#include "idl_types.h"

/*
  security IDL structures
*/

import "misc.idl";

/*
  use the same structure for dom_sid2 as dom_sid. A dom_sid2 is really
  just a dom sid, but with the sub_auths represented as a conformant
  array. As with all in-structure conformant arrays, the array length
  is placed before the start of the structure. That's what gives rise
  to the extra num_auths element. We don't want the Samba code to
  have to bother with such esoteric NDR details, so it's easier to just
  define it as a dom_sid and use pidl magic to make it all work. It
  just means you need to mark a sid as a "dom_sid2" in the IDL when you
  know it is of the conformant array variety
*/
cpp_quote("#define dom_sid2 dom_sid")

/* same struct as dom_sid but inside a 28 bytes fixed buffer in NDR */
cpp_quote("#define dom_sid28 dom_sid")

/* same struct as dom_sid but in a variable byte buffer, which is maybe empty in NDR */
cpp_quote("#define dom_sid0 dom_sid")
[
	pyhelper("librpc/ndr/py_security.c"),
	pointer_default(unique)
]
interface security
{

	/* forward declaration; the bitmap itself is defined further down */
	typedef bitmap lsa_SystemAccessModeFlags lsa_SystemAccessModeFlags;

	/* Security identifier. Marshalling is hand-written (nopull/nopush),
	 * so the generated code does not enforce the range(0,15) on num_auths;
	 * it documents the bound the hand-written pull must apply so that the
	 * fixed 15-entry sub_auths array is never overrun. */
	typedef [public,gensize,noprint,nosize,nopull,nopush] struct {
		uint8  sid_rev_num;             /**< SID revision number */
		[range(0,15)] int8  num_auths;  /**< Number of sub-authorities */
		uint8  id_auth[6];              /**< Identifier Authority */
		uint32 sub_auths[15];           /**< Sub-authorities; only the first num_auths entries are used */
	} dom_sid;
	/*
	  access masks are divided up like this:
	                0xabccdddd
	  where
	     a = generic rights bits        SEC_GENERIC_
	     b = flags                      SEC_FLAG_
	     c = standard rights bits       SEC_STD_
	     d = object type specific bits  SEC_{FILE,DIR,REG,xxx}_

	  common combinations of bits are prefixed with SEC_RIGHTS_
	*/
	const int SEC_MASK_GENERIC         = 0xF0000000;
	const int SEC_MASK_FLAGS           = 0x0F000000;
	const int SEC_MASK_STANDARD        = 0x00FF0000;
	const int SEC_MASK_SPECIFIC        = 0x0000FFFF;

	/* generic bits */
	const int SEC_GENERIC_ALL          = 0x10000000;
	const int SEC_GENERIC_EXECUTE      = 0x20000000;
	const int SEC_GENERIC_WRITE        = 0x40000000;
	const int SEC_GENERIC_READ         = 0x80000000;

	/* flag bits */
	const int SEC_FLAG_SYSTEM_SECURITY = 0x01000000;
	const int SEC_FLAG_MAXIMUM_ALLOWED = 0x02000000;

	/* standard bits */
	const int SEC_STD_DELETE           = 0x00010000;
	const int SEC_STD_READ_CONTROL     = 0x00020000;
	const int SEC_STD_WRITE_DAC        = 0x00040000;
	const int SEC_STD_WRITE_OWNER      = 0x00080000;
	const int SEC_STD_SYNCHRONIZE      = 0x00100000;
	const int SEC_STD_REQUIRED         = 0x000F0000;
	const int SEC_STD_ALL              = 0x001F0000;

	/* file specific bits */
	const int SEC_FILE_READ_DATA       = 0x00000001;
	const int SEC_FILE_WRITE_DATA      = 0x00000002;
	const int SEC_FILE_APPEND_DATA     = 0x00000004;
	const int SEC_FILE_READ_EA         = 0x00000008;
	const int SEC_FILE_WRITE_EA        = 0x00000010;
	const int SEC_FILE_EXECUTE         = 0x00000020;
	const int SEC_FILE_READ_ATTRIBUTE  = 0x00000080;
	const int SEC_FILE_WRITE_ATTRIBUTE = 0x00000100;
	const int SEC_FILE_ALL             = 0x000001ff;

	/* directory specific bits */
	const int SEC_DIR_LIST             = 0x00000001;
	const int SEC_DIR_ADD_FILE         = 0x00000002;
	const int SEC_DIR_ADD_SUBDIR       = 0x00000004;
	const int SEC_DIR_READ_EA          = 0x00000008;
	const int SEC_DIR_WRITE_EA         = 0x00000010;
	const int SEC_DIR_TRAVERSE         = 0x00000020;
	const int SEC_DIR_DELETE_CHILD     = 0x00000040;
	const int SEC_DIR_READ_ATTRIBUTE   = 0x00000080;
	const int SEC_DIR_WRITE_ATTRIBUTE  = 0x00000100;

