_CONTROL |
|
|
SEC_STD_SYNCHRONIZE |
|
|
SEC_FILE_WRITE_DATA |
|
|
SEC_FILE_WRITE_ATTRIBUTE |
|
|
SEC_FILE_WRITE_EA |
|
|
SEC_FILE_APPEND_DATA;
|
|
|
|
const int SEC_RIGHTS_FILE_EXECUTE = SEC_STD_SYNCHRONIZE |
|
|
SEC_STD_READ_CONTROL |
|
|
SEC_FILE_READ_ATTRIBUTE |
|
|
SEC_FILE_EXECUTE;
|
|
|
|
const int SEC_RIGHTS_FILE_ALL = SEC_STD_ALL | SEC_FILE_ALL;
|
|
|
|
/* generic->specific mappings for directories (same as files) */
|
|
const int SEC_RIGHTS_DIR_READ = SEC_RIGHTS_FILE_READ;
|
|
const int SEC_RIGHTS_DIR_WRITE = SEC_RIGHTS_FILE_WRITE;
|
|
const int SEC_RIGHTS_DIR_EXECUTE = SEC_RIGHTS_FILE_EXECUTE;
|
|
const int SEC_RIGHTS_DIR_ALL = SEC_RIGHTS_FILE_ALL;
|
|
|
|
|
|
/***************************************************************/
|
|
/* WELL KNOWN SIDS */
|
|
|
|
/* a NULL sid */
|
|
const string SID_NULL = "S-1-0-0";
|
|
|
|
/* the world domain */
|
|
const string NAME_WORLD = "WORLD";
|
|
|
|
const string SID_WORLD_DOMAIN = "S-1-1";
|
|
const string SID_WORLD = "S-1-1-0";
|
|
|
|
/* SECURITY_CREATOR_SID_AUTHORITY */
|
|
const string SID_CREATOR_OWNER_DOMAIN = "S-1-3";
|
|
const string SID_CREATOR_OWNER = "S-1-3-0";
|
|
const string SID_CREATOR_GROUP = "S-1-3-1";
|
|
|
|
/* SECURITY_NT_AUTHORITY */
|
|
const string NAME_NT_AUTHORITY = "NT AUTHORITY";
|
|
|
|
const string SID_NT_AUTHORITY = "S-1-5";
|
|
const string SID_NT_DIALUP = "S-1-5-1";
|
|
const string SID_NT_NETWORK = "S-1-5-2";
|
|
const string SID_NT_BATCH = "S-1-5-3";
|
|
const string SID_NT_INTERACTIVE = "S-1-5-4";
|
|
const string SID_NT_SERVICE = "S-1-5-6";
|
|
const string SID_NT_ANONYMOUS = "S-1-5-7";
|
|
const string SID_NT_PROXY = "S-1-5-8";
|
|
const string SID_NT_ENTERPRISE_DCS = "S-1-5-9";
|
|
const string SID_NT_SELF = "S-1-5-10";
|
|
const string SID_NT_AUTHENTICATED_USERS = "S-1-5-11";
|
|
const string SID_NT_RESTRICTED = "S-1-5-12";
|
|
const string SID_NT_TERMINAL_SERVER_USERS = "S-1-5-13";
|
|
const string SID_NT_REMOTE_INTERACTIVE = "S-1-5-14";
|
|
const string SID_NT_THIS_ORGANISATION = "S-1-5-15";
|
|
const string SID_NT_SYSTEM = "S-1-5-18";
|
|
const string SID_NT_LOCAL_SERVICE = "S-1-5-19";
|
|
const string SID_NT_NETWORK_SERVICE = "S-1-5-20";
|
|
|
|
/* SECURITY_BUILTIN_DOMAIN_RID */
|
|
const string NAME_BUILTIN = "BUILTIN";
|
|
|
|
const string SID_BUILTIN = "S-1-5-32";
|
|
const string SID_BUILTIN_ADMINISTRATORS = "S-1-5-32-544";
|
|
const string SID_BUILTIN_USERS = "S-1-5-32-545";
|
|
const string SID_BUILTIN_GUESTS = "S-1-5-32-546";
|
|
const string SID_BUILTIN_POWER_USERS = "S-1-5-32-547";
