mirror of
https://github.com/samba-team/samba.git
synced 2025-01-27 14:04:05 +03:00
81240b13b3
These CARs need to be checked on password change and password reset operations. Apparently the password attributes are not influenced by Write Property. Single detele operations and modifications of dBCSPwd are let through to the password_hash module. This is determined experimentally.
550 lines
22 KiB
Plaintext
550 lines
22 KiB
Plaintext
#include "idl_types.h"
|
|
|
|
/*
|
|
security IDL structures
|
|
*/
|
|
|
|
import "misc.idl";
|
|
|
|
/*
|
|
use the same structure for dom_sid2 as dom_sid. A dom_sid2 is really
|
|
just a dom sid, but with the sub_auths represented as a conformant
|
|
array. As with all in-structure conformant arrays, the array length
|
|
is placed before the start of the structure. That's what gives rise
|
|
to the extra num_auths elemenent. We don't want the Samba code to
|
|
have to bother with such esoteric NDR details, so its easier to just
|
|
define it as a dom_sid and use pidl magic to make it all work. It
|
|
just means you need to mark a sid as a "dom_sid2" in the IDL when you
|
|
know it is of the conformant array variety
|
|
*/
|
|
cpp_quote("#define dom_sid2 dom_sid")
|
|
|
|
/* same struct as dom_sid but inside a 28 bytes fixed buffer in NDR */
|
|
cpp_quote("#define dom_sid28 dom_sid")
|
|
|
|
/* same struct as dom_sid but in a variable byte buffer, which is maybe empty in NDR */
|
|
cpp_quote("#define dom_sid0 dom_sid")
|
|
|
|
[
|
|
pyhelper("librpc/ndr/py_security.c"),
|
|
pointer_default(unique)
|
|
]
|
|
interface security
|
|
{
|
|
|
|
typedef [public,gensize,noprint,nosize,nopull,nopush] struct {
|
|
uint8 sid_rev_num; /**< SID revision number */
|
|
[range(0,15)] int8 num_auths; /**< Number of sub-authorities */
|
|
uint8 id_auth[6]; /**< Identifier Authority */
|
|
uint32 sub_auths[15];
|
|
} dom_sid;
|
|
/*
|
|
access masks are divided up like this:
|
|
0xabccdddd
|
|
where
|
|
a = generic rights bits SEC_GENERIC_
|
|
b = flags SEC_FLAG_
|
|
c = standard rights bits SEC_STD_
|
|
d = object type specific bits SEC_{FILE,DIR,REG,xxx}_
|
|
|
|
common combinations of bits are prefixed with SEC_RIGHTS_
|
|
*/
|
|
const int SEC_MASK_GENERIC = 0xF0000000;
|
|
const int SEC_MASK_FLAGS = 0x0F000000;
|
|
const int SEC_MASK_STANDARD = 0x00FF0000;
|
|
const int SEC_MASK_SPECIFIC = 0x0000FFFF;
|
|
|
|
/* generic bits */
|
|
const int SEC_GENERIC_ALL = 0x10000000;
|
|
const int SEC_GENERIC_EXECUTE = 0x20000000;
|
|
const int SEC_GENERIC_WRITE = 0x40000000;
|
|
const int SEC_GENERIC_READ = 0x80000000;
|
|
|
|
/* flag bits */
|
|
const int SEC_FLAG_SYSTEM_SECURITY = 0x01000000;
|
|
const int SEC_FLAG_MAXIMUM_ALLOWED = 0x02000000;
|
|
|
|
/* standard bits */
|
|
const int SEC_STD_DELETE = 0x00010000;
