Context Navigation

security.idl@ 1012

Visit:

Last change on this file since 1012 was 862, checked in by Silvan Scherrer, 11 years ago
Samba Server: update trunk to 3.6.23
File size: 27.9 KB

Line
1	#include "idl_types.h"
2
3	/*
4	security IDL structures
5	*/
6
7	import "misc.idl";
8
9	/*
10	use the same structure for dom_sid2 as dom_sid. A dom_sid2 is really
11	just a dom sid, but with the sub_auths represented as a conformant
12	array. As with all in-structure conformant arrays, the array length
13	is placed before the start of the structure. That's what gives rise
14	to the extra num_auths elemenent. We don't want the Samba code to
15	have to bother with such esoteric NDR details, so its easier to just
16	define it as a dom_sid and use pidl magic to make it all work. It
17	just means you need to mark a sid as a "dom_sid2" in the IDL when you
18	know it is of the conformant array variety
19	*/
20	cpp_quote("#define dom_sid2 dom_sid")
21
22	/* same struct as dom_sid but inside a 28 bytes fixed buffer in NDR */
23	cpp_quote("#define dom_sid28 dom_sid")
24
25	/* same struct as dom_sid but in a variable byte buffer, which is maybe empty in NDR */
26	cpp_quote("#define dom_sid0 dom_sid")
27
28	[
29	pyhelper("librpc/ndr/py_security.c"),
30	pointer_default(unique)
31	]
32	interface security
33	{
34
35	typedef bitmap lsa_SystemAccessModeFlags lsa_SystemAccessModeFlags;
36
37	typedef [public,gensize,noprint,nosize,nopull,nopush] struct {
38	uint8 sid_rev_num; /*< SID revision number /
39	[range(0,15)] int8 num_auths; /*< Number of sub-authorities /
40	uint8 id_auth[6]; /*< Identifier Authority /
41	uint32 sub_auths[15];
42	} dom_sid;
43	/*
44	access masks are divided up like this:
45	0xabccdddd
46	where
47	a = generic rights bits SEC_GENERIC_
48	b = flags SEC_FLAG_
49	c = standard rights bits SEC_STD_
50	d = object type specific bits SEC_{FILE,DIR,REG,xxx}_
51
52	common combinations of bits are prefixed with SEC_RIGHTS_
53	*/
54	const int SEC_MASK_GENERIC = 0xF0000000;
55	const int SEC_MASK_FLAGS = 0x0F000000;
56	const int SEC_MASK_STANDARD = 0x00FF0000;
57	const int SEC_MASK_SPECIFIC = 0x0000FFFF;
58
59	/* generic bits */
60	const int SEC_GENERIC_ALL = 0x10000000;
61	const int SEC_GENERIC_EXECUTE = 0x20000000;
62	const int SEC_GENERIC_WRITE = 0x40000000;
63	const int SEC_GENERIC_READ = 0x80000000;
64
65	/* flag bits */
66	const int SEC_FLAG_SYSTEM_SECURITY = 0x01000000;
67	const int SEC_FLAG_MAXIMUM_ALLOWED = 0x02000000;
68
69	/* standard bits */
70	const int SEC_STD_DELETE = 0x00010000;
71	const int SEC_STD_READ_CONTROL = 0x00020000;
72	const int SEC_STD_WRITE_DAC = 0x00040000;
73	const int SEC_STD_WRITE_OWNER = 0x00080000;
74	const int SEC_STD_SYNCHRONIZE = 0x00100000;
75	const int SEC_STD_REQUIRED = 0x000F0000;
76	const int SEC_STD_ALL = 0x001F0000;
77
78	/* file specific bits */
79	const int SEC_FILE_READ_DATA = 0x00000001;
80	const int SEC_FILE_WRITE_DATA = 0x00000002;
81	const int SEC_FILE_APPEND_DATA = 0x00000004;
82	const int SEC_FILE_READ_EA = 0x00000008;
83	const int SEC_FILE_WRITE_EA = 0x00000010;
84	const int SEC_FILE_EXECUTE = 0x00000020;
85	const int SEC_FILE_READ_ATTRIBUTE = 0x00000080;
86	const int SEC_FILE_WRITE_ATTRIBUTE = 0x00000100;
87	const int SEC_FILE_ALL = 0x000001ff;
88
89	/* directory specific bits */
90	const int SEC_DIR_LIST = 0x00000001;
91	const int SEC_DIR_ADD_FILE = 0x00000002;
