Share security.idl.

1 files changed, 394 insertions, 0 deletions

diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl
new file mode 100644
index 0000000000..6704e300a5
--- /dev/null
+++ b/librpc/idl/security.idl
@@ -0,0 +1,394 @@
+#include "idl_types.h"
+
+/*
+  security IDL structures
+*/
+
+import "misc.idl";
+
+/* 
+   use the same structure for dom_sid2 as dom_sid. A dom_sid2 is really
+   just a dom sid, but with the sub_auths represented as a conformant
+   array. As with all in-structure conformant arrays, the array length
+   is placed before the start of the structure. That's what gives rise
+   to the extra num_auths elemenent. We don't want the Samba code to
+   have to bother with such esoteric NDR details, so its easier to just
+   define it as a dom_sid and use pidl magic to make it all work. It
+   just means you need to mark a sid as a "dom_sid2" in the IDL when you
+   know it is of the conformant array variety
+*/
+cpp_quote("#define dom_sid2 dom_sid")
+
+/* same struct as dom_sid but inside a 28 bytes fixed buffer in NDR */
+cpp_quote("#define dom_sid28 dom_sid")
+
+/* same struct as dom_sid but in a variable byte buffer, which is maybe empty in NDR */
+cpp_quote("#define dom_sid0 dom_sid")
+
+[
+	pointer_default(unique)
+]
+interface security
+{
+	/*
+	  access masks are divided up like this:
+                0xabccdddd
+		where 
+		   a = generic rights bits        SEC_GENERIC_
+		   b = flags                      SEC_FLAG_
+		   c = standard rights bits       SEC_STD_
+		   d = object type specific bits  SEC_{FILE,DIR,REG,xxx}_
+		   
+          common combinations of bits are prefixed with SEC_RIGHTS_
+	*/
+	const int SEC_MASK_GENERIC         = 0xF0000000;
+	const int SEC_MASK_FLAGS           = 0x0F000000;
+	const int SEC_MASK_STANDARD        = 0x00FF0000;
+	const int SEC_MASK_SPECIFIC        = 0x0000FFFF;
+
+	/* generic bits */
+	const int SEC_GENERIC_ALL          = 0x10000000;
+	const int SEC_GENERIC_EXECUTE      = 0x20000000;
+	const int SEC_GENERIC_WRITE        = 0x40000000;
+	const int SEC_GENERIC_READ         = 0x80000000;
+
+	/* flag bits */
+	const int SEC_FLAG_SYSTEM_SECURITY = 0x01000000;
+	const int SEC_FLAG_MAXIMUM_ALLOWED = 0x02000000;
+
+	/* standard bits */
+	const int SEC_STD_DELETE           = 0x00010000;
+	const int SEC_STD_READ_CONTROL     = 0x00020000;
+	const int SEC_STD_WRITE_DAC        = 0x00040000;
+	const int SEC_STD_WRITE_OWNER      = 0x00080000;
+	const int SEC_STD_SYNCHRONIZE      = 0x00100000;
+	const int SEC_STD_REQUIRED         = 0x000F0000;
+	const int SEC_STD_ALL              = 0x001F0000;
+
+	/* file specific bits */
+	const int SEC_FILE_READ_DATA       = 0x00000001;
+	const int SEC_FILE_WRITE_DATA      = 0x00000002;
+	const int SEC_FILE_APPEND_DATA     = 0x00000004;
+	const int SEC_FILE_READ_EA         = 0x00000008;
+	const int SEC_FILE_WRITE_EA        = 0x00000010;
+	const int SEC_FILE_EXECUTE         = 0x00000020;
+	const int SEC_FILE_READ_ATTRIBUTE  = 0x00000080;
+	const int SEC_FILE_WRITE_ATTRIBUTE = 0x00000100;
+	const int SEC_FILE_ALL             = 0x000001ff;
+
+	/* directory specific bits */
+	const int SEC_DIR_LIST             = 0x00000001;
+	const int SEC_DIR_ADD_FILE         = 0x00000002;
