diff options
Diffstat (limited to '')
-rw-r--r-- | librpc/idl/security.idl | 794 |
1 files changed, 794 insertions, 0 deletions
diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl new file mode 100644 index 0000000..8cfdbf5 --- /dev/null +++ b/librpc/idl/security.idl @@ -0,0 +1,794 @@ +#include "idl_types.h" + +/* + security IDL structures +*/ + +import "misc.idl"; + +/* + use the same structure for dom_sid2 as dom_sid. A dom_sid2 is really + just a dom sid, but with the sub_auths represented as a conformant + array. As with all in-structure conformant arrays, the array length + is placed before the start of the structure. That's what gives rise + to the extra num_auths elemenent. We don't want the Samba code to + have to bother with such esoteric NDR details, so its easier to just + define it as a dom_sid and use pidl magic to make it all work. It + just means you need to mark a sid as a "dom_sid2" in the IDL when you + know it is of the conformant array variety +*/ +cpp_quote("#define dom_sid2 dom_sid") + +/* same struct as dom_sid but inside a 28 bytes fixed buffer in NDR */ +cpp_quote("#define dom_sid28 dom_sid") + +/* same struct as dom_sid but in a variable byte buffer, which is maybe empty in NDR */ +cpp_quote("#define dom_sid0 dom_sid") + +[ + /* + * cbf7d408-2d6c-11e2-ae5b-0b5692790e18 just to make ndrdump happy + */ + uuid("cbf7d408-2d6c-11e2-ae5b-0b5692790e18"), + version(0.0), + pyhelper("librpc/ndr/py_security.c"), + pointer_default(unique) +] +interface security +{ + + typedef bitmap lsa_SystemAccessModeFlags lsa_SystemAccessModeFlags; + + typedef [public,gensize,noprint,nosize,nopull,nopush] struct { + uint8 sid_rev_num; /**< SID revision number */ + [range(0,15)] int8 num_auths; /**< Number of sub-authorities */ + uint8 id_auth[6]; /**< Identifier Authority */ + uint32 sub_auths[15]; + } dom_sid; + /* + access masks are divided up like this: + 0xabccdddd + where + a = generic rights bits SEC_GENERIC_ + b = flags SEC_FLAG_ + c = standard rights bits SEC_STD_ + d = object type specific bits SEC_{FILE,DIR,REG,xxx}_ + + common combinations of bits are prefixed with SEC_RIGHTS_ + */ + const int SEC_MASK_GENERIC = 0xF0000000; + const int SEC_MASK_FLAGS = 0x0F000000; + const int SEC_MASK_STANDARD = 0x00FF0000; + const int SEC_MASK_SPECIFIC = 0x0000FFFF; + + /* generic bits */ + const int SEC_GENERIC_ALL = 0x10000000; + const int SEC_GENERIC_EXECUTE = 0x20000000; + const int SEC_GENERIC_WRITE = 0x40000000; + const int SEC_GENERIC_READ = 0x80000000; + + /* flag bits */ + const int SEC_FLAG_SYSTEM_SECURITY = 0x01000000; + const int SEC_FLAG_MAXIMUM_ALLOWED = 0x02000000; + + /* standard bits */ + const int SEC_STD_DELETE = 0x00010000; + const int SEC_STD_READ_CONTROL = 0x00020000; + const int SEC_STD_WRITE_DAC = 0x00040000; + const int SEC_STD_WRITE_OWNER = 0x00080000; + const int SEC_STD_SYNCHRONIZE = 0x00100000; + const int SEC_STD_REQUIRED = 0x000F0000; + const int SEC_STD_ALL = 0x001F0000; + + /* file specific bits */ + const int SEC_FILE_READ_DATA = 0x00000001; + const int SEC_FILE_WRITE_DATA = 0x00000002; + const int SEC_FILE_APPEND_DATA = 0x00000004; + const int SEC_FILE_READ_EA = 0x00000008; + const int SEC_FILE_WRITE_EA = 0x00000010; + const int SEC_FILE_EXECUTE = 0x00000020; + const int SEC_FILE_READ_ATTRIBUTE = 0x00000080; + const int SEC_FILE_WRITE_ATTRIBUTE = 0x00000100; + const int SEC_FILE_ALL = 0x000001ff; + + /* directory specific bits */ + const int SEC_DIR_LIST = 0x00000001; + const int SEC_DIR_ADD_FILE = 0x00000002; + const int SEC_DIR_ADD_SUBDIR = 0x00000004; + const int SEC_DIR_READ_EA = 0x00000008; + const int SEC_DIR_WRITE_EA = 0x00000010; + const int SEC_DIR_TRAVERSE = 0x00000020; + const int SEC_DIR_DELETE_CHILD = 0x00000040; + const int SEC_DIR_READ_ATTRIBUTE = 0x00000080; + const int SEC_DIR_WRITE_ATTRIBUTE = 0x00000100; + + /* registry entry specific bits */ + const int SEC_REG_QUERY_VALUE = 0x00000001; + const int SEC_REG_SET_VALUE = 0x00000002; + const int SEC_REG_CREATE_SUBKEY = 0x00000004; + const int SEC_REG_ENUM_SUBKEYS = 0x00000008; + const int SEC_REG_NOTIFY = 0x00000010; + const int SEC_REG_CREATE_LINK = 0x00000020; + + /* ldap specific access bits */ + const int SEC_ADS_CREATE_CHILD = 0x00000001; + const int SEC_ADS_DELETE_CHILD = 0x00000002; + const int SEC_ADS_LIST = 0x00000004; + const int SEC_ADS_SELF_WRITE = 0x00000008; + const int SEC_ADS_READ_PROP = 0x00000010; + const int SEC_ADS_WRITE_PROP = 0x00000020; + const int SEC_ADS_DELETE_TREE = 0x00000040; + const int SEC_ADS_LIST_OBJECT = 0x00000080; + const int SEC_ADS_CONTROL_ACCESS = 0x00000100; + + /* invalid bits */ + const int SEC_MASK_INVALID = 0x0ce0fe00; + + /* generic->specific mappings for files */ + const int SEC_RIGHTS_FILE_READ = SEC_STD_READ_CONTROL | + SEC_STD_SYNCHRONIZE | + SEC_FILE_READ_DATA | + SEC_FILE_READ_ATTRIBUTE | + SEC_FILE_READ_EA; + + const int SEC_RIGHTS_FILE_WRITE = SEC_STD_READ_CONTROL | + SEC_STD_SYNCHRONIZE | + SEC_FILE_WRITE_DATA | + SEC_FILE_WRITE_ATTRIBUTE | + SEC_FILE_WRITE_EA | + SEC_FILE_APPEND_DATA; + + const int SEC_RIGHTS_FILE_EXECUTE = SEC_STD_SYNCHRONIZE | + SEC_STD_READ_CONTROL | + SEC_FILE_READ_ATTRIBUTE | + SEC_FILE_EXECUTE; + + const int SEC_RIGHTS_FILE_ALL = SEC_STD_ALL | SEC_FILE_ALL; + + /* generic->specific mappings for directories (same as files) */ + const int SEC_RIGHTS_DIR_READ = SEC_RIGHTS_FILE_READ; + const int SEC_RIGHTS_DIR_WRITE = SEC_RIGHTS_FILE_WRITE; + const int SEC_RIGHTS_DIR_EXECUTE = SEC_RIGHTS_FILE_EXECUTE; + const int SEC_RIGHTS_DIR_ALL = SEC_RIGHTS_FILE_ALL; + + /* rights granted by some specific privileges */ + const int SEC_RIGHTS_PRIV_BACKUP = SEC_STD_READ_CONTROL | + SEC_FLAG_SYSTEM_SECURITY | + SEC_RIGHTS_FILE_READ | + SEC_DIR_TRAVERSE; + + const int SEC_RIGHTS_PRIV_RESTORE = SEC_STD_WRITE_DAC | + SEC_STD_WRITE_OWNER | + SEC_FLAG_SYSTEM_SECURITY | + SEC_RIGHTS_FILE_WRITE | + SEC_DIR_ADD_FILE | + SEC_DIR_ADD_SUBDIR | + SEC_STD_DELETE; + + /* combinations of standard masks. */ + const int STANDARD_RIGHTS_ALL_ACCESS = SEC_STD_ALL; /* 0x001f0000 */ + const int STANDARD_RIGHTS_MODIFY_ACCESS = SEC_STD_READ_CONTROL; /* 0x00020000 */ + const int STANDARD_RIGHTS_EXECUTE_ACCESS = SEC_STD_READ_CONTROL; /* 0x00020000 */ + const int STANDARD_RIGHTS_READ_ACCESS = SEC_STD_READ_CONTROL; /* 0x00020000 */ + const int STANDARD_RIGHTS_WRITE_ACCESS = + (SEC_STD_WRITE_OWNER | + SEC_STD_WRITE_DAC | + SEC_STD_DELETE); /* 0x000d0000 */ + const int STANDARD_RIGHTS_REQUIRED_ACCESS = + (SEC_STD_DELETE | + SEC_STD_READ_CONTROL | + SEC_STD_WRITE_DAC | + SEC_STD_WRITE_OWNER); /* 0x000f0000 */ + + /* generic->specific mappings for Directory Service objects */ + /* directory specific part of GENERIC_ALL */ + const int SEC_ADS_GENERIC_ALL_DS = + (SEC_STD_DELETE | + SEC_STD_WRITE_DAC | + SEC_STD_WRITE_OWNER | + SEC_ADS_CREATE_CHILD | + SEC_ADS_DELETE_CHILD | + SEC_ADS_DELETE_TREE | + SEC_ADS_CONTROL_ACCESS); + const int SEC_ADS_GENERIC_EXECUTE = SEC_STD_READ_CONTROL | SEC_ADS_LIST; + const int SEC_ADS_GENERIC_WRITE = + (SEC_STD_READ_CONTROL | + SEC_ADS_SELF_WRITE | + SEC_ADS_WRITE_PROP); + const int SEC_ADS_GENERIC_READ = + (SEC_STD_READ_CONTROL | + SEC_ADS_LIST | + SEC_ADS_READ_PROP | + SEC_ADS_LIST_OBJECT); + const int SEC_ADS_GENERIC_ALL = + (SEC_ADS_GENERIC_EXECUTE | + SEC_ADS_GENERIC_WRITE | + SEC_ADS_GENERIC_READ | + SEC_ADS_GENERIC_ALL_DS); + + /***************************************************************/ + /* WELL KNOWN SIDS */ + + /* a NULL sid */ + const string SID_NULL = "S-1-0-0"; + + /* the world domain */ + const string NAME_WORLD = "WORLD"; + + const string SID_WORLD_DOMAIN = "S-1-1"; + const string SID_WORLD = "S-1-1-0"; + + /* SECURITY_CREATOR_SID_AUTHORITY */ + const string SID_CREATOR_OWNER_DOMAIN = "S-1-3"; + const string SID_CREATOR_OWNER = "S-1-3-0"; + const string SID_CREATOR_GROUP = "S-1-3-1"; + const string SID_OWNER_RIGHTS = "S-1-3-4"; + + /* SECURITY_NT_AUTHORITY */ + const string NAME_NT_AUTHORITY = "NT AUTHORITY"; + + const string SID_NT_AUTHORITY = "S-1-5"; + const string SID_NT_DIALUP = "S-1-5-1"; + const string SID_NT_NETWORK = "S-1-5-2"; + const string SID_NT_BATCH = "S-1-5-3"; + const string SID_NT_INTERACTIVE = "S-1-5-4"; + const string SID_NT_SERVICE = "S-1-5-6"; + const string SID_NT_ANONYMOUS = "S-1-5-7"; + const string SID_NT_PROXY = "S-1-5-8"; + const string SID_NT_ENTERPRISE_DCS = "S-1-5-9"; + const string SID_NT_SELF = "S-1-5-10"; + const string SID_NT_AUTHENTICATED_USERS = "S-1-5-11"; + const string SID_NT_RESTRICTED = "S-1-5-12"; + const string SID_NT_TERMINAL_SERVER_USERS = "S-1-5-13"; + const string SID_NT_REMOTE_INTERACTIVE = "S-1-5-14"; + const string SID_NT_THIS_ORGANISATION = "S-1-5-15"; + const string SID_NT_IUSR = "S-1-5-17"; + const string SID_NT_SYSTEM = "S-1-5-18"; + const string SID_NT_LOCAL_SERVICE = "S-1-5-19"; + const string SID_NT_NETWORK_SERVICE = "S-1-5-20"; + const string SID_NT_DIGEST_AUTHENTICATION = "S-1-5-64-21"; + const string SID_NT_NTLM_AUTHENTICATION = "S-1-5-64-10"; + const string SID_NT_SCHANNEL_AUTHENTICATION = "S-1-5-64-14"; + const string SID_NT_OTHER_ORGANISATION = "S-1-5-1000"; + + /* SECURITY_BUILTIN_DOMAIN_RID */ + const string NAME_BUILTIN = "BUILTIN"; + + const string SID_BUILTIN = "S-1-5-32"; + const string SID_BUILTIN_ADMINISTRATORS = "S-1-5-32-544"; + const string SID_BUILTIN_USERS = "S-1-5-32-545"; + const string SID_BUILTIN_GUESTS = "S-1-5-32-546"; + const string SID_BUILTIN_POWER_USERS = "S-1-5-32-547"; + const string SID_BUILTIN_ACCOUNT_OPERATORS = "S-1-5-32-548"; + const string SID_BUILTIN_SERVER_OPERATORS = "S-1-5-32-549"; + const string SID_BUILTIN_PRINT_OPERATORS = "S-1-5-32-550"; + const string SID_BUILTIN_BACKUP_OPERATORS = "S-1-5-32-551"; + const string SID_BUILTIN_REPLICATOR = "S-1-5-32-552"; + const string SID_BUILTIN_RAS_SERVERS = "S-1-5-32-553"; + const string SID_BUILTIN_PREW2K = "S-1-5-32-554"; + const string SID_BUILTIN_REMOTE_DESKTOP_USERS = "S-1-5-32-555"; + const string SID_BUILTIN_NETWORK_CONF_OPERATORS = "S-1-5-32-556"; + const string SID_BUILTIN_INCOMING_FOREST_TRUST = "S-1-5-32-557"; + const string SID_BUILTIN_PERFMON_USERS = "S-1-5-32-558"; + const string SID_BUILTIN_PERFLOG_USERS = "S-1-5-32-559"; + const string SID_BUILTIN_AUTH_ACCESS = "S-1-5-32-560"; + const string SID_BUILTIN_TS_LICENSE_SERVERS = "S-1-5-32-561"; + const string SID_BUILTIN_DISTRIBUTED_COM_USERS = "S-1-5-32-562"; + const string SID_BUILTIN_IUSERS = "S-1-5-32-568"; + const string SID_BUILTIN_CRYPTO_OPERATORS = "S-1-5-32-569"; + const string SID_BUILTIN_EVENT_LOG_READERS = "S-1-5-32-573"; + const string SID_BUILTIN_CERT_SERV_DCOM_ACCESS = "S-1-5-32-574"; + const string SID_BUILTIN_RDS_REMOTE_ACCESS_SERVERS = "S-1-5-32-575"; + const string SID_BUILTIN_RDS_ENDPOINT_SERVERS = "S-1-5-32-576"; + const string SID_BUILTIN_RDS_MANAGEMENT_SERVERS = "S-1-5-32-577"; + const string SID_BUILTIN_HYPER_V_ADMINS = "S-1-5-32-578"; + const string SID_BUILTIN_ACCESS_CONTROL_ASSISTANCE_OPS = "S-1-5-32-579"; + const string SID_BUILTIN_REMOTE_MANAGEMENT_USERS = "S-1-5-32-580"; + const string SID_BUILTIN_SYSTEM_MANAGED_ACCOUNTS_GRP = "S-1-5-32-581"; + const string SID_BUILTIN_STORAGE_REPLICA_ADMINISTRATORS = "S-1-5-32-582"; + + const string SID_SECURITY_RESTRICTED_CODE = "S-1-5-33"; + + /* UID/GID mapping Samba style */ + const string SID_SAMBA_UNIX_USER_OWNER = "S-1-22-1"; + const string SID_SAMBA_UNIX_GROUP_OWNER = "S-1-22-2"; + + /* SECURITY_NT_SERVICE */ + const string NAME_NT_SERVICE = "NT SERVICE"; + + const string SID_NT_NT_SERVICE = "S-1-5-80"; + const string SID_NT_TRUSTED_INSTALLER = + "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464"; + + /* + * This is added during the AS-REQ/AS-REP exchange after + * pre-authentication was successful. + */ + const string SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY = "S-1-18-1"; + /* + * This is added during S4U2Self PAC