s4-privs Remove link between enum sec_privilege and the privilege bitmap

This allows us to set the enum sec_privilege constants to the LUID
values that are seen from windows, which we need to match, in order
to preserve the support for the NT Print Migrator tool after a merge
with the source3/ privileges code.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>

2 files changed, 140 insertions, 46 deletions

diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl
index 20cbb4189b..922b264df9 100644
--- a/librpc/idl/security.idl
+++ b/librpc/idl/security.idl
@@ -315,36 +315,78 @@ interface security
 	const int BUILTIN_RID_AUTH_ACCESS		= 560;
 	const int BUILTIN_RID_TS_LICENSE_SERVERS	= 561;
 
-	/*
-	  privilege IDs. Please keep the IDs below 64. If we get more
-	  than 64 then we need to change security_token
-	*/
+/********************************************************************
+ This is a list of privileges reported by a WIndows 2000 SP4 AD DC
+ just for reference purposes (and I know the LUID is not guaranteed
+ across reboots):
+
+            SeCreateTokenPrivilege  Create a token object ( 0x0, 0x2 )
+     SeAssignPrimaryTokenPrivilege  Replace a process level token ( 0x0, 0x3 )
+             SeLockMemoryPrivilege  Lock pages in memory ( 0x0, 0x4 )
+          SeIncreaseQuotaPrivilege  Increase quotas ( 0x0, 0x5 )
+         SeMachineAccountPrivilege  Add workstations to domain ( 0x0, 0x6 )
+                    SeTcbPrivilege  Act as part of the operating system ( 0x0, 0x7 )
+               SeSecurityPrivilege  Manage auditing and security log ( 0x0, 0x8 )
+          SeTakeOwnershipPrivilege  Take ownership of files or other objects ( 0x0, 0x9 )
+             SeLoadDriverPrivilege  Load and unload device drivers ( 0x0, 0xa )
+          SeSystemProfilePrivilege  Profile system performance ( 0x0, 0xb )
+             SeSystemtimePrivilege  Change the system time ( 0x0, 0xc )
+   SeProfileSingleProcessPrivilege  Profile single process ( 0x0, 0xd )
+   SeIncreaseBasePriorityPrivilege  Increase scheduling priority ( 0x0, 0xe )
+         SeCreatePagefilePrivilege  Create a pagefile ( 0x0, 0xf )
+        SeCreatePermanentPrivilege  Create permanent shared objects ( 0x0, 0x10 )
+                 SeBackupPrivilege  Back up files and directories ( 0x0, 0x11 )
+                SeRestorePrivilege  Restore files and directories ( 0x0, 0x12 )
+               SeShutdownPrivilege  Shut down the system ( 0x0, 0x13 )
+                  SeDebugPrivilege  Debug programs ( 0x0, 0x14 )
+                  SeAuditPrivilege  Generate security audits ( 0x0, 0x15 )
+      SeSystemEnvironmentPrivilege  Modify firmware environment values ( 0x0, 0x16 )
+           SeChangeNotifyPrivilege  Bypass traverse checking ( 0x0, 0x17 )
+         SeRemoteShutdownPrivilege  Force shutdown from a remote system ( 0x0, 0x18 )
+                 SeUndockPrivilege  Remove computer from docking station ( 0x0, 0x19 )
+              SeSyncAgentPrivilege  Synchronize directory service data ( 0x0, 0x1a )
+       SeEnableDelegationPrivilege  Enable computer and user accounts to be trusted for delegation ( 0x0, 0x1b )
+           SeManageVolumePrivilege  Perform volume maintenance tasks ( 0x0, 0x1c )
+            SeImpersonatePrivilege  Impersonate a client after authentication ( 0x0, 0x1d )
