summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2010-08-27 09:35:55 +1000
committerAndrew Bartlett <abartlet@samba.org>2010-09-11 18:46:07 +1000
commitdbee98d30fc9c7db6693170215b8c1819b3e2f3d (patch)
tree416b01e118de9d0b409b878b09754fb226233d4c
parent0d25212cc161dee2f38c8ad60e50543596000f18 (diff)
downloadsamba-dbee98d30fc9c7db6693170215b8c1819b3e2f3d.tar.gz
samba-dbee98d30fc9c7db6693170215b8c1819b3e2f3d.tar.bz2
samba-dbee98d30fc9c7db6693170215b8c1819b3e2f3d.zip
libcli/security Move source4/ privileges code into the common libcli/security
Signed-off-by: Andrew Tridgell <tridge@samba.org>
-rw-r--r--libcli/security/privileges.c289
-rw-r--r--libcli/security/privileges.h44
-rw-r--r--libcli/security/wscript_build2
-rw-r--r--source4/libcli/security/privilege.c309
-rw-r--r--source4/libcli/security/security.h1
-rw-r--r--source4/libcli/security/wscript_build2
6 files changed, 333 insertions, 314 deletions
diff --git a/libcli/security/privileges.c b/libcli/security/privileges.c
index f4f3321198..3919ce8380 100644
--- a/libcli/security/privileges.c
+++ b/libcli/security/privileges.c
@@ -6,6 +6,7 @@
Copyright (C) Gerald (Jerry) Carter 2005
Copyright (C) Michael Adam 2007
Copyright (C) Andrew Bartlett 2010
+ Copyright (C) Andrew Tridgell 2004
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -32,6 +33,11 @@
*/
#include "includes.h"
+#include "libcli/security/privileges.h"
+#include "librpc/gen_ndr/security.h"
+
+/* The use of strcasecmp here is safe, all the comparison strings are ASCII */
+#undef strcasecmp
const uint64_t se_priv_all = SE_ALL_PRIVS;
static const uint64_t se_priv_end = SE_END;
@@ -446,3 +452,286 @@ bool privilege_set_to_se_priv( uint64_t *privilege_mask, struct lsa_PrivilegeSet
return true;
}
+
+static const struct {
+ enum sec_privilege privilege;
+ uint64_t privilege_mask;
+ const char *name;
+ const char *display_name;
+} privilege_names[] = {
+ {SEC_PRIV_SECURITY,
+ SE_SECURITY,
+ "SeSecurityPrivilege",
+ "System security"},
+
+ {SEC_PRIV_BACKUP,
+ SE_BACKUP,
+ "SeBackupPrivilege",
+ "Backup files and directories"},
+
+ {SEC_PRIV_RESTORE,
+ SE_RESTORE,
+ "SeRestorePrivilege",
+ "Restore files and directories"},
+
+ {SEC_PRIV_SYSTEMTIME,
+ SE_SYSTEMTIME,
+ "SeSystemtimePrivilege",
+ "Set the system clock"},
+
+ {SEC_PRIV_SHUTDOWN,
+ SE_SHUTDOWN,
+ "SeShutdownPrivilege",
+ "Shutdown the system"},
+
+ {SEC_PRIV_REMOTE_SHUTDOWN,
+ SE_REMOTE_SHUTDOWN,
+ "SeRemoteShutdownPrivilege",
+ "Shutdown the system remotely"},
+
+ {SEC_PRIV_TAKE_OWNERSHIP,
+ SE_TAKE_OWNERSHIP,
+ "SeTakeOwnershipPrivilege",
+ "Take ownership of files and directories"},
+
+ {SEC_PRIV_DEBUG,
+ SE_DEBUG,
+ "SeDebugPrivilege",
+ "Debug processes"},
+
+ {SEC_PRIV_SYSTEM_ENVIRONMENT,
+ SE_SYSTEM_ENVIRONMENT,