creation. + * + * It won't replace a possible + * SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY + * during S4U2Proxy. + */ + const string SID_SERVICE_ASSERTED_IDENTITY = "S-1-18-2"; + + const string SID_COMPOUNDED_AUTHENTICATION = "S-1-5-21-0-0-0-496"; + const string SID_CLAIMS_VALID = "S-1-5-21-0-0-0-497"; + + const string SID_USER_MODE_DRIVERS = "S-1-5-84-0-0-0-0-0"; + + const string SID_SECURITY_BUILTIN_PACKAGE_ANY_PACKAGE = "S-1-15-2-1"; + + const string SID_SECURITY_MANDATORY_LOW = "S-1-16-4096"; + const string SID_SECURITY_MANDATORY_MEDIUM = "S-1-16-8192"; + const string SID_SECURITY_MANDATORY_MEDIUM_PLUS = "S-1-16-8448"; + const string SID_SECURITY_MANDATORY_HIGH = "S-1-16-12288"; + const string SID_SECURITY_MANDATORY_SYSTEM = "S-1-16-16384"; + + /* + * http://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx + */ + const string SID_NT_NFS_SUBSYSTEM = "S-1-5-88"; + const string SID_NT_NFS_USER = "S-1-5-88-1"; + const string SID_NT_NFS_GROUP = "S-1-5-88-2"; + const string SID_NT_NFS_MASK = "S-1-5-88-3"; + const string SID_NT_NFS_OTHERS = "S-1-5-88-4"; + + /* well-known domain RIDs */ + const int DOMAIN_RID_LOGON = 9; + const int DOMAIN_RID_ENTERPRISE_READONLY_DCS = 498; + const int DOMAIN_RID_ADMINISTRATOR = 500; + const int DOMAIN_RID_GUEST = 501; + const int DOMAIN_RID_KRBTGT = 502; + const int DOMAIN_RID_ADMINS = 512; + const int DOMAIN_RID_USERS = 513; + const int DOMAIN_RID_GUESTS = 514; + const int DOMAIN_RID_DOMAIN_MEMBERS = 515; + const int DOMAIN_RID_DCS = 516; + const int DOMAIN_RID_CERT_ADMINS = 517; + const int DOMAIN_RID_SCHEMA_ADMINS = 518; + const int DOMAIN_RID_ENTERPRISE_ADMINS = 519; + const int DOMAIN_RID_POLICY_ADMINS = 520; + const int DOMAIN_RID_READONLY_DCS = 521; + const int DOMAIN_RID_CLONEABLE_CONTROLLERS = 522; + const int DOMAIN_RID_PROTECTED_USERS = 525; + const int DOMAIN_RID_KEY_ADMINS = 526; + const int DOMAIN_RID_ENTERPRISE_KEY_ADMINS = 527; + const int DOMAIN_RID_RAS_SERVERS = 553; + const int DOMAIN_RID_RODC_ALLOW = 571; + const int DOMAIN_RID_RODC_DENY = 572; + + /* well-known builtin RIDs */ + const int BUILTIN_RID_ADMINISTRATORS = 544; + const int BUILTIN_RID_USERS = 545; + const int BUILTIN_RID_GUESTS = 546; + const int BUILTIN_RID_POWER_USERS = 547; + const int BUILTIN_RID_ACCOUNT_OPERATORS = 548; + const int BUILTIN_RID_SERVER_OPERATORS = 549; + const int BUILTIN_RID_PRINT_OPERATORS = 550; + const int BUILTIN_RID_BACKUP_OPERATORS = 551; + const int BUILTIN_RID_REPLICATOR = 552; + const int BUILTIN_RID_RAS_SERVERS = 553; + const int BUILTIN_RID_PRE_2K_ACCESS = 554; + const int BUILTIN_RID_REMOTE_DESKTOP_USERS = 555; + const int BUILTIN_RID_NETWORK_CONF_OPERATORS = 556; + const int BUILTIN_RID_INCOMING_FOREST_TRUST = 557; + const int BUILTIN_RID_PERFMON_USERS = 558; + const int BUILTIN_RID_PERFLOG_USERS = 559; + const int BUILTIN_RID_AUTH_ACCESS = 560; + const int BUILTIN_RID_TS_LICENSE_SERVERS = 561; + const int BUILTIN_RID_DISTRIBUTED_COM_USERS = 562; + const int BUILTIN_RID_IUSERS = 568; + const int BUILTIN_RID_CRYPTO_OPERATORS = 569; + const int BUILTIN_RID_EVENT_LOG_READERS = 573; + const int BUILTIN_RID_CERT_SERV_DCOM_ACCESS = 574; + const int BUILTIN_RID_RDS_REMOTE_ACCESS_SERVERS = 575; + const int BUILTIN_RID_RDS_ENDPOINT_SERVERS = 576; + const int BUILTIN_RID_RDS_MANAGEMENT_SERVERS = 577; + const int BUILTIN_RID_HYPER_V_ADMINS = 578; + const int BUILTIN_RID_ACCESS_CONTROL_ASSISTANCE_OPS = 579; + const int BUILTIN_RID_REMOTE_MANAGEMENT_USERS = 580; + +/******************************************************************** + This is a list of privileges reported by a WIndows 2008 R2 DC + just for reference purposes (and I know the LUID is not guaranteed + across reboots): + +0x00000002 SeCreateTokenPrivilege "Create a token object" +0x00000003 SeAssignPrimaryTokenPrivilege "Replace a process level token" +0x00000004 SeLockMemoryPrivilege "Lock pages in memory" +0x00000005 SeIncreaseQuotaPrivilege "Adjust memory