+	const int SEC_DIR_ADD_SUBDIR       = 0x00000004;
+	const int SEC_DIR_READ_EA          = 0x00000008;
+	const int SEC_DIR_WRITE_EA         = 0x00000010;
+	const int SEC_DIR_TRAVERSE         = 0x00000020;
+	const int SEC_DIR_DELETE_CHILD     = 0x00000040;
+	const int SEC_DIR_READ_ATTRIBUTE   = 0x00000080;
+	const int SEC_DIR_WRITE_ATTRIBUTE  = 0x00000100;
+
+	/* registry entry specific bits */
+	const int SEC_REG_QUERY_VALUE      = 0x00000001;
+	const int SEC_REG_SET_VALUE        = 0x00000002;
+	const int SEC_REG_CREATE_SUBKEY    = 0x00000004;
+	const int SEC_REG_ENUM_SUBKEYS     = 0x00000008;
+	const int SEC_REG_NOTIFY           = 0x00000010;
+	const int SEC_REG_CREATE_LINK      = 0x00000020;
+
+	/* ldap specific access bits */
+	const int SEC_ADS_CREATE_CHILD     = 0x00000001;
+	const int SEC_ADS_DELETE_CHILD     = 0x00000002;
+	const int SEC_ADS_LIST             = 0x00000004;
+	const int SEC_ADS_SELF_WRITE       = 0x00000008;
+	const int SEC_ADS_READ_PROP        = 0x00000010;
+	const int SEC_ADS_WRITE_PROP       = 0x00000020;
+	const int SEC_ADS_DELETE_TREE      = 0x00000040;
+	const int SEC_ADS_LIST_OBJECT      = 0x00000080;
+	const int SEC_ADS_CONTROL_ACCESS   = 0x00000100;
+
+	/* invalid bits */
+	const int SEC_MASK_INVALID         = 0x0ce0fe00;
+
+	/* generic->specific mappings for files */
+	const int SEC_RIGHTS_FILE_READ    = SEC_STD_READ_CONTROL | 
+	                                    SEC_STD_SYNCHRONIZE | 
+					    SEC_FILE_READ_DATA | 
+                                            SEC_FILE_READ_ATTRIBUTE | 
+                                            SEC_FILE_READ_EA;
+
+	const int SEC_RIGHTS_FILE_WRITE   = SEC_STD_READ_CONTROL | 
+	                                    SEC_STD_SYNCHRONIZE | 
+					    SEC_FILE_WRITE_DATA | 
+                                            SEC_FILE_WRITE_ATTRIBUTE | 
+                                            SEC_FILE_WRITE_EA |
+                                            SEC_FILE_APPEND_DATA;
+	
+	const int SEC_RIGHTS_FILE_EXECUTE = SEC_STD_SYNCHRONIZE | 
+	                                    SEC_STD_READ_CONTROL | 
+	                                    SEC_FILE_READ_ATTRIBUTE | 
+                                            SEC_FILE_EXECUTE;
+
+	const int SEC_RIGHTS_FILE_ALL     = SEC_STD_ALL | SEC_FILE_ALL;
+
+	/* generic->specific mappings for directories (same as files) */
+	const int SEC_RIGHTS_DIR_READ     = SEC_RIGHTS_FILE_READ;
+	const int SEC_RIGHTS_DIR_WRITE    = SEC_RIGHTS_FILE_WRITE;
+	const int SEC_RIGHTS_DIR_EXECUTE  = SEC_RIGHTS_FILE_EXECUTE;
+	const int SEC_RIGHTS_DIR_ALL      = SEC_RIGHTS_FILE_ALL;
+
+
+	/***************************************************************/
+	/* WELL KNOWN SIDS */
+
+	/* a NULL sid */
+	const string SID_NULL = "S-1-0-0";
+
+	/* the world domain */
+	const string NAME_WORLD       = "WORLD";
+
+	const string SID_WORLD_DOMAIN = "S-1-1";
+	const string SID_WORLD        = "S-1-1-0";
+
+	/* SECURITY_CREATOR_SID_AUTHORITY */
+	const string SID_CREATOR_OWNER_DOMAIN = "S-1-3";
+	const string SID_CREATOR_OWNER        = "S-1-3-0";
+	const string SID_CREATOR_GROUP        = "S-1-3-1";
+	const string SID_OWNER_RIGHTS         = "S-1-3-4";
+
+	/* SECURITY_NT_AUTHORITY */
+	const string NAME_NT_AUTHORITY            = "NT AUTHORITY";
+
+	const string SID_NT_AUTHORITY             = "S-1-5";
+	const string SID_NT_DIALUP                = "S-1-5-1";
+	const string SID_NT_NETWORK               = "S-1-5-2";
+	const string SID_NT_BATCH                 = "S-1-5-3";
+	const string SID_NT_INTERACTIVE           = "S-1-5-4";
+	const string SID_NT_SERVICE               = "S-1-5-6";
+	const string SID_NT_ANONYMOUS             = "S-1-5-7";
+	const string SID_NT_PROXY                 = "S-1-5-8";
+	const string SID_NT_ENTERPRISE_DCS        = "S-1-5-9";
+	const string SID_NT_SELF                  = "S-1-5-10";
+	const string SID_NT_AUTHENTICATED_USERS   = "S-1-5-11";
+	const string SID_NT_RESTRICTED            = "S-1-5-12";
+	const string SID_NT_TERMINAL_SERVER_USERS = "S-1-5-13";
+	const string SID_NT_REMOTE_INTERACTIVE    = "S-1-5-14";
+	const string SID_NT_THIS_ORGANISATION     = "S-1-5-15";
+	const string SID_NT_IUSR                  = "S-1-5-17";
+	const string SID_NT_SYSTEM                = "S-1-5-18";
+	const string SID_NT_LOCAL_SERVICE         = "S-1-5-19";
+	const string SID_NT_NETWORK_SERVICE       = "S-1-5-20";
+	const string SID_NT_DIGEST_AUTHENTICATION = "S-1-5-64-21";
+	const string SID_NT_NTLM_AUTHENTICATION   = "S-1-5-64-10";
+	const string SID_NT_SCHANNEL_AUTHENTICATION = "S-1-5-64-14";
+	const string SID_NT_OTHER_ORGANISATION    = "S-1-5-1000";
+
+	/* SECURITY_BUILTIN_DOMAIN_RID */
+	const string NAME_BUILTIN                  = "BUILTIN";
+
+	const string SID_BUILTIN                   = "S-1-5-32";
+	const string SID_BUILTIN_ADMINISTRATORS    = "S-1-5-32-544";
+	const string SID_BUILTIN_USERS             = "S-1-5-32-545";
+	const string SID_BUILTIN_GUESTS            = "S-1-5-32-546";
+	const string SID_BUILTIN_POWER_USERS       = "S-1-5-32-547";
+	const string SID_BUILTIN_ACCOUNT_OPERATORS = "S-1-5-32-548";
+	const string SID_BUILTIN_SERVER_OPERATORS  = "S-1-5-32-549";
+	const string SID_BUILTIN_PRINT_OPERATORS   = "S-1-5-32-550";
+	const string SID_BUILTIN_BACKUP_OPERATORS  = "S-1-5-32-551";
+	const string SID_BUILTIN_REPLICATOR        = "S-1-5-32-552";
+	const string SID_BUILTIN_RAS_SERVERS       = "S-1-5-32-553";
+	const string SID_BUILTIN_PREW2K            = "S-1-5-32-554";
+
+	/* well-known domain RIDs */
+	const int DOMAIN_RID_LOGON                 = 9;
+	const int DOMAIN_RID_ADMINISTRATOR         = 500;
+	const int DOMAIN_RID_GUEST                 = 501;
+	const int DOMAIN_RID_ADMINS                = 512;
+	const int DOMAIN_RID_USERS                 = 513;
+	const int DOMAIN_RID_DOMAIN_MEMBERS        = 515;
+	const int DOMAIN_RID_DCS                   = 516;
+	const int DOMAIN_RID_CERT_ADMINS           = 517;
+	const int DOMAIN_RID_SCHEMA_ADMINS         = 518;
+	const int DOMAIN_RID_ENTERPRISE_ADMINS     = 519;
+
+
+	/*
+	  privilege IDs. Please keep the IDs below 64. If we get more
+	  than 64 then we need to change security_token
+	*/
+	typedef enum {
+		SEC_PRIV_SECURITY                  = 1,
+		SEC_PRIV_BACKUP                    = 2,
+		SEC_PRIV_RESTORE                   = 3,
+		SEC_PRIV_SYSTEMTIME                = 4,
+		SEC_PRIV_SHUTDOWN                  = 5,
+		SEC_PRIV_REMOTE_SHUTDOWN           = 6,
+		SEC_PRIV_TAKE_OWNERSHIP            = 7,
+		SEC_PRIV_DEBUG                     = 8,
+		SEC_PRIV_SYSTEM_ENVIRONMENT        = 9,
+		SEC_PRIV_SYSTEM_PROFILE            = 10,
+		SEC_PRIV_PROFILE_SINGLE_PROCESS    = 11,
+		SEC_PRIV_INCREASE_BASE_PRIORITY    = 12,
+		SEC_PRIV_LOAD_DRIVER               = 13,
+		SEC_PRIV_CREATE_PAGEFILE           = 14,
+		SEC_PRIV_INCREASE_QUOTA            = 15,
+		SEC_PRIV_CHANGE_NOTIFY             = 16,
+		SEC_PRIV_UNDOCK                    = 17,
+		SEC_PRIV_MANAGE_VOLUME             = 18,
+		SEC_PRIV_IMPERSONATE               = 19,
+		SEC_PRIV_CREATE_GLOBAL             = 20,
+		SEC_PRIV_ENABLE_DELEGATION         = 21,
+		SEC_PRIV_INTERACTIVE_LOGON         = 22,
+		SEC_PRIV_NETWORK_LOGON             = 23,
+		SEC_PRIV_REMOTE_INTERACTIVE_LOGON  = 24
+	} sec_privilege;
+
+
+	typedef [bitmap8bit] bitmap {
+		SEC_ACE_FLAG_OBJECT_INHERIT		= 0x01,
+		SEC_ACE_FLAG_CONTAINER_INHERIT		= 0x02,
+		SEC_ACE_FLAG_NO_PROPAGATE_INHERIT	= 0x04,
+		SEC_ACE_FLAG_INHERIT_ONLY		= 0x08,
+		SEC_ACE_FLAG_INHERITED_ACE		= 0x10,
+		SEC_ACE_FLAG_VALID_INHERIT		= 0x0f,
+		SEC_ACE_FLAG_SUCCESSFUL_ACCESS		= 0x40,
+		SEC_ACE_FLAG_FAILED_ACCESS		= 0x80
+	} security_ace_flags;
+
+	typedef [enum8bit] enum {
+		SEC_ACE_TYPE_ACCESS_ALLOWED		= 0,
+		SEC_ACE_TYPE_ACCESS_DENIED		= 1,
+		SEC_ACE_TYPE_SYSTEM_AUDIT		= 2,
+		SEC_ACE_TYPE_SYSTEM_ALARM		= 3,
+		SEC_ACE_TYPE_ALLOWED_COMPOUND		= 4,
+		SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT	= 5,
+		SEC_ACE_TYPE_ACCESS_DENIED_OBJECT	= 6,
+		SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT	= 7,
+		SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT	= 8
+	} security_ace_type;
+
+	typedef [bitmap32bit] bitmap {
+		SEC_ACE_OBJECT_TYPE_PRESENT		= 0x00000001,
+		SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT	= 0x00000002
+	} security_ace_object_flags;
+
+	typedef [nodiscriminant] union {
+		/* this is the 'schemaIDGUID' attribute of the attribute object in the schema naming context */
+		[case(SEC_ACE_OBJECT_TYPE_PRESENT)] GUID type;
+		[default];
+	} security_ace_object_type;
+
+	typedef [nodiscriminant] union {
+		/* this is the 'schemaIDGUID' attribute of the objectclass object in the schema naming context
+		 * (of the parent container)
+		 */
+		[case(SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)] GUID inherited_type;
+		[default];
+	} security_ace_object_inherited_type;
+
+	typedef struct {
+		security_ace_object_flags flags;
+		[switch_is(flags & SEC_ACE_OBJECT_TYPE_PRESENT)] security_ace_object_type type;
+		[switch_is(flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)] security_ace_object_inherited_type inherited_type;
+	} security_ace_object;
+
+	typedef [nodiscriminant] union {
+		[case(SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT)] security_ace_object object;
+		[case(SEC_ACE_TYPE_ACCESS_DENIED_OBJECT)] security_ace_object object;
+		[case(SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT)] security_ace_object object;
+		[case(SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT)] security_ace_object object;
+		[default];
+	} security_ace_object_ctr;
+
+	typedef [public,gensize,nosize] struct {
+		security_ace_type type;  /* SEC_ACE_TYPE_* */
+		security_ace_flags flags; /* SEC_ACE_FLAG_* */
+		[value(ndr_size_security_ace(r,ndr->flags))] uint16 size;
+		uint32 access_mask;
+		[switch_is(type)] security_ace_object_ctr object;
+		dom_sid trustee;
+	} security_ace;
+
+	typedef enum {
+		SECURITY_ACL_REVISION_NT4	= 2,
+		SECURITY_ACL_REVISION_ADS	= 4
+	} security_acl_revision;
+
+	const uint NT4_ACL_REVISION	= SECURITY_ACL_REVISION_NT4;
+
+	typedef [public,gensize,nosize] struct {
+		security_acl_revision revision;
+		[value(ndr_size_security_acl(r,ndr->flags))] uint16 size;
+		[range(0,1000)] uint32 num_aces;
+		security_ace aces[num_aces];
+	} security_acl;
+
+	/* default revision for new ACLs */
+	typedef [enum8bit] enum {
+		SECURITY_DESCRIPTOR_REVISION_1 = 1
+	} security_descriptor_revision;
+
+	const int SD_REVISION                    = SECURITY_DESCRIPTOR_REVISION_1;
+
+	/* security_descriptor->type bits */
+	typedef [bitmap16bit] bitmap {
+		SEC_DESC_OWNER_DEFAULTED	= 0x0001,
+		SEC_DESC_GROUP_DEFAULTED	= 0x0002,
+		SEC_DESC_DACL_PRESENT		= 0x0004,
+		SEC_DESC_DACL_DEFAULTED		= 0x0008,
+		SEC_DESC_SACL_PRESENT		= 0x0010,
+		SEC_DESC_SACL_DEFAULTED		= 0x0020,
+		SEC_DESC_DACL_TRUSTED		= 0x0040,
+		SEC_DESC_SERVER_SECURITY	= 0x0080,
+		SEC_DESC_DACL_AUTO_INHERIT_REQ	= 0x0100,
+		SEC_DESC_SACL_AUTO_INHERIT_REQ	= 0x0200,
+		SEC_DESC_DACL_AUTO_INHERITED	= 0x0400,
+		SEC_DESC_SACL_AUTO_INHERITED	= 0x0800,
+		SEC_DESC_DACL_PROTECTED		= 0x1000,
+		SEC_DESC_SACL_PROTECTED		= 0x2000,
+		SEC_DESC_RM_CONTROL_VALID	= 0x4000,
+		SEC_DESC_SELF_RELATIVE		= 0x8000
+	} security_descriptor_type;
+
+	typedef [gensize,nosize,public,flag(NDR_LITTLE_ENDIAN)] struct {
+		security_descriptor_revision revision;
+		security_descriptor_type type;     /* SEC_DESC_xxxx flags */
+		[relative] dom_sid *owner_sid; 
+		[relative] dom_sid *group_sid;
+		[relative] security_acl *sacl; /* system ACL */
+		[relative] security_acl *dacl; /* user (discretionary) ACL */
+	} security_descriptor;
+
+	typedef [public] struct {
+		[range(0,0x40000),value(ndr_size_security_descriptor(sd,ndr->flags))] uint32 sd_size;
+		[subcontext(4)] security_descriptor *sd;
+	} sec_desc_buf;
+
+	typedef [public] struct {
+		dom_sid *user_sid;
+		dom_sid *group_sid;
+		uint32 num_sids;
+		[size_is(num_sids)] dom_sid *sids[*];
+		udlong privilege_mask;
+	} security_token;
+
+	/* bits that determine which parts of a security descriptor
+	   are being queried/set */
+	typedef [public,bitmap32bit] bitmap {
+		SECINFO_OWNER                = 0x00000001,
+		SECINFO_GROUP                = 0x00000002,
+		SECINFO_DACL                 = 0x00000004,
+		SECINFO_SACL                 = 0x00000008,
+		SECINFO_UNPROTECTED_SACL     = 0x10000000,
+		SECINFO_UNPROTECTED_DACL     = 0x20000000,
+		SECINFO_PROTECTED_SACL	     = 0x40000000,
+		SECINFO_PROTECTED_DACL	     = 0x80000000
+	} security_secinfo;
+
+	typedef [public,bitmap32bit] bitmap {
+		KERB_ENCTYPE_DES_CBC_CRC             = 0x00000001,
+		KERB_ENCTYPE_DES_CBC_MD5             = 0x00000002,
+		KERB_ENCTYPE_RC4_HMAC_MD5            = 0x00000004,
+		KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 0x00000008,
+		KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010
+	} kerb_EncTypes;
+}