92	const int SEC_DIR_ADD_SUBDIR = 0x00000004;
93	const int SEC_DIR_READ_EA = 0x00000008;
94	const int SEC_DIR_WRITE_EA = 0x00000010;
95	const int SEC_DIR_TRAVERSE = 0x00000020;
96	const int SEC_DIR_DELETE_CHILD = 0x00000040;
97	const int SEC_DIR_READ_ATTRIBUTE = 0x00000080;
98	const int SEC_DIR_WRITE_ATTRIBUTE = 0x00000100;
99
100	/* registry entry specific bits */
101	const int SEC_REG_QUERY_VALUE = 0x00000001;
102	const int SEC_REG_SET_VALUE = 0x00000002;
103	const int SEC_REG_CREATE_SUBKEY = 0x00000004;
104	const int SEC_REG_ENUM_SUBKEYS = 0x00000008;
105	const int SEC_REG_NOTIFY = 0x00000010;
106	const int SEC_REG_CREATE_LINK = 0x00000020;
107
108	/* ldap specific access bits */
109	const int SEC_ADS_CREATE_CHILD = 0x00000001;
110	const int SEC_ADS_DELETE_CHILD = 0x00000002;
111	const int SEC_ADS_LIST = 0x00000004;
112	const int SEC_ADS_SELF_WRITE = 0x00000008;
113	const int SEC_ADS_READ_PROP = 0x00000010;
114	const int SEC_ADS_WRITE_PROP = 0x00000020;
115	const int SEC_ADS_DELETE_TREE = 0x00000040;
116	const int SEC_ADS_LIST_OBJECT = 0x00000080;
117	const int SEC_ADS_CONTROL_ACCESS = 0x00000100;
118
119	/* invalid bits */
120	const int SEC_MASK_INVALID = 0x0ce0fe00;
121
122	/* generic->specific mappings for files */
123	const int SEC_RIGHTS_FILE_READ = SEC_STD_READ_CONTROL \|
124	SEC_STD_SYNCHRONIZE \|
125	SEC_FILE_READ_DATA \|
126	SEC_FILE_READ_ATTRIBUTE \|
127	SEC_FILE_READ_EA;
128
129	const int SEC_RIGHTS_FILE_WRITE = SEC_STD_READ_CONTROL \|
130	SEC_STD_SYNCHRONIZE \|
131	SEC_FILE_WRITE_DATA \|
132	SEC_FILE_WRITE_ATTRIBUTE \|
133	SEC_FILE_WRITE_EA \|
134	SEC_FILE_APPEND_DATA;
135
136	const int SEC_RIGHTS_FILE_EXECUTE = SEC_STD_SYNCHRONIZE \|
137	SEC_STD_READ_CONTROL \|
138	SEC_FILE_READ_ATTRIBUTE \|
139	SEC_FILE_EXECUTE;
140
141	const int SEC_RIGHTS_FILE_ALL = SEC_STD_ALL \| SEC_FILE_ALL;
142
143	/* generic->specific mappings for directories (same as files) */
144	const int SEC_RIGHTS_DIR_READ = SEC_RIGHTS_FILE_READ;
145	const int SEC_RIGHTS_DIR_WRITE = SEC_RIGHTS_FILE_WRITE;
146	const int SEC_RIGHTS_DIR_EXECUTE = SEC_RIGHTS_FILE_EXECUTE;
147	const int SEC_RIGHTS_DIR_ALL = SEC_RIGHTS_FILE_ALL;
148
149	/* rights granted by some specific privileges */
150	const int SEC_RIGHTS_PRIV_BACKUP = SEC_STD_READ_CONTROL \|
151	SEC_FLAG_SYSTEM_SECURITY \|
152	SEC_GENERIC_READ;
153	const int SEC_RIGHTS_DIR_PRIV_BACKUP = SEC_RIGHTS_PRIV_BACKUP
154	\| SEC_DIR_TRAVERSE;
155
156	const int SEC_RIGHTS_PRIV_RESTORE = SEC_STD_WRITE_DAC \|
157	SEC_STD_WRITE_OWNER \|
158	SEC_FLAG_SYSTEM_SECURITY \|
159	SEC_STD_DELETE;
160	const int SEC_RIGHTS_DIR_PRIV_RESTORE = SEC_RIGHTS_PRIV_RESTORE \|
161	SEC_DIR_ADD_FILE \|
162	SEC_DIR_ADD_SUBDIR;
163
164	/* combinations of standard masks. */
165	const int STANDARD_RIGHTS_ALL_ACCESS = SEC_STD_ALL; /* 0x001f0000 */
166	const int STANDARD_RIGHTS_MODIFY_ACCESS = SEC_STD_READ_CONTROL; /* 0x00020000 */
167	const int STANDARD_RIGHTS_EXECUTE_ACCESS = SEC_STD_READ_CONTROL; /* 0x00020000 */
168	const int STANDARD_RIGHTS_READ_ACCESS = SEC_STD_READ_CONTROL; /* 0x00020000 */
169	const int STANDARD_RIGHTS_WRITE_ACCESS =
170	(SEC_STD_WRITE_OWNER \|
171	SEC_STD_WRITE_DAC \|
172	SEC_STD_DELETE); /* 0x000d0000 */
173	const int STANDARD_RIGHTS_REQUIRED_ACCESS =
174	(SEC_STD_DELETE \|
175	SEC_STD_READ_CONTROL \|
176	SEC_STD_WRITE_DAC \|
177	SEC_STD_WRITE_OWNER); /* 0x000f0000 */
178