	/* registry entry specific bits */
	const int SEC_REG_QUERY_VALUE      = 0x00000001;
	const int SEC_REG_SET_VALUE        = 0x00000002;
	const int SEC_REG_CREATE_SUBKEY    = 0x00000004;
	const int SEC_REG_ENUM_SUBKEYS     = 0x00000008;
	const int SEC_REG_NOTIFY           = 0x00000010;
	const int SEC_REG_CREATE_LINK      = 0x00000020;

	/* ldap specific access bits */
	const int SEC_ADS_CREATE_CHILD     = 0x00000001;
	const int SEC_ADS_DELETE_CHILD     = 0x00000002;
	const int SEC_ADS_LIST             = 0x00000004;
	const int SEC_ADS_SELF_WRITE       = 0x00000008;
	const int SEC_ADS_READ_PROP        = 0x00000010;
	const int SEC_ADS_WRITE_PROP       = 0x00000020;
	const int SEC_ADS_DELETE_TREE      = 0x00000040;
	const int SEC_ADS_LIST_OBJECT      = 0x00000080;
	const int SEC_ADS_CONTROL_ACCESS   = 0x00000100;

	/* invalid bits: the flag, standard and type-specific bit positions
	 * that none of the SEC_FLAG_/SEC_STD_/SEC_*_ constants above define;
	 * a requested mask with any of these set should be rejected */
	const int SEC_MASK_INVALID         = 0x0ce0fe00;

	/* generic->specific mappings for files */
	const int SEC_RIGHTS_FILE_READ    = SEC_STD_READ_CONTROL |
					    SEC_STD_SYNCHRONIZE |
					    SEC_FILE_READ_DATA |
					    SEC_FILE_READ_ATTRIBUTE |
					    SEC_FILE_READ_EA;

	const int SEC_RIGHTS_FILE_WRITE   = SEC_STD_READ_CONTROL |
					    SEC_STD_SYNCHRONIZE |
					    SEC_FILE_WRITE_DATA |
					    SEC_FILE_WRITE_ATTRIBUTE |
					    SEC_FILE_WRITE_EA |
					    SEC_FILE_APPEND_DATA;

	const int SEC_RIGHTS_FILE_EXECUTE = SEC_STD_SYNCHRONIZE |
					    SEC_STD_READ_CONTROL |
					    SEC_FILE_READ_ATTRIBUTE |
					    SEC_FILE_EXECUTE;

	const int SEC_RIGHTS_FILE_ALL     = SEC_STD_ALL | SEC_FILE_ALL;

	/* generic->specific mappings for directories (same as files) */
	const int SEC_RIGHTS_DIR_READ     = SEC_RIGHTS_FILE_READ;
	const int SEC_RIGHTS_DIR_WRITE    = SEC_RIGHTS_FILE_WRITE;
	const int SEC_RIGHTS_DIR_EXECUTE  = SEC_RIGHTS_FILE_EXECUTE;
	const int SEC_RIGHTS_DIR_ALL      = SEC_RIGHTS_FILE_ALL;

	/* rights granted by some specific privileges */
	const int SEC_RIGHTS_PRIV_BACKUP  = SEC_STD_READ_CONTROL |
					    SEC_FLAG_SYSTEM_SECURITY |
					    SEC_GENERIC_READ;
	const int SEC_RIGHTS_DIR_PRIV_BACKUP = SEC_RIGHTS_PRIV_BACKUP |
					       SEC_DIR_TRAVERSE;

	const int SEC_RIGHTS_PRIV_RESTORE = SEC_STD_WRITE_DAC |
					    SEC_STD_WRITE_OWNER |
					    SEC_FLAG_SYSTEM_SECURITY |
					    SEC_STD_DELETE;
	const int SEC_RIGHTS_DIR_PRIV_RESTORE = SEC_RIGHTS_PRIV_RESTORE |
						SEC_DIR_ADD_FILE |
						SEC_DIR_ADD_SUBDIR;

	/* combinations of standard masks. */
	const int STANDARD_RIGHTS_ALL_ACCESS     = SEC_STD_ALL;          /* 0x001f0000 */
	const int STANDARD_RIGHTS_MODIFY_ACCESS  = SEC_STD_READ_CONTROL; /* 0x00020000 */
	const int STANDARD_RIGHTS_EXECUTE_ACCESS = SEC_STD_READ_CONTROL; /* 0x00020000 */
	const int STANDARD_RIGHTS_READ_ACCESS    = SEC_STD_READ_CONTROL; /* 0x00020000 */
	const int STANDARD_RIGHTS_WRITE_ACCESS =
		(SEC_STD_WRITE_OWNER |
		 SEC_STD_WRITE_DAC |
		 SEC_STD_DELETE);                                        /* 0x000d0000 */
	const int STANDARD_RIGHTS_REQUIRED_ACCESS =
		(SEC_STD_DELETE |
		 SEC_STD_READ_CONTROL |
		 SEC_STD_WRITE_DAC |
		 SEC_STD_WRITE_OWNER);                                   /* 0x000f0000 */