|
|
const int SEC_STD_READ_CONTROL = 0x00020000;
|
|
const int SEC_STD_WRITE_DAC = 0x00040000;
|
|
const int SEC_STD_WRITE_OWNER = 0x00080000;
|
|
const int SEC_STD_SYNCHRONIZE = 0x00100000;
|
|
const int SEC_STD_REQUIRED = 0x000F0000;
|
|
const int SEC_STD_ALL = 0x001F0000;
|
|
|
|
/* file specific bits */
|
|
const int SEC_FILE_READ_DATA = 0x00000001;
|
|
const int SEC_FILE_WRITE_DATA = 0x00000002;
|
|
const int SEC_FILE_APPEND_DATA = 0x00000004;
|
|
const int SEC_FILE_READ_EA = 0x00000008;
|
|
const int SEC_FILE_WRITE_EA = 0x00000010;
|
|
const int SEC_FILE_EXECUTE = 0x00000020;
|
|
const int SEC_FILE_READ_ATTRIBUTE = 0x00000080;
|
|
const int SEC_FILE_WRITE_ATTRIBUTE = 0x00000100;
|
|
const int SEC_FILE_ALL = 0x000001ff;
|
|
|
|
/* directory specific bits */
|
|
const int SEC_DIR_LIST = 0x00000001;
|
|
const int SEC_DIR_ADD_FILE = 0x00000002;
|
|
const int SEC_DIR_ADD_SUBDIR = 0x00000004;
|
|
const int SEC_DIR_READ_EA = 0x00000008;
|
|
const int SEC_DIR_WRITE_EA = 0x00000010;
|
|
const int SEC_DIR_TRAVERSE = 0x00000020;
|
|
const int SEC_DIR_DELETE_CHILD = 0x00000040;
|
|
const int SEC_DIR_READ_ATTRIBUTE = 0x00000080;
|
|
const int SEC_DIR_WRITE_ATTRIBUTE = 0x00000100;
|
|
|
|
/* registry entry specific bits */
|
|
const int SEC_REG_QUERY_VALUE = 0x00000001;
|
|
const int SEC_REG_SET_VALUE = 0x00000002;
|
|
const int SEC_REG_CREATE_SUBKEY = 0x00000004;
|
|
const int SEC_REG_ENUM_SUBKEYS = 0x00000008;
|
|
const int SEC_REG_NOTIFY = 0x00000010;
|
|
const int SEC_REG_CREATE_LINK = 0x00000020;
|
|
|
|
/* ldap specific access bits */
|
|
const int SEC_ADS_CREATE_CHILD = 0x00000001;
|
|
const int SEC_ADS_DELETE_CHILD = 0x00000002;
|
|
const int SEC_ADS_LIST = 0x00000004;
|
|
const int SEC_ADS_SELF_WRITE = 0x00000008;
|
|
const int SEC_ADS_READ_PROP = 0x00000010;
|
|
const int SEC_ADS_WRITE_PROP = 0x00000020;
|
|
const int SEC_ADS_DELETE_TREE = 0x00000040;
|
|
const int SEC_ADS_LIST_OBJECT = 0x00000080;
|
|
const int SEC_ADS_CONTROL_ACCESS = 0x00000100;
|
|
|
|
/* invalid bits */
|
|
const int SEC_MASK_INVALID = 0x0ce0fe00;
|
|
|
|
/* generic->specific mappings for files */
|
|
const int SEC_RIGHTS_FILE_READ = SEC_STD_READ_CONTROL |
|
|
SEC_STD_SYNCHRONIZE |
|
|
SEC_FILE_READ_DATA |
|
|
SEC_FILE_READ_ATTRIBUTE |
|
|
SEC_FILE_READ_EA;
|
|
|
|
const int SEC_RIGHTS_FILE_WRITE = SEC_STD_READ_CONTROL |
|
|
SEC_STD_SYNCHRONIZE |
|
|
SEC_FILE_WRITE_DATA |
|
|
SEC_FILE_WRITE_ATTRIBUTE |
|
|
SEC_FILE_WRITE_EA |
|
|
SEC_FILE_APPEND_DATA;
|
|
|
|
const int SEC_RIGHTS_FILE_EXECUTE = SEC_STD_SYNCHRONIZE |
|
|
SEC_STD_READ_CONTROL |
|
|
SEC_FILE_READ_ATTRIBUTE |
|
|
SEC_FILE_EXECUTE;
|
|
|
|
const int SEC_RIGHTS_FILE_ALL = SEC_STD_ALL | SEC_FILE_ALL;
|
|
|
|
/* generic->specific mappings for directories (same as files) */