+           SeCreateGlobalPrivilege  Create global objects ( 0x0, 0x1e )
+
+ ********************************************************************/
+
+/* we have to define the LUID here due to a horrible check by printmig.exe
+   that requires the SeBackupPrivilege match what is in Windows.  So match
+   those that we implement and start Samba privileges at 0x1001 */
+
 	typedef enum {
-		SEC_PRIV_SECURITY                  = 1,
-		SEC_PRIV_BACKUP                    = 2,
-		SEC_PRIV_RESTORE                   = 3,
-		SEC_PRIV_SYSTEMTIME                = 4,
-		SEC_PRIV_SHUTDOWN                  = 5,
-		SEC_PRIV_REMOTE_SHUTDOWN           = 6,
-		SEC_PRIV_TAKE_OWNERSHIP            = 7,
-		SEC_PRIV_DEBUG                     = 8,
-		SEC_PRIV_SYSTEM_ENVIRONMENT        = 9,
-		SEC_PRIV_SYSTEM_PROFILE            = 10,
-		SEC_PRIV_PROFILE_SINGLE_PROCESS    = 11,
-		SEC_PRIV_INCREASE_BASE_PRIORITY    = 12,
-		SEC_PRIV_LOAD_DRIVER               = 13,
-		SEC_PRIV_CREATE_PAGEFILE           = 14,
-		SEC_PRIV_INCREASE_QUOTA            = 15,
-		SEC_PRIV_CHANGE_NOTIFY             = 16,
-		SEC_PRIV_UNDOCK                    = 17,
-		SEC_PRIV_MANAGE_VOLUME             = 18,
-		SEC_PRIV_IMPERSONATE               = 19,
-		SEC_PRIV_CREATE_GLOBAL             = 20,
-		SEC_PRIV_ENABLE_DELEGATION         = 21,
-		SEC_PRIV_INTERACTIVE_LOGON         = 22,
-		SEC_PRIV_NETWORK_LOGON             = 23,
-		SEC_PRIV_REMOTE_INTERACTIVE_LOGON  = 24,
-		SEC_PRIV_MACHINE_ACCOUNT           = 25
+		SEC_PRIV_INCREASE_QUOTA            = 0x5,
+		SEC_PRIV_MACHINE_ACCOUNT           = 0x6,
+		SEC_PRIV_SECURITY                  = 0x8,
+		SEC_PRIV_TAKE_OWNERSHIP            = 0x09,
+		SEC_PRIV_LOAD_DRIVER               = 0x0a,
+		SEC_PRIV_SYSTEM_PROFILE            = 0x0b,
+		SEC_PRIV_SYSTEMTIME                = 0x0c,
+		SEC_PRIV_PROFILE_SINGLE_PROCESS    = 0x0d,
+		SEC_PRIV_INCREASE_BASE_PRIORITY    = 0x0e,
+		SEC_PRIV_CREATE_PAGEFILE           = 0x0f,
+		SEC_PRIV_BACKUP                    = 0x11,
+		SEC_PRIV_RESTORE                   = 0x12,
+		SEC_PRIV_SHUTDOWN                  = 0x13,
+		SEC_PRIV_DEBUG                     = 0x14,
+		SEC_PRIV_SYSTEM_ENVIRONMENT        = 0x16,
+		SEC_PRIV_CHANGE_NOTIFY             = 0x17,
+		SEC_PRIV_REMOTE_SHUTDOWN           = 0x18,
+		SEC_PRIV_UNDOCK                    = 0x19,
+		SEC_PRIV_ENABLE_DELEGATION         = 0x1b,
+		SEC_PRIV_MANAGE_VOLUME             = 0x1c,
+		SEC_PRIV_IMPERSONATE               = 0x1d,
+		SEC_PRIV_CREATE_GLOBAL             = 0x1e,
+		/* Samba-specific privs */
+		SEC_PRIV_PRINT_OPERATOR            = 0x1001,
+		SEC_PRIV_ADD_USERS                 = 0x1002,
+		SEC_PRIV_DISK_OPERATOR             = 0x1003,
+		/* Windows privs not in the list above */
+		SEC_PRIV_INTERACTIVE_LOGON         = 0x2022,
+		SEC_PRIV_NETWORK_LOGON             = 0x2023,
+		SEC_PRIV_REMOTE_INTERACTIVE_LOGON  = 0x2024
 	} sec_privilege;
 
 /*
diff --git a/source4/libcli/security/privilege.c b/source4/libcli/security/privilege.c
index 8263830654..374dc4a449 100644
--- a/source4/libcli/security/privilege.c
+++ b/source4/libcli/security/privilege.c
@@ -26,108 +26,150 @@
 
 static const struct {
 	enum sec_privilege privilege;
+	uint64_t privilege_mask;
 	const char *name;
 	const char *display_name;
 } privilege_names[] = {
 	{SEC_PRIV_SECURITY,                   
+	 SE_SECURITY,
 	 "SeSecurityPrivilege",
 	"System security"},
 