	/* generic->specific mappings for Directory Service objects */
	/* directory specific part of GENERIC_ALL */
	const int SEC_ADS_GENERIC_ALL_DS =
		(SEC_STD_DELETE |
		 SEC_STD_WRITE_DAC |
		 SEC_STD_WRITE_OWNER |
		 SEC_ADS_CREATE_CHILD |
		 SEC_ADS_DELETE_CHILD |
		 SEC_ADS_DELETE_TREE |
		 SEC_ADS_CONTROL_ACCESS);
	const int SEC_ADS_GENERIC_EXECUTE = SEC_STD_READ_CONTROL | SEC_ADS_LIST;
	const int SEC_ADS_GENERIC_WRITE =
		(SEC_STD_READ_CONTROL |
		 SEC_ADS_SELF_WRITE |
		 SEC_ADS_WRITE_PROP);
	const int SEC_ADS_GENERIC_READ =
		(SEC_STD_READ_CONTROL |
		 SEC_ADS_LIST |
		 SEC_ADS_READ_PROP |
		 SEC_ADS_LIST_OBJECT);
	const int SEC_ADS_GENERIC_ALL =
		(SEC_ADS_GENERIC_EXECUTE |
		 SEC_ADS_GENERIC_WRITE |
		 SEC_ADS_GENERIC_READ |
		 SEC_ADS_GENERIC_ALL_DS);

	/***************************************************************/
	/* WELL KNOWN SIDS */

	/* a NULL sid */
	const string SID_NULL = "S-1-0-0";

	/* the world domain */
	const string NAME_WORLD = "WORLD";

	const string SID_WORLD_DOMAIN = "S-1-1";
	const string SID_WORLD        = "S-1-1-0";

	/* SECURITY_CREATOR_SID_AUTHORITY */
	const string SID_CREATOR_OWNER_DOMAIN = "S-1-3";
	const string SID_CREATOR_OWNER        = "S-1-3-0";
	const string SID_CREATOR_GROUP        = "S-1-3-1";
	const string SID_OWNER_RIGHTS         = "S-1-3-4";

	/* SECURITY_NT_AUTHORITY */
	const string NAME_NT_AUTHORITY = "NT AUTHORITY";

	const string SID_NT_AUTHORITY               = "S-1-5";
	const string SID_NT_DIALUP                  = "S-1-5-1";
	const string SID_NT_NETWORK                 = "S-1-5-2";
	const string SID_NT_BATCH                   = "S-1-5-3";
	const string SID_NT_INTERACTIVE             = "S-1-5-4";
	const string SID_NT_SERVICE                 = "S-1-5-6";
	const string SID_NT_ANONYMOUS               = "S-1-5-7";
	const string SID_NT_PROXY                   = "S-1-5-8";
	const string SID_NT_ENTERPRISE_DCS          = "S-1-5-9";
	const string SID_NT_SELF                    = "S-1-5-10";
	const string SID_NT_AUTHENTICATED_USERS     = "S-1-5-11";
	const string SID_NT_RESTRICTED              = "S-1-5-12";
	const string SID_NT_TERMINAL_SERVER_USERS   = "S-1-5-13";
	const string SID_NT_REMOTE_INTERACTIVE      = "S-1-5-14";
	const string SID_NT_THIS_ORGANISATION       = "S-1-5-15";
	const string SID_NT_IUSR                    = "S-1-5-17";
	const string SID_NT_SYSTEM                  = "S-1-5-18";
	const string SID_NT_LOCAL_SERVICE           = "S-1-5-19";
	const string SID_NT_NETWORK_SERVICE         = "S-1-5-20";
	const string SID_NT_DIGEST_AUTHENTICATION   = "S-1-5-64-21";
	const string SID_NT_NTLM_AUTHENTICATION     = "S-1-5-64-10";
	const string SID_NT_SCHANNEL_AUTHENTICATION = "S-1-5-64-14";
	const string SID_NT_OTHER_ORGANISATION      = "S-1-5-1000";

	/* SECURITY_BUILTIN_DOMAIN_RID */
	const string NAME_BUILTIN = "BUILTIN";

	const string SID_BUILTIN                        = "S-1-5-32";
	const string SID_BUILTIN_ADMINISTRATORS         = "S-1-5-32-544";
	const string SID_BUILTIN_USERS                  = "S-1-5-32-545";
	const string SID_BUILTIN_GUESTS                 = "S-1-5-32-546";
	const string SID_BUILTIN_POWER_USERS            = "S-1-5-32-547";
	const string SID_BUILTIN_ACCOUNT_OPERATORS      = "S-1-5-32-548";
	const string SID_BUILTIN_SERVER_OPERATORS       = "S-1-5-32-549";
	const string SID_BUILTIN_PRINT_OPERATORS        = "S-1-5-32-550";
	const string SID_BUILTIN_BACKUP_OPERATORS       = "S-1-5-32-551";
	const string SID_BUILTIN_REPLICATOR             = "S-1-5-32-552";
	const string SID_BUILTIN_RAS_SERVERS            = "S-1-5-32-553";
	const string SID_BUILTIN_PREW2K                 = "S-1-5-32-554";
	const string SID_BUILTIN_REMOTE_DESKTOP_USERS   = "S-1-5-32-555";
	const string SID_BUILTIN_NETWORK_CONF_OPERATORS = "S-1-5-32-556";
	const string SID_BUILTIN_INCOMING_FOREST_TRUST  = "S-1-5-32-557";
	const string SID_BUILTIN_PERFMON_USERS          = "S-1-5-32-558";
	const string SID_BUILTIN_PERFLOG_USERS          = "S-1-5-32-559";
	const string SID_BUILTIN_AUTH_ACCESS            = "S-1-5-32-560";
	const string SID_BUILTIN_TS_LICENSE_SERVERS     = "S-1-5-32-561";

