sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-15 23:24:37 +03:00
Code
samba-mirror/source4/librpc/idl/security.idl
Andrew Tridgell 6ca874f71a r4147: converted from NT_USER_TOKEN to struct security_token 
this is mostly just a tidyup, but also adds the privilege_mask, which
I will be using shortly in ACL checking.

note that I had to move the definition of struct security_token out of
security.idl as pidl doesn't yet handle arrays of pointers, and the
usual workaround (to use a intermediate structure) would make things
too cumbersome for this structure, especially given we never encode it
to NDR.
(This used to be commit 7b446af09b8050746bfc2c50e9d56aa94397cc1a)
2007-10-10 13:06:31 -05:00

280 lines
10 KiB
Plaintext
Raw Blame History

#include "idl_types.h"
/*
security IDL structures
*/
interface security
{
/*
access masks are divided up like this:
0xabccdddd
where
a = generic rights bits SEC_GENERIC_
b = flags SEC_FLAG_
c = standard rights bits SEC_STD_
d = object type specific bits SEC_{FILE,DIR,REG,xxx}_
common combinations of bits are prefixed with SEC_RIGHTS_
*/
const int SEC_MASK_GENERIC = 0xF0000000;
const int SEC_MASK_FLAGS = 0x0F000000;
const int SEC_MASK_STANDARD = 0x00FF0000;
const int SEC_MASK_SPECIFIC = 0x0000FFFF;
/* generic bits */
const int SEC_GENERIC_ALL = 0x10000000;
const int SEC_GENERIC_EXECUTE = 0x20000000;
const int SEC_GENERIC_WRITE = 0x40000000;
const int SEC_GENERIC_READ = 0x80000000;
/* flag bits */
const int SEC_FLAG_SYSTEM_SECURITY = 0x01000000;
const int SEC_FLAG_MAXIMUM_ALLOWED = 0x02000000;
/* standard bits */
const int SEC_STD_DELETE = 0x00010000;
const int SEC_STD_READ_CONTROL = 0x00020000;
const int SEC_STD_WRITE_DAC = 0x00040000;
const int SEC_STD_WRITE_OWNER = 0x00080000;
const int SEC_STD_SYNCHRONIZE = 0x00100000;
const int SEC_STD_REQUIRED = 0x000F0000;
const int SEC_STD_ALL = 0x001F0000;
/* file specific bits */
const int SEC_FILE_READ_DATA = 0x00000001;
const int SEC_FILE_WRITE_DATA = 0x00000002;
const int SEC_FILE_APPEND_DATA = 0x00000004;
const int SEC_FILE_READ_EA = 0x00000008;
const int SEC_FILE_WRITE_EA = 0x00000010;
const int SEC_FILE_EXECUTE = 0x00000020;
const int SEC_FILE_READ_ATTRIBUTE = 0x00000080;
const int SEC_FILE_WRITE_ATTRIBUTE = 0x00000100;
const int SEC_FILE_ALL = 0x000001ff;
/* directory specific bits */
const int SEC_DIR_LIST = 0x00000001;
const int SEC_DIR_ADD_FILE = 0x00000002;
const int SEC_DIR_ADD_SUBDIR = 0x00000004;
const int SEC_DIR_READ_EA = 0x00000008;
const int SEC_DIR_WRITE_EA = 0x00000010;
const int SEC_DIR_TRAVERSE = 0x00000020;
const int SEC_DIR_DELETE_CHILD = 0x00000040;
const int SEC_DIR_READ_ATTRIBUTE = 0x00000080;
const int SEC_DIR_WRITE_ATTRIBUTE = 0x00000100;
/* registry entry specific bits */
const int SEC_REG_QUERY_VALUE = 0x00000001;
const int SEC_REG_SET_VALUE = 0x00000002;
const int SEC_REG_CREATE_SUBKEY = 0x00000004;
const int SEC_REG_ENUM_SUBKEYS = 0x00000008;
const int SEC_REG_NOTIFY = 0x00000010;
const int SEC_REG_CREATE_LINK = 0x00000020;
/* generic->specific mappings for files */
const int SEC_RIGHTS_FILE_READ = SEC_STD_READ_CONTROL |
SEC_STD_SYNCHRONIZE |
SEC_FILE_READ_DATA |
SEC_FILE_READ_ATTRIBUTE |
SEC_FILE_READ_EA;
const int SEC_RIGHTS_FILE_WRITE = SEC_STD_READ_CONTROL |
SEC_STD_SYNCHRONIZE |