|
|
const string SID_BUILTIN_ACCOUNT_OPERATORS = "S-1-5-32-548";
|
|
const string SID_BUILTIN_SERVER_OPERATORS = "S-1-5-32-549";
|
|
const string SID_BUILTIN_PRINT_OPERATORS = "S-1-5-32-550";
|
|
const string SID_BUILTIN_BACKUP_OPERATORS = "S-1-5-32-551";
|
|
const string SID_BUILTIN_REPLICATOR = "S-1-5-32-552";
|
|
const string SID_BUILTIN_RAS_SERVERS = "S-1-5-32-553";
|
|
const string SID_BUILTIN_PREW2K = "S-1-5-32-554";
|
|
|
|
/* well-known domain RIDs */
|
|
const int DOMAIN_RID_LOGON = 9;
|
|
const int DOMAIN_RID_ADMINISTRATOR = 500;
|
|
const int DOMAIN_RID_GUEST = 501;
|
|
const int DOMAIN_RID_ADMINS = 512;
|
|
const int DOMAIN_RID_USERS = 513;
|
|
const int DOMAIN_RID_DOMAIN_MEMBERS = 515;
|
|
const int DOMAIN_RID_DCS = 516;
|
|
const int DOMAIN_RID_CERT_ADMINS = 517;
|
|
const int DOMAIN_RID_SCHEMA_ADMINS = 518;
|
|
const int DOMAIN_RID_ENTERPRISE_ADMINS = 519;
|
|
|
|
|
|
/*
|
|
privilege IDs. Please keep the IDs below 64. If we get more
|
|
than 64 then we need to change security_token
|
|
*/
|
|
typedef enum {
|
|
SEC_PRIV_SECURITY = 1,
|
|
SEC_PRIV_BACKUP = 2,
|
|
SEC_PRIV_RESTORE = 3,
|
|
SEC_PRIV_SYSTEMTIME = 4,
|
|
SEC_PRIV_SHUTDOWN = 5,
|
|
SEC_PRIV_REMOTE_SHUTDOWN = 6,
|
|
SEC_PRIV_TAKE_OWNERSHIP = 7,
|
|
SEC_PRIV_DEBUG = 8,
|
|
SEC_PRIV_SYSTEM_ENVIRONMENT = 9,
|
|
SEC_PRIV_SYSTEM_PROFILE = 10,
|
|
SEC_PRIV_PROFILE_SINGLE_PROCESS = 11,
|
|
SEC_PRIV_INCREASE_BASE_PRIORITY = 12,
|
|
SEC_PRIV_LOAD_DRIVER = 13,
|
|
SEC_PRIV_CREATE_PAGEFILE = 14,
|
|
SEC_PRIV_INCREASE_QUOTA = 15,
|
|
SEC_PRIV_CHANGE_NOTIFY = 16,
|
|
SEC_PRIV_UNDOCK = 17,
|
|
SEC_PRIV_MANAGE_VOLUME = 18,
|
|
SEC_PRIV_IMPERSONATE = 19,
|
|
SEC_PRIV_CREATE_GLOBAL = 20,
|
|
SEC_PRIV_ENABLE_DELEGATION = 21,
|
|
SEC_PRIV_INTERACTIVE_LOGON = 22,
|
|
SEC_PRIV_NETWORK_LOGON = 23,
|
|
SEC_PRIV_REMOTE_INTERACTIVE_LOGON = 24
|
|
} sec_privilege;
|
|
|
|
|
|
/* a domain SID. Note that unlike Samba3 this contains a pointer,
|
|
so you can't copy them using assignment */
|
|
typedef [public,gensize,noprint,noejs,nosize] struct {
|
|
uint8 sid_rev_num; /**< SID revision number */
|
|
[range(0,15)] int8 num_auths; /**< Number of sub-authorities */
|
|
uint8 id_auth[6]; /**< Identifier Authority */
|
|
uint32 sub_auths[num_auths];
|
|
} dom_sid;
|
|
|
|
typedef [bitmap8bit] bitmap {
|
|
SEC_ACE_FLAG_OBJECT_INHERIT = 0x01,
|
|
SEC_ACE_FLAG_CONTAINER_INHERIT = 0x02,
|
|
SEC_ACE_FLAG_NO_PROPAGATE_INHERIT = 0x04,
|
|
SEC_ACE_FLAG_INHERIT_ONLY = 0x08,
|
|
SEC_ACE_FLAG_INHERITED_ACE = 0x10,
|
|