179	/* generic->specific mappings for Directory Service objects */
180	/* directory specific part of GENERIC_ALL */
181	const int SEC_ADS_GENERIC_ALL_DS =
182	(SEC_STD_DELETE \|
183	SEC_STD_WRITE_DAC \|
184	SEC_STD_WRITE_OWNER \|
185	SEC_ADS_CREATE_CHILD \|
186	SEC_ADS_DELETE_CHILD \|
187	SEC_ADS_DELETE_TREE \|
188	SEC_ADS_CONTROL_ACCESS);
189	const int SEC_ADS_GENERIC_EXECUTE = SEC_STD_READ_CONTROL \| SEC_ADS_LIST;
190	const int SEC_ADS_GENERIC_WRITE =
191	(SEC_STD_READ_CONTROL \|
192	SEC_ADS_SELF_WRITE \|
193	SEC_ADS_WRITE_PROP);
194	const int SEC_ADS_GENERIC_READ =
195	(SEC_STD_READ_CONTROL \|
196	SEC_ADS_LIST \|
197	SEC_ADS_READ_PROP \|
198	SEC_ADS_LIST_OBJECT);
199	const int SEC_ADS_GENERIC_ALL =
200	(SEC_ADS_GENERIC_EXECUTE \|
201	SEC_ADS_GENERIC_WRITE \|
202	SEC_ADS_GENERIC_READ \|
203	SEC_ADS_GENERIC_ALL_DS);
204
205	/***************************************************************/
206	/* WELL KNOWN SIDS */
207
208	/* a NULL sid */
209	const string SID_NULL = "S-1-0-0";
210
211	/* the world domain */
212	const string NAME_WORLD = "WORLD";
213
214	const string SID_WORLD_DOMAIN = "S-1-1";
215	const string SID_WORLD = "S-1-1-0";
216
217	/* SECURITY_CREATOR_SID_AUTHORITY */
218	const string SID_CREATOR_OWNER_DOMAIN = "S-1-3";
219	const string SID_CREATOR_OWNER = "S-1-3-0";
220	const string SID_CREATOR_GROUP = "S-1-3-1";
221	const string SID_OWNER_RIGHTS = "S-1-3-4";
222
223	/* SECURITY_NT_AUTHORITY */
224	const string NAME_NT_AUTHORITY = "NT AUTHORITY";
225
226	const string SID_NT_AUTHORITY = "S-1-5";
227	const string SID_NT_DIALUP = "S-1-5-1";
228	const string SID_NT_NETWORK = "S-1-5-2";
229	const string SID_NT_BATCH = "S-1-5-3";
230	const string SID_NT_INTERACTIVE = "S-1-5-4";
231	const string SID_NT_SERVICE = "S-1-5-6";
232	const string SID_NT_ANONYMOUS = "S-1-5-7";
233	const string SID_NT_PROXY = "S-1-5-8";
234	const string SID_NT_ENTERPRISE_DCS = "S-1-5-9";
235	const string SID_NT_SELF = "S-1-5-10";
236	const string SID_NT_AUTHENTICATED_USERS = "S-1-5-11";
237	const string SID_NT_RESTRICTED = "S-1-5-12";
238	const string SID_NT_TERMINAL_SERVER_USERS = "S-1-5-13";
239	const string SID_NT_REMOTE_INTERACTIVE = "S-1-5-14";
240	const string SID_NT_THIS_ORGANISATION = "S-1-5-15";
241	const string SID_NT_IUSR = "S-1-5-17";
242	const string SID_NT_SYSTEM = "S-1-5-18";
243	const string SID_NT_LOCAL_SERVICE = "S-1-5-19";
244	const string SID_NT_NETWORK_SERVICE = "S-1-5-20";
245	const string SID_NT_DIGEST_AUTHENTICATION = "S-1-5-64-21";
246	const string SID_NT_NTLM_AUTHENTICATION = "S-1-5-64-10";
247	const string SID_NT_SCHANNEL_AUTHENTICATION = "S-1-5-64-14";
248	const string SID_NT_OTHER_ORGANISATION = "S-1-5-1000";
249
250	/* SECURITY_BUILTIN_DOMAIN_RID */
251	const string NAME_BUILTIN = "BUILTIN";
252
253	const string SID_BUILTIN = "S-1-5-32";
254	const string SID_BUILTIN_ADMINISTRATORS = "S-1-5-32-544";
255	const string SID_BUILTIN_USERS = "S-1-5-32-545";
256	const string SID_BUILTIN_GUESTS = "S-1-5-32-546";
257	const string SID_BUILTIN_POWER_USERS = "S-1-5-32-547";
258	const string SID_BUILTIN_ACCOUNT_OPERATORS = "S-1-5-32-548";
259	const string SID_BUILTIN_SERVER_OPERATORS = "S-1-5-32-549";
260	const string SID_BUILTIN_PRINT_OPERATORS = "S-1-5-32-550";
261	const string SID_BUILTIN_BACKUP_OPERATORS = "S-1-5-32-551";
262	const string SID_BUILTIN_REPLICATOR = "S-1-5-32-552";