|
|
const int SEC_RIGHTS_DIR_READ = SEC_RIGHTS_FILE_READ;
|
|
const int SEC_RIGHTS_DIR_WRITE = SEC_RIGHTS_FILE_WRITE;
|
|
const int SEC_RIGHTS_DIR_EXECUTE = SEC_RIGHTS_FILE_EXECUTE;
|
|
const int SEC_RIGHTS_DIR_ALL = SEC_RIGHTS_FILE_ALL;
|
|
|
|
/* rights granted by some specific privileges */
|
|
const int SEC_RIGHTS_PRIV_BACKUP = SEC_STD_READ_CONTROL |
|
|
SEC_FLAG_SYSTEM_SECURITY |
|
|
SEC_GENERIC_READ;
|
|
const int SEC_RIGHTS_DIR_PRIV_BACKUP = SEC_RIGHTS_PRIV_BACKUP
|
|
| SEC_DIR_TRAVERSE;
|
|
|
|
const int SEC_RIGHTS_PRIV_RESTORE = SEC_STD_WRITE_DAC |
|
|
SEC_STD_WRITE_OWNER |
|
|
SEC_FLAG_SYSTEM_SECURITY |
|
|
SEC_STD_DELETE;
|
|
const int SEC_RIGHTS_DIR_PRIV_RESTORE = SEC_RIGHTS_PRIV_RESTORE |
|
|
SEC_DIR_ADD_FILE |
|
|
SEC_DIR_ADD_SUBDIR;
|
|
|
|
/* combinations of standard masks. */
|
|
const int STANDARD_RIGHTS_ALL_ACCESS = SEC_STD_ALL; /* 0x001f0000 */
|
|
const int STANDARD_RIGHTS_MODIFY_ACCESS = SEC_STD_READ_CONTROL; /* 0x00020000 */
|
|
const int STANDARD_RIGHTS_EXECUTE_ACCESS = SEC_STD_READ_CONTROL; /* 0x00020000 */
|
|
const int STANDARD_RIGHTS_READ_ACCESS = SEC_STD_READ_CONTROL; /* 0x00020000 */
|
|
const int STANDARD_RIGHTS_WRITE_ACCESS =
|
|
(SEC_STD_WRITE_OWNER |
|
|
SEC_STD_WRITE_DAC |
|
|
SEC_STD_DELETE); /* 0x000d0000 */
|
|
const int STANDARD_RIGHTS_REQUIRED_ACCESS =
|
|
(SEC_STD_DELETE |
|
|
SEC_STD_READ_CONTROL |
|
|
SEC_STD_WRITE_DAC |
|
|
SEC_STD_WRITE_OWNER); /* 0x000f0000 */
|
|
|
|
/* generic->specific mappings for Directory Service objects */
|
|
/* directory specific part of GENERIC_ALL */
|
|
const int SEC_ADS_GENERIC_ALL_DS =
|
|
(SEC_STD_DELETE |
|
|
SEC_STD_WRITE_DAC |
|
|
SEC_STD_WRITE_OWNER |
|
|
SEC_ADS_CREATE_CHILD |
|
|
SEC_ADS_DELETE_CHILD |
|
|
SEC_ADS_DELETE_TREE |
|
|
SEC_ADS_CONTROL_ACCESS);
|
|
const int SEC_ADS_GENERIC_EXECUTE = SEC_STD_READ_CONTROL | SEC_ADS_LIST;
|
|
const int SEC_ADS_GENERIC_WRITE =
|
|
(SEC_STD_READ_CONTROL |
|
|
SEC_ADS_SELF_WRITE |
|
|
SEC_ADS_WRITE_PROP);
|
|
const int SEC_ADS_GENERIC_READ =
|
|
(SEC_STD_READ_CONTROL |
|
|
SEC_ADS_LIST |
|
|
SEC_ADS_READ_PROP |
|
|
SEC_ADS_LIST_OBJECT);
|
|
const int SEC_ADS_GENERIC_ALL =
|
|
(SEC_ADS_GENERIC_EXECUTE |
|
|
SEC_ADS_GENERIC_WRITE |
|
|
SEC_ADS_GENERIC_READ |
|
|
SEC_ADS_GENERIC_ALL_DS);
|
|
|
|
/***************************************************************/
|
|
/* WELL KNOWN SIDS */
|
|
|
|
/* a NULL sid */
|
|
const string SID_NULL = "S-1-0-0";
|
|
|
|
/* the world domain */
|
|
const string NAME_WORLD = "WORLD";
|
|
|
|
const string SID_WORLD_DOMAIN = "S-1-1";
|
|
const string SID_WORLD = "S-1-1-0";
|
|
|
|
/* SECURITY_CREATOR_SID_AUTHORITY */
|
|
const string SID_CREATOR_OWNER_DOMAIN = "S-1-3";
|
|
const string SID_CREATOR_OWNER = "S-1-3-0";
|
|
