source: vendor/current/librpc/idl/security.idl

#include "idl_types.h"

/*
  security IDL structures (SIDs, access masks, ACEs, ACLs, security
  descriptors and the well-known SID / RID / GUID constants that go
  with them). Processed by pidl; the cpp_quote() lines below are emitted
  verbatim into the generated header.
*/

import "misc.idl";

/*
  use the same structure for dom_sid2 as dom_sid. A dom_sid2 is really
  just a dom sid, but with the sub_auths represented as a conformant
  array. As with all in-structure conformant arrays, the array length
  is placed before the start of the structure. That's what gives rise
  to the extra num_auths element. We don't want the Samba code to
  have to bother with such esoteric NDR details, so it's easier to just
  define it as a dom_sid and use pidl magic to make it all work. It
  just means you need to mark a sid as a "dom_sid2" in the IDL when you
  know it is of the conformant array variety
*/
cpp_quote("#define dom_sid2 dom_sid")

/* same struct as dom_sid but inside a 28 bytes fixed buffer in NDR */
cpp_quote("#define dom_sid28 dom_sid")

/* same struct as dom_sid but in a variable byte buffer, which is maybe empty in NDR */
cpp_quote("#define dom_sid0 dom_sid")
27
[
	/*
	 * cbf7d408-2d6c-11e2-ae5b-0b5692790e18 just to make ndrdump happy
	 */
	uuid("cbf7d408-2d6c-11e2-ae5b-0b5692790e18"),
	version(0.0),
	pyhelper("librpc/ndr/py_security.c"),
	pointer_default(unique)
]
interface security
{

	/* forward declaration; the bitmap itself is defined further down,
	 * after the sec_privilege enum */
	typedef bitmap lsa_SystemAccessModeFlags lsa_SystemAccessModeFlags;

	/*
	 * A Windows SID.
	 *
	 * The [range(0,15)] on num_auths is the bound that keeps a malformed
	 * SID coming off the wire from indexing past the 15-element sub_auths
	 * array: the NDR pull rejects a larger count before sub_auths is
	 * touched. The generated pull/push/print/size functions are
	 * suppressed (nopull, nopush, noprint, nosize); the replacements live
	 * outside this file.
	 */
	typedef [public,gensize,noprint,nosize,nopull,nopush] struct {
		uint8  sid_rev_num;             /**< SID revision number */
		[range(0,15)] int8  num_auths;  /**< Number of sub-authorities */
		uint8  id_auth[6];              /**< Identifier Authority */
		uint32 sub_auths[15];           /**< Sub-authorities; the first num_auths entries are in use */
	} dom_sid;
	/*
	  access masks are divided up like this:
	        0xabccdddd
	  where
	     a = generic rights bits        SEC_GENERIC_
	     b = flags                      SEC_FLAG_
	     c = standard rights bits       SEC_STD_
	     d = object type specific bits  SEC_{FILE,DIR,REG,xxx}_

	  common combinations of bits are prefixed with SEC_RIGHTS_
	*/
	const int SEC_MASK_GENERIC         = 0xF0000000;
	const int SEC_MASK_FLAGS           = 0x0F000000;
	const int SEC_MASK_STANDARD        = 0x00FF0000;
	const int SEC_MASK_SPECIFIC        = 0x0000FFFF;

	/* generic bits */
	const int SEC_GENERIC_ALL          = 0x10000000;
	const int SEC_GENERIC_EXECUTE      = 0x20000000;
	const int SEC_GENERIC_WRITE        = 0x40000000;
	const int SEC_GENERIC_READ         = 0x80000000;

	/* flag bits */
	const int SEC_FLAG_SYSTEM_SECURITY = 0x01000000;
	const int SEC_FLAG_MAXIMUM_ALLOWED = 0x02000000;

	/* standard bits */
	const int SEC_STD_DELETE           = 0x00010000;
	const int SEC_STD_READ_CONTROL     = 0x00020000;
	const int SEC_STD_WRITE_DAC        = 0x00040000;
	const int SEC_STD_WRITE_OWNER      = 0x00080000;
	const int SEC_STD_SYNCHRONIZE      = 0x00100000;
	/* DELETE | READ_CONTROL | WRITE_DAC | WRITE_OWNER */
	const int SEC_STD_REQUIRED         = 0x000F0000;
	/* SEC_STD_REQUIRED | SEC_STD_SYNCHRONIZE */
	const int SEC_STD_ALL              = 0x001F0000;

	/* file specific bits */
	const int SEC_FILE_READ_DATA       = 0x00000001;
	const int SEC_FILE_WRITE_DATA      = 0x00000002;
	const int SEC_FILE_APPEND_DATA     = 0x00000004;
	const int SEC_FILE_READ_EA         = 0x00000008;
	const int SEC_FILE_WRITE_EA        = 0x00000010;
	const int SEC_FILE_EXECUTE         = 0x00000020;
	const int SEC_FILE_READ_ATTRIBUTE  = 0x00000080;
	const int SEC_FILE_WRITE_ATTRIBUTE = 0x00000100;
	/* all nine low bits, including 0x40 which has no SEC_FILE_ name here
	 * (it is SEC_DIR_DELETE_CHILD in the directory set below) */
	const int SEC_FILE_ALL             = 0x000001ff;

	/* directory specific bits */
	const int SEC_DIR_LIST             = 0x00000001;
	const int SEC_DIR_ADD_FILE         = 0x00000002;
	const int SEC_DIR_ADD_SUBDIR       = 0x00000004;
	const int SEC_DIR_READ_EA          = 0x00000008;
	const int SEC_DIR_WRITE_EA         = 0x00000010;
	const int SEC_DIR_TRAVERSE         = 0x00000020;
	const int SEC_DIR_DELETE_CHILD     = 0x00000040;
	const int SEC_DIR_READ_ATTRIBUTE   = 0x00000080;
	const int SEC_DIR_WRITE_ATTRIBUTE  = 0x00000100;