 	{SEC_PRIV_BACKUP,                     
+	 SE_BACKUP,
 	 "SeBackupPrivilege",
 	 "Backup files and directories"},
 
 	{SEC_PRIV_RESTORE,                    
+	 SE_RESTORE,
 	 "SeRestorePrivilege",
 	"Restore files and directories"},
 
 	{SEC_PRIV_SYSTEMTIME,                 
+	 SE_SYSTEMTIME,
 	 "SeSystemtimePrivilege",
 	"Set the system clock"},
 
 	{SEC_PRIV_SHUTDOWN,                   
+	 SE_SHUTDOWN,
 	 "SeShutdownPrivilege",
 	"Shutdown the system"},
 
 	{SEC_PRIV_REMOTE_SHUTDOWN,            
+	 SE_REMOTE_SHUTDOWN,
 	 "SeRemoteShutdownPrivilege",
 	"Shutdown the system remotely"},
 
 	{SEC_PRIV_TAKE_OWNERSHIP,             
+	 SE_TAKE_OWNERSHIP,
 	 "SeTakeOwnershipPrivilege",
 	"Take ownership of files and directories"},
 
 	{SEC_PRIV_DEBUG,                      
+	 SE_DEBUG,
 	 "SeDebugPrivilege",
 	"Debug processes"},
 
 	{SEC_PRIV_SYSTEM_ENVIRONMENT,         
+	 SE_SYSTEM_ENVIRONMENT,
 	 "SeSystemEnvironmentPrivilege",
 	"Modify system environment"},
 
 	{SEC_PRIV_SYSTEM_PROFILE,             
+	 SE_SYSTEM_PROFILE,
 	 "SeSystemProfilePrivilege",
 	"Profile the system"},
 
 	{SEC_PRIV_PROFILE_SINGLE_PROCESS,     
+	 SE_PROFILE_SINGLE_PROCESS,
 	 "SeProfileSingleProcessPrivilege",
 	"Profile one process"},
 
 	{SEC_PRIV_INCREASE_BASE_PRIORITY,     
+	 SE_INCREASE_BASE_PRIORITY,
 	 "SeIncreaseBasePriorityPrivilege",
 	 "Increase base priority"},
 
 	{SEC_PRIV_LOAD_DRIVER,
+	 SE_LOAD_DRIVER,
 	 "SeLoadDriverPrivilege",
 	"Load drivers"},
 
 	{SEC_PRIV_CREATE_PAGEFILE,            
+	 SE_CREATE_PAGEFILE,
 	 "SeCreatePagefilePrivilege",
 	"Create page files"},
 
 	{SEC_PRIV_INCREASE_QUOTA,
+	 SE_INCREASE_QUOTA,
 	 "SeIncreaseQuotaPrivilege",
 	"Increase quota"},
 
 	{SEC_PRIV_CHANGE_NOTIFY,              
+	 SE_CHANGE_NOTIFY,
 	 "SeChangeNotifyPrivilege",
 	"Register for change notify"},
 
 	{SEC_PRIV_UNDOCK,                     
+	 SE_UNDOCK,
 	 "SeUndockPrivilege",
 	"Undock devices"},
 
 	{SEC_PRIV_MANAGE_VOLUME,              
+	 SE_MANAGE_VOLUME,
 	 "SeManageVolumePrivilege",
 	"Manage system volumes"},
 
 	{SEC_PRIV_IMPERSONATE,                
+	 SE_IMPERSONATE,
 	 "SeImpersonatePrivilege",
 	"Impersonate users"},
 
 	{SEC_PRIV_CREATE_GLOBAL,              
+	 SE_CREATE_GLOBAL,
 	 "SeCreateGlobalPrivilege",
 	"Create global"},
 
 	{SEC_PRIV_ENABLE_DELEGATION,          
+	 SE_ENABLE_DELEGATION,
 	 "SeEnableDelegationPrivilege",
 	"Enable Delegation"},
 