+ "SeSystemEnvironmentPrivilege",
+ "Modify system environment"},
+
+ {SEC_PRIV_SYSTEM_PROFILE,
+ SE_SYSTEM_PROFILE,
+ "SeSystemProfilePrivilege",
+ "Profile the system"},
+
+ {SEC_PRIV_PROFILE_SINGLE_PROCESS,
+ SE_PROFILE_SINGLE_PROCESS,
+ "SeProfileSingleProcessPrivilege",
+ "Profile one process"},
+
+ {SEC_PRIV_INCREASE_BASE_PRIORITY,
+ SE_INCREASE_BASE_PRIORITY,
+ "SeIncreaseBasePriorityPrivilege",
+ "Increase base priority"},
+
+ {SEC_PRIV_LOAD_DRIVER,
+ SE_LOAD_DRIVER,
+ "SeLoadDriverPrivilege",
+ "Load drivers"},
+
+ {SEC_PRIV_CREATE_PAGEFILE,
+ SE_CREATE_PAGEFILE,
+ "SeCreatePagefilePrivilege",
+ "Create page files"},
+
+ {SEC_PRIV_INCREASE_QUOTA,
+ SE_INCREASE_QUOTA,
+ "SeIncreaseQuotaPrivilege",
+ "Increase quota"},
+
+ {SEC_PRIV_CHANGE_NOTIFY,
+ SE_CHANGE_NOTIFY,
+ "SeChangeNotifyPrivilege",
+ "Register for change notify"},
+
+ {SEC_PRIV_UNDOCK,
+ SE_UNDOCK,
+ "SeUndockPrivilege",
+ "Undock devices"},
+
+ {SEC_PRIV_MANAGE_VOLUME,
+ SE_MANAGE_VOLUME,
+ "SeManageVolumePrivilege",
+ "Manage system volumes"},
+
+ {SEC_PRIV_IMPERSONATE,
+ SE_IMPERSONATE,
+ "SeImpersonatePrivilege",
+ "Impersonate users"},
+
+ {SEC_PRIV_CREATE_GLOBAL,
+ SE_CREATE_GLOBAL,
+ "SeCreateGlobalPrivilege",
+ "Create global"},
+
+ {SEC_PRIV_ENABLE_DELEGATION,
+ SE_ENABLE_DELEGATION,
+ "SeEnableDelegationPrivilege",
+ "Enable Delegation"},
+
+ {SEC_PRIV_INTERACTIVE_LOGON,
+ SE_INTERACTIVE_LOGON,
+ "SeInteractiveLogonRight",
+ "Interactive logon"},
+
+ {SEC_PRIV_NETWORK_LOGON,
+ SE_NETWORK_LOGON,
+ "SeNetworkLogonRight",
+ "Network logon"},
+
+ {SEC_PRIV_REMOTE_INTERACTIVE_LOGON,
+ SE_REMOTE_INTERACTIVE_LOGON,
+ "SeRemoteInteractiveLogonRight",
+ "Remote Interactive logon"},
+
+ {SEC_PRIV_MACHINE_ACCOUNT,
+ SE_MACHINE_ACCOUNT,
+ "SeMachineAccountPrivilege",
+ "Add workstations to domain"},
+
+ /* These last 3 are Samba only */
+ {SEC_PRIV_PRINT_OPERATOR,
+ SE_PRINT_OPERATOR,
+ "SePrintOperatorPrivilege",
+ "Manage printers"},
+
+ {SEC_PRIV_ADD_USERS,
+ SE_ADD_USERS,
+ "SeAddUsersPrivilege",
+ "Add users and groups to the domain"},
+
+ {SEC_PRIV_DISK_OPERATOR,
+ SE_DISK_OPERATOR,
+ "SeDiskOperatorPrivilege",
+ "Manage disk shares"},
+};
+
+
+/*
+ map a privilege id to the wire string constant
+*/
+const char *sec_privilege_name(enum sec_privilege privilege)
+{
+ int i;
+ for (i=0;i<ARRAY_SIZE(privilege_names);i++) {
+ if (privilege_names[i].privilege == privilege) {
+ return privilege_names[i].name;
+ }
+ }
+ return NULL;
+}
+
+/*
+ map a privilege id to a privilege display name. Return NULL if not found
+
+ TODO: this should use language mappings
+*/
+const char *sec_privilege_display_name(enum sec_privilege privilege, uint16_t *language)
+{
+ int i;
+ if (privilege < 1 || privilege > 64) {
+ return NULL;
+ }