	/* SECURITY_NT_SERVICE */
	const string NAME_NT_SERVICE = "NT SERVICE";

	const string SID_NT_NT_SERVICE = "S-1-5-80";
	const string SID_NT_TRUSTED_INSTALLER =
		"S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464";

	/* well-known domain RIDs */
	const int DOMAIN_RID_LOGON                   = 9;
	const int DOMAIN_RID_ENTERPRISE_READONLY_DCS = 498;
	const int DOMAIN_RID_ADMINISTRATOR           = 500;
	const int DOMAIN_RID_GUEST                   = 501;
	const int DOMAIN_RID_KRBTGT                  = 502;
	const int DOMAIN_RID_ADMINS                  = 512;
	const int DOMAIN_RID_USERS                   = 513;
	const int DOMAIN_RID_GUESTS                  = 514;
	const int DOMAIN_RID_DOMAIN_MEMBERS          = 515;
	const int DOMAIN_RID_DCS                     = 516;
	const int DOMAIN_RID_CERT_ADMINS             = 517;
	const int DOMAIN_RID_SCHEMA_ADMINS           = 518;
	const int DOMAIN_RID_ENTERPRISE_ADMINS       = 519;
	const int DOMAIN_RID_POLICY_ADMINS           = 520;
	const int DOMAIN_RID_READONLY_DCS            = 521;
	const int DOMAIN_RID_RAS_SERVERS             = 553;
	const int DOMAIN_RID_RODC_ALLOW              = 571;
	const int DOMAIN_RID_RODC_DENY               = 572;

	/* well-known builtin RIDs */
	const int BUILTIN_RID_ADMINISTRATORS         = 544;
	const int BUILTIN_RID_USERS                  = 545;
	const int BUILTIN_RID_GUESTS                 = 546;
	const int BUILTIN_RID_POWER_USERS            = 547;
	const int BUILTIN_RID_ACCOUNT_OPERATORS      = 548;
	const int BUILTIN_RID_SERVER_OPERATORS       = 549;
	const int BUILTIN_RID_PRINT_OPERATORS        = 550;
	const int BUILTIN_RID_BACKUP_OPERATORS       = 551;
	const int BUILTIN_RID_REPLICATOR             = 552;
	const int BUILTIN_RID_RAS_SERVERS            = 553;
	const int BUILTIN_RID_PRE_2K_ACCESS          = 554;
	const int BUILTIN_RID_REMOTE_DESKTOP_USERS   = 555;
	const int BUILTIN_RID_NETWORK_CONF_OPERATORS = 556;
	const int BUILTIN_RID_INCOMING_FOREST_TRUST  = 557;
	const int BUILTIN_RID_PERFMON_USERS          = 558;
	const int BUILTIN_RID_PERFLOG_USERS          = 559;
	const int BUILTIN_RID_AUTH_ACCESS            = 560;
	const int BUILTIN_RID_TS_LICENSE_SERVERS     = 561;

/********************************************************************
 This is a list of privileges reported by a Windows 2008 R2 DC
 just for reference purposes (and I know the LUID is not guaranteed
 across reboots):

0x00000002 SeCreateTokenPrivilege "Create a token object"
0x00000003 SeAssignPrimaryTokenPrivilege "Replace a process level token"
0x00000004 SeLockMemoryPrivilege "Lock pages in memory"
0x00000005 SeIncreaseQuotaPrivilege "Adjust memory quotas for a process"
0x00000006 SeMachineAccountPrivilege "Add workstations to domain"
0x00000007 SeTcbPrivilege "Act as part of the operating system"
0x00000008 SeSecurityPrivilege "Manage auditing and security log"
0x00000009 SeTakeOwnershipPrivilege "Take ownership of files or other objects"
0x0000000a SeLoadDriverPrivilege "Load and unload device drivers"
0x0000000b SeSystemProfilePrivilege "Profile system performance"
0x0000000c SeSystemtimePrivilege "Change the system time"
0x0000000d SeProfileSingleProcessPrivilege "Profile single process"
0x0000000e SeIncreaseBasePriorityPrivilege "Increase scheduling priority"
0x0000000f SeCreatePagefilePrivilege "Create a pagefile"
0x00000010 SeCreatePermanentPrivilege "Create permanent shared objects"
0x00000011 SeBackupPrivilege "Back up files and directories"
0x00000012 SeRestorePrivilege "Restore files and directories"
0x00000013 SeShutdownPrivilege "Shut down the system"
0x00000014 SeDebugPrivilege "Debug programs"
0x00000015 SeAuditPrivilege "Generate security audits"
0x00000016 SeSystemEnvironmentPrivilege "Modify firmware environment values"
0x00000017 SeChangeNotifyPrivilege "Bypass traverse checking"
0x00000018 SeRemoteShutdownPrivilege "Force shutdown from a remote system"
0x00000019 SeUndockPrivilege "Remove computer from docking station"
0x0000001a SeSyncAgentPrivilege "Synchronize directory service data"
0x0000001b SeEnableDelegationPrivilege "Enable computer and user accounts to be trusted for delegation"
0x0000001c SeManageVolumePrivilege "Perform volume maintenance tasks"
0x0000001d SeImpersonatePrivilege "Impersonate a client after authentication"
0x0000001e SeCreateGlobalPrivilege "Create global objects"
0x0000001f SeTrustedCredManAccessPrivilege "Access Credential Manager as a trusted caller"
0x00000020 SeRelabelPrivilege "Modify an object label"
0x00000021 SeIncreaseWorkingSetPrivilege "Increase a process working set"
0x00000022 SeTimeZonePrivilege "Change the time zone"
0x00000023 SeCreateSymbolicLinkPrivilege "Create symbolic links"