 	{SEC_PRIV_INTERACTIVE_LOGON,          
+	 SE_INTERACTIVE_LOGON,
 	 "SeInteractiveLogonRight",
 	"Interactive logon"},
 
 	{SEC_PRIV_NETWORK_LOGON,
+	 SE_NETWORK_LOGON,
 	 "SeNetworkLogonRight",
 	"Network logon"},
 
 	{SEC_PRIV_REMOTE_INTERACTIVE_LOGON,   
+	 SE_REMOTE_INTERACTIVE_LOGON,
 	 "SeRemoteInteractiveLogonRight",
 	"Remote Interactive logon"},
 
 	{SEC_PRIV_MACHINE_ACCOUNT,
+	 SE_MACHINE_ACCOUNT,
 	 "SeMachineAccountPrivilege",
-	"Add workstations to domain"}
+	 "Add workstations to domain"},
+
+	/* These last 3 are Samba only */
+	{SEC_PRIV_PRINT_OPERATOR,
+	 SE_PRINT_OPERATOR,
+	 "SePrintOperatorPrivilege",
+	 "Manage printers"},
+
+	{SEC_PRIV_ADD_USERS,
+	 SE_ADD_USERS,
+	 "SeAddUsersPrivilege",
+	 "Add users and groups to the domain"},
+
+	{SEC_PRIV_DISK_OPERATOR,
+	 SE_DISK_OPERATOR,
+	 "SeDiskOperatorPrivilege",
+	 "Manage disk shares"},
 };
 
 
@@ -178,20 +220,34 @@ enum sec_privilege sec_privilege_id(const char *name)
 	return -1;
 }
 
+/*
+  map a privilege name to a privilege id. Return -1 if not found
+*/
+enum sec_privilege sec_privilege_from_mask(uint64_t mask)
+{
+	int i;
+	for (i=0;i<ARRAY_SIZE(privilege_names);i++) {
+		if (privilege_names[i].privilege_mask == mask) {
+			return privilege_names[i].privilege;
+		}
+	}
+	return -1;
+}
+
 
 /*
   return a privilege mask given a privilege id
 */
 static uint64_t sec_privilege_mask(enum sec_privilege privilege)
 {
-	uint64_t mask = 1;
-
-	if (privilege < 1 || privilege > 64) {
-		return 0;
+	int i;
+	for (i=0;i<ARRAY_SIZE(privilege_names);i++) {
+		if (privilege_names[i].privilege == privilege) {
+			return privilege_names[i].privilege_mask;
+		}
 	}
 
-	mask <<= (privilege-1);
-	return mask;
+	return 0;
 }
 
 
@@ -202,11 +258,11 @@ bool security_token_has_privilege(const struct security_token *token, enum sec_p
 {
 	uint64_t mask;
 
-	if (privilege < 1 || privilege > 64) {
+	mask = sec_privilege_mask(privilege);
+	if (mask == 0) {
 		return false;
 	}
 
-	mask = sec_privilege_mask(privilege);
 	if (token->privilege_mask & mask) {
 		return true;
 	}
@@ -218,9 +274,7 @@ bool security_token_has_privilege(const struct security_token *token, enum sec_p
 */
 void security_token_set_privilege(struct security_token *token, enum sec_privilege privilege)
 {
-	if (privilege < 1 || privilege > 64) {
-		return;
-	}
+	/* Relies on the fact that an invalid privilage will return 0, so won't change this */
 	token->privilege_mask |= sec_privilege_mask(privilege);
 }
 
@@ -231,12 +285,10 @@ void security_token_debug_privileges(int dbg_lev, const struct security_token *t
 
 	if (token->privilege_mask) {
 		int i = 0;
-		unsigned int privilege;
-
-		for (privilege = 1; privilege <= 64; privilege++) {
-			uint64_t mask = sec_privilege_mask(privilege);
-
+		uint64_t mask;
+		for (mask = 1; mask != 0; mask = mask << 1) {
 			if (token->privilege_mask & mask) {
+				enum sec_privilege privilege = sec_privilege_from_mask(mask);
 				DEBUGADD(dbg_lev, ("  Privilege[%3lu]: %s\n", (unsigned long)i++, 
 					sec_privilege_name(privilege)));
 			}