summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2010-08-26 15:56:21 +1000
committerAndrew Bartlett <abartlet@samba.org>2010-09-11 18:46:04 +1000
commite655e9f6765f951447a36cc3890437f21a13ca0d (patch)
tree97d037c2e7e6cd5a485b5168b378965b6926b0ba
parentfcaa86f4026cac94ed257406cbf4a59947b6029f (diff)
downloadsamba-e655e9f6765f951447a36cc3890437f21a13ca0d.tar.gz
samba-e655e9f6765f951447a36cc3890437f21a13ca0d.tar.bz2
samba-e655e9f6765f951447a36cc3890437f21a13ca0d.zip
s4-privs Remove link between enum sec_privilege and the privilege bitmap
This allows us to set the enum sec_privilege constants to the LUID values that are seen from windows, which we need to match, in order to preserve the support for the NT Print Migrator tool after a merge with the source3/ privileges code. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
-rw-r--r--librpc/idl/security.idl100
-rw-r--r--source4/libcli/security/privilege.c86
2 files changed, 140 insertions, 46 deletions
diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl
index 20cbb4189b..922b264df9 100644
--- a/librpc/idl/security.idl
+++ b/librpc/idl/security.idl
@@ -315,36 +315,78 @@ interface security
const int BUILTIN_RID_AUTH_ACCESS = 560;
const int BUILTIN_RID_TS_LICENSE_SERVERS = 561;
- /*
- privilege IDs. Please keep the IDs below 64. If we get more
- than 64 then we need to change security_token
- */
+/********************************************************************
+ This is a list of privileges reported by a WIndows 2000 SP4 AD DC
+ just for reference purposes (and I know the LUID is not guaranteed
+ across reboots):
+
+ SeCreateTokenPrivilege Create a token object ( 0x0, 0x2 )
+ SeAssignPrimaryTokenPrivilege Replace a process level token ( 0x0, 0x3 )
+ SeLockMemoryPrivilege Lock pages in memory ( 0x0, 0x4 )
+ SeIncreaseQuotaPrivilege Increase quotas ( 0x0, 0x5 )
+ SeMachineAccountPrivilege Add workstations to domain ( 0x0, 0x6 )
+ SeTcbPrivilege Act as part of the operating system ( 0x0, 0x7 )
+ SeSecurityPrivilege Manage auditing and security log ( 0x0, 0x8 )
+ SeTakeOwnershipPrivilege Take ownership of files or other objects ( 0x0, 0x9 )
+ SeLoadDriverPrivilege Load and unload device drivers ( 0x0, 0xa )
+ SeSystemProfilePrivilege Profile system performance ( 0x0, 0xb )
+ SeSystemtimePrivilege Change the system time ( 0x0, 0xc )
+ SeProfileSingleProcessPrivilege Profile single process ( 0x0, 0xd )
+ SeIncreaseBasePriorityPrivilege Increase scheduling priority ( 0x0, 0xe )
+ SeCreatePagefilePrivilege Create a pagefile ( 0x0, 0xf )
+ SeCreatePermanentPrivilege Create permanent shared objects ( 0x0, 0x10 )
+ SeBackupPrivilege Back up files and directories ( 0x0, 0x11 )
+ SeRestorePrivilege Restore files and directories ( 0x0, 0x12 )