263	const string SID_BUILTIN_RAS_SERVERS = "S-1-5-32-553";
264	const string SID_BUILTIN_PREW2K = "S-1-5-32-554";
265	const string SID_BUILTIN_REMOTE_DESKTOP_USERS = "S-1-5-32-555";
266	const string SID_BUILTIN_NETWORK_CONF_OPERATORS = "S-1-5-32-556";
267	const string SID_BUILTIN_INCOMING_FOREST_TRUST = "S-1-5-32-557";
268	const string SID_BUILTIN_PERFMON_USERS = "S-1-5-32-558";
269	const string SID_BUILTIN_PERFLOG_USERS = "S-1-5-32-559";
270	const string SID_BUILTIN_AUTH_ACCESS = "S-1-5-32-560";
271	const string SID_BUILTIN_TS_LICENSE_SERVERS = "S-1-5-32-561";
272
273	/* SECURITY_NT_SERVICE */
274	const string NAME_NT_SERVICE = "NT SERVICE";
275
276	const string SID_NT_NT_SERVICE = "S-1-5-80";
277	const string SID_NT_TRUSTED_INSTALLER =
278	"S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464";
279
280	/* well-known domain RIDs */
281	const int DOMAIN_RID_LOGON = 9;
282	const int DOMAIN_RID_ENTERPRISE_READONLY_DCS = 498;
283	const int DOMAIN_RID_ADMINISTRATOR = 500;
284	const int DOMAIN_RID_GUEST = 501;
285	const int DOMAIN_RID_KRBTGT = 502;
286	const int DOMAIN_RID_ADMINS = 512;
287	const int DOMAIN_RID_USERS = 513;
288	const int DOMAIN_RID_GUESTS = 514;
289	const int DOMAIN_RID_DOMAIN_MEMBERS = 515;
290	const int DOMAIN_RID_DCS = 516;
291	const int DOMAIN_RID_CERT_ADMINS = 517;
292	const int DOMAIN_RID_SCHEMA_ADMINS = 518;
293	const int DOMAIN_RID_ENTERPRISE_ADMINS = 519;
294	const int DOMAIN_RID_POLICY_ADMINS = 520;
295	const int DOMAIN_RID_READONLY_DCS = 521;
296	const int DOMAIN_RID_RAS_SERVERS = 553;
297	const int DOMAIN_RID_RODC_ALLOW = 571;
298	const int DOMAIN_RID_RODC_DENY = 572;
299
300	/* well-known builtin RIDs */
301	const int BUILTIN_RID_ADMINISTRATORS = 544;
302	const int BUILTIN_RID_USERS = 545;
303	const int BUILTIN_RID_GUESTS = 546;
304	const int BUILTIN_RID_POWER_USERS = 547;
305	const int BUILTIN_RID_ACCOUNT_OPERATORS = 548;
306	const int BUILTIN_RID_SERVER_OPERATORS = 549;
307	const int BUILTIN_RID_PRINT_OPERATORS = 550;
308	const int BUILTIN_RID_BACKUP_OPERATORS = 551;
309	const int BUILTIN_RID_REPLICATOR = 552;
310	const int BUILTIN_RID_RAS_SERVERS = 553;
311	const int BUILTIN_RID_PRE_2K_ACCESS = 554;
312	const int BUILTIN_RID_REMOTE_DESKTOP_USERS = 555;
313	const int BUILTIN_RID_NETWORK_CONF_OPERATORS = 556;
314	const int BUILTIN_RID_INCOMING_FOREST_TRUST = 557;
315	const int BUILTIN_RID_PERFMON_USERS = 558;
316	const int BUILTIN_RID_PERFLOG_USERS = 559;
317	const int BUILTIN_RID_AUTH_ACCESS = 560;
318	const int BUILTIN_RID_TS_LICENSE_SERVERS = 561;
319
320	/********************************************************************
321	This is a list of privileges reported by a WIndows 2008 R2 DC
322	just for reference purposes (and I know the LUID is not guaranteed
323	across reboots):
324
325	0x00000002 SeCreateTokenPrivilege "Create a token object"
326	0x00000003 SeAssignPrimaryTokenPrivilege "Replace a process level token"
327	0x00000004 SeLockMemoryPrivilege "Lock pages in memory"
328	0x00000005 SeIncreaseQuotaPrivilege "Adjust memory quotas for a process"
329	0x00000006 SeMachineAccountPrivilege "Add workstations to domain"
330	0x00000007 SeTcbPrivilege "Act as part of the operating system"
331	0x00000008 SeSecurityPrivilege "Manage auditing and security log"
332	0x00000009 SeTakeOwnershipPrivilege "Take ownership of files or other objects"
333	0x0000000a SeLoadDriverPrivilege "Load and unload device drivers"