 ********************************************************************/

	/* LUID values for privileges known about by Samba (bottom 32 bits of enum, top bits are 0) */

	/* we have to define the LUID here due to a horrible check by printmig.exe
	   that requires the SeBackupPrivilege match what is in Windows.  So match
	   those that we implement and start Samba privileges at 0x1001 */

	/* Values below 0x1001 are the Windows LUIDs from the reference list
	 * above; Samba-only privileges start at 0x1001 so they cannot collide. */
	typedef enum {
		SEC_PRIV_INVALID = 0x0,
		SEC_PRIV_INCREASE_QUOTA = 0x5,
		SEC_PRIV_MACHINE_ACCOUNT = 0x6,
		SEC_PRIV_SECURITY = 0x8,
		SEC_PRIV_TAKE_OWNERSHIP = 0x09,
		SEC_PRIV_LOAD_DRIVER = 0x0a,
		SEC_PRIV_SYSTEM_PROFILE = 0x0b,
		SEC_PRIV_SYSTEMTIME = 0x0c,
		SEC_PRIV_PROFILE_SINGLE_PROCESS = 0x0d,
		SEC_PRIV_INCREASE_BASE_PRIORITY = 0x0e,
		SEC_PRIV_CREATE_PAGEFILE = 0x0f,
		SEC_PRIV_BACKUP = 0x11,
		SEC_PRIV_RESTORE = 0x12,
		SEC_PRIV_SHUTDOWN = 0x13,
		SEC_PRIV_DEBUG = 0x14,
		SEC_PRIV_SYSTEM_ENVIRONMENT = 0x16,
		SEC_PRIV_CHANGE_NOTIFY = 0x17,
		SEC_PRIV_REMOTE_SHUTDOWN = 0x18,
		SEC_PRIV_UNDOCK = 0x19,
		SEC_PRIV_ENABLE_DELEGATION = 0x1b,
		SEC_PRIV_MANAGE_VOLUME = 0x1c,
		SEC_PRIV_IMPERSONATE = 0x1d,
		SEC_PRIV_CREATE_GLOBAL = 0x1e,
		/* Samba-specific privs */
		SEC_PRIV_PRINT_OPERATOR = 0x1001,
		SEC_PRIV_ADD_USERS = 0x1002,
		SEC_PRIV_DISK_OPERATOR = 0x1003
	} sec_privilege;


	/* Bitmap of privilege values for internal use only.  We need
	 * our own bitmap here as privileges.tdb records these values
	 * as a bitmap (privileges.ldb uses the string forms).
	 *
	 * The bit positions are a persistent on-disk format: do not renumber
	 * existing bits, only append new ones. */
	typedef [bitmap64bit] bitmap {
		SEC_PRIV_MACHINE_ACCOUNT_BIT         = 0x00000010,

		/* Samba-specific privs */
		SEC_PRIV_PRINT_OPERATOR_BIT          = 0x00000020,
		SEC_PRIV_ADD_USERS_BIT               = 0x00000040,
		SEC_PRIV_DISK_OPERATOR_BIT           = 0x00000080,

		SEC_PRIV_REMOTE_SHUTDOWN_BIT         = 0x00000100,
		SEC_PRIV_BACKUP_BIT                  = 0x00000200,
		SEC_PRIV_RESTORE_BIT                 = 0x00000400,
		SEC_PRIV_TAKE_OWNERSHIP_BIT          = 0x00000800,
		/* End of privileges implemented before merge to common code */

		SEC_PRIV_INCREASE_QUOTA_BIT          = 0x00001000,
		SEC_PRIV_SECURITY_BIT                = 0x00002000,
		SEC_PRIV_LOAD_DRIVER_BIT             = 0x00004000,
		SEC_PRIV_SYSTEM_PROFILE_BIT          = 0x00008000,
		SEC_PRIV_SYSTEMTIME_BIT              = 0x00010000,
		SEC_PRIV_PROFILE_SINGLE_PROCESS_BIT  = 0x00020000,
		SEC_PRIV_INCREASE_BASE_PRIORITY_BIT  = 0x00040000,
		SEC_PRIV_CREATE_PAGEFILE_BIT         = 0x00080000,
		SEC_PRIV_SHUTDOWN_BIT                = 0x00100000,
		SEC_PRIV_DEBUG_BIT                   = 0x00200000,
		SEC_PRIV_SYSTEM_ENVIRONMENT_BIT      = 0x00400000,
		SEC_PRIV_CHANGE_NOTIFY_BIT           = 0x00800000,
		SEC_PRIV_UNDOCK_BIT                  = 0x01000000,
		SEC_PRIV_ENABLE_DELEGATION_BIT       = 0x02000000,
		SEC_PRIV_MANAGE_VOLUME_BIT           = 0x04000000,
		SEC_PRIV_IMPERSONATE_BIT             = 0x08000000,
		SEC_PRIV_CREATE_GLOBAL_BIT           = 0x10000000
	} se_privilege;