	/* registry entry specific bits */
	const int SEC_REG_QUERY_VALUE      = 0x00000001;
	const int SEC_REG_SET_VALUE        = 0x00000002;
	const int SEC_REG_CREATE_SUBKEY    = 0x00000004;
	const int SEC_REG_ENUM_SUBKEYS     = 0x00000008;
	const int SEC_REG_NOTIFY           = 0x00000010;
	const int SEC_REG_CREATE_LINK      = 0x00000020;

	/* ldap specific access bits */
	const int SEC_ADS_CREATE_CHILD     = 0x00000001;
	const int SEC_ADS_DELETE_CHILD     = 0x00000002;
	const int SEC_ADS_LIST             = 0x00000004;
	const int SEC_ADS_SELF_WRITE       = 0x00000008;
	const int SEC_ADS_READ_PROP        = 0x00000010;
	const int SEC_ADS_WRITE_PROP       = 0x00000020;
	const int SEC_ADS_DELETE_TREE      = 0x00000040;
	const int SEC_ADS_LIST_OBJECT      = 0x00000080;
	const int SEC_ADS_CONTROL_ACCESS   = 0x00000100;

	/* invalid bits: the flag, standard and specific positions that no
	 * constant above assigns a meaning to */
	const int SEC_MASK_INVALID         = 0x0ce0fe00;

	/* generic->specific mappings for files */
	const int SEC_RIGHTS_FILE_READ    = SEC_STD_READ_CONTROL |
					    SEC_STD_SYNCHRONIZE |
					    SEC_FILE_READ_DATA |
					    SEC_FILE_READ_ATTRIBUTE |
					    SEC_FILE_READ_EA;

	const int SEC_RIGHTS_FILE_WRITE   = SEC_STD_READ_CONTROL |
					    SEC_STD_SYNCHRONIZE |
					    SEC_FILE_WRITE_DATA |
					    SEC_FILE_WRITE_ATTRIBUTE |
					    SEC_FILE_WRITE_EA |
					    SEC_FILE_APPEND_DATA;

	const int SEC_RIGHTS_FILE_EXECUTE = SEC_STD_SYNCHRONIZE |
					    SEC_STD_READ_CONTROL |
					    SEC_FILE_READ_ATTRIBUTE |
					    SEC_FILE_EXECUTE;

	const int SEC_RIGHTS_FILE_ALL     = SEC_STD_ALL | SEC_FILE_ALL;

	/* generic->specific mappings for directories (same as files) */
	const int SEC_RIGHTS_DIR_READ     = SEC_RIGHTS_FILE_READ;
	const int SEC_RIGHTS_DIR_WRITE    = SEC_RIGHTS_FILE_WRITE;
	const int SEC_RIGHTS_DIR_EXECUTE  = SEC_RIGHTS_FILE_EXECUTE;
	const int SEC_RIGHTS_DIR_ALL      = SEC_RIGHTS_FILE_ALL;

	/* rights granted by some specific privileges; note that both include
	 * SEC_FLAG_SYSTEM_SECURITY, i.e. SACL access, beyond plain file rights */
	const int SEC_RIGHTS_PRIV_BACKUP  = SEC_STD_READ_CONTROL |
					    SEC_FLAG_SYSTEM_SECURITY |
					    SEC_RIGHTS_FILE_READ |
					    SEC_DIR_TRAVERSE;

	const int SEC_RIGHTS_PRIV_RESTORE = SEC_STD_WRITE_DAC |
					    SEC_STD_WRITE_OWNER |
					    SEC_FLAG_SYSTEM_SECURITY |
					    SEC_RIGHTS_FILE_WRITE |
					    SEC_DIR_ADD_FILE |
					    SEC_DIR_ADD_SUBDIR |
					    SEC_STD_DELETE;

	/* combinations of standard masks. */
	const int STANDARD_RIGHTS_ALL_ACCESS		= SEC_STD_ALL; /* 0x001f0000 */
	const int STANDARD_RIGHTS_MODIFY_ACCESS		= SEC_STD_READ_CONTROL; /* 0x00020000 */
	const int STANDARD_RIGHTS_EXECUTE_ACCESS	= SEC_STD_READ_CONTROL; /* 0x00020000 */
	const int STANDARD_RIGHTS_READ_ACCESS		= SEC_STD_READ_CONTROL; /* 0x00020000 */
	const int STANDARD_RIGHTS_WRITE_ACCESS =
		(SEC_STD_WRITE_OWNER		|
		 SEC_STD_WRITE_DAC		|
		 SEC_STD_DELETE); /* 0x000d0000 */
	const int STANDARD_RIGHTS_REQUIRED_ACCESS =
		(SEC_STD_DELETE			|
		 SEC_STD_READ_CONTROL		|
		 SEC_STD_WRITE_DAC		|
		 SEC_STD_WRITE_OWNER); /* 0x000f0000 */

	/* generic->specific mappings for Directory Service objects */
	/* directory specific part of GENERIC_ALL */
	const int SEC_ADS_GENERIC_ALL_DS =
		(SEC_STD_DELETE			|
		 SEC_STD_WRITE_DAC		|
		 SEC_STD_WRITE_OWNER		|
		 SEC_ADS_CREATE_CHILD		|
		 SEC_ADS_DELETE_CHILD		|
		 SEC_ADS_DELETE_TREE		|
		 SEC_ADS_CONTROL_ACCESS);
	const int SEC_ADS_GENERIC_EXECUTE = SEC_STD_READ_CONTROL | SEC_ADS_LIST;
	const int SEC_ADS_GENERIC_WRITE =
		(SEC_STD_READ_CONTROL		|
		 SEC_ADS_SELF_WRITE		|
		 SEC_ADS_WRITE_PROP);
	const int SEC_ADS_GENERIC_READ =
		(SEC_STD_READ_CONTROL		|
		 SEC_ADS_LIST			|
		 SEC_ADS_READ_PROP		|
		 SEC_ADS_LIST_OBJECT);
	const int SEC_ADS_GENERIC_ALL =
		(SEC_ADS_GENERIC_EXECUTE	|
		 SEC_ADS_GENERIC_WRITE		|
		 SEC_ADS_GENERIC_READ		|
		 SEC_ADS_GENERIC_ALL_DS);