334	0x0000000b SeSystemProfilePrivilege "Profile system performance"
335	0x0000000c SeSystemtimePrivilege "Change the system time"
336	0x0000000d SeProfileSingleProcessPrivilege "Profile single process"
337	0x0000000e SeIncreaseBasePriorityPrivilege "Increase scheduling priority"
338	0x0000000f SeCreatePagefilePrivilege "Create a pagefile"
339	0x00000010 SeCreatePermanentPrivilege "Create permanent shared objects"
340	0x00000011 SeBackupPrivilege "Back up files and directories"
341	0x00000012 SeRestorePrivilege "Restore files and directories"
342	0x00000013 SeShutdownPrivilege "Shut down the system"
343	0x00000014 SeDebugPrivilege "Debug programs"
344	0x00000015 SeAuditPrivilege "Generate security audits"
345	0x00000016 SeSystemEnvironmentPrivilege "Modify firmware environment values"
346	0x00000017 SeChangeNotifyPrivilege "Bypass traverse checking"
347	0x00000018 SeRemoteShutdownPrivilege "Force shutdown from a remote system"
348	0x00000019 SeUndockPrivilege "Remove computer from docking station"
349	0x0000001a SeSyncAgentPrivilege "Synchronize directory service data"
350	0x0000001b SeEnableDelegationPrivilege "Enable computer and user accounts to be trusted for delegation"
351	0x0000001c SeManageVolumePrivilege "Perform volume maintenance tasks"
352	0x0000001d SeImpersonatePrivilege "Impersonate a client after authentication"
353	0x0000001e SeCreateGlobalPrivilege "Create global objects"
354	0x0000001f SeTrustedCredManAccessPrivilege "Access Credential Manager as a trusted caller"
355	0x00000020 SeRelabelPrivilege "Modify an object label"
356	0x00000021 SeIncreaseWorkingSetPrivilege "Increase a process working set"
357	0x00000022 SeTimeZonePrivilege "Change the time zone"
358	0x00000023 SeCreateSymbolicLinkPrivilege "Create symbolic links"
359
360	********************************************************************/
361
362	/* LUID values for privileges known about by Samba (bottom 32 bits of enum, top bits are 0) */
363
364	/* we have to define the LUID here due to a horrible check by printmig.exe
365	that requires the SeBackupPrivilege match what is in Windows. So match
366	those that we implement and start Samba privileges at 0x1001 */
367
368	typedef enum {
369	SEC_PRIV_INVALID = 0x0,
370	SEC_PRIV_INCREASE_QUOTA = 0x5,
371	SEC_PRIV_MACHINE_ACCOUNT = 0x6,
372	SEC_PRIV_SECURITY = 0x8,
373	SEC_PRIV_TAKE_OWNERSHIP = 0x09,
374	SEC_PRIV_LOAD_DRIVER = 0x0a,
375	SEC_PRIV_SYSTEM_PROFILE = 0x0b,
376	SEC_PRIV_SYSTEMTIME = 0x0c,
377	SEC_PRIV_PROFILE_SINGLE_PROCESS = 0x0d,
378	SEC_PRIV_INCREASE_BASE_PRIORITY = 0x0e,
379	SEC_PRIV_CREATE_PAGEFILE = 0x0f,
380	SEC_PRIV_BACKUP = 0x11,
381	SEC_PRIV_RESTORE = 0x12,
382	SEC_PRIV_SHUTDOWN = 0x13,
383	SEC_PRIV_DEBUG = 0x14,
384	SEC_PRIV_SYSTEM_ENVIRONMENT = 0x16,
385	SEC_PRIV_CHANGE_NOTIFY = 0x17,
386	SEC_PRIV_REMOTE_SHUTDOWN = 0x18,
387	SEC_PRIV_UNDOCK = 0x19,
388	SEC_PRIV_ENABLE_DELEGATION = 0x1b,
389	SEC_PRIV_MANAGE_VOLUME = 0x1c,
390	SEC_PRIV_IMPERSONATE = 0x1d,
391	SEC_PRIV_CREATE_GLOBAL = 0x1e,
392	/* Samba-specific privs */
393	SEC_PRIV_PRINT_OPERATOR = 0x1001,
394	SEC_PRIV_ADD_USERS = 0x1002,
395	SEC_PRIV_DISK_OPERATOR = 0x1003
396	} sec_privilege;
397
398
399	/* Bitmap of privilege values for internal use only. We need
400	* our own bitmap here as privilages.tdb records these values
401	* as a bitmap (privilages.ldb uses the string forms).