SEC_FILE_WRITE_DATA |
SEC_FILE_WRITE_ATTRIBUTE |
SEC_FILE_WRITE_EA |
SEC_FILE_APPEND_DATA;
const int SEC_RIGHTS_FILE_EXECUTE = SEC_STD_SYNCHRONIZE |
SEC_STD_READ_CONTROL |
SEC_FILE_READ_ATTRIBUTE |
SEC_FILE_EXECUTE;
const int SEC_RIGHTS_FILE_ALL = SEC_STD_ALL | SEC_FILE_ALL;
/* generic->specific mappings for directories (same as files) */
const int SEC_RIGHTS_DIR_READ = SEC_RIGHTS_FILE_READ;
const int SEC_RIGHTS_DIR_WRITE = SEC_RIGHTS_FILE_WRITE;
const int SEC_RIGHTS_DIR_EXECUTE = SEC_RIGHTS_FILE_EXECUTE;
const int SEC_RIGHTS_DIR_ALL = SEC_RIGHTS_FILE_ALL;
/***************************************************************/
/* WELL KNOWN SIDS */
/* a NULL sid */
const string SID_NULL = "S-1-0-0";
/* the world domain */
const string SID_WORLD_DOMAIN = "S-1-1";
const string SID_WORLD = "S-1-1-0";
/* SECURITY_CREATOR_SID_AUTHORITY */
const string SID_CREATOR_OWNER_DOMAIN = "S-1-3";
const string SID_CREATOR_OWNER = "S-1-3-0";
const string SID_CREATOR_GROUP = "S-1-3-1";
/* SECURITY_NT_AUTHORITY */
const string SID_NT_AUTHORITY = "S-1-5";
const string SID_NT_DIALUP = "S-1-5-1";
const string SID_NT_NETWORK = "S-1-5-2";
const string SID_NT_BATCH = "S-1-5-3";
const string SID_NT_INTERACTIVE = "S-1-5-4";
const string SID_NT_SERVICE = "S-1-5-6";
const string SID_NT_ANONYMOUS = "S-1-5-7";
const string SID_NT_PROXY = "S-1-5-8";
const string SID_NT_ENTERPRISE_DCS = "S-1-5-9";
const string SID_NT_SELF = "S-1-5-10";
const string SID_NT_AUTHENTICATED_USERS = "S-1-5-11";
const string SID_NT_RESTRICTED = "S-1-5-12";
const string SID_NT_TERMINAL_SERVER_USERS = "S-1-5-13";
const string SID_NT_REMOTE_INTERACTIVE = "S-1-5-14";
const string SID_NT_THIS_ORGANISATION = "S-1-5-15";
const string SID_NT_SYSTEM = "S-1-5-18";
const string SID_NT_LOCAL_SERVICE = "S-1-5-19";
const string SID_NT_NETWORK_SERVICE = "S-1-5-20";
/* SECURITY_BUILTIN_DOMAIN_RID */
const string SID_BUILTIN = "S-1-5-32";
const string SID_BUILTIN_ADMINISTRATORS = "S-1-5-32-544";
const string SID_BUILTIN_USERS = "S-1-5-32-545";
const string SID_BUILTIN_GUESTS = "S-1-5-32-546";
const string SID_BUILTIN_POWER_USERS = "S-1-5-32-547";
const string SID_BUILTIN_ACCOUNT_OPERATORS = "S-1-5-32-548";
const string SID_BUILTIN_SERVER_OPERATORS = "S-1-5-32-549";
const string SID_BUILTIN_PRINT_OPERATORS = "S-1-5-32-550";
const string SID_BUILTIN_BACKUP_OPERATORS = "S-1-5-32-551";
const string SID_BUILTIN_REPLICATOR = "S-1-5-32-552";
/*
privilege IDs. Please keep the IDs below 64. If we get more
than 64 then we need to change security_token
*/
typedef enum {
SEC_PRIV_SECURITY = 1,
SEC_PRIV_BACKUP = 2,
SEC_PRIV_RESTORE = 3,
SEC_PRIV_SYSTEMTIME = 4,
SEC_PRIV_SHUTDOWN = 5,
SEC_PRIV_REMOTE_SHUTDOWN = 6,
SEC_PRIV_TAKE_OWNERSHIP = 7,
SEC_PRIV_DEBUG = 8,
SEC_PRIV_SYSTEM_ENVIRONMENT = 9,
SEC_PRIV_SYSTEM_PROFILE = 10,
SEC_PRIV_PROFILE_SINGLE_PROCESS = 11,
SEC_PRIV_INCREASE_BASE_PRIORITY = 12,
SEC_PRIV_LOAD_DRIVER = 13,
SEC_PRIV_CREATE_PAGEFILE = 14,
SEC_PRIV_INCREASE_QUOTA = 15,
SEC_PRIV_CHANGE_NOTIFY = 16,
SEC_PRIV_UNDOCK = 17,
SEC_PRIV_MANAGE_VOLUME = 18,
SEC_PRIV_IMPERSONATE = 19,
SEC_PRIV_CREATE_GLOBAL = 20,
SEC_PRIV_ENABLE_DELEGATION = 21,
SEC_PRIV_INTERACTIVE_LOGON = 22,
SEC_PRIV_NETWORK_LOGON = 23,
SEC_PRIV_REMOTE_INTERACTIVE_LOGON = 24
} sec_privilege;
/* a domain SID. Note that unlike Samba3 this contains a pointer,