quotas for a process" +0x00000006 SeMachineAccountPrivilege "Add workstations to domain" +0x00000007 SeTcbPrivilege "Act as part of the operating system" +0x00000008 SeSecurityPrivilege "Manage auditing and security log" +0x00000009 SeTakeOwnershipPrivilege "Take ownership of files or other objects" +0x0000000a SeLoadDriverPrivilege "Load and unload device drivers" +0x0000000b SeSystemProfilePrivilege "Profile system performance" +0x0000000c SeSystemtimePrivilege "Change the system time" +0x0000000d SeProfileSingleProcessPrivilege "Profile single process" +0x0000000e SeIncreaseBasePriorityPrivilege "Increase scheduling priority" +0x0000000f SeCreatePagefilePrivilege "Create a pagefile" +0x00000010 SeCreatePermanentPrivilege "Create permanent shared objects" +0x00000011 SeBackupPrivilege "Back up files and directories" +0x00000012 SeRestorePrivilege "Restore files and directories" +0x00000013 SeShutdownPrivilege "Shut down the system" +0x00000014 SeDebugPrivilege "Debug programs" +0x00000015 SeAuditPrivilege "Generate security audits" +0x00000016 SeSystemEnvironmentPrivilege "Modify firmware environment values" +0x00000017 SeChangeNotifyPrivilege "Bypass traverse checking" +0x00000018 SeRemoteShutdownPrivilege "Force shutdown from a remote system" +0x00000019 SeUndockPrivilege "Remove computer from docking station" +0x0000001a SeSyncAgentPrivilege "Synchronize directory service data" +0x0000001b SeEnableDelegationPrivilege "Enable computer and user accounts to be trusted for delegation" +0x0000001c SeManageVolumePrivilege "Perform volume maintenance tasks" +0x0000001d SeImpersonatePrivilege "Impersonate a client after authentication" +0x0000001e SeCreateGlobalPrivilege "Create global objects" +0x0000001f SeTrustedCredManAccessPrivilege "Access Credential Manager as a trusted caller" +0x00000020 SeRelabelPrivilege "Modify an object label" +0x00000021 SeIncreaseWorkingSetPrivilege "Increase a process working set" +0x00000022 SeTimeZonePrivilege "Change the time zone" +0x00000023 SeCreateSymbolicLinkPrivilege "Create symbolic links" + + ********************************************************************/ + + /* LUID values for privileges known about by Samba (bottom 32 bits of enum, top bits are 0) */ + + /* we have to define the LUID here due to a horrible check by printmig.exe + that requires the SeBackupPrivilege match what is in Windows. So match + those that we implement and start Samba privileges at 0x1001 */ + + typedef enum { + SEC_PRIV_INVALID = 0x0, + SEC_PRIV_INCREASE_QUOTA = 0x5, + SEC_PRIV_MACHINE_ACCOUNT = 0x6, + SEC_PRIV_SECURITY = 0x8, + SEC_PRIV_TAKE_OWNERSHIP = 0x09, + SEC_PRIV_LOAD_DRIVER = 0x0a, + SEC_PRIV_SYSTEM_PROFILE = 0x0b, + SEC_PRIV_SYSTEMTIME = 0x0c, + SEC_PRIV_PROFILE_SINGLE_PROCESS = 0x0d, + SEC_PRIV_INCREASE_BASE_PRIORITY = 0x0e, + SEC_PRIV_CREATE_PAGEFILE = 0x0f, + SEC_PRIV_BACKUP = 0x11, + SEC_PRIV_RESTORE = 0x12, + SEC_PRIV_SHUTDOWN = 0x13, + SEC_PRIV_DEBUG = 0x14, + SEC_PRIV_SYSTEM_ENVIRONMENT = 0x16, + SEC_PRIV_CHANGE_NOTIFY = 0x17, + SEC_PRIV_REMOTE_SHUTDOWN = 0x18, + SEC_PRIV_UNDOCK = 0x19, + SEC_PRIV_ENABLE_DELEGATION = 0x1b, + SEC_PRIV_MANAGE_VOLUME = 0x1c, + SEC_PRIV_IMPERSONATE = 0x1d, + SEC_PRIV_CREATE_GLOBAL = 0x1e, + /* Samba-specific privs */ + SEC_PRIV_PRINT_OPERATOR = 0x1001, + SEC_PRIV_ADD_USERS = 0x1002, + SEC_PRIV_DISK_OPERATOR = 0x1003 + } sec_privilege; + + + /* Bitmap of privilege values for internal use only. We need + * our own bitmap here as privilages.tdb records these values + * as a bitmap (privilages.ldb uses the string forms). + */ + typedef [bitmap64bit] bitmap { + SEC_PRIV_MACHINE_ACCOUNT_BIT = 0x00000010, + + /* Samba-specific privs */ + SEC_PRIV_PRINT_OPERATOR_BIT = 0x00000020, + SEC_PRIV_ADD_USERS_BIT = 0x00000040, + SEC_PRIV_DISK_OPERATOR_BIT = 0x00000080, + + SEC_PRIV_REMOTE_SHUTDOWN_BIT = 0x00000100, + SEC_PRIV_BACKUP_BIT = 0x00000200, + SEC_PRIV_RESTORE_BIT = 0x00000400, + SEC_PRIV_TAKE_OWNERSHIP_BIT = 0x00000800, + /* End of privilages implemented before merge to common code */ + + SEC_PRIV_INCREASE_QUOTA_BIT = 0x00001000, + SEC_PRIV_SECURITY_BIT = 0x00002000, + SEC_PRIV_LOAD_DRIVER_BIT = 0x00004000, + SEC_PRIV_SYSTEM_PROFILE_BIT = 0x00008000, + SEC_PRIV_SYSTEMTIME_BIT = 0x00010000, + SEC_PRIV_PROFILE_SINGLE_PROCESS_BIT = 0x00020000, + SEC_PRIV_INCREASE_BASE_PRIORITY_BIT = 0x00040000, + SEC_PRIV_CREATE_PAGEFILE_BIT = 0x00080000, + SEC_PRIV_SHUTDOWN_BIT = 0x00100000, + SEC_PRIV_DEBUG_BIT = 0x00200000, + SEC_PRIV_SYSTEM_ENVIRONMENT_BIT = 0x00400000, + SEC_PRIV_CHANGE_NOTIFY_BIT = 0x00800000, + SEC_PRIV_UNDOCK_BIT = 0x01000000, + SEC_PRIV_ENABLE_DELEGATION_BIT = 0x02000000, + SEC_PRIV_MANAGE_VOLUME_BIT = 0x04000000, + SEC_PRIV_IMPERSONATE_BIT = 0x08000000, + SEC_PRIV_CREATE_GLOBAL_BIT = 0x10000000 + } se_privilege; + + typedef [bitmap32bit] bitmap { + LSA_POLICY_MODE_INTERACTIVE = 0x00000001, + LSA_POLICY_MODE_NETWORK = 0x00000002, + LSA_POLICY_MODE_BATCH = 0x00000004, + LSA_POLICY_MODE_SERVICE = 0x00000010, + LSA_POLICY_MODE_PROXY = 0x00000020, + LSA_POLICY_MODE_DENY_INTERACTIVE = 0x00000040, + LSA_POLICY_MODE_DENY_NETWORK = 0x00000080, + LSA_POLICY_MODE_DENY_BATCH = 0x00000100, + LSA_POLICY_MODE_DENY_SERVICE = 0x00000200, + LSA_POLICY_MODE_REMOTE_INTERACTIVE = 0x00000400, + LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE = 0x00000800, + LSA_POLICY_MODE_ALL = 0x00000FF7, + LSA_POLICY_MODE_ALL_NT4 = 0x00000037 + } lsa_SystemAccessModeFlags; + + typedef [public,bitmap8bit] bitmap { + SEC_ACE_FLAG_OBJECT_INHERIT = 0x01, + SEC_ACE_FLAG_CONTAINER_INHERIT = 0x02, + SEC_ACE_FLAG_NO_PROPAGATE_INHERIT = 0x04, + SEC_ACE_FLAG_INHERIT_ONLY = 0x08, + SEC_ACE_FLAG_INHERITED_ACE = 0x10, + SEC_ACE_FLAG_VALID_INHERIT = 0x0f, + SEC_ACE_FLAG_SUCCESSFUL_ACCESS = 0x40, + SEC_ACE_FLAG_FAILED_ACCESS = 0x80 + } security_ace_flags; + + typedef [public,enum8bit] enum { + SEC_ACE_TYPE_ACCESS_ALLOWED = 0, + SEC_ACE_TYPE_ACCESS_DENIED = 1, + SEC_ACE_TYPE_SYSTEM_AUDIT = 2, + SEC_ACE_TYPE_SYSTEM_ALARM = 3, + SEC_ACE_TYPE_ALLOWED_COMPOUND = 4, + SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT = 5, + SEC_ACE_TYPE_ACCESS_DENIED_OBJECT = 6, + SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT = 7, + SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT = 8 + } security_ace_type; + + typedef [bitmap32bit] bitmap { + SEC_ACE_OBJECT_TYPE_PRESENT = 0x00000001, + SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x00000002 + } security_ace_object_flags; + + typedef [nodiscriminant] union { + /* this is the 'schemaIDGUID' attribute of the attribute object in the schema naming context */ + [case(SEC_ACE_OBJECT_TYPE_PRESENT)] GUID type; + [default]; + } security_ace_object_type; + + typedef [nodiscriminant] union { + /* this is the 'schemaIDGUID' attribute of the objectclass object in the schema naming context + * (of the parent container) + */ + [case(SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)] GUID inherited_type; + [default]; + } security_ace_object_inherited_type; + + typedef struct { + security_ace_object_flags flags; + [switch_is(flags & SEC_ACE_OBJECT_TYPE_PRESENT)] security_ace_object_type type; + [switch_is(flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)] security_ace_object_inherited_type inherited_type; + } security_ace_object; + + typedef [public,nodiscriminant] union { + [case(SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT)] security_ace_object object; + [case(SEC_ACE_TYPE_ACCESS_DENIED_OBJECT)] security_ace_object object; + [case(SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT)] security_ace_object object; + [case(SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT)] security_ace_object object; + [default]; + } security_ace_object_ctr; + + typedef [public,nopull,gensize,nosize] struct { + security_ace_type type; /* SEC_ACE_TYPE_* */ + security_ace_flags flags; /* SEC_ACE_FLAG_* */ + [value(ndr_size_security_ace(r,ndr->flags))] uint16 