402	*/
403	typedef [bitmap64bit] bitmap {
404	SEC_PRIV_MACHINE_ACCOUNT_BIT = 0x00000010,
405
406	/* Samba-specific privs */
407	SEC_PRIV_PRINT_OPERATOR_BIT = 0x00000020,
408	SEC_PRIV_ADD_USERS_BIT = 0x00000040,
409	SEC_PRIV_DISK_OPERATOR_BIT = 0x00000080,
410
411	SEC_PRIV_REMOTE_SHUTDOWN_BIT = 0x00000100,
412	SEC_PRIV_BACKUP_BIT = 0x00000200,
413	SEC_PRIV_RESTORE_BIT = 0x00000400,
414	SEC_PRIV_TAKE_OWNERSHIP_BIT = 0x00000800,
415	/* End of privilages implemented before merge to common code */
416
417	SEC_PRIV_INCREASE_QUOTA_BIT = 0x00001000,
418	SEC_PRIV_SECURITY_BIT = 0x00002000,
419	SEC_PRIV_LOAD_DRIVER_BIT = 0x00004000,
420	SEC_PRIV_SYSTEM_PROFILE_BIT = 0x00008000,
421	SEC_PRIV_SYSTEMTIME_BIT = 0x00010000,
422	SEC_PRIV_PROFILE_SINGLE_PROCESS_BIT = 0x00020000,
423	SEC_PRIV_INCREASE_BASE_PRIORITY_BIT = 0x00040000,
424	SEC_PRIV_CREATE_PAGEFILE_BIT = 0x00080000,
425	SEC_PRIV_SHUTDOWN_BIT = 0x00100000,
426	SEC_PRIV_DEBUG_BIT = 0x00200000,
427	SEC_PRIV_SYSTEM_ENVIRONMENT_BIT = 0x00400000,
428	SEC_PRIV_CHANGE_NOTIFY_BIT = 0x00800000,
429	SEC_PRIV_UNDOCK_BIT = 0x01000000,
430	SEC_PRIV_ENABLE_DELEGATION_BIT = 0x02000000,
431	SEC_PRIV_MANAGE_VOLUME_BIT = 0x04000000,
432	SEC_PRIV_IMPERSONATE_BIT = 0x08000000,
433	SEC_PRIV_CREATE_GLOBAL_BIT = 0x10000000
434	} se_privilege;
435
436	typedef [bitmap32bit] bitmap {
437	LSA_POLICY_MODE_INTERACTIVE = 0x00000001,
438	LSA_POLICY_MODE_NETWORK = 0x00000002,
439	LSA_POLICY_MODE_BATCH = 0x00000004,
440	LSA_POLICY_MODE_SERVICE = 0x00000010,
441	LSA_POLICY_MODE_PROXY = 0x00000020,
442	LSA_POLICY_MODE_DENY_INTERACTIVE = 0x00000040,
443	LSA_POLICY_MODE_DENY_NETWORK = 0x00000080,
444	LSA_POLICY_MODE_DENY_BATCH = 0x00000100,
445	LSA_POLICY_MODE_DENY_SERVICE = 0x00000200,
446	LSA_POLICY_MODE_REMOTE_INTERACTIVE = 0x00000400,
447	LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE = 0x00000800,
448	LSA_POLICY_MODE_ALL = 0x00000FF7,
449	LSA_POLICY_MODE_ALL_NT4 = 0x00000037
450	} lsa_SystemAccessModeFlags;
451
452	typedef [public,bitmap8bit] bitmap {
453	SEC_ACE_FLAG_OBJECT_INHERIT = 0x01,
454	SEC_ACE_FLAG_CONTAINER_INHERIT = 0x02,
455	SEC_ACE_FLAG_NO_PROPAGATE_INHERIT = 0x04,
456	SEC_ACE_FLAG_INHERIT_ONLY = 0x08,
457	SEC_ACE_FLAG_INHERITED_ACE = 0x10,
458	SEC_ACE_FLAG_VALID_INHERIT = 0x0f,
459	SEC_ACE_FLAG_SUCCESSFUL_ACCESS = 0x40,
460	SEC_ACE_FLAG_FAILED_ACCESS = 0x80
461	} security_ace_flags;
462
463	typedef [public,enum8bit] enum {
464	SEC_ACE_TYPE_ACCESS_ALLOWED = 0,
465	SEC_ACE_TYPE_ACCESS_DENIED = 1,
466	SEC_ACE_TYPE_SYSTEM_AUDIT = 2,
467	SEC_ACE_TYPE_SYSTEM_ALARM = 3,
468	SEC_ACE_TYPE_ALLOWED_COMPOUND = 4,
469	SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT = 5,
470	SEC_ACE_TYPE_ACCESS_DENIED_OBJECT = 6,
471	SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT = 7,
472	SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT = 8
473	} security_ace_type;
474
475	typedef [bitmap32bit] bitmap {
476	SEC_ACE_OBJECT_TYPE_PRESENT = 0x00000001,
477	SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x00000002
478	} security_ace_object_flags;
479
480	typedef [nodiscriminant] union {
481	/* this is the 'schemaIDGUID' attribute of the attribute object in the schema naming context */
482	[case(SEC_ACE_OBJECT_TYPE_PRESENT)] GUID type;
483	[default];
484	} security_ace_object_type;
485
486	typedef [nodiscriminant] union {
487	/* this is the 'schemaIDGUID' attribute of the objectclass object in the schema naming context
488	* (of the parent container)
489	*/
490	[case(SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)] GUID inherited_type;
491	[default];
492	} security_ace_object_inherited_type;
493
494	typedef struct {