+ for (i=0;i<ARRAY_SIZE(privilege_names);i++) {
+ if (privilege_names[i].privilege == privilege) {
+ return privilege_names[i].display_name;
+ }
+ }
+ return NULL;
+}
+
+/*
+ map a privilege name to a privilege id. Return -1 if not found
+*/
+enum sec_privilege sec_privilege_id(const char *name)
+{
+ int i;
+ for (i=0;i<ARRAY_SIZE(privilege_names);i++) {
+ if (strcasecmp(privilege_names[i].name, name) == 0) {
+ return privilege_names[i].privilege;
+ }
+ }
+ return -1;
+}
+
+/*
+ map a privilege name to a privilege id. Return -1 if not found
+*/
+enum sec_privilege sec_privilege_from_mask(uint64_t mask)
+{
+ int i;
+ for (i=0;i<ARRAY_SIZE(privilege_names);i++) {
+ if (privilege_names[i].privilege_mask == mask) {
+ return privilege_names[i].privilege;
+ }
+ }
+ return -1;
+}
+
+/*
+ map a privilege name to a privilege id. Return -1 if not found
+*/
+enum sec_privilege sec_privilege_from_index(int idx)
+{
+ if (idx >= 0 && idx<ARRAY_SIZE(privilege_names)) {
+ return privilege_names[idx].privilege;
+ }
+ return -1;
+}
+
+
+/*
+ return a privilege mask given a privilege id
+*/
+static uint64_t sec_privilege_mask(enum sec_privilege privilege)
+{
+ int i;
+ for (i=0;i<ARRAY_SIZE(privilege_names);i++) {
+ if (privilege_names[i].privilege == privilege) {
+ return privilege_names[i].privilege_mask;
+ }
+ }
+
+ return 0;
+}
+
+
+/*
+ return true if a security_token has a particular privilege bit set
+*/
+bool security_token_has_privilege(const struct security_token *token, enum sec_privilege privilege)
+{
+ uint64_t mask;
+
+ mask = sec_privilege_mask(privilege);
+ if (mask == 0) {
+ return false;
+ }
+
+ if (token->privilege_mask & mask) {
+ return true;
+ }
+ return false;
+}
+
+/*
+ set a bit in the privilege mask
+*/
+void security_token_set_privilege(struct security_token *token, enum sec_privilege privilege)
+{
+ /* Relies on the fact that an invalid privilage will return 0, so won't change this */
+ token->privilege_mask |= sec_privilege_mask(privilege);
+}
+
+void security_token_debug_privileges(int dbg_lev, const struct security_token *token)
+{
+ DEBUGADD(dbg_lev, (" Privileges (0x%16llX):\n",
+ (unsigned long long) token->privilege_mask));
+
+ if (token->privilege_mask) {
+ int i = 0;
+ uint64_t mask;
+ for (mask = 1; mask != 0; mask = mask << 1) {
+ if (token->privilege_mask & mask) {
+ enum sec_privilege privilege = sec_privilege_from_mask(mask);
+ DEBUGADD(dbg_lev, (" Privilege[%3lu]: %s\n", (unsigned long)i++,
+ sec_privilege_name(privilege)));
+ }
+ }
+ }
+}
diff --git a/libcli/security/privileges.h b/libcli/security/privileges.h
index 905645906f..69c7dbcec3 100644
--- a/libcli/security/privileges.h
+++ b/libcli/security/privileges.h
@@ -1,4 +1,3 @@
-
/*
Unix SMB/CIFS implementation.