size; + uint32 access_mask; + [switch_is(type)] security_ace_object_ctr object; + dom_sid trustee; + } security_ace; + + typedef enum { + SECURITY_ACL_REVISION_NT4 = 2, + SECURITY_ACL_REVISION_ADS = 4 + } security_acl_revision; + + const uint NT4_ACL_REVISION = SECURITY_ACL_REVISION_NT4; + + typedef [public,gensize,nosize] struct { + security_acl_revision revision; + [value(ndr_size_security_acl(r,ndr->flags))] uint16 size; + [range(0,2000)] uint32 num_aces; + security_ace aces[num_aces]; + } security_acl; + + /* default revision for new ACLs */ + typedef [public,enum8bit] enum { + SECURITY_DESCRIPTOR_REVISION_1 = 1 + } security_descriptor_revision; + + const int SD_REVISION = SECURITY_DESCRIPTOR_REVISION_1; + + /* security_descriptor->type bits */ + typedef [public,bitmap16bit] bitmap { + SEC_DESC_OWNER_DEFAULTED = 0x0001, + SEC_DESC_GROUP_DEFAULTED = 0x0002, + SEC_DESC_DACL_PRESENT = 0x0004, + SEC_DESC_DACL_DEFAULTED = 0x0008, + SEC_DESC_SACL_PRESENT = 0x0010, + SEC_DESC_SACL_DEFAULTED = 0x0020, + SEC_DESC_DACL_TRUSTED = 0x0040, + SEC_DESC_SERVER_SECURITY = 0x0080, + SEC_DESC_DACL_AUTO_INHERIT_REQ = 0x0100, + SEC_DESC_SACL_AUTO_INHERIT_REQ = 0x0200, + SEC_DESC_DACL_AUTO_INHERITED = 0x0400, + SEC_DESC_SACL_AUTO_INHERITED = 0x0800, + SEC_DESC_DACL_PROTECTED = 0x1000, + SEC_DESC_SACL_PROTECTED = 0x2000, + SEC_DESC_RM_CONTROL_VALID = 0x4000, + SEC_DESC_SELF_RELATIVE = 0x8000 + } security_descriptor_type; + + typedef [gensize,nosize,public,flag(NDR_LITTLE_ENDIAN)] struct { + security_descriptor_revision revision; + security_descriptor_type type; /* SEC_DESC_xxxx flags */ + [relative] dom_sid *owner_sid; + [relative] dom_sid *group_sid; + [relative] security_acl *sacl; /* system ACL */ + [relative] security_acl *dacl; /* user (discretionary) ACL */ + } security_descriptor; + + typedef [public] struct { + [range(0,0x40000),value(ndr_size_security_descriptor(sd,ndr->flags))] uint32 sd_size; + [subcontext(4)] security_descriptor *sd; + } sec_desc_buf; + + /* Group attributes, used to be samr_GroupAttrs */ + typedef [public,bitmap32bit] bitmap { + SE_GROUP_MANDATORY = 0x00000001, + SE_GROUP_ENABLED_BY_DEFAULT = 0x00000002, + SE_GROUP_ENABLED = 0x00000004, + SE_GROUP_OWNER = 0x00000008, + SE_GROUP_USE_FOR_DENY_ONLY = 0x00000010, + SE_GROUP_INTEGRITY = 0x00000020, + SE_GROUP_INTEGRITY_ENABLED = 0x00000040, + SE_GROUP_RESOURCE = 0x20000000, + SE_GROUP_LOGON_ID = 0xC0000000 + } security_GroupAttrs; + + /* This is not yet sent over the network, but is simply defined in IDL */ + typedef [public] struct { + uint32 num_sids; + [size_is(num_sids)] dom_sid sids[*]; + se_privilege privilege_mask; + lsa_SystemAccessModeFlags rights_mask; + } security_token; + + /* This is not yet sent over the network, but is simply defined in IDL */ + typedef [public] struct { + uid_t uid; + gid_t gid; + uint32 ngroups; + [size_is(ngroups)] gid_t groups[*]; + } security_unix_token; + + /* bits that determine which parts of a security descriptor + are being queried/set */ + typedef [public,bitmap32bit] bitmap { + SECINFO_OWNER = 0x00000001, + SECINFO_GROUP = 0x00000002, + SECINFO_DACL = 0x00000004, + SECINFO_SACL = 0x00000008, + SECINFO_LABEL = 0x00000010, + SECINFO_ATTRIBUTE = 0x00000020, + SECINFO_SCOPE = 0x00000040, + SECINFO_BACKUP = 0x00010000, + SECINFO_UNPROTECTED_SACL = 0x10000000, + SECINFO_UNPROTECTED_DACL = 0x20000000, + SECINFO_PROTECTED_SACL = 0x40000000, + SECINFO_PROTECTED_DACL = 0x80000000 + } security_secinfo; + + /* + * a SMB server should only support the following flags + * and ignore all others. + * + * See AdditionalInformation in [MS-SMB2] 2.2.37 SMB2 QUERY_INFO Request + * and 2.2.39 SMB2 SET_INFO Request. + */ + const int SMB_SUPPORTED_SECINFO_FLAGS = ( + SECINFO_OWNER | + SECINFO_GROUP | + SECINFO_DACL | + SECINFO_SACL | + SECINFO_LABEL | + SECINFO_ATTRIBUTE | + SECINFO_SCOPE | + SECINFO_BACKUP | + 0); + + /* + * See [MS-KILE] 2.2.5 LSAP_TOKEN_INFO_INTEGRITY + */ + typedef [public,gensize,flag(NDR_PAHEX)] struct { + uint32 Flags; + uint32 TokenIL; + uint8 MachineId[32]; + } LSAP_TOKEN_INFO_INTEGRITY; + + /* + * See [MS-KILE] 2.2.6 Supported Encryption Types Bit Flags + */ + typedef [public,bitmap32bit] bitmap { + KERB_ENCTYPE_DES_CBC_CRC = 0x00000001, + KERB_ENCTYPE_DES_CBC_MD5 = 0x00000002, + KERB_ENCTYPE_RC4_HMAC_MD5 = 0x00000004, + KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 0x00000008, + KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010, + KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK = 0x00000020, + KERB_ENCTYPE_FAST_SUPPORTED = 0x00010000, + KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED = 0x00020000, + KERB_ENCTYPE_CLAIMS_SUPPORTED = 0x00040000, + KERB_ENCTYPE_RESOURCE_SID_COMPRESSION_DISABLED = 0x00080000 + } kerb_EncTypes; + + typedef [public,bitmap32bit] bitmap { + SEC_DACL_AUTO_INHERIT = 0x00000001, + SEC_SACL_AUTO_INHERIT = 0x00000002, + SEC_DEFAULT_DESCRIPTOR = 0x00000004, + SEC_OWNER_FROM_PARENT = 0x00000008, + SEC_GROUP_FROM_PARENT = 0x00000010 + } security_autoinherit; + + /***************************************************************/ + /* Extended right guids */ + + const string GUID_DRS_ALLOCATE_RIDS = "1abd7cf8-0a99-11d1-adbb-00c04fd8d5cd"; + const string GUID_DRS_CHANGE_DOMAIN_MASTER = "014bf69c-7b3b-11d1-85f6-08002be74fab"; + const string GUID_DRS_CHANGE_INFR_MASTER = "cc17b1fb-33d9-11d2-97d4-00c04fd8d5cd"; + const string GUID_DRS_CHANGE_PDC = "bae50096-4752-11d1-9052-00c04fc2d4cf"; + const string GUID_DRS_CHANGE_RID_MASTER = "d58d5f36-0a98-11d1-adbb-00c04fd8d5cd"; + const string GUID_DRS_CHANGE_SCHEMA_MASTER = "e12b56b6-0a95-11d1-adbb-00c04fd8d5cd"; + const string GUID_DRS_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"; + const string GUID_DRS_REPL_SYNCRONIZE = "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2"; + const string GUID_DRS_MANAGE_TOPOLOGY = "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2"; + const string GUID_DRS_GET_ALL_CHANGES = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"; + const string GUID_DRS_RO_REPL_SECRET_SYNC = "1131f6ae-9c07-11d1-f79f-00c04fc2dcd2"; + const string GUID_DRS_GET_FILTERED_ATTRIBUTES = "89e95b76-444d-4c62-991a-0facbeda640c"; + const string GUID_DRS_MONITOR_TOPOLOGY = "f98340fb-7c5b-4cdb-a00b-2ebdfa115a96"; + const string GUID_DRS_USER_CHANGE_PASSWORD = "ab721a53-1e2f-11d0-9819-00aa0040529b"; + const string GUID_DRS_FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"; + const string GUID_DRS_UPDATE_PASSWORD_NOT_REQUIRED_BIT + = "280f369c-67c7-438e-ae98-1d46f3c6f541"; + const string GUID_DRS_UNEXPIRE_PASSWORD = "ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501"; + const string GUID_DRS_ENABLE_PER_USER_REVERSIBLY_ENCRYPTED_PASSWORD + = "05c74c5e-4deb-43b4-bd9f-86664c2a7fd5"; + const string GUID_DRS_DS_INSTALL_REPLICA = "9923a32a-3607-11d2-b9be-0000f87a36b2"; + const string GUID_DRS_REANIMATE_TOMBSTONE = "45ec5156-db7e-47bb-b53f-dbeb2d03c40f"; + const string GUID_DRS_ALLOWED_TO_AUTHENTICATE = "68b1d179-0d15-4D4F-ab71-46152e79a7bc"; + + /***************************************************************/ + /* validated writes guids */ + const string GUID_DRS_VALIDATE_SPN = "f3a64788-5306-11d1-a9c5-0000f80367c1"; + const string GUID_DRS_SELF_MEMBERSHIP = "bf9679c0-0de6-11d0-a285-00aa003049e2"; + const string GUID_DRS_DNS_HOST_NAME = "72e39547-7b18-11d1-adef-00c04fd8d5cd"; + const string GUID_DRS_ADD_DNS_HOST_NAME = "80863791-dbe9-4eb8-837e-7f0ab55d9ac7"; + const string GUID_DRS_BEHAVIOR_VERSION = "d31a8757-2447-4545-8081-3bb610cacbf2"; + + /* A type to describe the mapping of generic access rights to object + specific access rights. */ + + typedef struct { + uint32 generic_read; + uint32 generic_write; + uint32 generic_execute; + uint32 generic_all; + } generic_mapping; + + typedef struct { + uint32 std_read; + uint32 std_write; + uint32 std_execute; + uint32 std_all; + } standard_mapping; +} |