495	security_ace_object_flags flags;
496	[switch_is(flags & SEC_ACE_OBJECT_TYPE_PRESENT)] security_ace_object_type type;
497	[switch_is(flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)] security_ace_object_inherited_type inherited_type;
498	} security_ace_object;
499
500	typedef [public,nodiscriminant] union {
501	[case(SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT)] security_ace_object object;
502	[case(SEC_ACE_TYPE_ACCESS_DENIED_OBJECT)] security_ace_object object;
503	[case(SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT)] security_ace_object object;
504	[case(SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT)] security_ace_object object;
505	[default];
506	} security_ace_object_ctr;
507
508	typedef [public,nopull,gensize,nosize] struct {
509	security_ace_type type; /* SEC_ACE_TYPE_* */
510	security_ace_flags flags; /* SEC_ACE_FLAG_* */
511	[value(ndr_size_security_ace(r,ndr->flags))] uint16 size;
512	uint32 access_mask;
513	[switch_is(type)] security_ace_object_ctr object;
514	dom_sid trustee;
515	} security_ace;
516
517	typedef enum {
518	SECURITY_ACL_REVISION_NT4 = 2,
519	SECURITY_ACL_REVISION_ADS = 4
520	} security_acl_revision;
521
522	const uint NT4_ACL_REVISION = SECURITY_ACL_REVISION_NT4;
523
524	typedef [public,gensize,nosize] struct {
525	security_acl_revision revision;
526	[value(ndr_size_security_acl(r,ndr->flags))] uint16 size;
527	[range(0,1000)] uint32 num_aces;
528	security_ace aces[num_aces];
529	} security_acl;
530
531	/* default revision for new ACLs */
532	typedef [public,enum8bit] enum {
533	SECURITY_DESCRIPTOR_REVISION_1 = 1
534	} security_descriptor_revision;
535
536	const int SD_REVISION = SECURITY_DESCRIPTOR_REVISION_1;
537
538	/* security_descriptor->type bits */
539	typedef [public,bitmap16bit] bitmap {
540	SEC_DESC_OWNER_DEFAULTED = 0x0001,
541	SEC_DESC_GROUP_DEFAULTED = 0x0002,
542	SEC_DESC_DACL_PRESENT = 0x0004,
543	SEC_DESC_DACL_DEFAULTED = 0x0008,
544	SEC_DESC_SACL_PRESENT = 0x0010,
545	SEC_DESC_SACL_DEFAULTED = 0x0020,
546	SEC_DESC_DACL_TRUSTED = 0x0040,
547	SEC_DESC_SERVER_SECURITY = 0x0080,
548	SEC_DESC_DACL_AUTO_INHERIT_REQ = 0x0100,
549	SEC_DESC_SACL_AUTO_INHERIT_REQ = 0x0200,
550	SEC_DESC_DACL_AUTO_INHERITED = 0x0400,
551	SEC_DESC_SACL_AUTO_INHERITED = 0x0800,
552	SEC_DESC_DACL_PROTECTED = 0x1000,
553	SEC_DESC_SACL_PROTECTED = 0x2000,
554	SEC_DESC_RM_CONTROL_VALID = 0x4000,
555	SEC_DESC_SELF_RELATIVE = 0x8000
556	} security_descriptor_type;
557
558	typedef [gensize,nosize,public,flag(NDR_LITTLE_ENDIAN)] struct {
559	security_descriptor_revision revision;
560	security_descriptor_type type; /* SEC_DESC_xxxx flags */
561	[relative] dom_sid *owner_sid;
562	[relative] dom_sid *group_sid;
563	[relative] security_acl sacl; / system ACL */
564	[relative] security_acl dacl; / user (discretionary) ACL */
565	} security_descriptor;
566
567	typedef [public] struct {
568	[range(0,0x40000),value(ndr_size_security_descriptor(sd,ndr->flags))] uint32 sd_size;
569	[subcontext(4)] security_descriptor *sd;
570	} sec_desc_buf;
571
572	/* This is not yet sent over the network, but is simply defined in IDL */
573	typedef [public,gensize] struct {
574	uint32 num_sids;
575	[size_is(num_sids)] dom_sid sids[*];
576	se_privilege privilege_mask;
577	lsa_SystemAccessModeFlags rights_mask;
578	} security_token;
579
580	/* This is not yet sent over the network, but is simply defined in IDL */
581	typedef [public,gensize] struct {
582	uid_t uid;
583	uid_t gid;
584	uint32 ngroups;
585	[size_is(ngroups)] gid_t groups[*];
586	} security_unix_token;
587
588	/* bits that determine which parts of a security descriptor