	/* Logon rights (LSA "system access" mode bits). The *_ALL values
	 * are unions of the individual bits above them: _ALL covers every
	 * bit defined here, _ALL_NT4 only the five NT4-era ones. */
	typedef [bitmap32bit] bitmap {
		LSA_POLICY_MODE_INTERACTIVE             = 0x00000001,
		LSA_POLICY_MODE_NETWORK                 = 0x00000002,
		LSA_POLICY_MODE_BATCH                   = 0x00000004,
		LSA_POLICY_MODE_SERVICE                 = 0x00000010,
		LSA_POLICY_MODE_PROXY                   = 0x00000020,
		LSA_POLICY_MODE_DENY_INTERACTIVE        = 0x00000040,
		LSA_POLICY_MODE_DENY_NETWORK            = 0x00000080,
		LSA_POLICY_MODE_DENY_BATCH              = 0x00000100,
		LSA_POLICY_MODE_DENY_SERVICE            = 0x00000200,
		LSA_POLICY_MODE_REMOTE_INTERACTIVE      = 0x00000400,
		LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE = 0x00000800,
		LSA_POLICY_MODE_ALL                     = 0x00000FF7,
		LSA_POLICY_MODE_ALL_NT4                 = 0x00000037
	} lsa_SystemAccessModeFlags;

	/* ACE flags. SEC_ACE_FLAG_VALID_INHERIT is the mask of the four
	 * inheritance flags (0x01|0x02|0x04|0x08). */
	typedef [public,bitmap8bit] bitmap {
		SEC_ACE_FLAG_OBJECT_INHERIT       = 0x01,
		SEC_ACE_FLAG_CONTAINER_INHERIT    = 0x02,
		SEC_ACE_FLAG_NO_PROPAGATE_INHERIT = 0x04,
		SEC_ACE_FLAG_INHERIT_ONLY         = 0x08,
		SEC_ACE_FLAG_INHERITED_ACE        = 0x10,
		SEC_ACE_FLAG_VALID_INHERIT        = 0x0f,
		SEC_ACE_FLAG_SUCCESSFUL_ACCESS    = 0x40,
		SEC_ACE_FLAG_FAILED_ACCESS        = 0x80
	} security_ace_flags;

	/* ACE types. Values 5..8 carry an extra security_ace_object body
	 * (see security_ace_object_ctr below). */
	typedef [public,enum8bit] enum {
		SEC_ACE_TYPE_ACCESS_ALLOWED        = 0,
		SEC_ACE_TYPE_ACCESS_DENIED         = 1,
		SEC_ACE_TYPE_SYSTEM_AUDIT          = 2,
		SEC_ACE_TYPE_SYSTEM_ALARM          = 3,
		SEC_ACE_TYPE_ALLOWED_COMPOUND      = 4,
		SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT = 5,
		SEC_ACE_TYPE_ACCESS_DENIED_OBJECT  = 6,
		SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT   = 7,
		SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT   = 8
	} security_ace_type;

	/* which of the two optional GUIDs in an object ACE are present */
	typedef [bitmap32bit] bitmap {
		SEC_ACE_OBJECT_TYPE_PRESENT           = 0x00000001,
		SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x00000002
	} security_ace_object_flags;

	/* present only when SEC_ACE_OBJECT_TYPE_PRESENT is set in flags */
	typedef [nodiscriminant] union {
		/* this is the 'schemaIDGUID' attribute of the attribute object in the schema naming context */
		[case(SEC_ACE_OBJECT_TYPE_PRESENT)] GUID type;
		[default];
	} security_ace_object_type;

	/* present only when SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT is set in flags */
	typedef [nodiscriminant] union {
		/* this is the 'schemaIDGUID' attribute of the objectclass object in the schema naming context
		 * (of the parent container)
		 */
		[case(SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)] GUID inherited_type;
		[default];
	} security_ace_object_inherited_type;

	/* Object-ACE payload: flags select which GUIDs follow. Each union is
	 * switched on the corresponding flag bit, so an absent GUID occupies
	 * no bytes on the wire. */
	typedef struct {
		security_ace_object_flags flags;
		[switch_is(flags & SEC_ACE_OBJECT_TYPE_PRESENT)] security_ace_object_type type;
		[switch_is(flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)] security_ace_object_inherited_type inherited_type;
	} security_ace_object;