	/***************************************************************/
	/* WELL KNOWN SIDS (string form, "S-1-<authority>-<subauths>") */

	/* a NULL sid */
	const string SID_NULL                      = "S-1-0-0";

	/* the world domain */
	const string NAME_WORLD                    = "WORLD";

	const string SID_WORLD_DOMAIN              = "S-1-1";
	const string SID_WORLD                     = "S-1-1-0";

	/* SECURITY_CREATOR_SID_AUTHORITY */
	const string SID_CREATOR_OWNER_DOMAIN      = "S-1-3";
	const string SID_CREATOR_OWNER             = "S-1-3-0";
	const string SID_CREATOR_GROUP             = "S-1-3-1";
	const string SID_OWNER_RIGHTS              = "S-1-3-4";

	/* SECURITY_NT_AUTHORITY */
	const string NAME_NT_AUTHORITY             = "NT AUTHORITY";

	const string SID_NT_AUTHORITY              = "S-1-5";
	const string SID_NT_DIALUP                 = "S-1-5-1";
	const string SID_NT_NETWORK                = "S-1-5-2";
	const string SID_NT_BATCH                  = "S-1-5-3";
	const string SID_NT_INTERACTIVE            = "S-1-5-4";
	const string SID_NT_SERVICE                = "S-1-5-6";
	const string SID_NT_ANONYMOUS              = "S-1-5-7";
	const string SID_NT_PROXY                  = "S-1-5-8";
	const string SID_NT_ENTERPRISE_DCS         = "S-1-5-9";
	const string SID_NT_SELF                   = "S-1-5-10";
	const string SID_NT_AUTHENTICATED_USERS    = "S-1-5-11";
	const string SID_NT_RESTRICTED             = "S-1-5-12";
	const string SID_NT_TERMINAL_SERVER_USERS  = "S-1-5-13";
	const string SID_NT_REMOTE_INTERACTIVE     = "S-1-5-14";
	const string SID_NT_THIS_ORGANISATION      = "S-1-5-15";
	const string SID_NT_IUSR                   = "S-1-5-17";
	const string SID_NT_SYSTEM                 = "S-1-5-18";
	const string SID_NT_LOCAL_SERVICE          = "S-1-5-19";
	const string SID_NT_NETWORK_SERVICE        = "S-1-5-20";
	/* S-1-5-64-* identify the authentication package a token was built by */
	const string SID_NT_DIGEST_AUTHENTICATION  = "S-1-5-64-21";
	const string SID_NT_NTLM_AUTHENTICATION    = "S-1-5-64-10";
	const string SID_NT_SCHANNEL_AUTHENTICATION = "S-1-5-64-14";
	const string SID_NT_OTHER_ORGANISATION     = "S-1-5-1000";

	/* SECURITY_BUILTIN_DOMAIN_RID */
	const string NAME_BUILTIN                  = "BUILTIN";

	const string SID_BUILTIN                   = "S-1-5-32";
	const string SID_BUILTIN_ADMINISTRATORS    = "S-1-5-32-544";
	const string SID_BUILTIN_USERS             = "S-1-5-32-545";
	const string SID_BUILTIN_GUESTS            = "S-1-5-32-546";
	const string SID_BUILTIN_POWER_USERS       = "S-1-5-32-547";
	const string SID_BUILTIN_ACCOUNT_OPERATORS = "S-1-5-32-548";
	const string SID_BUILTIN_SERVER_OPERATORS  = "S-1-5-32-549";
	const string SID_BUILTIN_PRINT_OPERATORS   = "S-1-5-32-550";
	const string SID_BUILTIN_BACKUP_OPERATORS  = "S-1-5-32-551";
	const string SID_BUILTIN_REPLICATOR        = "S-1-5-32-552";
	const string SID_BUILTIN_RAS_SERVERS       = "S-1-5-32-553";
	const string SID_BUILTIN_PREW2K            = "S-1-5-32-554";
	const string SID_BUILTIN_REMOTE_DESKTOP_USERS = "S-1-5-32-555";
	const string SID_BUILTIN_NETWORK_CONF_OPERATORS = "S-1-5-32-556";
	const string SID_BUILTIN_INCOMING_FOREST_TRUST = "S-1-5-32-557";
	const string SID_BUILTIN_PERFMON_USERS     = "S-1-5-32-558";
	const string SID_BUILTIN_PERFLOG_USERS     = "S-1-5-32-559";
	const string SID_BUILTIN_AUTH_ACCESS       = "S-1-5-32-560";
	const string SID_BUILTIN_TS_LICENSE_SERVERS = "S-1-5-32-561";
	const string SID_BUILTIN_DISTRIBUTED_COM_USERS = "S-1-5-32-562";
	const string SID_BUILTIN_CRYPTO_OPERATORS  = "S-1-5-32-569";
	const string SID_BUILTIN_EVENT_LOG_READERS = "S-1-5-32-573";
	const string SID_BUILTIN_CERT_SERV_DCOM_ACCESS = "S-1-5-32-574";

	/* SECURITY_NT_SERVICE */
	const string NAME_NT_SERVICE               = "NT SERVICE";

	const string SID_NT_NT_SERVICE             = "S-1-5-80";
	const string SID_NT_TRUSTED_INSTALLER =
		"S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464";