const string SID_CREATOR_GROUP = "S-1-3-1";
|
|
const string SID_OWNER_RIGHTS = "S-1-3-4";
|
|
|
|
/* SECURITY_NT_AUTHORITY */
|
|
const string NAME_NT_AUTHORITY = "NT AUTHORITY";
|
|
|
|
const string SID_NT_AUTHORITY = "S-1-5";
|
|
const string SID_NT_DIALUP = "S-1-5-1";
|
|
const string SID_NT_NETWORK = "S-1-5-2";
|
|
const string SID_NT_BATCH = "S-1-5-3";
|
|
const string SID_NT_INTERACTIVE = "S-1-5-4";
|
|
const string SID_NT_SERVICE = "S-1-5-6";
|
|
const string SID_NT_ANONYMOUS = "S-1-5-7";
|
|
const string SID_NT_PROXY = "S-1-5-8";
|
|
const string SID_NT_ENTERPRISE_DCS = "S-1-5-9";
|
|
const string SID_NT_SELF = "S-1-5-10";
|
|
const string SID_NT_AUTHENTICATED_USERS = "S-1-5-11";
|
|
const string SID_NT_RESTRICTED = "S-1-5-12";
|
|
const string SID_NT_TERMINAL_SERVER_USERS = "S-1-5-13";
|
|
const string SID_NT_REMOTE_INTERACTIVE = "S-1-5-14";
|
|
const string SID_NT_THIS_ORGANISATION = "S-1-5-15";
|
|
const string SID_NT_IUSR = "S-1-5-17";
|
|
const string SID_NT_SYSTEM = "S-1-5-18";
|
|
const string SID_NT_LOCAL_SERVICE = "S-1-5-19";
|
|
const string SID_NT_NETWORK_SERVICE = "S-1-5-20";
|
|
const string SID_NT_DIGEST_AUTHENTICATION = "S-1-5-64-21";
|
|
const string SID_NT_NTLM_AUTHENTICATION = "S-1-5-64-10";
|
|
const string SID_NT_SCHANNEL_AUTHENTICATION = "S-1-5-64-14";
|
|
const string SID_NT_OTHER_ORGANISATION = "S-1-5-1000";
|
|
|
|
/* SECURITY_BUILTIN_DOMAIN_RID */
|
|
const string NAME_BUILTIN = "BUILTIN";
|
|
|
|
const string SID_BUILTIN = "S-1-5-32";
|
|
const string SID_BUILTIN_ADMINISTRATORS = "S-1-5-32-544";
|
|
const string SID_BUILTIN_USERS = "S-1-5-32-545";
|
|
const string SID_BUILTIN_GUESTS = "S-1-5-32-546";
|
|
const string SID_BUILTIN_POWER_USERS = "S-1-5-32-547";
|
|
const string SID_BUILTIN_ACCOUNT_OPERATORS = "S-1-5-32-548";
|
|
const string SID_BUILTIN_SERVER_OPERATORS = "S-1-5-32-549";
|
|
const string SID_BUILTIN_PRINT_OPERATORS = "S-1-5-32-550";
|
|
const string SID_BUILTIN_BACKUP_OPERATORS = "S-1-5-32-551";
|
|
const string SID_BUILTIN_REPLICATOR = "S-1-5-32-552";
|
|
const string SID_BUILTIN_RAS_SERVERS = "S-1-5-32-553";
|
|
const string SID_BUILTIN_PREW2K = "S-1-5-32-554";
|
|
const string SID_BUILTIN_REMOTE_DESKTOP_USERS = "S-1-5-32-555";
|
|
const string SID_BUILTIN_NETWORK_CONF_OPERATORS = "S-1-5-32-556";
|
|
const string SID_BUILTIN_INCOMING_FOREST_TRUST = "S-1-5-32-557";
|
|
const string SID_BUILTIN_PERFMON_USERS = "S-1-5-32-558";
|
|
const string SID_BUILTIN_PERFLOG_USERS = "S-1-5-32-559";
|
|
const string SID_BUILTIN_AUTH_ACCESS = "S-1-5-32-560";
|
|
const string SID_BUILTIN_TS_LICENSE_SERVERS = "S-1-5-32-561";
|
|
|
|
/* SECURITY_NT_SERVICE */
|
|
const string NAME_NT_SERVICE = "NT SERVICE";
|
|
|
|
const string SID_NT_NT_SERVICE = "S-1-5-80";
|
|
const string SID_NT_TRUSTED_INSTALLER =