	/* switched on security_ace.type: only the *_OBJECT ACE types carry a body */
	typedef [public,nodiscriminant] union {
		[case(SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT)] security_ace_object object;
		[case(SEC_ACE_TYPE_ACCESS_DENIED_OBJECT)] security_ace_object object;
		[case(SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT)] security_ace_object object;
		[case(SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT)] security_ace_object object;
		[default];
	} security_ace_object_ctr;

	/* An access control entry. The pull side is hand-written (nopull).
	 * size is not a caller-supplied field: value() derives it on push
	 * from ndr_size_security_ace(). */
	typedef [public,nopull,gensize,nosize] struct {
		security_ace_type type;  /* SEC_ACE_TYPE_* */
		security_ace_flags flags; /* SEC_ACE_FLAG_* */
		[value(ndr_size_security_ace(r,ndr->flags))] uint16 size;
		uint32 access_mask;
		[switch_is(type)] security_ace_object_ctr object;
		dom_sid trustee;
	} security_ace;

	typedef enum {
		SECURITY_ACL_REVISION_NT4  = 2,
		SECURITY_ACL_REVISION_ADS  = 4
	} security_acl_revision;

	const uint NT4_ACL_REVISION = SECURITY_ACL_REVISION_NT4;

	/* An ACL: revision, total size, and a counted array of ACEs.
	 * range(0,1000) caps num_aces on pull, bounding the allocation an
	 * untrusted descriptor can request; size is derived on push from
	 * ndr_size_security_acl(). */
	typedef [public,gensize,nosize] struct {
		security_acl_revision revision;
		[value(ndr_size_security_acl(r,ndr->flags))] uint16 size;
		[range(0,1000)] uint32 num_aces;
		security_ace aces[num_aces];
	} security_acl;

	/* default revision for new security descriptors */
	typedef [public,enum8bit] enum {
		SECURITY_DESCRIPTOR_REVISION_1  = 1
	} security_descriptor_revision;

	const int SD_REVISION = SECURITY_DESCRIPTOR_REVISION_1;

	/* security_descriptor->type bits */
	typedef [public,bitmap16bit] bitmap {
		SEC_DESC_OWNER_DEFAULTED       = 0x0001,
		SEC_DESC_GROUP_DEFAULTED       = 0x0002,
		SEC_DESC_DACL_PRESENT          = 0x0004,
		SEC_DESC_DACL_DEFAULTED        = 0x0008,
		SEC_DESC_SACL_PRESENT          = 0x0010,
		SEC_DESC_SACL_DEFAULTED        = 0x0020,
		SEC_DESC_DACL_TRUSTED          = 0x0040,
		SEC_DESC_SERVER_SECURITY       = 0x0080,
		SEC_DESC_DACL_AUTO_INHERIT_REQ = 0x0100,
		SEC_DESC_SACL_AUTO_INHERIT_REQ = 0x0200,
		SEC_DESC_DACL_AUTO_INHERITED   = 0x0400,
		SEC_DESC_SACL_AUTO_INHERITED   = 0x0800,
		SEC_DESC_DACL_PROTECTED        = 0x1000,
		SEC_DESC_SACL_PROTECTED        = 0x2000,
		SEC_DESC_RM_CONTROL_VALID      = 0x4000,
		SEC_DESC_SELF_RELATIVE         = 0x8000
	} security_descriptor_type;

	/* Self-relative security descriptor. The four [relative] pointers are
	 * marshalled as offsets from the start of the structure and, with
	 * pointer_default(unique), may each be NULL. Always little-endian on
	 * the wire regardless of the enclosing NDR context. */
	typedef [gensize,nosize,public,flag(NDR_LITTLE_ENDIAN)] struct {
		security_descriptor_revision revision;
		security_descriptor_type type;     /* SEC_DESC_xxxx flags */
		[relative] dom_sid *owner_sid;
		[relative] dom_sid *group_sid;
		[relative] security_acl *sacl; /* system ACL */
		[relative] security_acl *dacl; /* user (discretionary) ACL */
	} security_descriptor;

	/* Length-prefixed security descriptor blob. sd_size is derived on
	 * push from ndr_size_security_descriptor(); range(0,0x40000) caps the
	 * size accepted on pull. subcontext(4) marshals sd inside a 4-byte
	 * length-prefixed sub-buffer. */
	typedef [public] struct {
		[range(0,0x40000),value(ndr_size_security_descriptor(sd,ndr->flags))] uint32 sd_size;
		[subcontext(4)] security_descriptor *sd;
	} sec_desc_buf;

	/* This is not yet sent over the network, but is simply defined in IDL */
	/* NOTE(review): num_sids carries no [range] bound (compare
	 * security_acl.num_aces); add one before this is ever marshalled
	 * from untrusted input. */
	typedef [public,gensize] struct {
		uint32 num_sids;
		[size_is(num_sids)] dom_sid sids[*];
		se_privilege privilege_mask;
		lsa_SystemAccessModeFlags rights_mask;
	} security_token;

	/* This is not yet sent over the network, but is simply defined in IDL */
	/* NOTE(review): gid is declared uid_t while groups[] uses gid_t —
	 * confirm this is intentional. */
	typedef [public,gensize] struct {
		uid_t uid;
		uid_t gid;
		uint32 ngroups;
		[size_is(ngroups)] gid_t groups[*];
	} security_unix_token;