SMB parameters and setup
@@ -59,8 +58,8 @@ extern const uint64_t se_take_ownership;
typedef struct {
TALLOC_CTX *mem_ctx;
bool ext_ctx;
- uint32 count;
- uint32 control;
+ uint32_t count;
+ uint32_t control;
struct lsa_LUIDAttribute *set;
} PRIVILEGE_SET;
@@ -159,4 +158,43 @@ const char *luid_to_privilege_name(const struct lsa_LUID *set);
bool se_priv_to_privilege_set( PRIVILEGE_SET *set, uint64_t *privilege_mask );
bool privilege_set_to_se_priv( uint64_t *privilege_mask, struct lsa_PrivilegeSet *privset );
+/*
+ map a privilege id to the wire string constant
+*/
+const char *sec_privilege_name(enum sec_privilege privilege);
+
+/*
+ map a privilege id to a privilege display name. Return NULL if not found
+
+ TODO: this should use language mappings
+*/
+const char *sec_privilege_display_name(enum sec_privilege privilege, uint16_t *language);
+
+/*
+ map a privilege name to a privilege id. Return -1 if not found
+*/
+enum sec_privilege sec_privilege_id(const char *name);
+
+/*
+ map a privilege name to a privilege id. Return -1 if not found
+*/
+enum sec_privilege sec_privilege_from_mask(uint64_t mask);
+
+/*
+ map a privilege name to a privilege id. Return -1 if not found
+*/
+enum sec_privilege sec_privilege_from_index(int idx);
+
+/*
+ return true if a security_token has a particular privilege bit set
+*/
+bool security_token_has_privilege(const struct security_token *token, enum sec_privilege privilege);
+
+/*
+ set a bit in the privilege mask
+*/
+void security_token_set_privilege(struct security_token *token, enum sec_privilege privilege);
+
+void security_token_debug_privileges(int dbg_lev, const struct security_token *token);
+
#endif /* PRIVILEGES_H */
diff --git a/libcli/security/wscript_build b/libcli/security/wscript_build
index c2a02f3db6..49682e288e 100644
--- a/libcli/security/wscript_build
+++ b/libcli/security/wscript_build
@@ -2,7 +2,7 @@
bld.SAMBA_SUBSYSTEM('LIBSECURITY_COMMON',
- source='dom_sid.c display_sec.c secace.c secacl.c security_descriptor.c sddl.c',
+ source='dom_sid.c display_sec.c secace.c secacl.c security_descriptor.c sddl.c privileges.c',
deps='talloc'
)
diff --git a/source4/libcli/security/privilege.c b/source4/libcli/security/privilege.c
deleted file mode 100644
index 9fd7192883..0000000000
--- a/source4/libcli/security/privilege.c
+++ /dev/null
@@ -1,309 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
-
- manipulate privileges
-
- Copyright (C) Andrew Tridgell 2004
- Copyright (C) Andrew Bartlett 2010
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include "includes.h"
-#include "librpc/gen_ndr/security.h"
-#include "libcli/security/security.h"
-
-
-static const struct {
- enum sec_privilege privilege;
- uint64_t privilege_mask;
- const char *name;
- const char *display_name;
-} privilege_names[] = {
- {SEC_PRIV_SECURITY,
- SE_SECURITY,
- "SeSecurityPrivilege",
- "System security"},
-
- {SEC_PRIV_BACKUP,
- SE_BACKUP,
- "SeBackupPrivilege",
- "Backup files and directories"},
-
- {SEC_PRIV_RESTORE,
- SE_RESTORE,
- "SeRestorePrivilege",
- "Restore files and directories"},
-
- {SEC_PRIV_SYSTEMTIME,
- SE_SYSTEMTIME,
- "SeSystemtimePrivilege",
- "Set the system clock"},
-
- {SEC_PRIV_SHUTDOWN,
- SE_SHUTDOWN,
- "SeShutdownPrivilege",
- "Shutdown the system"},
-