|
|
"S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464";
|
|
|
|
/* well-known domain RIDs */
|
|
const int DOMAIN_RID_LOGON = 9;
|
|
const int DOMAIN_RID_ENTERPRISE_READONLY_DCS = 498;
|
|
const int DOMAIN_RID_ADMINISTRATOR = 500;
|
|
const int DOMAIN_RID_GUEST = 501;
|
|
const int DOMAIN_RID_KRBTGT = 502;
|
|
const int DOMAIN_RID_ADMINS = 512;
|
|
const int DOMAIN_RID_USERS = 513;
|
|
const int DOMAIN_RID_GUESTS = 514;
|
|
const int DOMAIN_RID_DOMAIN_MEMBERS = 515;
|
|
const int DOMAIN_RID_DCS = 516;
|
|
const int DOMAIN_RID_CERT_ADMINS = 517;
|
|
const int DOMAIN_RID_SCHEMA_ADMINS = 518;
|
|
const int DOMAIN_RID_ENTERPRISE_ADMINS = 519;
|
|
const int DOMAIN_RID_POLICY_ADMINS = 520;
|
|
const int DOMAIN_RID_READONLY_DCS = 521;
|
|
const int DOMAIN_RID_RAS_SERVERS = 553;
|
|
|
|
/* well-known builtin RIDs */
|
|
const int BUILTIN_RID_ADMINISTRATORS = 544;
|
|
const int BUILTIN_RID_USERS = 545;
|
|
const int BUILTIN_RID_GUESTS = 546;
|
|
const int BUILTIN_RID_POWER_USERS = 547;
|
|
const int BUILTIN_RID_ACCOUNT_OPERATORS = 548;
|
|
const int BUILTIN_RID_SERVER_OPERATORS = 549;
|
|
const int BUILTIN_RID_PRINT_OPERATORS = 550;
|
|
const int BUILTIN_RID_BACKUP_OPERATORS = 551;
|
|
const int BUILTIN_RID_REPLICATOR = 552;
|
|
const int BUILTIN_RID_RAS_SERVERS = 553;
|
|
const int BUILTIN_RID_PRE_2K_ACCESS = 554;
|
|
const int BUILTIN_RID_REMOTE_DESKTOP_USERS = 555;
|
|
const int BUILTIN_RID_NETWORK_CONF_OPERATORS = 556;
|
|
const int BUILTIN_RID_INCOMING_FOREST_TRUST = 557;
|
|
const int BUILTIN_RID_PERFMON_USERS = 558;
|
|
const int BUILTIN_RID_PERFLOG_USERS = 559;
|
|
const int BUILTIN_RID_AUTH_ACCESS = 560;
|
|
const int BUILTIN_RID_TS_LICENSE_SERVERS = 561;
|
|
|
|
/*
|
|
privilege IDs. Please keep the IDs below 64. If we get more
|
|
than 64 then we need to change security_token
|
|
*/
|
|
typedef enum {
|
|
SEC_PRIV_SECURITY = 1,
|
|
SEC_PRIV_BACKUP = 2,
|
|
SEC_PRIV_RESTORE = 3,
|
|
SEC_PRIV_SYSTEMTIME = 4,
|
|
SEC_PRIV_SHUTDOWN = 5,
|
|
SEC_PRIV_REMOTE_SHUTDOWN = 6,
|
|
SEC_PRIV_TAKE_OWNERSHIP = 7,
|
|
SEC_PRIV_DEBUG = 8,
|
|
SEC_PRIV_SYSTEM_ENVIRONMENT = 9,
|
|
SEC_PRIV_SYSTEM_PROFILE = 10,
|
|
SEC_PRIV_PROFILE_SINGLE_PROCESS = 11,
|
|
SEC_PRIV_INCREASE_BASE_PRIORITY = 12,
|
|
SEC_PRIV_LOAD_DRIVER = 13,
|
|
SEC_PRIV_CREATE_PAGEFILE = 14,
|
|
SEC_PRIV_INCREASE_QUOTA = 15,
|
|
SEC_PRIV_CHANGE_NOTIFY = 16,
|
|
SEC_PRIV_UNDOCK = 17,
|
|
SEC_PRIV_MANAGE_VOLUME = 18,
|
|
SEC_PRIV_IMPERSONATE = 19,
|
|
SEC_PRIV_CREATE_GLOBAL = 20,
|
|
SEC_PRIV_ENABLE_DELEGATION = 21,
|
|
SEC_PRIV_INTERACTIVE_LOGON = 22,
|
|
SEC_PRIV_NETWORK_LOGON = 23,
|
|
SEC_PRIV_REMOTE_INTERACTIVE_LOGON = 24,
|
|
SEC_PRIV_MACHINE_ACCOUNT = 25
|
|
} sec_privilege;
|
|
|
|
|
|
typedef [public,bitmap8bit] bitmap {
|
|