	/* S-1-18-* asserted-identity SIDs */
	const string SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY = "S-1-18-1";
	const string SID_SERVICE_ASSERTED_IDENTITY = "S-1-18-2";

	/* well-known domain RIDs (the last sub-authority of a domain SID) */
	const int DOMAIN_RID_LOGON                   = 9;
	const int DOMAIN_RID_ENTERPRISE_READONLY_DCS = 498;
	const int DOMAIN_RID_ADMINISTRATOR           = 500;
	const int DOMAIN_RID_GUEST                   = 501;
	const int DOMAIN_RID_KRBTGT                  = 502;
	const int DOMAIN_RID_ADMINS                  = 512;
	const int DOMAIN_RID_USERS                   = 513;
	const int DOMAIN_RID_GUESTS                  = 514;
	const int DOMAIN_RID_DOMAIN_MEMBERS          = 515;
	const int DOMAIN_RID_DCS                     = 516;
	const int DOMAIN_RID_CERT_ADMINS             = 517;
	const int DOMAIN_RID_SCHEMA_ADMINS           = 518;
	const int DOMAIN_RID_ENTERPRISE_ADMINS       = 519;
	const int DOMAIN_RID_POLICY_ADMINS           = 520;
	const int DOMAIN_RID_READONLY_DCS            = 521;
	const int DOMAIN_RID_RAS_SERVERS             = 553;
	const int DOMAIN_RID_RODC_ALLOW              = 571;
	const int DOMAIN_RID_RODC_DENY               = 572;

	/* well-known builtin RIDs (match the SID_BUILTIN_* strings above) */
	const int BUILTIN_RID_ADMINISTRATORS         = 544;
	const int BUILTIN_RID_USERS                  = 545;
	const int BUILTIN_RID_GUESTS                 = 546;
	const int BUILTIN_RID_POWER_USERS            = 547;
	const int BUILTIN_RID_ACCOUNT_OPERATORS      = 548;
	const int BUILTIN_RID_SERVER_OPERATORS       = 549;
	const int BUILTIN_RID_PRINT_OPERATORS        = 550;
	const int BUILTIN_RID_BACKUP_OPERATORS       = 551;
	const int BUILTIN_RID_REPLICATOR             = 552;
	const int BUILTIN_RID_RAS_SERVERS            = 553;
	const int BUILTIN_RID_PRE_2K_ACCESS          = 554;
	const int BUILTIN_RID_REMOTE_DESKTOP_USERS   = 555;
	const int BUILTIN_RID_NETWORK_CONF_OPERATORS = 556;
	const int BUILTIN_RID_INCOMING_FOREST_TRUST  = 557;
	const int BUILTIN_RID_PERFMON_USERS          = 558;
	const int BUILTIN_RID_PERFLOG_USERS          = 559;
	const int BUILTIN_RID_AUTH_ACCESS            = 560;
	const int BUILTIN_RID_TS_LICENSE_SERVERS     = 561;
	const int BUILTIN_RID_DISTRIBUTED_COM_USERS  = 562;
	const int BUILTIN_RID_CRYPTO_OPERATORS       = 569;
	const int BUILTIN_RID_EVENT_LOG_READERS      = 573;
	const int BUILTIN_RID_CERT_SERV_DCOM_ACCESS  = 574;

/********************************************************************
 This is a list of privileges reported by a Windows 2008 R2 DC
 just for reference purposes (and I know the LUID is not guaranteed
 across reboots):

0x00000002 SeCreateTokenPrivilege "Create a token object"
0x00000003 SeAssignPrimaryTokenPrivilege "Replace a process level token"
0x00000004 SeLockMemoryPrivilege "Lock pages in memory"
0x00000005 SeIncreaseQuotaPrivilege "Adjust memory quotas for a process"
0x00000006 SeMachineAccountPrivilege "Add workstations to domain"
0x00000007 SeTcbPrivilege "Act as part of the operating system"
0x00000008 SeSecurityPrivilege "Manage auditing and security log"
0x00000009 SeTakeOwnershipPrivilege "Take ownership of files or other objects"
0x0000000a SeLoadDriverPrivilege "Load and unload device drivers"
0x0000000b SeSystemProfilePrivilege "Profile system performance"
0x0000000c SeSystemtimePrivilege "Change the system time"
0x0000000d SeProfileSingleProcessPrivilege "Profile single process"
0x0000000e SeIncreaseBasePriorityPrivilege "Increase scheduling priority"
0x0000000f SeCreatePagefilePrivilege "Create a pagefile"
0x00000010 SeCreatePermanentPrivilege "Create permanent shared objects"
0x00000011 SeBackupPrivilege "Back up files and directories"
0x00000012 SeRestorePrivilege "Restore files and directories"
0x00000013 SeShutdownPrivilege "Shut down the system"
0x00000014 SeDebugPrivilege "Debug programs"
0x00000015 SeAuditPrivilege "Generate security audits"
0x00000016 SeSystemEnvironmentPrivilege "Modify firmware environment values"
0x00000017 SeChangeNotifyPrivilege "Bypass traverse checking"
0x00000018 SeRemoteShutdownPrivilege "Force shutdown from a remote system"
0x00000019 SeUndockPrivilege "Remove computer from docking station"
0x0000001a SeSyncAgentPrivilege "Synchronize directory service data"
0x0000001b SeEnableDelegationPrivilege "Enable computer and user accounts to be trusted for delegation"
0x0000001c SeManageVolumePrivilege "Perform volume maintenance tasks"
0x0000001d SeImpersonatePrivilege "Impersonate a client after authentication"
0x0000001e SeCreateGlobalPrivilege "Create global objects"
0x0000001f SeTrustedCredManAccessPrivilege "Access Credential Manager as a trusted caller"
0x00000020 SeRelabelPrivilege "Modify an object label"
0x00000021 SeIncreaseWorkingSetPrivilege "Increase a process working set"
0x00000022 SeTimeZonePrivilege "Change the time zone"
0x00000023 SeCreateSymbolicLinkPrivilege "Create symbolic links"