SEC_ACE_FLAG_VALID_INHERIT = 0x0f,
|
|
SEC_ACE_FLAG_SUCCESSFUL_ACCESS = 0x40,
|
|
SEC_ACE_FLAG_FAILED_ACCESS = 0x80
|
|
} security_ace_flags;
|
|
|
|
typedef [enum8bit] enum {
|
|
SEC_ACE_TYPE_ACCESS_ALLOWED = 0,
|
|
SEC_ACE_TYPE_ACCESS_DENIED = 1,
|
|
SEC_ACE_TYPE_SYSTEM_AUDIT = 2,
|
|
SEC_ACE_TYPE_SYSTEM_ALARM = 3,
|
|
SEC_ACE_TYPE_ALLOWED_COMPOUND = 4,
|
|
SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT = 5,
|
|
SEC_ACE_TYPE_ACCESS_DENIED_OBJECT = 6,
|
|
SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT = 7,
|
|
SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT = 8
|
|
} security_ace_type;
|
|
|
|
typedef [bitmap32bit] bitmap {
|
|
SEC_ACE_OBJECT_TYPE_PRESENT = 0x00000001,
|
|
SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x00000002
|
|
} security_ace_object_flags;
|
|
|
|
typedef [nodiscriminant] union {
|
|
/* this is the 'schemaIDGUID' attribute of the attribute object in the schema naming context */
|
|
[case(SEC_ACE_OBJECT_TYPE_PRESENT)] GUID type;
|
|
[default];
|
|
} security_ace_object_type;
|
|
|
|
typedef [nodiscriminant] union {
|
|
/* this is the 'schemaIDGUID' attribute of the objectclass object in the schema naming context
|
|
* (of the parent container)
|
|
*/
|
|
[case(SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)] GUID inherited_type;
|
|
[default];
|
|
} security_ace_object_inherited_type;
|
|
|
|
typedef struct {
|
|
security_ace_object_flags flags;
|
|
[switch_is(flags & SEC_ACE_OBJECT_TYPE_PRESENT)] security_ace_object_type type;
|
|
[switch_is(flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)] security_ace_object_inherited_type inherited_type;
|
|
} security_ace_object;
|
|
|
|
typedef [nodiscriminant] union {
|
|
[case(SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT)] security_ace_object object;
|
|
[case(SEC_ACE_TYPE_ACCESS_DENIED_OBJECT)] security_ace_object object;
|
|
[case(SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT)] security_ace_object object;
|
|
[case(SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT)] security_ace_object object;
|
|
[default];
|
|
} security_ace_object_ctr;
|
|
|
|
typedef [public,gensize,nosize] struct {
|
|
security_ace_type type; /* SEC_ACE_TYPE_* */
|
|
security_ace_flags flags; /* SEC_ACE_FLAG_* */
|
|
[value(ndr_size_security_ace(r,ndr->flags))] uint16 size;
|
|
uint32 access_mask;
|
|
[switch_is(type)] security_ace_object_ctr object;
|
|
dom_sid trustee;
|
|
} security_ace;
|
|
|
|
typedef enum {
|
|
SECURITY_ACL_REVISION_NT4 = 2,
|
|
SECURITY_ACL_REVISION_ADS = 4