SEC_ACE_FLAG_OBJECT_INHERIT = 0x01,
|
|
SEC_ACE_FLAG_CONTAINER_INHERIT = 0x02,
|
|
SEC_ACE_FLAG_NO_PROPAGATE_INHERIT = 0x04,
|
|
SEC_ACE_FLAG_INHERIT_ONLY = 0x08,
|
|
SEC_ACE_FLAG_INHERITED_ACE = 0x10,
|
|
SEC_ACE_FLAG_VALID_INHERIT = 0x0f,
|
|
SEC_ACE_FLAG_SUCCESSFUL_ACCESS = 0x40,
|
|
SEC_ACE_FLAG_FAILED_ACCESS = 0x80
|
|
} security_ace_flags;
|
|
|
|
typedef [public,enum8bit] enum {
|
|
SEC_ACE_TYPE_ACCESS_ALLOWED = 0,
|
|
SEC_ACE_TYPE_ACCESS_DENIED = 1,
|
|
SEC_ACE_TYPE_SYSTEM_AUDIT = 2,
|
|
SEC_ACE_TYPE_SYSTEM_ALARM = 3,
|
|
SEC_ACE_TYPE_ALLOWED_COMPOUND = 4,
|
|
SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT = 5,
|
|
SEC_ACE_TYPE_ACCESS_DENIED_OBJECT = 6,
|
|
SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT = 7,
|
|
SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT = 8
|
|
} security_ace_type;
|
|
|
|
typedef [bitmap32bit] bitmap {
|
|
SEC_ACE_OBJECT_TYPE_PRESENT = 0x00000001,
|
|
SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x00000002
|
|
} security_ace_object_flags;
|
|
|
|
typedef [nodiscriminant] union {
|
|
/* this is the 'schemaIDGUID' attribute of the attribute object in the schema naming context */
|
|
[case(SEC_ACE_OBJECT_TYPE_PRESENT)] GUID type;
|
|
[default];
|
|
} security_ace_object_type;
|
|
|
|
typedef [nodiscriminant] union {
|
|
/* this is the 'schemaIDGUID' attribute of the objectclass object in the schema naming context
|
|
* (of the parent container)
|
|
*/
|
|
[case(SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)] GUID inherited_type;
|
|
[default];
|
|
} security_ace_object_inherited_type;
|
|
|
|
typedef struct {
|
|
security_ace_object_flags flags;
|
|
[switch_is(flags & SEC_ACE_OBJECT_TYPE_PRESENT)] security_ace_object_type type;
|
|
[switch_is(flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)] security_ace_object_inherited_type inherited_type;
|
|
} security_ace_object;
|
|
|
|
typedef [public,nodiscriminant] union {
|
|
[case(SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT)] security_ace_object object;
|
|
[case(SEC_ACE_TYPE_ACCESS_DENIED_OBJECT)] security_ace_object object;
|
|
[case(SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT)] security_ace_object object;
|
|
[case(SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT)] security_ace_object object;
|
|
[default];
|
|
} security_ace_object_ctr;
|
|
|
|
typedef [public,nopull,gensize,nosize] struct {
|
|
security_ace_type type; /* SEC_ACE_TYPE_* */
|
|
security_ace_flags flags; /* SEC_ACE_FLAG_* */
|
|
[value(ndr_size_security_ace(r,ndr->flags))] uint16 size;
|
|
uint32 access_mask;
|
|
[switch_is(type)] security_ace_object_ctr object;
|
|
dom_sid trustee;
|
|
} security_ace;
|
|
|
|
typedef enum {
|
|
SECURITY_ACL_REVISION_NT4 = 2,
|
|
SECURITY_ACL_REVISION_ADS = 4