 ********************************************************************/

	/* LUID values for privileges known about by Samba (bottom 32 bits of enum, top bits are 0) */

	/* we have to define the LUID here due to a horrible check by printmig.exe
	   that requires the SeBackupPrivilege match what is in Windows.  So match
	   those that we implement and start Samba privileges at 0x1001 */

	/* Values below 0x1000 are the low words of the Windows LUIDs listed
	 * above; Samba-only privileges start at 0x1001 so they can never
	 * collide with a Windows-defined one. */
	typedef enum {
		SEC_PRIV_INVALID = 0x0,
		SEC_PRIV_INCREASE_QUOTA = 0x5,
		SEC_PRIV_MACHINE_ACCOUNT = 0x6,
		SEC_PRIV_SECURITY = 0x8,
		SEC_PRIV_TAKE_OWNERSHIP = 0x09,
		SEC_PRIV_LOAD_DRIVER = 0x0a,
		SEC_PRIV_SYSTEM_PROFILE = 0x0b,
		SEC_PRIV_SYSTEMTIME = 0x0c,
		SEC_PRIV_PROFILE_SINGLE_PROCESS = 0x0d,
		SEC_PRIV_INCREASE_BASE_PRIORITY = 0x0e,
		SEC_PRIV_CREATE_PAGEFILE = 0x0f,
		SEC_PRIV_BACKUP = 0x11,
		SEC_PRIV_RESTORE = 0x12,
		SEC_PRIV_SHUTDOWN = 0x13,
		SEC_PRIV_DEBUG = 0x14,
		SEC_PRIV_SYSTEM_ENVIRONMENT = 0x16,
		SEC_PRIV_CHANGE_NOTIFY = 0x17,
		SEC_PRIV_REMOTE_SHUTDOWN = 0x18,
		SEC_PRIV_UNDOCK = 0x19,
		SEC_PRIV_ENABLE_DELEGATION = 0x1b,
		SEC_PRIV_MANAGE_VOLUME = 0x1c,
		SEC_PRIV_IMPERSONATE = 0x1d,
		SEC_PRIV_CREATE_GLOBAL = 0x1e,
		/* Samba-specific privs */
		SEC_PRIV_PRINT_OPERATOR = 0x1001,
		SEC_PRIV_ADD_USERS = 0x1002,
		SEC_PRIV_DISK_OPERATOR = 0x1003
	} sec_privilege;


	/* Bitmap of privilege values for internal use only.  We need
	 * our own bitmap here as privileges.tdb records these values
	 * as a bitmap (privileges.ldb uses the string forms).
	 *
	 * These bit positions are Samba's own on-disk encoding, not the
	 * LUIDs above; the ordering of the first group is historical
	 * (see the "merge to common code" marker) and must not be
	 * renumbered without migrating stored records.
	 */
	typedef [bitmap64bit] bitmap {
		SEC_PRIV_MACHINE_ACCOUNT_BIT         = 0x00000010,

		/* Samba-specific privs */
		SEC_PRIV_PRINT_OPERATOR_BIT          = 0x00000020,
		SEC_PRIV_ADD_USERS_BIT               = 0x00000040,
		SEC_PRIV_DISK_OPERATOR_BIT           = 0x00000080,

		SEC_PRIV_REMOTE_SHUTDOWN_BIT         = 0x00000100,
		SEC_PRIV_BACKUP_BIT                  = 0x00000200,
		SEC_PRIV_RESTORE_BIT                 = 0x00000400,
		SEC_PRIV_TAKE_OWNERSHIP_BIT          = 0x00000800,
		/* End of privileges implemented before merge to common code */

		SEC_PRIV_INCREASE_QUOTA_BIT          = 0x00001000,
		SEC_PRIV_SECURITY_BIT                = 0x00002000,
		SEC_PRIV_LOAD_DRIVER_BIT             = 0x00004000,
		SEC_PRIV_SYSTEM_PROFILE_BIT          = 0x00008000,
		SEC_PRIV_SYSTEMTIME_BIT              = 0x00010000,
		SEC_PRIV_PROFILE_SINGLE_PROCESS_BIT  = 0x00020000,
		SEC_PRIV_INCREASE_BASE_PRIORITY_BIT  = 0x00040000,
		SEC_PRIV_CREATE_PAGEFILE_BIT         = 0x00080000,
		SEC_PRIV_SHUTDOWN_BIT                = 0x00100000,
		SEC_PRIV_DEBUG_BIT                   = 0x00200000,
		SEC_PRIV_SYSTEM_ENVIRONMENT_BIT      = 0x00400000,
		SEC_PRIV_CHANGE_NOTIFY_BIT           = 0x00800000,
		SEC_PRIV_UNDOCK_BIT                  = 0x01000000,
		SEC_PRIV_ENABLE_DELEGATION_BIT       = 0x02000000,
		SEC_PRIV_MANAGE_VOLUME_BIT           = 0x04000000,
		SEC_PRIV_IMPERSONATE_BIT             = 0x08000000,
		SEC_PRIV_CREATE_GLOBAL_BIT           = 0x10000000
	} se_privilege;

	/* Logon-type rights ("system access" in LSA terms); definition of
	 * the bitmap forward-declared at the top of the interface */
	typedef [bitmap32bit] bitmap {
		LSA_POLICY_MODE_INTERACTIVE             = 0x00000001,
		LSA_POLICY_MODE_NETWORK                 = 0x00000002,
		LSA_POLICY_MODE_BATCH                   = 0x00000004,
		LSA_POLICY_MODE_SERVICE                 = 0x00000010,
		LSA_POLICY_MODE_PROXY                   = 0x00000020,
		LSA_POLICY_MODE_DENY_INTERACTIVE        = 0x00000040,
		LSA_POLICY_MODE_DENY_NETWORK            = 0x00000080,
		LSA_POLICY_MODE_DENY_BATCH              = 0x00000100,
		LSA_POLICY_MODE_DENY_SERVICE            = 0x00000200,
		LSA_POLICY_MODE_REMOTE_INTERACTIVE      = 0x00000400,
		LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE = 0x00000800,
		/* every LSA_POLICY_MODE_* bit above */
		LSA_POLICY_MODE_ALL                     = 0x00000FF7,
		/* INTERACTIVE | NETWORK | BATCH | SERVICE | PROXY */
		LSA_POLICY_MODE_ALL_NT4                 = 0x00000037
	} lsa_SystemAccessModeFlags;

	/* ACE header flags (one byte on the wire) */
	typedef [public,bitmap8bit] bitmap {
		SEC_ACE_FLAG_OBJECT_INHERIT		= 0x01,
		SEC_ACE_FLAG_CONTAINER_INHERIT		= 0x02,
		SEC_ACE_FLAG_NO_PROPAGATE_INHERIT	= 0x04,
		SEC_ACE_FLAG_INHERIT_ONLY		= 0x08,
		SEC_ACE_FLAG_INHERITED_ACE		= 0x10,
		/* OBJECT_INHERIT | CONTAINER_INHERIT | NO_PROPAGATE_INHERIT | INHERIT_ONLY */
		SEC_ACE_FLAG_VALID_INHERIT		= 0x0f,
		/* audit-only flags (SACL entries) */
		SEC_ACE_FLAG_SUCCESSFUL_ACCESS		= 0x40,
		SEC_ACE_FLAG_FAILED_ACCESS		= 0x80
	} security_ace_flags;

	/* ACE type (one byte on the wire); types 5..8 carry the extra
	 * security_ace_object payload, see security_ace_object_ctr */
	typedef [public,enum8bit] enum {
		SEC_ACE_TYPE_ACCESS_ALLOWED		= 0,
		SEC_ACE_TYPE_ACCESS_DENIED		= 1,
		SEC_ACE_TYPE_SYSTEM_AUDIT		= 2,
		SEC_ACE_TYPE_SYSTEM_ALARM		= 3,
		SEC_ACE_TYPE_ALLOWED_COMPOUND		= 4,
		SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT	= 5,
		SEC_ACE_TYPE_ACCESS_DENIED_OBJECT	= 6,
		SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT	= 7,
		SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT	= 8
	} security_ace_type;

	/* which of the two optional GUIDs of an object ACE are present */
	typedef [bitmap32bit] bitmap {
		SEC_ACE_OBJECT_TYPE_PRESENT		= 0x00000001,
		SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT	= 0x00000002
	} security_ace_object_flags;

	typedef [nodiscriminant] union {
		/* this is the 'schemaIDGUID' attribute of the attribute object in the schema naming context */
		[case(SEC_ACE_OBJECT_TYPE_PRESENT)] GUID type;
		[default];
	} security_ace_object_type;

	typedef [nodiscriminant] union {
		/* this is the 'schemaIDGUID' attribute of the objectclass object in the schema naming context
		 * (of the parent container)
		 */
		[case(SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)] GUID inherited_type;
		[default];
	} security_ace_object_inherited_type;

	/* object-ACE payload; each GUID is only marshalled when its flag
	 * bit is set (the switch_is expressions mask the flag) */
	typedef struct {
		security_ace_object_flags flags;
		[switch_is(flags & SEC_ACE_OBJECT_TYPE_PRESENT)] security_ace_object_type type;
		[switch_is(flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)] security_ace_object_inherited_type inherited_type;
	} security_ace_object;

	/* selected by security_ace.type; non-object ACE types carry nothing */
	typedef [public,nodiscriminant] union {
		[case(SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT)] security_ace_object object;
		[case(SEC_ACE_TYPE_ACCESS_DENIED_OBJECT)] security_ace_object object;
		[case(SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT)] security_ace_object object;
		[case(SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT)] security_ace_object object;
		[default];
	} security_ace_object_ctr;

	/*
	 * One access control entry. size is not caller-supplied: on push it
	 * is filled from ndr_size_security_ace(), so the encoded length
	 * always matches the body. The NDR pull is suppressed (nopull) and
	 * provided outside this file.
	 */
	typedef [public,nopull,gensize,nosize] struct {
		security_ace_type type;  /* SEC_ACE_TYPE_* */
		security_ace_flags flags; /* SEC_ACE_FLAG_* */
		[value(ndr_size_security_ace(r,ndr->flags))] uint16 size;
		uint32 access_mask;
		[switch_is(type)] security_ace_object_ctr object;
		dom_sid trustee;
	} security_ace;

	typedef enum {
		SECURITY_ACL_REVISION_NT4	= 2,
		SECURITY_ACL_REVISION_ADS	= 4
	} security_acl_revision;

	const uint NT4_ACL_REVISION	= SECURITY_ACL_REVISION_NT4;

	/*
	 * An ACL. The [range(0,2000)] on num_aces caps how many ACEs a
	 * peer can make the NDR pull allocate and walk; size, like the ACE
	 * size, is computed on push rather than trusted from the caller.
	 */
	typedef [public,gensize,nosize] struct {
		security_acl_revision revision;
		[value(ndr_size_security_acl(r,ndr->flags))] uint16 size;
		[range(0,2000)] uint32 num_aces;
		security_ace aces[num_aces];
	} security_acl;

	/* default revision for new ACLs */
	typedef [public,enum8bit] enum {
		SECURITY_DESCRIPTOR_REVISION_1 = 1
	} security_descriptor_revision;

	const int SD_REVISION = SECURITY_DESCRIPTOR_REVISION_1;

	/* security_descriptor->type bits */
	typedef [public,bitmap16bit] bitmap {
		SEC_DESC_OWNER_DEFAULTED	= 0x0001,
		SEC_DESC_GROUP_DEFAULTED	= 0x0002,
		SEC_DESC_DACL_PRESENT		= 0x0004,
		SEC_DESC_DACL_DEFAULTED		= 0x0008,
		SEC_DESC_SACL_PRESENT		= 0x0010,
		SEC_DESC_SACL_DEFAULTED		= 0x0020,
		SEC_DESC_DACL_TRUSTED		= 0x0040,
		SEC_DESC_SERVER_SECURITY	= 0x0080,
		SEC_DESC_DACL_AUTO_INHERIT_REQ	= 0x0100,
		SEC_DESC_SACL_AUTO_INHERIT_REQ	= 0x0200,
		SEC_DESC_DACL_AUTO_INHERITED	= 0x0400,
		SEC_DESC_SACL_AUTO_INHERITED	= 0x0800,
		SEC_DESC_DACL_PROTECTED		= 0x1000,
		SEC_DESC_SACL_PROTECTED		= 0x2000,
		SEC_DESC_RM_CONTROL_VALID	= 0x4000,
		SEC_DESC_SELF_RELATIVE		= 0x8000
	} security_descriptor_type;

	/*
	 * Self-relative security descriptor. The four [relative] pointers
	 * are encoded as offsets from the start of the descriptor (a NULL
	 * pointer is a zero offset), and flag(NDR_LITTLE_ENDIAN) fixes the
	 * byte order independently of the transport's data representation.
	 * Note that a NULL dacl and an empty dacl are different things to
	 * an access check; callers should consult type's *_PRESENT bits
	 * together with the pointers.
	 */
	typedef [gensize,nosize,public,flag(NDR_LITTLE_ENDIAN)] struct {
		security_descriptor_revision revision;
		security_descriptor_type type;     /* SEC_DESC_xxxx flags */
		[relative] dom_sid *owner_sid;
		[relative] dom_sid *group_sid;
		[relative] security_acl *sacl; /* system ACL */
		[relative] security_acl *dacl; /* user (discretionary) ACL */
	} security_descriptor;

	/* presumably a dummy call so ndrdump can decode the type; not a real RPC */
	[nopython] void decode_security_descriptor (
		[in] security_descriptor sd
		);

	/*
	 * A length-prefixed security descriptor as carried in SMB/RPC
	 * buffers: sd is marshalled inside a subcontext with a 4-byte length
	 * header, and sd_size is computed on push and bounded to 0x40000
	 * (256 KiB) on pull.
	 */
	typedef [public] struct {
		[range(0,0x40000),value(ndr_size_security_descriptor(sd,ndr->flags))] uint32 sd_size;
		[subcontext(4)] security_descriptor *sd;
	} sec_desc_buf;

	/* presumably a dummy call so ndrdump can decode the type; not a real RPC */
	[nopython] void decode_sec_desc_buf (
		[in] sec_desc_buf sd_buf
		);

	/* This is not yet sent over the network, but is simply defined in IDL.
	 * The token an access check is evaluated against: the user's SIDs
	 * (conformant array sized by num_sids) plus the privilege and
	 * logon-right bitmaps. */
	typedef [public] struct {
		uint32 num_sids;
		[size_is(num_sids)] dom_sid sids[*];
		se_privilege privilege_mask;
		lsa_SystemAccessModeFlags rights_mask;
	} security_token;

	/* presumably a dummy call so ndrdump can decode the type; not a real RPC */
	[nopython] void decode_security_token (
		[in] security_token token
		);

	/* This is not yet sent over the network, but is simply defined in IDL.
	 * uid_t/gid_t are assumed to come from the imported misc.idl -- confirm. */
	typedef [public] struct {
		uid_t uid;
		gid_t gid;
		uint32 ngroups;
		[size_is(ngroups)] gid_t groups[*];
	} security_unix_token;

	/* presumably a dummy call so ndrdump can decode the type; not a real RPC */
	[nopython] void decode_security_unix_token (
		[in] security_unix_token unix_token
		);

	/* bits that determine which parts of a security descriptor
	   are being queried/set */
	typedef [public,bitmap32bit] bitmap {
		SECINFO_OWNER                = 0x00000001,
		SECINFO_GROUP                = 0x00000002,
		SECINFO_DACL                 = 0x00000004,
		SECINFO_SACL                 = 0x00000008,
		SECINFO_LABEL                = 0x00000010,
		SECINFO_ATTRIBUTE            = 0x00000020,
		SECINFO_SCOPE                = 0x00000040,
		SECINFO_BACKUP               = 0x00010000,
		SECINFO_UNPROTECTED_SACL     = 0x10000000,
		SECINFO_UNPROTECTED_DACL     = 0x20000000,
		SECINFO_PROTECTED_SACL       = 0x40000000,
		SECINFO_PROTECTED_DACL       = 0x80000000
	} security_secinfo;

	/*
	 * a SMB server should only support the following flags
	 * and ignore all others.
	 *
	 * See AdditionalInformation in [MS-SMB2] 2.2.37 SMB2 QUERY_INFO Request
	 * and 2.2.39 SMB2 SET_INFO Request.
	 *
	 * (the trailing "| 0" just lets every real entry end with "|")
	 */
	const int SMB_SUPPORTED_SECINFO_FLAGS = (
		SECINFO_OWNER |
		SECINFO_GROUP |
		SECINFO_DACL |
		SECINFO_SACL |
		SECINFO_LABEL |
		SECINFO_ATTRIBUTE |
		SECINFO_SCOPE |
		SECINFO_BACKUP |
		0);

	/*
	 * See [MS-KILE] 2.2.5 LSAP_TOKEN_INFO_INTEGRITY
	 * (flag(NDR_PAHEX) prints MachineId as hex in ndr_print output)
	 */
	typedef [public,gensize,flag(NDR_PAHEX)] struct {
		uint32 Flags;
		uint32 TokenIL;
		uint8 MachineId[32];
	} LSAP_TOKEN_INFO_INTEGRITY;

	/*
	 * See [MS-KILE] 2.2.6 Supported Encryption Types Bit Flags
	 *
	 * NOTE(review): the two DES types are deprecated by RFC 6649 and
	 * RC4-HMAC by RFC 8429; code that advertises or accepts these bits
	 * should treat them as legacy-only.
	 */
	typedef [public,bitmap32bit] bitmap {
		KERB_ENCTYPE_DES_CBC_CRC             = 0x00000001,
		KERB_ENCTYPE_DES_CBC_MD5             = 0x00000002,
		KERB_ENCTYPE_RC4_HMAC_MD5            = 0x00000004,
		KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 0x00000008,
		KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010,
		KERB_ENCTYPE_FAST_SUPPORTED          = 0x00010000,
		KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED = 0x00020000,
		KERB_ENCTYPE_CLAIMS_SUPPORTED        = 0x00040000,
		KERB_ENCTYPE_RESOURCE_SID_COMPRESSION_DISABLED = 0x00080000
	} kerb_EncTypes;

	/* control flags for ACL inheritance when creating a child descriptor */
	typedef [public,bitmap32bit] bitmap {
		SEC_DACL_AUTO_INHERIT   = 0x00000001,
		SEC_SACL_AUTO_INHERIT   = 0x00000002,
		SEC_DEFAULT_DESCRIPTOR  = 0x00000004,
		SEC_OWNER_FROM_PARENT   = 0x00000008,
		SEC_GROUP_FROM_PARENT   = 0x00000010
	} security_autoinherit;

	/***************************************************************/
	/* Extended right guids (the rightsGuid of controlAccessRight
	 * objects, matched against object ACEs' type GUID) */

	const string GUID_DRS_ALLOCATE_RIDS       = "1abd7cf8-0a99-11d1-adbb-00c04fd8d5cd";
	const string GUID_DRS_CHANGE_DOMAIN_MASTER = "014bf69c-7b3b-11d1-85f6-08002be74fab";
	const string GUID_DRS_CHANGE_INFR_MASTER  = "cc17b1fb-33d9-11d2-97d4-00c04fd8d5cd";
	const string GUID_DRS_CHANGE_PDC          = "bae50096-4752-11d1-9052-00c04fc2d4cf";
	const string GUID_DRS_CHANGE_RID_MASTER   = "d58d5f36-0a98-11d1-adbb-00c04fd8d5cd";
	const string GUID_DRS_CHANGE_SCHEMA_MASTER = "e12b56b6-0a95-11d1-adbb-00c04fd8d5cd";
	const string GUID_DRS_GET_CHANGES         = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2";
	const string GUID_DRS_REPL_SYNCRONIZE     = "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2";
	const string GUID_DRS_MANAGE_TOPOLOGY     = "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2";
	const string GUID_DRS_GET_ALL_CHANGES     = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2";
	const string GUID_DRS_RO_REPL_SECRET_SYNC = "1131f6ae-9c07-11d1-f79f-00c04fc2dcd2";
	const string GUID_DRS_GET_FILTERED_ATTRIBUTES = "89e95b76-444d-4c62-991a-0facbeda640c";
	const string GUID_DRS_MONITOR_TOPOLOGY    = "f98340fb-7c5b-4cdb-a00b-2ebdfa115a96";
	const string GUID_DRS_USER_CHANGE_PASSWORD = "ab721a53-1e2f-11d0-9819-00aa0040529b";
	const string GUID_DRS_FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529";
	const string GUID_DRS_UPDATE_PASSWORD_NOT_REQUIRED_BIT
						= "280f369c-67c7-438e-ae98-1d46f3c6f541";
	const string GUID_DRS_UNEXPIRE_PASSWORD   = "ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501";
	const string GUID_DRS_ENABLE_PER_USER_REVERSIBLY_ENCRYPTED_PASSWORD
						= "05c74c5e-4deb-43b4-bd9f-86664c2a7fd5";
	const string GUID_DRS_DS_INSTALL_REPLICA  = "9923a32a-3607-11d2-b9be-0000f87a36b2";
	const string GUID_DRS_REANIMATE_TOMBSTONE = "45ec5156-db7e-47bb-b53f-dbeb2d03c40f";


	/***************************************************************/
	/* validated writes guids */
	const string GUID_DRS_VALIDATE_SPN        = "f3a64788-5306-11d1-a9c5-0000f80367c1";
	const string GUID_DRS_SELF_MEMBERSHIP     = "bf9679c0-0de6-11d0-a285-00aa003049e2";
	const string GUID_DRS_DNS_HOST_NAME       = "72e39547-7b18-11d1-adef-00c04fd8d5cd";
	const string GUID_DRS_ADD_DNS_HOST_NAME   = "80863791-dbe9-4eb8-837e-7f0ab55d9ac7";
	const string GUID_DRS_BEHAVIOR_VERSION    = "d31a8757-2447-4545-8081-3bb610cacbf2";

	/* A type to describe the mapping of generic access rights to object
	   specific access rights: each member is the specific mask that the
	   corresponding SEC_GENERIC_* bit expands to for one object type. */

	typedef struct {
		uint32 generic_read;
		uint32 generic_write;
		uint32 generic_execute;
		uint32 generic_all;
	} generic_mapping;

	/* same idea for the SEC_STD_* standard rights */
	typedef struct {
		uint32 std_read;
		uint32 std_write;
		uint32 std_execute;
		uint32 std_all;
	} standard_mapping;
}