so you can't copy them using assignment */
typedef [public,noprint] struct {
uint8 sid_rev_num; /**< SID revision number */
uint8 num_auths; /**< Number of sub-authorities */
uint8 id_auth[6]; /**< Identifier Authority */
uint32 sub_auths[num_auths];
} dom_sid;
const int SEC_ACE_FLAG_OBJECT_INHERIT = 0x001;
const int SEC_ACE_FLAG_CONTAINER_INHERIT = 0x002;
const int SEC_ACE_FLAG_NO_PROPAGATE_INHERIT = 0x004;
const int SEC_ACE_FLAG_INHERIT_ONLY = 0x008;
const int SEC_ACE_FLAG_INHERITED_ACE = 0x010;
const int SEC_ACE_FLAG_VALID_INHERIT = 0x00f;
const int SEC_ACE_FLAG_SUCCESSFUL_ACCESS = 0x040;
const int SEC_ACE_FLAG_FAILED_ACCESS = 0x080;
const int SEC_ACE_TYPE_ACCESS_ALLOWED = 0x0;
const int SEC_ACE_TYPE_ACCESS_DENIED = 0x1;
const int SEC_ACE_TYPE_SYSTEM_AUDIT = 0x2;
const int SEC_ACE_TYPE_SYSTEM_ALARM = 0x3;
const int SEC_ACE_TYPE_ALLOWED_COMPOUND = 0x4;
const int SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT = 0x5;
const int SEC_ACE_TYPE_ACCESS_DENIED_OBJECT = 0x6;
const int SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT = 0x7;
const int SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT = 0x8;
typedef [public] struct {
uint8 type; /* SEC_ACE_TYPE_* */
uint8 flags; /* SEC_ACE_FLAG_* */
[value(ndr_size_security_ace(r))] uint16 size;
uint32 access_mask;
#if 0
/* the 'obj' part is present when type is XXXX_TYPE_XXXX_OBJECT */
struct {
uint32 flags;
GUID object_guid;
GUID inherit_guid;
} *obj;
#endif
dom_sid trustee;
} security_ace;
const int NT4_ACL_REVISION = 0x2;
typedef [public] struct {
uint16 revision;
[value(ndr_size_security_acl(r))] uint16 size;
[range(0,1000)] uint32 num_aces;
security_ace aces[num_aces];
} security_acl;
/* default revision for new ACLs */
const int SD_REVISION = 1;
/* security_descriptor->type bits */
const int SEC_DESC_OWNER_DEFAULTED = 0x0001;
const int SEC_DESC_GROUP_DEFAULTED = 0x0002;
const int SEC_DESC_DACL_PRESENT = 0x0004;
const int SEC_DESC_DACL_DEFAULTED = 0x0008;
const int SEC_DESC_SACL_PRESENT = 0x0010;
const int SEC_DESC_SACL_DEFAULTED = 0x0020;
const int SEC_DESC_DACL_TRUSTED = 0x0040;
const int SEC_DESC_SERVER_SECURITY = 0x0080;
const int SEC_DESC_DACL_AUTO_INHERIT_REQ = 0x0100;
const int SEC_DESC_SACL_AUTO_INHERIT_REQ = 0x0200;
const int SEC_DESC_DACL_AUTO_INHERITED = 0x0400;
const int SEC_DESC_SACL_AUTO_INHERITED = 0x0800;
const int SEC_DESC_DACL_PROTECTED = 0x1000;
const int SEC_DESC_SACL_PROTECTED = 0x2000;
const int SEC_DESC_RM_CONTROL_VALID = 0x4000;
const int SEC_DESC_SELF_RELATIVE = 0x8000;
/* bits that determine which parts of a security descriptor
are being queried/set */
const int SECINFO_OWNER = 0x00000001;
const int SECINFO_GROUP = 0x00000002;
const int SECINFO_DACL = 0x00000004;
const int SECINFO_SACL = 0x00000008;
typedef [public,flag(NDR_LITTLE_ENDIAN)] struct {
uint8 revision;
uint16 type; /* SEC_DESC_xxxx flags */
[relative] dom_sid *owner_sid;
[relative] dom_sid *group_sid;
[relative] security_acl *sacl; /* system ACL */
[relative] security_acl *dacl; /* user (discretionary) ACL */
} security_descriptor;
typedef [public] struct {
[range(0,0x40000),value(ndr_size_security_descriptor(r->sd))] uint32 sd_size;
[subcontext(4)] security_descriptor *sd;
} sec_desc_buf;
}
View Git Blame Copy Permalink