589	are being queried/set */
590	typedef [public,bitmap32bit] bitmap {
591	SECINFO_OWNER = 0x00000001,
592	SECINFO_GROUP = 0x00000002,
593	SECINFO_DACL = 0x00000004,
594	SECINFO_SACL = 0x00000008,
595	SECINFO_LABEL = 0x00000010,
596	SECINFO_ATTRIBUTE = 0x00000020,
597	SECINFO_SCOPE = 0x00000040,
598	SECINFO_BACKUP = 0x00010000,
599	SECINFO_UNPROTECTED_SACL = 0x10000000,
600	SECINFO_UNPROTECTED_DACL = 0x20000000,
601	SECINFO_PROTECTED_SACL = 0x40000000,
602	SECINFO_PROTECTED_DACL = 0x80000000
603	} security_secinfo;
604
605	typedef [public,bitmap32bit] bitmap {
606	KERB_ENCTYPE_DES_CBC_CRC = 0x00000001,
607	KERB_ENCTYPE_DES_CBC_MD5 = 0x00000002,
608	KERB_ENCTYPE_RC4_HMAC_MD5 = 0x00000004,
609	KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 0x00000008,
610	KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010
611	} kerb_EncTypes;
612
613	typedef [public,bitmap32bit] bitmap {
614	SEC_DACL_AUTO_INHERIT = 0x00000001,
615	SEC_SACL_AUTO_INHERIT = 0x00000002,
616	SEC_DEFAULT_DESCRIPTOR = 0x00000004,
617	SEC_OWNER_FROM_PARENT = 0x00000008,
618	SEC_GROUP_FROM_PARENT = 0x00000010
619	} security_autoinherit;
620
621	/***************************************************************/
622	/* Extended right guids */
623
624	const string GUID_DRS_ALLOCATE_RIDS = "1abd7cf8-0a99-11d1-adbb-00c04fd8d5cd";
625	const string GUID_DRS_CHANGE_DOMAIN_MASTER = "014bf69c-7b3b-11d1-85f6-08002be74fab";
626	const string GUID_DRS_CHANGE_INFR_MASTER = "cc17b1fb-33d9-11d2-97d4-00c04fd8d5cd";
627	const string GUID_DRS_CHANGE_PDC = "bae50096-4752-11d1-9052-00c04fc2d4cf";
628	const string GUID_DRS_CHANGE_RID_MASTER = "d58d5f36-0a98-11d1-adbb-00c04fd8d5cd";
629	const string GUID_DRS_CHANGE_SCHEMA_MASTER = "e12b56b6-0a95-11d1-adbb-00c04fd8d5cd";
630	const string GUID_DRS_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2";
631	const string GUID_DRS_GET_ALL_CHANGES = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2";
632	const string GUID_DRS_GET_FILTERED_ATTRIBUTES = "89e95b76-444d-4c62-991a-0facbeda640c";
633	const string GUID_DRS_MANAGE_TOPOLOGY = "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2";
634	const string GUID_DRS_MONITOR_TOPOLOGY = "f98340fb-7c5b-4cdb-a00b-2ebdfa115a96";
635	const string GUID_DRS_REPL_SYNCRONIZE = "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2";
636	const string GUID_DRS_RO_REPL_SECRET_SYNC = "1131f6ae-9c07-11d1-f79f-00c04fc2dcd2";
637	const string GUID_DRS_USER_CHANGE_PASSWORD = "ab721a53-1e2f-11d0-9819-00aa0040529b";
638	const string GUID_DRS_FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529";
639
640	/***************************************************************/
641	/* validated writes guids */
642	const string GUID_DRS_VALIDATE_SPN = "f3a64788-5306-11d1-a9c5-0000f80367c1";
643	const string GUID_DRS_SELF_MEMBERSHIP = "bf9679c0-0de6-11d0-a285-00aa003049e2";
644	const string GUID_DRS_DNS_HOST_NAME = "72e39547-7b18-11d1-adef-00c04fd8d5cd";
645	const string GUID_DRS_ADD_DNS_HOST_NAME = "80863791-dbe9-4eb8-837e-7f0ab55d9ac7";
646	const string GUID_DRS_BEHAVIOR_VERSION = "d31a8757-2447-4545-8081-3bb610cacbf2";
647
648	/* A type to describe the mapping of generic access rights to object
649	specific access rights. */
650
651	typedef struct {
652	uint32 generic_read;
653	uint32 generic_write;
654	uint32 generic_execute;
655	uint32 generic_all;
656	} generic_mapping;
657
658	typedef struct {
659	uint32 std_read;
660	uint32 std_write;
661	uint32 std_execute;
662	uint32 std_all;
663	} standard_mapping;
664	}

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: trunk/server/librpc/idl/security.idl@ 1012

Download in other formats: