search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
CVE-2022-37966 param: Add support for new option "kdc default domain supportedenctypes"
[Samba.git] / librpc / idl / security.idl
blob3d2c8a33903aaaec4c1af23eaca9e7f334bafa88
1 #include "idl_types.h"
2
3 /*
4 security IDL structures
5 */
6
7 import "misc.idl";
8
9 /*
10 use the same structure for dom_sid2 as dom_sid. A dom_sid2 is really
11 just a dom sid, but with the sub_auths represented as a conformant
12 array. As with all in-structure conformant arrays, the array length
13 is placed before the start of the structure. That's what gives rise
14 to the extra num_auths elemenent. We don't want the Samba code to
15 have to bother with such esoteric NDR details, so its easier to just
16 define it as a dom_sid and use pidl magic to make it all work. It
17 just means you need to mark a sid as a "dom_sid2" in the IDL when you
18 know it is of the conformant array variety
19 */
20 cpp_quote("#define dom_sid2 dom_sid")
21
22 /* same struct as dom_sid but inside a 28 bytes fixed buffer in NDR */
23 cpp_quote("#define dom_sid28 dom_sid")
24
25 /* same struct as dom_sid but in a variable byte buffer, which is maybe empty in NDR */
26 cpp_quote("#define dom_sid0 dom_sid")
27
28 [
29 /*
30 * cbf7d408-2d6c-11e2-ae5b-0b5692790e18 just to make ndrdump happy
31 */
32 uuid("cbf7d408-2d6c-11e2-ae5b-0b5692790e18"),
33 version(0.0),
34 pyhelper("librpc/ndr/py_security.c"),
35 pointer_default(unique)
36 ]
37 interface security
38 {
39
40 typedef bitmap lsa_SystemAccessModeFlags lsa_SystemAccessModeFlags;
41
42 typedef [public,gensize,noprint,nosize,nopull,nopush] struct {
43 uint8 sid_rev_num; /**< SID revision number */
44 [range(0,15)] int8 num_auths; /**< Number of sub-authorities */
45 uint8 id_auth[6]; /**< Identifier Authority */
46 uint32 sub_auths[15];
47 } dom_sid;
48 /*
49 access masks are divided up like this:
50 0xabccdddd
51 where
52 a = generic rights bits SEC_GENERIC_
53 b = flags SEC_FLAG_
54 c = standard rights bits SEC_STD_
55 d = object type specific bits SEC_{FILE,DIR,REG,xxx}_
56
57 common combinations of bits are prefixed with SEC_RIGHTS_
58 */
59 const int SEC_MASK_GENERIC = 0xF0000000;
60 const int SEC_MASK_FLAGS = 0x0F000000;
61 const int SEC_MASK_STANDARD = 0x00FF0000;
62 const int SEC_MASK_SPECIFIC = 0x0000FFFF;
63
64 /* generic bits */
65 const int SEC_GENERIC_ALL = 0x10000000;
66 const int SEC_GENERIC_EXECUTE = 0x20000000;
67 const int SEC_GENERIC_WRITE = 0x40000000;
68 const int SEC_GENERIC_READ = 0x80000000;
69
70 /* flag bits */
71 const int SEC_FLAG_SYSTEM_SECURITY = 0x01000000;
72 const int SEC_FLAG_MAXIMUM_ALLOWED = 0x02000000;
73
74 /* standard bits */
75 const int SEC_STD_DELETE = 0x00010000;
76 const int SEC_STD_READ_CONTROL = 0x00020000;
77 const int SEC_STD_WRITE_DAC = 0x00040000;
78 const int SEC_STD_WRITE_OWNER = 0x00080000;
79 const int SEC_STD_SYNCHRONIZE = 0x00100000;
80 const int SEC_STD_REQUIRED = 0x000F0000;
81 const int SEC_STD_ALL = 0x001F0000;
82
83 /* file specific bits */
84 const int SEC_FILE_READ_DATA = 0x00000001;
85 const int SEC_FILE_WRITE_DATA = 0x00000002;
86 const int SEC_FILE_APPEND_DATA = 0x00000004;
87 const int SEC_FILE_READ_EA = 0x00000008;
88 const int SEC_FILE_WRITE_EA = 0x00000010;
89 const int SEC_FILE_EXECUTE = 0x00000020;
90 const int SEC_FILE_READ_ATTRIBUTE = 0x00000080;
91 const int SEC_FILE_WRITE_ATTRIBUTE = 0x00000100;
92 const int SEC_FILE_ALL = 0x000001ff;
93
94 /* directory specific bits */
95 const int SEC_DIR_LIST = 0x00000001;
96 const int SEC_DIR_ADD_FILE = 0x00000002;
97 const int SEC_DIR_ADD_SUBDIR = 0x00000004;
98 const int SEC_DIR_READ_EA = 0x00000008;
99 const int SEC_DIR_WRITE_EA = 0x00000010;
100 const int SEC_DIR_TRAVERSE = 0x00000020;
101 const int SEC_DIR_DELETE_CHILD = 0x00000040;
102 const int SEC_DIR_READ_ATTRIBUTE = 0x00000080;
103 const int SEC_DIR_WRITE_ATTRIBUTE = 0x00000100;
104
105 /* registry entry specific bits */
106 const int SEC_REG_QUERY_VALUE = 0x00000001;
107 const int SEC_REG_SET_VALUE = 0x00000002;
108 const int SEC_REG_CREATE_SUBKEY = 0x00000004;
109 const int SEC_REG_ENUM_SUBKEYS = 0x00000008;
110 const int SEC_REG_NOTIFY = 0x00000010;
111 const int SEC_REG_CREATE_LINK = 0x00000020;
112
113 /* ldap specific access bits */
114 const int SEC_ADS_CREATE_CHILD = 0x00000001;
115 const int SEC_ADS_DELETE_CHILD = 0x00000002;
116 const int SEC_ADS_LIST = 0x00000004;
117 const int SEC_ADS_SELF_WRITE = 0x00000008;
118 const int SEC_ADS_READ_PROP = 0x00000010;
119 const int SEC_ADS_WRITE_PROP = 0x00000020;
120 const int SEC_ADS_DELETE_TREE = 0x00000040;
121 const int SEC_ADS_LIST_OBJECT = 0x00000080;
122 const int SEC_ADS_CONTROL_ACCESS = 0x00000100;
123
124 /* invalid bits */
125 const int SEC_MASK_INVALID = 0x0ce0fe00;
126
127 /* generic->specific mappings for files */
128 const int SEC_RIGHTS_FILE_READ = SEC_STD_READ_CONTROL |
129 SEC_STD_SYNCHRONIZE |
130 SEC_FILE_READ_DATA |
131 SEC_FILE_READ_ATTRIBUTE |
132 SEC_FILE_READ_EA;
133
134 const int SEC_RIGHTS_FILE_WRITE = SEC_STD_READ_CONTROL |
135 SEC_STD_SYNCHRONIZE |
136 SEC_FILE_WRITE_DATA |
137 SEC_FILE_WRITE_ATTRIBUTE |
138 SEC_FILE_WRITE_EA |
139 SEC_FILE_APPEND_DATA;
140
141 const int SEC_RIGHTS_FILE_EXECUTE = SEC_STD_SYNCHRONIZE |
142 SEC_STD_READ_CONTROL |
143 SEC_FILE_READ_ATTRIBUTE |
144 SEC_FILE_EXECUTE;
145
146 const int SEC_RIGHTS_FILE_ALL = SEC_STD_ALL | SEC_FILE_ALL;
147
148 /* generic->specific mappings for directories (same as files) */
149 const int SEC_RIGHTS_DIR_READ = SEC_RIGHTS_FILE_READ;
150 const int SEC_RIGHTS_DIR_WRITE = SEC_RIGHTS_FILE_WRITE;
151 const int SEC_RIGHTS_DIR_EXECUTE = SEC_RIGHTS_FILE_EXECUTE;
152 const int SEC_RIGHTS_DIR_ALL = SEC_RIGHTS_FILE_ALL;
153
154 /* rights granted by some specific privileges */
155 const int SEC_RIGHTS_PRIV_BACKUP = SEC_STD_READ_CONTROL |
156 SEC_FLAG_SYSTEM_SECURITY |
157 SEC_RIGHTS_FILE_READ |
158 SEC_DIR_TRAVERSE;
159
160 const int SEC_RIGHTS_PRIV_RESTORE = SEC_STD_WRITE_DAC |
161 SEC_STD_WRITE_OWNER |
162 SEC_FLAG_SYSTEM_SECURITY |
163 SEC_RIGHTS_FILE_WRITE |
164 SEC_DIR_ADD_FILE |
165 SEC_DIR_ADD_SUBDIR |
166 SEC_STD_DELETE;
167
168 /* combinations of standard masks. */
169 const int STANDARD_RIGHTS_ALL_ACCESS = SEC_STD_ALL; /* 0x001f0000 */
170 const int STANDARD_RIGHTS_MODIFY_ACCESS = SEC_STD_READ_CONTROL; /* 0x00020000 */
171 const int STANDARD_RIGHTS_EXECUTE_ACCESS = SEC_STD_READ_CONTROL; /* 0x00020000 */
172 const int STANDARD_RIGHTS_READ_ACCESS = SEC_STD_READ_CONTROL; /* 0x00020000 */
173 const int STANDARD_RIGHTS_WRITE_ACCESS =
174 (SEC_STD_WRITE_OWNER |
175 SEC_STD_WRITE_DAC |
176 SEC_STD_DELETE); /* 0x000d0000 */
177 const int STANDARD_RIGHTS_REQUIRED_ACCESS =
178 (SEC_STD_DELETE |
179 SEC_STD_READ_CONTROL |
180 SEC_STD_WRITE_DAC |
181 SEC_STD_WRITE_OWNER); /* 0x000f0000 */
182
183 /* generic->specific mappings for Directory Service objects */
184 /* directory specific part of GENERIC_ALL */
185 const int SEC_ADS_GENERIC_ALL_DS =
186 (SEC_STD_DELETE |
187 SEC_STD_WRITE_DAC |
188 SEC_STD_WRITE_OWNER |
189 SEC_ADS_CREATE_CHILD |
190 SEC_ADS_DELETE_CHILD |
191 SEC_ADS_DELETE_TREE |
192 SEC_ADS_CONTROL_ACCESS);
193 const int SEC_ADS_GENERIC_EXECUTE = SEC_STD_READ_CONTROL | SEC_ADS_LIST;
194 const int SEC_ADS_GENERIC_WRITE =
195 (SEC_STD_READ_CONTROL |
196 SEC_ADS_SELF_WRITE |
197 SEC_ADS_WRITE_PROP);
198 const int SEC_ADS_GENERIC_READ =
199 (SEC_STD_READ_CONTROL |
200 SEC_ADS_LIST |
201 SEC_ADS_READ_PROP |
202 SEC_ADS_LIST_OBJECT);
203 const int SEC_ADS_GENERIC_ALL =
204 (SEC_ADS_GENERIC_EXECUTE |
205 SEC_ADS_GENERIC_WRITE |
206 SEC_ADS_GENERIC_READ |
207 SEC_ADS_GENERIC_ALL_DS);
208
209 /*
210 * Rights implicitly granted to a user who is an owner of the security
211 * descriptor being processed.
212 */
213 typedef enum {
214 IMPLICIT_OWNER_READ_CONTROL_RIGHTS,
215 IMPLICIT_OWNER_READ_CONTROL_AND_WRITE_DAC_RIGHTS
216 } implicit_owner_rights;
217
218 /***************************************************************/
219 /* WELL KNOWN SIDS */
220
221 /* a NULL sid */
222 const string SID_NULL = "S-1-0-0";
223
224 /* the world domain */
225 const string NAME_WORLD = "WORLD";
226
227 const string SID_WORLD_DOMAIN = "S-1-1";
228 const string SID_WORLD = "S-1-1-0";
229
230 /* SECURITY_CREATOR_SID_AUTHORITY */
231 const string SID_CREATOR_OWNER_DOMAIN = "S-1-3";
232 const string SID_CREATOR_OWNER = "S-1-3-0";
233 const string SID_CREATOR_GROUP = "S-1-3-1";
234 const string SID_OWNER_RIGHTS = "S-1-3-4";
235
236 /* SECURITY_NT_AUTHORITY */
237 const string NAME_NT_AUTHORITY = "NT AUTHORITY";
238
239 const string SID_NT_AUTHORITY = "S-1-5";
240 const string SID_NT_DIALUP = "S-1-5-1";
241 const string SID_NT_NETWORK = "S-1-5-2";
242 const string SID_NT_BATCH = "S-1-5-3";
243 const string SID_NT_INTERACTIVE = "S-1-5-4";
244 const string SID_NT_SERVICE = "S-1-5-6";
245 const string SID_NT_ANONYMOUS = "S-1-5-7";
246 const string SID_NT_PROXY = "S-1-5-8";
247 const string SID_NT_ENTERPRISE_DCS = "S-1-5-9";
248 const string SID_NT_SELF = "S-1-5-10";
249 const string SID_NT_AUTHENTICATED_USERS = "S-1-5-11";
250 const string SID_NT_RESTRICTED = "S-1-5-12";
251 const string SID_NT_TERMINAL_SERVER_USERS = "S-1-5-13";
252 const string SID_NT_REMOTE_INTERACTIVE = "S-1-5-14";
253 const string SID_NT_THIS_ORGANISATION = "S-1-5-15";
254 const string SID_NT_IUSR = "S-1-5-17";
255 const string SID_NT_SYSTEM = "S-1-5-18";
256 const string SID_NT_LOCAL_SERVICE = "S-1-5-19";
257 const string SID_NT_NETWORK_SERVICE = "S-1-5-20";
258 const string SID_NT_DIGEST_AUTHENTICATION = "S-1-5-64-21";
259 const string SID_NT_NTLM_AUTHENTICATION = "S-1-5-64-10";
260 const string SID_NT_SCHANNEL_AUTHENTICATION = "S-1-5-64-14";
261 const string SID_NT_OTHER_ORGANISATION = "S-1-5-1000";
262
263 /* SECURITY_BUILTIN_DOMAIN_RID */
264 const string NAME_BUILTIN = "BUILTIN";
265
266 const string SID_BUILTIN = "S-1-5-32";
267 const string SID_BUILTIN_ADMINISTRATORS = "S-1-5-32-544";
268 const string SID_BUILTIN_USERS = "S-1-5-32-545";
269 const string SID_BUILTIN_GUESTS = "S-1-5-32-546";
270 const string SID_BUILTIN_POWER_USERS = "S-1-5-32-547";
271 const string SID_BUILTIN_ACCOUNT_OPERATORS = "S-1-5-32-548";
272 const string SID_BUILTIN_SERVER_OPERATORS = "S-1-5-32-549";
273 const string SID_BUILTIN_PRINT_OPERATORS = "S-1-5-32-550";
274 const string SID_BUILTIN_BACKUP_OPERATORS = "S-1-5-32-551";
275 const string SID_BUILTIN_REPLICATOR = "S-1-5-32-552";
276 const string SID_BUILTIN_RAS_SERVERS = "S-1-5-32-553";
277 const string SID_BUILTIN_PREW2K = "S-1-5-32-554";
278 const string SID_BUILTIN_REMOTE_DESKTOP_USERS = "S-1-5-32-555";
279 const string SID_BUILTIN_NETWORK_CONF_OPERATORS = "S-1-5-32-556";
280 const string SID_BUILTIN_INCOMING_FOREST_TRUST = "S-1-5-32-557";
281 const string SID_BUILTIN_PERFMON_USERS = "S-1-5-32-558";
282 const string SID_BUILTIN_PERFLOG_USERS = "S-1-5-32-559";
283 const string SID_BUILTIN_AUTH_ACCESS = "S-1-5-32-560";
284 const string SID_BUILTIN_TS_LICENSE_SERVERS = "S-1-5-32-561";
285 const string SID_BUILTIN_DISTRIBUTED_COM_USERS = "S-1-5-32-562";
286 const string SID_BUILTIN_IUSERS = "S-1-5-32-568";
287 const string SID_BUILTIN_CRYPTO_OPERATORS = "S-1-5-32-569";
288 const string SID_BUILTIN_EVENT_LOG_READERS = "S-1-5-32-573";
289 const string SID_BUILTIN_CERT_SERV_DCOM_ACCESS = "S-1-5-32-574";
290 const string SID_BUILTIN_RDS_REMOTE_ACCESS_SERVERS = "S-1-5-32-575";
291 const string SID_BUILTIN_RDS_ENDPOINT_SERVERS = "S-1-5-32-576";
292 const string SID_BUILTIN_RDS_MANAGEMENT_SERVERS = "S-1-5-32-577";
293 const string SID_BUILTIN_HYPER_V_ADMINS = "S-1-5-32-578";
294 const string SID_BUILTIN_ACCESS_CONTROL_ASSISTANCE_OPS = "S-1-5-32-579";
295 const string SID_BUILTIN_REMOTE_MANAGEMENT_USERS = "S-1-5-32-580";
296 const string SID_BUILTIN_SYSTEM_MANAGED_ACCOUNTS_GRP = "S-1-5-32-581";
297 const string SID_BUILTIN_STORAGE_REPLICA_ADMINISTRATORS = "S-1-5-32-582";
298
299 const string SID_SECURITY_RESTRICTED_CODE = "S-1-5-33";
300
301 /* UID/GID mapping Samba style */
302 const string SID_SAMBA_UNIX_USER_OWNER = "S-1-22-1";
303 const string SID_SAMBA_UNIX_GROUP_OWNER = "S-1-22-2";
304
305 /* SECURITY_NT_SERVICE */
306 const string NAME_NT_SERVICE = "NT SERVICE";
307
308 const string SID_NT_NT_SERVICE = "S-1-5-80";
309 const string SID_NT_TRUSTED_INSTALLER =
310 "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464";
311
312 /*
313 * This is added during the AS-REQ/AS-REP exchange after
314 * pre-authentication was successful.
315 */
316 const string SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY = "S-1-18-1";
317 /*
318 * This is added during S4U2Self PAC creation.
319 *
320 * It won't replace a possible
321 * SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY
322 * during S4U2Proxy.
323 */
324 const string SID_SERVICE_ASSERTED_IDENTITY = "S-1-18-2";
325
326 const string SID_COMPOUNDED_AUTHENTICATION = "S-1-5-21-0-0-0-496";
327 const string SID_CLAIMS_VALID = "S-1-5-21-0-0-0-497";
328
329 const string SID_USER_MODE_DRIVERS = "S-1-5-84-0-0-0-0-0";
330
331 const string SID_SECURITY_BUILTIN_PACKAGE_ANY_PACKAGE = "S-1-15-2-1";
332
333 const string SID_SECURITY_MANDATORY_LOW = "S-1-16-4096";
334 const string SID_SECURITY_MANDATORY_MEDIUM = "S-1-16-8192";
335 const string SID_SECURITY_MANDATORY_MEDIUM_PLUS = "S-1-16-8448";
336 const string SID_SECURITY_MANDATORY_HIGH = "S-1-16-12288";
337 const string SID_SECURITY_MANDATORY_SYSTEM = "S-1-16-16384";
338
339 /*
340 * http://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx
341 */
342 const string SID_NT_NFS_SUBSYSTEM = "S-1-5-88";
343 const string SID_NT_NFS_USER = "S-1-5-88-1";
344 const string SID_NT_NFS_GROUP = "S-1-5-88-2";
345 const string SID_NT_NFS_MASK = "S-1-5-88-3";
346 const string SID_NT_NFS_OTHERS = "S-1-5-88-4";
347
348 /* well-known domain RIDs */
349 const int DOMAIN_RID_LOGON = 9;
350 const int DOMAIN_RID_ENTERPRISE_READONLY_DCS = 498;
351 const int DOMAIN_RID_ADMINISTRATOR = 500;
352 const int DOMAIN_RID_GUEST = 501;
353 const int DOMAIN_RID_KRBTGT = 502;
354 const int DOMAIN_RID_ADMINS = 512;
355 const int DOMAIN_RID_USERS = 513;
356 const int DOMAIN_RID_GUESTS = 514;
357 const int DOMAIN_RID_DOMAIN_MEMBERS = 515;
358 const int DOMAIN_RID_DCS = 516;
359 const int DOMAIN_RID_CERT_ADMINS = 517;
360 const int DOMAIN_RID_SCHEMA_ADMINS = 518;
361 const int DOMAIN_RID_ENTERPRISE_ADMINS = 519;
362 const int DOMAIN_RID_POLICY_ADMINS = 520;
363 const int DOMAIN_RID_READONLY_DCS = 521;
364 const int DOMAIN_RID_CLONEABLE_CONTROLLERS = 522;
365 const int DOMAIN_RID_PROTECTED_USERS = 525;
366 const int DOMAIN_RID_KEY_ADMINS = 526;
367 const int DOMAIN_RID_ENTERPRISE_KEY_ADMINS = 527;
368 const int DOMAIN_RID_RAS_SERVERS = 553;
369 const int DOMAIN_RID_RODC_ALLOW = 571;
370 const int DOMAIN_RID_RODC_DENY = 572;
371
372 /* well-known builtin RIDs */
373 const int BUILTIN_RID_ADMINISTRATORS = 544;
374 const int BUILTIN_RID_USERS = 545;
375 const int BUILTIN_RID_GUESTS = 546;
376 const int BUILTIN_RID_POWER_USERS = 547;
377 const int BUILTIN_RID_ACCOUNT_OPERATORS = 548;
378 const int BUILTIN_RID_SERVER_OPERATORS = 549;
379 const int BUILTIN_RID_PRINT_OPERATORS = 550;
380 const int BUILTIN_RID_BACKUP_OPERATORS = 551;
381 const int BUILTIN_RID_REPLICATOR = 552;
382 const int BUILTIN_RID_RAS_SERVERS = 553;
383 const int BUILTIN_RID_PRE_2K_ACCESS = 554;
384 const int BUILTIN_RID_REMOTE_DESKTOP_USERS = 555;
385 const int BUILTIN_RID_NETWORK_CONF_OPERATORS = 556;
386 const int BUILTIN_RID_INCOMING_FOREST_TRUST = 557;
387 const int BUILTIN_RID_PERFMON_USERS = 558;
388 const int BUILTIN_RID_PERFLOG_USERS = 559;
389 const int BUILTIN_RID_AUTH_ACCESS = 560;
390 const int BUILTIN_RID_TS_LICENSE_SERVERS = 561;
391 const int BUILTIN_RID_DISTRIBUTED_COM_USERS = 562;
392 const int BUILTIN_RID_IUSERS = 568;
393 const int BUILTIN_RID_CRYPTO_OPERATORS = 569;
394 const int BUILTIN_RID_EVENT_LOG_READERS = 573;
395 const int BUILTIN_RID_CERT_SERV_DCOM_ACCESS = 574;
396 const int BUILTIN_RID_RDS_REMOTE_ACCESS_SERVERS = 575;
397 const int BUILTIN_RID_RDS_ENDPOINT_SERVERS = 576;
398 const int BUILTIN_RID_RDS_MANAGEMENT_SERVERS = 577;
399 const int BUILTIN_RID_HYPER_V_ADMINS = 578;
400 const int BUILTIN_RID_ACCESS_CONTROL_ASSISTANCE_OPS = 579;
401 const int BUILTIN_RID_REMOTE_MANAGEMENT_USERS = 580;
402
403 /********************************************************************
404 This is a list of privileges reported by a WIndows 2008 R2 DC
405 just for reference purposes (and I know the LUID is not guaranteed
406 across reboots):
407
408 0x00000002 SeCreateTokenPrivilege "Create a token object"
409 0x00000003 SeAssignPrimaryTokenPrivilege "Replace a process level token"
410 0x00000004 SeLockMemoryPrivilege "Lock pages in memory"
411 0x00000005 SeIncreaseQuotaPrivilege "Adjust memory quotas for a process"
412 0x00000006 SeMachineAccountPrivilege "Add workstations to domain"
413 0x00000007 SeTcbPrivilege "Act as part of the operating system"
414 0x00000008 SeSecurityPrivilege "Manage auditing and security log"
415 0x00000009 SeTakeOwnershipPrivilege "Take ownership of files or other objects"
416 0x0000000a SeLoadDriverPrivilege "Load and unload device drivers"
417 0x0000000b SeSystemProfilePrivilege "Profile system performance"
418 0x0000000c SeSystemtimePrivilege "Change the system time"
419 0x0000000d SeProfileSingleProcessPrivilege "Profile single process"
420 0x0000000e SeIncreaseBasePriorityPrivilege "Increase scheduling priority"
421 0x0000000f SeCreatePagefilePrivilege "Create a pagefile"
422 0x00000010 SeCreatePermanentPrivilege "Create permanent shared objects"
423 0x00000011 SeBackupPrivilege "Back up files and directories"
424 0x00000012 SeRestorePrivilege "Restore files and directories"
425 0x00000013 SeShutdownPrivilege "Shut down the system"
426 0x00000014 SeDebugPrivilege "Debug programs"
427 0x00000015 SeAuditPrivilege "Generate security audits"
428 0x00000016 SeSystemEnvironmentPrivilege "Modify firmware environment values"
429 0x00000017 SeChangeNotifyPrivilege "Bypass traverse checking"
430 0x00000018 SeRemoteShutdownPrivilege "Force shutdown from a remote system"
431 0x00000019 SeUndockPrivilege "Remove computer from docking station"
432 0x0000001a SeSyncAgentPrivilege "Synchronize directory service data"
433 0x0000001b SeEnableDelegationPrivilege "Enable computer and user accounts to be trusted for delegation"
434 0x0000001c SeManageVolumePrivilege "Perform volume maintenance tasks"
435 0x0000001d SeImpersonatePrivilege "Impersonate a client after authentication"
436 0x0000001e SeCreateGlobalPrivilege "Create global objects"
437 0x0000001f SeTrustedCredManAccessPrivilege "Access Credential Manager as a trusted caller"
438 0x00000020 SeRelabelPrivilege "Modify an object label"
439 0x00000021 SeIncreaseWorkingSetPrivilege "Increase a process working set"
440 0x00000022 SeTimeZonePrivilege "Change the time zone"
441 0x00000023 SeCreateSymbolicLinkPrivilege "Create symbolic links"
442
443 ********************************************************************/
444
445 /* LUID values for privileges known about by Samba (bottom 32 bits of enum, top bits are 0) */
446
447 /* we have to define the LUID here due to a horrible check by printmig.exe
448 that requires the SeBackupPrivilege match what is in Windows. So match
449 those that we implement and start Samba privileges at 0x1001 */
450
451 typedef enum {
452 SEC_PRIV_INVALID = 0x0,
453 SEC_PRIV_INCREASE_QUOTA = 0x5,
454 SEC_PRIV_MACHINE_ACCOUNT = 0x6,
455 SEC_PRIV_SECURITY = 0x8,
456 SEC_PRIV_TAKE_OWNERSHIP = 0x09,
457 SEC_PRIV_LOAD_DRIVER = 0x0a,
458 SEC_PRIV_SYSTEM_PROFILE = 0x0b,
459 SEC_PRIV_SYSTEMTIME = 0x0c,
460 SEC_PRIV_PROFILE_SINGLE_PROCESS = 0x0d,
461 SEC_PRIV_INCREASE_BASE_PRIORITY = 0x0e,
462 SEC_PRIV_CREATE_PAGEFILE = 0x0f,
463 SEC_PRIV_BACKUP = 0x11,
464 SEC_PRIV_RESTORE = 0x12,
465 SEC_PRIV_SHUTDOWN = 0x13,
466 SEC_PRIV_DEBUG = 0x14,
467 SEC_PRIV_SYSTEM_ENVIRONMENT = 0x16,
468 SEC_PRIV_CHANGE_NOTIFY = 0x17,
469 SEC_PRIV_REMOTE_SHUTDOWN = 0x18,
470 SEC_PRIV_UNDOCK = 0x19,
471 SEC_PRIV_ENABLE_DELEGATION = 0x1b,
472 SEC_PRIV_MANAGE_VOLUME = 0x1c,
473 SEC_PRIV_IMPERSONATE = 0x1d,
474 SEC_PRIV_CREATE_GLOBAL = 0x1e,
475 /* Samba-specific privs */
476 SEC_PRIV_PRINT_OPERATOR = 0x1001,
477 SEC_PRIV_ADD_USERS = 0x1002,
478 SEC_PRIV_DISK_OPERATOR = 0x1003
479 } sec_privilege;
480
481
482 /* Bitmap of privilege values for internal use only. We need
483 * our own bitmap here as privilages.tdb records these values
484 * as a bitmap (privilages.ldb uses the string forms).
485 */
486 typedef [bitmap64bit] bitmap {
487 SEC_PRIV_MACHINE_ACCOUNT_BIT = 0x00000010,
488
489 /* Samba-specific privs */
490 SEC_PRIV_PRINT_OPERATOR_BIT = 0x00000020,
491 SEC_PRIV_ADD_USERS_BIT = 0x00000040,
492 SEC_PRIV_DISK_OPERATOR_BIT = 0x00000080,
493
494 SEC_PRIV_REMOTE_SHUTDOWN_BIT = 0x00000100,
495 SEC_PRIV_BACKUP_BIT = 0x00000200,
496 SEC_PRIV_RESTORE_BIT = 0x00000400,
497 SEC_PRIV_TAKE_OWNERSHIP_BIT = 0x00000800,
498 /* End of privilages implemented before merge to common code */
499
500 SEC_PRIV_INCREASE_QUOTA_BIT = 0x00001000,
501 SEC_PRIV_SECURITY_BIT = 0x00002000,
502 SEC_PRIV_LOAD_DRIVER_BIT = 0x00004000,
503 SEC_PRIV_SYSTEM_PROFILE_BIT = 0x00008000,
504 SEC_PRIV_SYSTEMTIME_BIT = 0x00010000,
505 SEC_PRIV_PROFILE_SINGLE_PROCESS_BIT = 0x00020000,
506 SEC_PRIV_INCREASE_BASE_PRIORITY_BIT = 0x00040000,
507 SEC_PRIV_CREATE_PAGEFILE_BIT = 0x00080000,
508 SEC_PRIV_SHUTDOWN_BIT = 0x00100000,
509 SEC_PRIV_DEBUG_BIT = 0x00200000,
510 SEC_PRIV_SYSTEM_ENVIRONMENT_BIT = 0x00400000,
511 SEC_PRIV_CHANGE_NOTIFY_BIT = 0x00800000,
512 SEC_PRIV_UNDOCK_BIT = 0x01000000,
513 SEC_PRIV_ENABLE_DELEGATION_BIT = 0x02000000,
514 SEC_PRIV_MANAGE_VOLUME_BIT = 0x04000000,
515 SEC_PRIV_IMPERSONATE_BIT = 0x08000000,
516 SEC_PRIV_CREATE_GLOBAL_BIT = 0x10000000
517 } se_privilege;
518
519 typedef [bitmap32bit] bitmap {
520 LSA_POLICY_MODE_INTERACTIVE = 0x00000001,
521 LSA_POLICY_MODE_NETWORK = 0x00000002,
522 LSA_POLICY_MODE_BATCH = 0x00000004,
523 LSA_POLICY_MODE_SERVICE = 0x00000010,
524 LSA_POLICY_MODE_PROXY = 0x00000020,
525 LSA_POLICY_MODE_DENY_INTERACTIVE = 0x00000040,
526 LSA_POLICY_MODE_DENY_NETWORK = 0x00000080,
527 LSA_POLICY_MODE_DENY_BATCH = 0x00000100,
528 LSA_POLICY_MODE_DENY_SERVICE = 0x00000200,
529 LSA_POLICY_MODE_REMOTE_INTERACTIVE = 0x00000400,
530 LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE = 0x00000800,
531 LSA_POLICY_MODE_ALL = 0x00000FF7,
532 LSA_POLICY_MODE_ALL_NT4 = 0x00000037
533 } lsa_SystemAccessModeFlags;
534
535 typedef [public,bitmap8bit] bitmap {
536 SEC_ACE_FLAG_OBJECT_INHERIT = 0x01,
537 SEC_ACE_FLAG_CONTAINER_INHERIT = 0x02,
538 SEC_ACE_FLAG_NO_PROPAGATE_INHERIT = 0x04,
539 SEC_ACE_FLAG_INHERIT_ONLY = 0x08,
540 SEC_ACE_FLAG_INHERITED_ACE = 0x10,
541 SEC_ACE_FLAG_VALID_INHERIT = 0x0f,
542 SEC_ACE_FLAG_SUCCESSFUL_ACCESS = 0x40,
543 SEC_ACE_FLAG_FAILED_ACCESS = 0x80
544 } security_ace_flags;
545
546 typedef [public,enum8bit] enum {
547 SEC_ACE_TYPE_ACCESS_ALLOWED = 0,
548 SEC_ACE_TYPE_ACCESS_DENIED = 1,
549 SEC_ACE_TYPE_SYSTEM_AUDIT = 2,
550 SEC_ACE_TYPE_SYSTEM_ALARM = 3,
551 SEC_ACE_TYPE_ALLOWED_COMPOUND = 4,
552 SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT = 5,
553 SEC_ACE_TYPE_ACCESS_DENIED_OBJECT = 6,
554 SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT = 7,
555 SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT = 8
556 } security_ace_type;
557
558 typedef [bitmap32bit] bitmap {
559 SEC_ACE_OBJECT_TYPE_PRESENT = 0x00000001,
560 SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x00000002
561 } security_ace_object_flags;
562
563 typedef [nodiscriminant] union {
564 /* this is the 'schemaIDGUID' attribute of the attribute object in the schema naming context */
565 [case(SEC_ACE_OBJECT_TYPE_PRESENT)] GUID type;
566 [default];
567 } security_ace_object_type;
568
569 typedef [nodiscriminant] union {
570 /* this is the 'schemaIDGUID' attribute of the objectclass object in the schema naming context
571 * (of the parent container)
572 */
573 [case(SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)] GUID inherited_type;
574 [default];
575 } security_ace_object_inherited_type;
576
577 typedef struct {
578 security_ace_object_flags flags;
579 [switch_is(flags & SEC_ACE_OBJECT_TYPE_PRESENT)] security_ace_object_type type;
580 [switch_is(flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)] security_ace_object_inherited_type inherited_type;
581 } security_ace_object;
582
583 typedef [public,nodiscriminant] union {
584 [case(SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT)] security_ace_object object;
585 [case(SEC_ACE_TYPE_ACCESS_DENIED_OBJECT)] security_ace_object object;
586 [case(SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT)] security_ace_object object;
587 [case(SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT)] security_ace_object object;
588 [default];
589 } security_ace_object_ctr;
590
591 typedef [public,nopull,gensize,nosize] struct {
592 security_ace_type type; /* SEC_ACE_TYPE_* */
593 security_ace_flags flags; /* SEC_ACE_FLAG_* */
594 [value(ndr_size_security_ace(r,ndr->flags))] uint16 size;
595 uint32 access_mask;
596 [switch_is(type)] security_ace_object_ctr object;
597 dom_sid trustee;
598 } security_ace;
599
600 typedef enum {
601 SECURITY_ACL_REVISION_NT4 = 2,
602 SECURITY_ACL_REVISION_ADS = 4
603 } security_acl_revision;
604
605 const uint NT4_ACL_REVISION = SECURITY_ACL_REVISION_NT4;
606
607 typedef [public,gensize,nosize] struct {
608 security_acl_revision revision;
609 [value(ndr_size_security_acl(r,ndr->flags))] uint16 size;
610 [range(0,2000)] uint32 num_aces;
611 security_ace aces[num_aces];
612 } security_acl;
613
614 /* default revision for new ACLs */
615 typedef [public,enum8bit] enum {
616 SECURITY_DESCRIPTOR_REVISION_1 = 1
617 } security_descriptor_revision;
618
619 const int SD_REVISION = SECURITY_DESCRIPTOR_REVISION_1;
620
621 /* security_descriptor->type bits */
622 typedef [public,bitmap16bit] bitmap {
623 SEC_DESC_OWNER_DEFAULTED = 0x0001,
624 SEC_DESC_GROUP_DEFAULTED = 0x0002,
625 SEC_DESC_DACL_PRESENT = 0x0004,
626 SEC_DESC_DACL_DEFAULTED = 0x0008,
627 SEC_DESC_SACL_PRESENT = 0x0010,
628 SEC_DESC_SACL_DEFAULTED = 0x0020,
629 SEC_DESC_DACL_TRUSTED = 0x0040,
630 SEC_DESC_SERVER_SECURITY = 0x0080,
631 SEC_DESC_DACL_AUTO_INHERIT_REQ = 0x0100,
632 SEC_DESC_SACL_AUTO_INHERIT_REQ = 0x0200,
633 SEC_DESC_DACL_AUTO_INHERITED = 0x0400,
634 SEC_DESC_SACL_AUTO_INHERITED = 0x0800,
635 SEC_DESC_DACL_PROTECTED = 0x1000,
636 SEC_DESC_SACL_PROTECTED = 0x2000,
637 SEC_DESC_RM_CONTROL_VALID = 0x4000,
638 SEC_DESC_SELF_RELATIVE = 0x8000
639 } security_descriptor_type;
640
641 typedef [gensize,nosize,public,flag(NDR_LITTLE_ENDIAN)] struct {
642 security_descriptor_revision revision;
643 security_descriptor_type type; /* SEC_DESC_xxxx flags */
644 [relative] dom_sid *owner_sid;
645 [relative] dom_sid *group_sid;
646 [relative] security_acl *sacl; /* system ACL */
647 [relative] security_acl *dacl; /* user (discretionary) ACL */
648 } security_descriptor;
649
650 typedef [public] struct {
651 [range(0,0x40000),value(ndr_size_security_descriptor(sd,ndr->flags))] uint32 sd_size;
652 [subcontext(4)] security_descriptor *sd;
653 } sec_desc_buf;
654
655 /* Group attributes, used to be samr_GroupAttrs */
656 typedef [public,bitmap32bit] bitmap {
657 SE_GROUP_MANDATORY = 0x00000001,
658 SE_GROUP_ENABLED_BY_DEFAULT = 0x00000002,
659 SE_GROUP_ENABLED = 0x00000004,
660 SE_GROUP_OWNER = 0x00000008,
661 SE_GROUP_USE_FOR_DENY_ONLY = 0x00000010,
662 SE_GROUP_INTEGRITY = 0x00000020,
663 SE_GROUP_INTEGRITY_ENABLED = 0x00000040,
664 SE_GROUP_RESOURCE = 0x20000000,
665 SE_GROUP_LOGON_ID = 0xC0000000
666 } security_GroupAttrs;
667
668 /* This is not yet sent over the network, but is simply defined in IDL */
669 typedef [public] struct {
670 uint32 num_sids;
671 [size_is(num_sids)] dom_sid sids[*];
672 se_privilege privilege_mask;
673 lsa_SystemAccessModeFlags rights_mask;
674 } security_token;
675
676 /* This is not yet sent over the network, but is simply defined in IDL */
677 typedef [public] struct {
678 uid_t uid;
679 gid_t gid;
680 uint32 ngroups;
681 [size_is(ngroups)] gid_t groups[*];
682 } security_unix_token;
683
684 /* bits that determine which parts of a security descriptor
685 are being queried/set */
686 typedef [public,bitmap32bit] bitmap {
687 SECINFO_OWNER = 0x00000001,
688 SECINFO_GROUP = 0x00000002,
689 SECINFO_DACL = 0x00000004,
690 SECINFO_SACL = 0x00000008,
691 SECINFO_LABEL = 0x00000010,
692 SECINFO_ATTRIBUTE = 0x00000020,
693 SECINFO_SCOPE = 0x00000040,
694 SECINFO_BACKUP = 0x00010000,
695 SECINFO_UNPROTECTED_SACL = 0x10000000,
696 SECINFO_UNPROTECTED_DACL = 0x20000000,
697 SECINFO_PROTECTED_SACL = 0x40000000,
698 SECINFO_PROTECTED_DACL = 0x80000000
699 } security_secinfo;
700
701 /*
702 * a SMB server should only support the following flags
703 * and ignore all others.
704 *
705 * See AdditionalInformation in [MS-SMB2] 2.2.37 SMB2 QUERY_INFO Request
706 * and 2.2.39 SMB2 SET_INFO Request.
707 */
708 const int SMB_SUPPORTED_SECINFO_FLAGS = (
709 SECINFO_OWNER |
710 SECINFO_GROUP |
711 SECINFO_DACL |
712 SECINFO_SACL |
713 SECINFO_LABEL |
714 SECINFO_ATTRIBUTE |
715 SECINFO_SCOPE |
716 SECINFO_BACKUP |
717 0);
718
719 /*
720 * See [MS-KILE] 2.2.5 LSAP_TOKEN_INFO_INTEGRITY
721 */
722 typedef [public,gensize,flag(NDR_PAHEX)] struct {
723 uint32 Flags;
724 uint32 TokenIL;
725 uint8 MachineId[32];
726 } LSAP_TOKEN_INFO_INTEGRITY;
727
728 /*
729 * See [MS-KILE] 2.2.6 Supported Encryption Types Bit Flags
730 */
731 typedef [public,bitmap32bit] bitmap {
732 KERB_ENCTYPE_DES_CBC_CRC = 0x00000001,
733 KERB_ENCTYPE_DES_CBC_MD5 = 0x00000002,
734 KERB_ENCTYPE_RC4_HMAC_MD5 = 0x00000004,
735 KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 0x00000008,
736 KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010,
737 KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK = 0x00000020,
738 KERB_ENCTYPE_FAST_SUPPORTED = 0x00010000,
739 KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED = 0x00020000,
740 KERB_ENCTYPE_CLAIMS_SUPPORTED = 0x00040000,
741 KERB_ENCTYPE_RESOURCE_SID_COMPRESSION_DISABLED = 0x00080000
742 } kerb_EncTypes;
743
744 typedef [public,bitmap32bit] bitmap {
745 SEC_DACL_AUTO_INHERIT = 0x00000001,
746 SEC_SACL_AUTO_INHERIT = 0x00000002,
747 SEC_DEFAULT_DESCRIPTOR = 0x00000004,
748 SEC_OWNER_FROM_PARENT = 0x00000008,
749 SEC_GROUP_FROM_PARENT = 0x00000010
750 } security_autoinherit;
751
752 /***************************************************************/
753 /* Extended right guids */
754
755 const string GUID_DRS_ALLOCATE_RIDS = "1abd7cf8-0a99-11d1-adbb-00c04fd8d5cd";
756 const string GUID_DRS_CHANGE_DOMAIN_MASTER = "014bf69c-7b3b-11d1-85f6-08002be74fab";
757 const string GUID_DRS_CHANGE_INFR_MASTER = "cc17b1fb-33d9-11d2-97d4-00c04fd8d5cd";
758 const string GUID_DRS_CHANGE_PDC = "bae50096-4752-11d1-9052-00c04fc2d4cf";
759 const string GUID_DRS_CHANGE_RID_MASTER = "d58d5f36-0a98-11d1-adbb-00c04fd8d5cd";
760 const string GUID_DRS_CHANGE_SCHEMA_MASTER = "e12b56b6-0a95-11d1-adbb-00c04fd8d5cd";
761 const string GUID_DRS_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2";
762 const string GUID_DRS_REPL_SYNCRONIZE = "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2";
763 const string GUID_DRS_MANAGE_TOPOLOGY = "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2";
764 const string GUID_DRS_GET_ALL_CHANGES = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2";
765 const string GUID_DRS_RO_REPL_SECRET_SYNC = "1131f6ae-9c07-11d1-f79f-00c04fc2dcd2";
766 const string GUID_DRS_GET_FILTERED_ATTRIBUTES = "89e95b76-444d-4c62-991a-0facbeda640c";
767 const string GUID_DRS_MONITOR_TOPOLOGY = "f98340fb-7c5b-4cdb-a00b-2ebdfa115a96";
768 const string GUID_DRS_USER_CHANGE_PASSWORD = "ab721a53-1e2f-11d0-9819-00aa0040529b";
769 const string GUID_DRS_FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529";
770 const string GUID_DRS_UPDATE_PASSWORD_NOT_REQUIRED_BIT
771 = "280f369c-67c7-438e-ae98-1d46f3c6f541";
772 const string GUID_DRS_UNEXPIRE_PASSWORD = "ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501";
773 const string GUID_DRS_ENABLE_PER_USER_REVERSIBLY_ENCRYPTED_PASSWORD
774 = "05c74c5e-4deb-43b4-bd9f-86664c2a7fd5";
775 const string GUID_DRS_DS_INSTALL_REPLICA = "9923a32a-3607-11d2-b9be-0000f87a36b2";
776 const string GUID_DRS_REANIMATE_TOMBSTONE = "45ec5156-db7e-47bb-b53f-dbeb2d03c40f";
777 const string GUID_DRS_ALLOWED_TO_AUTHENTICATE = "68b1d179-0d15-4D4F-ab71-46152e79a7bc";
778
779 /***************************************************************/
780 /* validated writes guids */
781 const string GUID_DRS_VALIDATE_SPN = "f3a64788-5306-11d1-a9c5-0000f80367c1";
782 const string GUID_DRS_SELF_MEMBERSHIP = "bf9679c0-0de6-11d0-a285-00aa003049e2";
783 const string GUID_DRS_DNS_HOST_NAME = "72e39547-7b18-11d1-adef-00c04fd8d5cd";
784 const string GUID_DRS_ADD_DNS_HOST_NAME = "80863791-dbe9-4eb8-837e-7f0ab55d9ac7";
785 const string GUID_DRS_BEHAVIOR_VERSION = "d31a8757-2447-4545-8081-3bb610cacbf2";
786
787 /* A type to describe the mapping of generic access rights to object
788 specific access rights. */
789
790 typedef struct {
791 uint32 generic_read;
792 uint32 generic_write;
793 uint32 generic_execute;
794 uint32 generic_all;
795 } generic_mapping;
796
797 typedef struct {
798 uint32 std_read;
799 uint32 std_write;
800 uint32 std_execute;
801 uint32 std_all;
802 } standard_mapping;
803 }
Samba GIT mirror