|
|
} security_acl_revision;
|
|
|
|
const uint NT4_ACL_REVISION = SECURITY_ACL_REVISION_NT4;
|
|
|
|
typedef [public,gensize,nosize] struct {
|
|
security_acl_revision revision;
|
|
[value(ndr_size_security_acl(r,ndr->flags))] uint16 size;
|
|
[range(0,1000)] uint32 num_aces;
|
|
security_ace aces[num_aces];
|
|
} security_acl;
|
|
|
|
/* default revision for new ACLs */
|
|
typedef [public,enum8bit] enum {
|
|
SECURITY_DESCRIPTOR_REVISION_1 = 1
|
|
} security_descriptor_revision;
|
|
|
|
const int SD_REVISION = SECURITY_DESCRIPTOR_REVISION_1;
|
|
|
|
/* security_descriptor->type bits */
|
|
typedef [public,bitmap16bit] bitmap {
|
|
SEC_DESC_OWNER_DEFAULTED = 0x0001,
|
|
SEC_DESC_GROUP_DEFAULTED = 0x0002,
|
|
SEC_DESC_DACL_PRESENT = 0x0004,
|
|
SEC_DESC_DACL_DEFAULTED = 0x0008,
|
|
SEC_DESC_SACL_PRESENT = 0x0010,
|
|
SEC_DESC_SACL_DEFAULTED = 0x0020,
|
|
SEC_DESC_DACL_TRUSTED = 0x0040,
|
|
SEC_DESC_SERVER_SECURITY = 0x0080,
|
|
SEC_DESC_DACL_AUTO_INHERIT_REQ = 0x0100,
|
|
SEC_DESC_SACL_AUTO_INHERIT_REQ = 0x0200,
|
|
SEC_DESC_DACL_AUTO_INHERITED = 0x0400,
|
|
SEC_DESC_SACL_AUTO_INHERITED = 0x0800,
|
|
SEC_DESC_DACL_PROTECTED = 0x1000,
|
|
SEC_DESC_SACL_PROTECTED = 0x2000,
|
|
SEC_DESC_RM_CONTROL_VALID = 0x4000,
|
|
SEC_DESC_SELF_RELATIVE = 0x8000
|
|
} security_descriptor_type;
|
|
|
|
typedef [gensize,nosize,public,flag(NDR_LITTLE_ENDIAN)] struct {
|
|
security_descriptor_revision revision;
|
|
security_descriptor_type type; /* SEC_DESC_xxxx flags */
|
|
[relative] dom_sid *owner_sid;
|
|
[relative] dom_sid *group_sid;
|
|
[relative] security_acl *sacl; /* system ACL */
|
|
[relative] security_acl *dacl; /* user (discretionary) ACL */
|
|
} security_descriptor;
|
|
|
|
typedef [public] struct {
|
|
[range(0,0x40000),value(ndr_size_security_descriptor(sd,ndr->flags))] uint32 sd_size;
|
|
[subcontext(4)] security_descriptor *sd;
|
|
} sec_desc_buf;
|
|
|
|
typedef [public] struct {
|
|
dom_sid *user_sid;
|
|
dom_sid *group_sid;
|
|
uint32 num_sids;
|
|
[size_is(num_sids)] dom_sid *sids[*];
|
|
udlong privilege_mask;
|
|
} security_token;
|
|
|
|
/* bits that determine which parts of a security descriptor
|
|
are being queried/set */
|
|
typedef [public,bitmap32bit] bitmap {
|
|
SECINFO_OWNER = 0x00000001,
|
|
SECINFO_GROUP = 0x00000002,
|
|
SECINFO_DACL = 0x00000004,
|
|
SECINFO_SACL = 0x00000008,
|
|
SECINFO_UNPROTECTED_SACL = 0x10000000,
|
|
SECINFO_UNPROTECTED_DACL = 0x20000000,
|
|
SECINFO_PROTECTED_SACL = 0x40000000,
|
|
SECINFO_PROTECTED_DACL = 0x80000000
|
|
} security_secinfo;
|
|
|
|
typedef [public,bitmap32bit] bitmap {
|
|
KERB_ENCTYPE_DES_CBC_CRC = 0x00000001,
|
|
KERB_ENCTYPE_DES_CBC_MD5 = 0x00000002,
|
|
KERB_ENCTYPE_RC4_HMAC_MD5 = 0x00000004,
|
|
KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 0x00000008,