+ SeShutdownPrivilege Shut down the system ( 0x0, 0x13 )
+ SeDebugPrivilege Debug programs ( 0x0, 0x14 )
+ SeAuditPrivilege Generate security audits ( 0x0, 0x15 )
+ SeSystemEnvironmentPrivilege Modify firmware environment values ( 0x0, 0x16 )
+ SeChangeNotifyPrivilege Bypass traverse checking ( 0x0, 0x17 )
+ SeRemoteShutdownPrivilege Force shutdown from a remote system ( 0x0, 0x18 )
+ SeUndockPrivilege Remove computer from docking station ( 0x0, 0x19 )
+ SeSyncAgentPrivilege Synchronize directory service data ( 0x0, 0x1a )
+ SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation ( 0x0, 0x1b )
+ SeManageVolumePrivilege Perform volume maintenance tasks ( 0x0, 0x1c )
+ SeImpersonatePrivilege Impersonate a client after authentication ( 0x0, 0x1d )
+ SeCreateGlobalPrivilege Create global objects ( 0x0, 0x1e )
+
+ ********************************************************************/
+
+/* we have to define the LUID here due to a horrible check by printmig.exe
+ that requires the SeBackupPrivilege match what is in Windows. So match
+ those that we implement and start Samba privileges at 0x1001 */
+
typedef enum {
- SEC_PRIV_SECURITY = 1,
- SEC_PRIV_BACKUP = 2,
- SEC_PRIV_RESTORE = 3,
- SEC_PRIV_SYSTEMTIME = 4,
- SEC_PRIV_SHUTDOWN = 5,
- SEC_PRIV_REMOTE_SHUTDOWN = 6,
- SEC_PRIV_TAKE_OWNERSHIP = 7,
- SEC_PRIV_DEBUG = 8,
- SEC_PRIV_SYSTEM_ENVIRONMENT = 9,
- SEC_PRIV_SYSTEM_PROFILE = 10,
- SEC_PRIV_PROFILE_SINGLE_PROCESS = 11,
- SEC_PRIV_INCREASE_BASE_PRIORITY = 12,
- SEC_PRIV_LOAD_DRIVER = 13,
- SEC_PRIV_CREATE_PAGEFILE = 14,
- SEC_PRIV_INCREASE_QUOTA = 15,
- SEC_PRIV_CHANGE_NOTIFY = 16,
- SEC_PRIV_UNDOCK = 17,
- SEC_PRIV_MANAGE_VOLUME = 18,
- SEC_PRIV_IMPERSONATE = 19,
- SEC_PRIV_CREATE_GLOBAL = 20,
- SEC_PRIV_ENABLE_DELEGATION = 21,
- SEC_PRIV_INTERACTIVE_LOGON = 22,
- SEC_PRIV_NETWORK_LOGON = 23,
- SEC_PRIV_REMOTE_INTERACTIVE_LOGON = 24,
- SEC_PRIV_MACHINE_ACCOUNT = 25
+ SEC_PRIV_INCREASE_QUOTA = 0x5,
+ SEC_PRIV_MACHINE_ACCOUNT = 0x6,
+ SEC_PRIV_SECURITY = 0x8,
+ SEC_PRIV_TAKE_OWNERSHIP = 0x09,
+ SEC_PRIV_LOAD_DRIVER = 0x0a,
+ SEC_PRIV_SYSTEM_PROFILE = 0x0b,
+ SEC_PRIV_SYSTEMTIME = 0x0c,
+ SEC_PRIV_PROFILE_SINGLE_PROCESS = 0x0d,
+ SEC_PRIV_INCREASE_BASE_PRIORITY = 0x0e,
+ SEC_PRIV_CREATE_PAGEFILE = 0x0f,
+ SEC_PRIV_BACKUP = 0x11,
+ SEC_PRIV_RESTORE = 0x12,
+ SEC_PRIV_SHUTDOWN = 0x13,
+ SEC_PRIV_DEBUG = 0x14,
+ SEC_PRIV_SYSTEM_ENVIRONMENT = 0x16,
+ SEC_PRIV_CHANGE_NOTIFY = 0x17,
+ SEC_PRIV_REMOTE_SHUTDOWN = 0x18,
+ SEC_PRIV_UNDOCK = 0x19,
+ SEC_PRIV_ENABLE_DELEGATION = 0x1b,
+ SEC_PRIV_MANAGE_VOLUME = 0x1c,
+ SEC_PRIV_IMPERSONATE = 0x1d,
+ SEC_PRIV_CREATE_GLOBAL = 0x1e,
+ /* Samba-specific privs */
+ SEC_PRIV_PRINT_OPERATOR = 0x1001,
+ SEC_PRIV_ADD_USERS = 0x1002,
+ SEC_PRIV_DISK_OPERATOR = 0x1003,
+ /* Windows privs not in the list above */
+ SEC_PRIV_INTERACTIVE_LOGON = 0x2022,
+ SEC_PRIV_NETWORK_LOGON = 0x2023,
+ SEC_PRIV_REMOTE_INTERACTIVE_LOGON = 0x2024
} sec_privilege;
/*
diff --git a/source4/libcli/security/privilege.c b/source4/libcli/security/privilege.c
index 8263830654..374dc4a449 100644
--- a/source4/libcli/security/privilege.c
+++ b/source4/libcli/security/privilege.c
@@ -26,108 +26,150 @@
static const struct {
enum sec_privilege privilege;
+ uint64_t privilege_mask;
const char *name;
const char *display_name;
} privilege_names[] = {
{SEC_PRIV_SECURITY,
+ SE_SECURITY,
"SeSecurityPrivilege",
"System security"},
{SEC_PRIV_BACKUP,
+ SE_BACKUP,
"SeBackupPrivilege",
"Backup files and directories"},
{SEC_PRIV_RESTORE,
+ SE_RESTORE,
"SeRestorePrivilege",
"Restore files and directories"},
{SEC_PRIV_SYSTEMTIME,
+ SE_SYSTEMTIME,
"SeSystemtimePrivilege",
"Set the system clock"},
{SEC_PRIV_SHUTDOWN,
+ SE_SHUTDOWN,
"SeShutdownPrivilege",
"Shutdown the system"},
{SEC_PRIV_REMOTE_SHUTDOWN,
+ SE_REMOTE_SHUTDOWN,
"SeRemoteShutdownPrivilege",
"Shutdown the system remotely"},
{SEC_PRIV_TAKE_OWNERSHIP,
+ SE_TAKE_OWNERSHIP,
"SeTakeOwnershipPrivilege",
"Take ownership of files and directories"},
{SEC_PRIV_DEBUG,
+ SE_DEBUG,
"SeDebugPrivilege",
"Debug processes"},
{SEC_PRIV_SYSTEM_ENVIRONMENT,
+ SE_SYSTEM_ENVIRONMENT,
"SeSystemEnvironmentPrivilege",
"Modify system environment"},
{SEC_PRIV_SYSTEM_PROFILE,
+ SE_SYSTEM_PROFILE,
"SeSystemProfilePrivilege",
"Profile the system"},
{SEC_PRIV_PROFILE_SINGLE_PROCESS,
+ SE_PROFILE_SINGLE_PROCESS,
"SeProfileSingleProcessPrivilege",
"Profile one process"},
{SEC_PRIV_INCREASE_BASE_PRIORITY,
+ SE_INCREASE_BASE_PRIORITY,
"SeIncreaseBasePriorityPrivilege",
"Increase base priority"},
{SEC_PRIV_LOAD_DRIVER,
+ SE_LOAD_DRIVER,
"SeLoadDriverPrivilege",
"Load drivers"},
{SEC_PRIV_CREATE_PAGEFILE,
+ SE_CREATE_PAGEFILE,
"SeCreatePagefilePrivilege",
"Create page files"},
{SEC_PRIV_INCREASE_QUOTA,
+ SE_INCREASE_QUOTA,
"SeIncreaseQuotaPrivilege",
"Increase quota"},
{SEC_PRIV_CHANGE_NOTIFY,
+ SE_CHANGE_NOTIFY,
"SeChangeNotifyPrivilege",
"Register for change notify"},
{SEC_PRIV_UNDOCK,
+ SE_UNDOCK,
"SeUndockPrivilege",
"Undock devices"},
{SEC_PRIV_MANAGE_VOLUME,
+ SE_MANAGE_VOLUME,
"SeManageVolumePrivilege",
"Manage system volumes"},
{SEC_PRIV_IMPERSONATE,
+ SE_IMPERSONATE,
"SeImpersonatePrivilege",
"Impersonate users"},
{SEC_PRIV_CREATE_GLOBAL,
+ SE_CREATE_GLOBAL,
"SeCreateGlobalPrivilege",
"Create global"},
{SEC_PRIV_ENABLE_DELEGATION,
+ SE_ENABLE_DELEGATION,
"SeEnableDelegationPrivilege",
"Enable Delegation"},
{SEC_PRIV_INTERACTIVE_LOGON,
+ SE_INTERACTIVE_LOGON,
"SeInteractiveLogonRight",
"Interactive logon"},
{SEC_PRIV_NETWORK_LOGON,
+ SE_NETWORK_LOGON,
"SeNetworkLogonRight",
"Network logon"},
{SEC_PRIV_REMOTE_INTERACTIVE_LOGON,
+ SE_REMOTE_INTERACTIVE_LOGON,
"SeRemoteInteractiveLogonRight",
"Remote Interactive logon"},
{SEC_PRIV_MACHINE_ACCOUNT,
+ SE_MACHINE_ACCOUNT,
"SeMachineAccountPrivilege",
- "Add workstations to domain"}
+ "Add workstations to domain"},
+
+ /* These last 3 are Samba only */
+ {SEC_PRIV_PRINT_OPERATOR,
+ SE_PRINT_OPERATOR,
+ "SePrintOperatorPrivilege",
+ "Manage printers"},
+
+ {SEC_PRIV_ADD_USERS,
+ SE_ADD_USERS,
+ "SeAddUsersPrivilege",
+ "Add users and groups to the domain"},
+
+ {SEC_PRIV_DISK_OPERATOR,
+ SE_DISK_OPERATOR,
+ "SeDiskOperatorPrivilege",
+ "Manage disk shares"},
};
@@ -178,20 +220,34 @@ enum sec_privilege sec_privilege_id(const char *name)
return -1;
}
+/*
+ map a privilege name to a privilege id. Return -1 if not found
+*/
+enum sec_privilege sec_privilege_from_mask(uint64_t mask)
+{
+ int i;
+ for (i=0;i<ARRAY_SIZE(privilege_names);i++) {
+ if (privilege_names[i].privilege_mask == mask) {
+ return privilege_names[i].privilege;
+ }
+ }
+ return -1;
+}
+
/*
return a privilege mask given a privilege id
*/
static uint64_t sec_privilege_mask(enum sec_privilege privilege)
{
- uint64_t mask = 1;
-
- if (privilege < 1 || privilege > 64) {
- return 0;
+ int i;
+ for (i=0;i<ARRAY_SIZE(privilege_names);i++) {
+ if (privilege_names[i].privilege == privilege) {
+ return privilege_names[i].privilege_mask;
+ }
}
- mask <<= (privilege-1);
- return mask;
+ return 0;
}
@@ -202,11 +258,11 @@ bool security_token_has_privilege(const struct security_token *token, enum sec_p
{
uint64_t mask;
- if (privilege < 1 || privilege > 64) {
+ mask = sec_privilege_mask(privilege);
+ if (mask == 0) {
return false;
}
- mask = sec_privilege_mask(privilege);
if (token->privilege_mask & mask) {
return true;
}
@@ -218,9 +274,7 @@ bool security_token_has_privilege(const struct security_token *token, enum sec_p
*/
void security_token_set_privilege(struct security_token *token, enum sec_privilege privilege)
{
- if (privilege < 1 || privilege > 64) {
- return;
- }
+ /* Relies on the fact that an invalid privilage will return 0, so won't change this */
token->privilege_mask |= sec_privilege_mask(privilege);
}
@@ -231,12 +285,10 @@ void security_token_debug_privileges(int dbg_lev, const struct security_token *t
if (token->privilege_mask) {
int i = 0;
- unsigned int privilege;
-
- for (privilege = 1; privilege <= 64; privilege++) {
- uint64_t mask = sec_privilege_mask(privilege);
-
+ uint64_t mask;
+ for (mask = 1; mask != 0; mask = mask << 1) {
if (token->privilege_mask & mask) {
+ enum sec_privilege privilege = sec_privilege_from_mask(mask);
DEBUGADD(dbg_lev, (" Privilege[%3lu]: %s\n", (unsigned long)i++,
sec_privilege_name(privilege)));
}