- {SEC_PRIV_REMOTE_SHUTDOWN,
- SE_REMOTE_SHUTDOWN,
- "SeRemoteShutdownPrivilege",
- "Shutdown the system remotely"},
-
- {SEC_PRIV_TAKE_OWNERSHIP,
- SE_TAKE_OWNERSHIP,
- "SeTakeOwnershipPrivilege",
- "Take ownership of files and directories"},
-
- {SEC_PRIV_DEBUG,
- SE_DEBUG,
- "SeDebugPrivilege",
- "Debug processes"},
-
- {SEC_PRIV_SYSTEM_ENVIRONMENT,
- SE_SYSTEM_ENVIRONMENT,
- "SeSystemEnvironmentPrivilege",
- "Modify system environment"},
-
- {SEC_PRIV_SYSTEM_PROFILE,
- SE_SYSTEM_PROFILE,
- "SeSystemProfilePrivilege",
- "Profile the system"},
-
- {SEC_PRIV_PROFILE_SINGLE_PROCESS,
- SE_PROFILE_SINGLE_PROCESS,
- "SeProfileSingleProcessPrivilege",
- "Profile one process"},
-
- {SEC_PRIV_INCREASE_BASE_PRIORITY,
- SE_INCREASE_BASE_PRIORITY,
- "SeIncreaseBasePriorityPrivilege",
- "Increase base priority"},
-
- {SEC_PRIV_LOAD_DRIVER,
- SE_LOAD_DRIVER,
- "SeLoadDriverPrivilege",
- "Load drivers"},
-
- {SEC_PRIV_CREATE_PAGEFILE,
- SE_CREATE_PAGEFILE,
- "SeCreatePagefilePrivilege",
- "Create page files"},
-
- {SEC_PRIV_INCREASE_QUOTA,
- SE_INCREASE_QUOTA,
- "SeIncreaseQuotaPrivilege",
- "Increase quota"},
-
- {SEC_PRIV_CHANGE_NOTIFY,
- SE_CHANGE_NOTIFY,
- "SeChangeNotifyPrivilege",
- "Register for change notify"},
-
- {SEC_PRIV_UNDOCK,
- SE_UNDOCK,
- "SeUndockPrivilege",
- "Undock devices"},
-
- {SEC_PRIV_MANAGE_VOLUME,
- SE_MANAGE_VOLUME,
- "SeManageVolumePrivilege",
- "Manage system volumes"},
-
- {SEC_PRIV_IMPERSONATE,
- SE_IMPERSONATE,
- "SeImpersonatePrivilege",
- "Impersonate users"},
-
- {SEC_PRIV_CREATE_GLOBAL,
- SE_CREATE_GLOBAL,
- "SeCreateGlobalPrivilege",
- "Create global"},
-
- {SEC_PRIV_ENABLE_DELEGATION,
- SE_ENABLE_DELEGATION,
- "SeEnableDelegationPrivilege",
- "Enable Delegation"},
-
- {SEC_PRIV_INTERACTIVE_LOGON,
- SE_INTERACTIVE_LOGON,
- "SeInteractiveLogonRight",
- "Interactive logon"},
-
- {SEC_PRIV_NETWORK_LOGON,
- SE_NETWORK_LOGON,
- "SeNetworkLogonRight",
- "Network logon"},
-
- {SEC_PRIV_REMOTE_INTERACTIVE_LOGON,
- SE_REMOTE_INTERACTIVE_LOGON,
- "SeRemoteInteractiveLogonRight",
- "Remote Interactive logon"},
-
- {SEC_PRIV_MACHINE_ACCOUNT,
- SE_MACHINE_ACCOUNT,
- "SeMachineAccountPrivilege",
- "Add workstations to domain"},
-
- /* These last 3 are Samba only */
- {SEC_PRIV_PRINT_OPERATOR,
- SE_PRINT_OPERATOR,
- "SePrintOperatorPrivilege",
- "Manage printers"},
-
- {SEC_PRIV_ADD_USERS,
- SE_ADD_USERS,
- "SeAddUsersPrivilege",
- "Add users and groups to the domain"},
-
- {SEC_PRIV_DISK_OPERATOR,
- SE_DISK_OPERATOR,
- "SeDiskOperatorPrivilege",
- "Manage disk shares"},
-};
-
-
-/*
- map a privilege id to the wire string constant
-*/
-const char *sec_privilege_name(enum sec_privilege privilege)
-{
- int i;
- for (i=0;i<ARRAY_SIZE(privilege_names);i++) {
- if (privilege_names[i].privilege == privilege) {
- return privilege_names[i].name;
- }
- }
- return NULL;
-}
-
-/*
- map a privilege id to a privilege display name. Return NULL if not found
-
- TODO: this should use language mappings
-*/
-const char *sec_privilege_display_name(enum sec_privilege privilege, uint16_t *language)
-{
- int i;
- if (privilege < 1 || privilege > 64) {
- return NULL;
- }
- for (i=0;i<ARRAY_SIZE(privilege_names);i++) {
- if (privilege_names[i].privilege == privilege) {
- return privilege_names[i].display_name;
- }
- }
- return NULL;