|
|
KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010
|
|
} kerb_EncTypes;
|
|
|
|
typedef [public,bitmap32bit] bitmap {
|
|
SEC_DACL_AUTO_INHERIT = 0x00000001,
|
|
SEC_SACL_AUTO_INHERIT = 0x00000002,
|
|
SEC_DEFAULT_DESCRIPTOR = 0x00000004,
|
|
SEC_OWNER_FROM_PARENT = 0x00000008,
|
|
SEC_GROUP_FROM_PARENT = 0x00000010
|
|
} security_autoinherit;
|
|
|
|
/***************************************************************/
|
|
/* Extended right guids */
|
|
|
|
const string GUID_DRS_ALLOCATE_RIDS = "1abd7cf8-0a99-11d1-adbb-00c04fd8d5cd";
|
|
const string GUID_DRS_CHANGE_DOMAIN_MASTER = "014bf69c-7b3b-11d1-85f6-08002be74fab";
|
|
const string GUID_DRS_CHANGE_INFR_MASTER = "cc17b1fb-33d9-11d2-97d4-00c04fd8d5cd";
|
|
const string GUID_DRS_CHANGE_PDC = "bae50096-4752-11d1-9052-00c04fc2d4cf";
|
|
const string GUID_DRS_CHANGE_RID_MASTER = "d58d5f36-0a98-11d1-adbb-00c04fd8d5cd";
|
|
const string GUID_DRS_CHANGE_SCHEMA_MASTER = "e12b56b6-0a95-11d1-adbb-00c04fd8d5cd";
|
|
const string GUID_DRS_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2";
|
|
const string GUID_DRS_GET_ALL_CHANGES = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2";
|
|
const string GUID_DRS_GET_FILTERED_ATTRIBUTES = "89e95b76-444d-4c62-991a-0facbeda640c";
|
|
const string GUID_DRS_MANAGE_TOPOLOGY = "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2";
|
|
const string GUID_DRS_MONITOR_TOPOLOGY = "f98340fb-7c5b-4cdb-a00b-2ebdfa115a96";
|
|
const string GUID_DRS_REPL_SYNCRONIZE = "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2";
|
|
const string GUID_DRS_RO_REPL_SECRET_SYNC = "1131f6ae-9c07-11d1-f79f-00c04fc2dcd2";
|
|
const string GUID_DRS_USER_CHANGE_PASSWORD = "ab721a53-1e2f-11d0-9819-00aa0040529b";
|
|
const string GUID_DRS_FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529";
|
|
|
|
/***************************************************************/
|
|
/* validated writes guids */
|
|
const string GUID_DRS_VALIDATE_SPN = "f3a64788-5306-11d1-a9c5-0000f80367c1";
|
|
const string GUID_DRS_SELF_MEMBERSHIP = "bf9679c0-0de6-11d0-a285-00aa003049e2";
|
|
const string GUID_DRS_DNS_HOST_NAME = "72e39547-7b18-11d1-adef-00c04fd8d5cd";
|
|
const string GUID_DRS_ADD_DNS_HOST_NAME = "80863791-dbe9-4eb8-837e-7f0ab55d9ac7";
|
|
const string GUID_DRS_BEHAVIOR_VERSION = "d31a8757-2447-4545-8081-3bb610cacbf2";
|
|
|
|
/* A type to describe the mapping of generic access rights to object
|
|
specific access rights. */
|
|
|
|
typedef struct {
|
|
uint32 generic_read;
|
|
uint32 generic_write;
|
|
uint32 generic_execute;
|
|
uint32 generic_all;
|
|
} generic_mapping;
|
|
|
|
typedef struct {
|
|
uint32 std_read;
|
|
uint32 std_write;
|
|
uint32 std_execute;
|
|
uint32 std_all;
|
|
} standard_mapping;
|
|
}
|