|
|
} security_acl_revision;
|
|
|
|
const uint NT4_ACL_REVISION = SECURITY_ACL_REVISION_NT4;
|
|
|
|
typedef [public,gensize,nosize] struct {
|
|
security_acl_revision revision;
|
|
[value(ndr_size_security_acl(r,ndr->flags))] uint16 size;
|
|
[range(0,1000)] uint32 num_aces;
|
|
security_ace aces[num_aces];
|
|
} security_acl;
|
|
|
|
/* default revision for new ACLs */
|
|
typedef [enum8bit] enum {
|
|
SECURITY_DESCRIPTOR_REVISION_1 = 1
|
|
} security_descriptor_revision;
|
|
|
|
const int SD_REVISION = SECURITY_DESCRIPTOR_REVISION_1;
|
|
|
|
/* security_descriptor->type bits */
|
|
typedef [bitmap16bit] bitmap {
|
|
SEC_DESC_OWNER_DEFAULTED = 0x0001,
|
|
SEC_DESC_GROUP_DEFAULTED = 0x0002,
|
|
SEC_DESC_DACL_PRESENT = 0x0004,
|
|
SEC_DESC_DACL_DEFAULTED = 0x0008,
|
|
SEC_DESC_SACL_PRESENT = 0x0010,
|
|
SEC_DESC_SACL_DEFAULTED = 0x0020,
|
|
SEC_DESC_DACL_TRUSTED = 0x0040,
|
|
SEC_DESC_SERVER_SECURITY = 0x0080,
|
|
SEC_DESC_DACL_AUTO_INHERIT_REQ = 0x0100,
|
|
SEC_DESC_SACL_AUTO_INHERIT_REQ = 0x0200,
|
|
SEC_DESC_DACL_AUTO_INHERITED = 0x0400,
|
|
SEC_DESC_SACL_AUTO_INHERITED = 0x0800,
|
|
SEC_DESC_DACL_PROTECTED = 0x1000,
|
|
SEC_DESC_SACL_PROTECTED = 0x2000,
|
|
SEC_DESC_RM_CONTROL_VALID = 0x4000,
|
|
SEC_DESC_SELF_RELATIVE = 0x8000
|
|
} security_descriptor_type;
|
|
|
|
typedef [gensize,nosize,public,flag(NDR_LITTLE_ENDIAN)] struct {
|
|
security_descriptor_revision revision;
|
|
security_descriptor_type type; /* SEC_DESC_xxxx flags */
|
|
[relative] dom_sid *owner_sid;
|
|
[relative] dom_sid *group_sid;
|
|
[relative] security_acl *sacl; /* system ACL */
|
|
[relative] security_acl *dacl; /* user (discretionary) ACL */
|
|
} security_descriptor;
|
|
|
|
typedef [public] struct {
|
|
[range(0,0x40000),value(ndr_size_security_descriptor(sd,ndr->flags))] uint32 sd_size;
|
|
[subcontext(4)] security_descriptor *sd;
|
|
} sec_desc_buf;
|
|
|
|
typedef [public] struct {
|
|
dom_sid *user_sid;
|
|
dom_sid *group_sid;
|
|
uint32 num_sids;
|
|
[size_is(num_sids)] dom_sid *sids[*];
|
|
udlong privilege_mask;
|
|
} security_token;
|
|
|
|
/* bits that determine which parts of a security descriptor
|
|
are being queried/set */
|
|
typedef [public,bitmap32bit] bitmap {
|
|
SECINFO_OWNER = 0x00000001,
|
|
SECINFO_GROUP = 0x00000002,
|
|
SECINFO_DACL = 0x00000004,
|
|
SECINFO_SACL = 0x00000008,
|
|
SECINFO_UNPROTECTED_SACL = 0x10000000,
|
|
SECINFO_UNPROTECTED_DACL = 0x20000000,
|
|
SECINFO_PROTECTED_SACL = 0x40000000,
|
|
SECINFO_PROTECTED_DACL = 0x80000000
|
|
} security_secinfo;
|
|
}
|