-}
-
-/*
- map a privilege name to a privilege id. Return -1 if not found
-*/
-enum sec_privilege sec_privilege_id(const char *name)
-{
- int i;
- for (i=0;i<ARRAY_SIZE(privilege_names);i++) {
- if (strcasecmp(privilege_names[i].name, name) == 0) {
- return privilege_names[i].privilege;
- }
- }
- return -1;
-}
-
-/*
- map a privilege name to a privilege id. Return -1 if not found
-*/
-enum sec_privilege sec_privilege_from_mask(uint64_t mask)
-{
- int i;
- for (i=0;i<ARRAY_SIZE(privilege_names);i++) {
- if (privilege_names[i].privilege_mask == mask) {
- return privilege_names[i].privilege;
- }
- }
- return -1;
-}
-
-/*
- map a privilege name to a privilege id. Return -1 if not found
-*/
-enum sec_privilege sec_privilege_from_index(int idx)
-{
- if (idx >= 0 && idx<ARRAY_SIZE(privilege_names)) {
- return privilege_names[idx].privilege;
- }
- return -1;
-}
-
-
-/*
- return a privilege mask given a privilege id
-*/
-static uint64_t sec_privilege_mask(enum sec_privilege privilege)
-{
- int i;
- for (i=0;i<ARRAY_SIZE(privilege_names);i++) {
- if (privilege_names[i].privilege == privilege) {
- return privilege_names[i].privilege_mask;
- }
- }
-
- return 0;
-}
-
-
-/*
- return true if a security_token has a particular privilege bit set
-*/
-bool security_token_has_privilege(const struct security_token *token, enum sec_privilege privilege)
-{
- uint64_t mask;
-
- mask = sec_privilege_mask(privilege);
- if (mask == 0) {
- return false;
- }
-
- if (token->privilege_mask & mask) {
- return true;
- }
- return false;
-}
-
-/*
- set a bit in the privilege mask
-*/
-void security_token_set_privilege(struct security_token *token, enum sec_privilege privilege)
-{
- /* Relies on the fact that an invalid privilage will return 0, so won't change this */
- token->privilege_mask |= sec_privilege_mask(privilege);
-}
-
-void security_token_debug_privileges(int dbg_lev, const struct security_token *token)
-{
- DEBUGADD(dbg_lev, (" Privileges (0x%16llX):\n",
- (unsigned long long) token->privilege_mask));
-
- if (token->privilege_mask) {
- int i = 0;
- uint64_t mask;
- for (mask = 1; mask != 0; mask = mask << 1) {
- if (token->privilege_mask & mask) {
- enum sec_privilege privilege = sec_privilege_from_mask(mask);
- DEBUGADD(dbg_lev, (" Privilege[%3lu]: %s\n", (unsigned long)i++,
- sec_privilege_name(privilege)));
- }
- }
- }
-}
diff --git a/source4/libcli/security/security.h b/source4/libcli/security/security.h
index 236096560c..dc5e3ca736 100644
--- a/source4/libcli/security/security.h
+++ b/source4/libcli/security/security.h
@@ -50,5 +50,6 @@ struct object_tree {
#include "libcli/security/proto.h"
#include "libcli/security/security_descriptor.h"
#include "libcli/security/sddl.h"
+#include "libcli/security/privileges.h"
#endif
diff --git a/source4/libcli/security/wscript_build b/source4/libcli/security/wscript_build
index 3d1118790c..5d53022137 100644
--- a/source4/libcli/security/wscript_build
+++ b/source4/libcli/security/wscript_build
@@ -1,7 +1,7 @@
#!/usr/bin/env python
bld.SAMBA_SUBSYSTEM('LIBSECURITY',
- source='security_token.c access_check.c privilege.c create_descriptor.c object_tree.c',
+ source='security_token.c access_check.c create_descriptor.c object_tree.c',
autoproto='proto.h',
public_deps='LIBNDR LIBSECURITY_COMMON'
)