	/* bits that determine which parts of a security descriptor
	   are being queried/set */
	typedef [public,bitmap32bit] bitmap {
		SECINFO_OWNER            = 0x00000001,
		SECINFO_GROUP            = 0x00000002,
		SECINFO_DACL             = 0x00000004,
		SECINFO_SACL             = 0x00000008,
		SECINFO_LABEL            = 0x00000010,
		SECINFO_ATTRIBUTE        = 0x00000020,
		SECINFO_SCOPE            = 0x00000040,
		SECINFO_BACKUP           = 0x00010000,
		SECINFO_UNPROTECTED_SACL = 0x10000000,
		SECINFO_UNPROTECTED_DACL = 0x20000000,
		SECINFO_PROTECTED_SACL   = 0x40000000,
		SECINFO_PROTECTED_DACL   = 0x80000000
	} security_secinfo;

	/* Kerberos encryption types as advertised in a supported-enctypes bitmap */
	typedef [public,bitmap32bit] bitmap {
		KERB_ENCTYPE_DES_CBC_CRC             = 0x00000001,
		KERB_ENCTYPE_DES_CBC_MD5             = 0x00000002,
		KERB_ENCTYPE_RC4_HMAC_MD5            = 0x00000004,
		KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 0x00000008,
		KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010
	} kerb_EncTypes;

	/* options controlling inheritance when a new descriptor is derived from a parent */
	typedef [public,bitmap32bit] bitmap {
		SEC_DACL_AUTO_INHERIT     = 0x00000001,
		SEC_SACL_AUTO_INHERIT     = 0x00000002,
		SEC_DEFAULT_DESCRIPTOR    = 0x00000004,
		SEC_OWNER_FROM_PARENT     = 0x00000008,
		SEC_GROUP_FROM_PARENT     = 0x00000010
	} security_autoinherit;

	/***************************************************************/
	/* Extended right guids */

	const string GUID_DRS_ALLOCATE_RIDS           = "1abd7cf8-0a99-11d1-adbb-00c04fd8d5cd";
	const string GUID_DRS_CHANGE_DOMAIN_MASTER    = "014bf69c-7b3b-11d1-85f6-08002be74fab";
	const string GUID_DRS_CHANGE_INFR_MASTER      = "cc17b1fb-33d9-11d2-97d4-00c04fd8d5cd";
	const string GUID_DRS_CHANGE_PDC              = "bae50096-4752-11d1-9052-00c04fc2d4cf";
	const string GUID_DRS_CHANGE_RID_MASTER       = "d58d5f36-0a98-11d1-adbb-00c04fd8d5cd";
	const string GUID_DRS_CHANGE_SCHEMA_MASTER    = "e12b56b6-0a95-11d1-adbb-00c04fd8d5cd";
	const string GUID_DRS_GET_CHANGES             = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2";
	const string GUID_DRS_GET_ALL_CHANGES         = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2";
	const string GUID_DRS_GET_FILTERED_ATTRIBUTES = "89e95b76-444d-4c62-991a-0facbeda640c";
	const string GUID_DRS_MANAGE_TOPOLOGY         = "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2";
	const string GUID_DRS_MONITOR_TOPOLOGY        = "f98340fb-7c5b-4cdb-a00b-2ebdfa115a96";
	const string GUID_DRS_REPL_SYNCRONIZE         = "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2";
	const string GUID_DRS_RO_REPL_SECRET_SYNC     = "1131f6ae-9c07-11d1-f79f-00c04fc2dcd2";
	const string GUID_DRS_USER_CHANGE_PASSWORD    = "ab721a53-1e2f-11d0-9819-00aa0040529b";
	const string GUID_DRS_FORCE_CHANGE_PASSWORD   = "00299570-246d-11d0-a768-00aa006e0529";

	/***************************************************************/
	/* validated writes guids */
	const string GUID_DRS_VALIDATE_SPN            = "f3a64788-5306-11d1-a9c5-0000f80367c1";
	const string GUID_DRS_SELF_MEMBERSHIP         = "bf9679c0-0de6-11d0-a285-00aa003049e2";
	const string GUID_DRS_DNS_HOST_NAME           = "72e39547-7b18-11d1-adef-00c04fd8d5cd";
	const string GUID_DRS_ADD_DNS_HOST_NAME       = "80863791-dbe9-4eb8-837e-7f0ab55d9ac7";
	const string GUID_DRS_BEHAVIOR_VERSION        = "d31a8757-2447-4545-8081-3bb610cacbf2";

	/* A type to describe the mapping of generic access rights to object
	   specific access rights. */

	/* the object-specific mask each SEC_GENERIC_* bit expands to */
	typedef struct {
		uint32 generic_read;
		uint32 generic_write;
		uint32 generic_execute;
		uint32 generic_all;
	} generic_mapping;

	/* the object-specific mask each STANDARD_RIGHTS_*_ACCESS value expands to */
	typedef struct {
		uint32 std_read;
		uint32 std_write;
		uint32 std_execute;
		uint32 std_all;
	} standard_mapping;
}