diff options
author | Jelmer Vernooij <jelmer@samba.org> | 2008-10-15 02:33:16 +0200 |
---|---|---|
committer | Jelmer Vernooij <jelmer@samba.org> | 2008-10-15 02:33:16 +0200 |
commit | 4695504a6c0929da20bb8c53d7c14d0dca88933f (patch) | |
tree | 2aa4c96aaa29b02a3bd1f3ef5e5d78cdfa5fd8cf /librpc | |
parent | f75b46081457cd3801d93c91cce51f3d10976234 (diff) | |
download | samba-4695504a6c0929da20bb8c53d7c14d0dca88933f.tar.gz samba-4695504a6c0929da20bb8c53d7c14d0dca88933f.tar.bz2 samba-4695504a6c0929da20bb8c53d7c14d0dca88933f.zip |
Share security.idl.
Diffstat (limited to 'librpc')
-rw-r--r-- | librpc/idl/security.idl | 394 |
1 files changed, 394 insertions, 0 deletions
diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl new file mode 100644 index 0000000000..6704e300a5 --- /dev/null +++ b/librpc/idl/security.idl @@ -0,0 +1,394 @@ +#include "idl_types.h" + +/* + security IDL structures +*/ + +import "misc.idl"; + +/* + use the same structure for dom_sid2 as dom_sid. A dom_sid2 is really + just a dom sid, but with the sub_auths represented as a conformant + array. As with all in-structure conformant arrays, the array length + is placed before the start of the structure. That's what gives rise + to the extra num_auths elemenent. We don't want the Samba code to + have to bother with such esoteric NDR details, so its easier to just + define it as a dom_sid and use pidl magic to make it all work. It + just means you need to mark a sid as a "dom_sid2" in the IDL when you + know it is of the conformant array variety +*/ +cpp_quote("#define dom_sid2 dom_sid") + +/* same struct as dom_sid but inside a 28 bytes fixed buffer in NDR */ +cpp_quote("#define dom_sid28 dom_sid") + +/* same struct as dom_sid but in a variable byte buffer, which is maybe empty in NDR */ +cpp_quote("#define dom_sid0 dom_sid") + +[ + pointer_default(unique) +] +interface security +{ + /* + access masks are divided up like this: + 0xabccdddd + where + a = generic rights bits SEC_GENERIC_ + b = flags SEC_FLAG_ + c = standard rights bits SEC_STD_ + d = object type specific bits SEC_{FILE,DIR,REG,xxx}_ + + common combinations of bits are prefixed with SEC_RIGHTS_ + */ + const int SEC_MASK_GENERIC = 0xF0000000; + const int SEC_MASK_FLAGS = 0x0F000000; + const int SEC_MASK_STANDARD = 0x00FF0000; + const int SEC_MASK_SPECIFIC = 0x0000FFFF; + + /* generic bits */ + const int SEC_GENERIC_ALL = 0x10000000; + const int SEC_GENERIC_EXECUTE = 0x20000000; + const int SEC_GENERIC_WRITE = 0x40000000; + const int SEC_GENERIC_READ = 0x80000000; + + /* flag bits */ + const int SEC_FLAG_SYSTEM_SECURITY = 0x01000000; + const int SEC_FLAG_MAXIMUM_ALLOWED = 0x02000000; + + /* standard bits */ + const int SEC_STD_DELETE = 0x00010000; + const int SEC_STD_READ_CONTROL = 0x00020000; + const int SEC_STD_WRITE_DAC = 0x00040000; + const int SEC_STD_WRITE_OWNER = 0x00080000; + const int SEC_STD_SYNCHRONIZE = 0x00100000; + const int SEC_STD_REQUIRED = 0x000F0000; + const int SEC_STD_ALL = 0x001F0000; + + /* file specific bits */ + const int SEC_FILE_READ_DATA = 0x00000001; + const int SEC_FILE_WRITE_DATA = 0x00000002; + const int SEC_FILE_APPEND_DATA = 0x00000004; + const int SEC_FILE_READ_EA = 0x00000008; + const int SEC_FILE_WRITE_EA = 0x00000010; + const int SEC_FILE_EXECUTE = 0x00000020; + const int SEC_FILE_READ_ATTRIBUTE = 0x00000080; + const int SEC_FILE_WRITE_ATTRIBUTE = 0x00000100; + const int SEC_FILE_ALL = 0x000001ff; + + /* directory specific bits */ + const int SEC_DIR_LIST = 0x00000001; + const int SEC_DIR_ADD_FILE = 0x00000002; + const int SEC_DIR_ADD_SUBDIR = 0x00000004; + const int SEC_DIR_READ_EA = 0x00000008; + const int SEC_DIR_WRITE_EA = 0x00000010; + const int SEC_DIR_TRAVERSE = 0x00000020; + const int SEC_DIR_DELETE_CHILD = 0x00000040; + const int SEC_DIR_READ_ATTRIBUTE = 0x00000080; + const int SEC_DIR_WRITE_ATTRIBUTE = 0x00000100; + + /* registry entry specific bits */ + const int SEC_REG_QUERY_VALUE = 0x00000001; + const int SEC_REG_SET_VALUE = 0x00000002; + const int SEC_REG_CREATE_SUBKEY = 0x00000004; + const int SEC_REG_ENUM_SUBKEYS = 0x00000008; + const int SEC_REG_NOTIFY = 0x00000010; + const int SEC_REG_CREATE_LINK = 0x00000020; + + /* ldap specific access bits */ + const int SEC_ADS_CREATE_CHILD = 0x00000001; + const int SEC_ADS_DELETE_CHILD = 0x00000002; + const int SEC_ADS_LIST = 0x00000004; + const int SEC_ADS_SELF_WRITE = 0x00000008; + const int SEC_ADS_READ_PROP = 0x00000010; + const int SEC_ADS_WRITE_PROP = 0x00000020; + const int SEC_ADS_DELETE_TREE = 0x00000040; + const int SEC_ADS_LIST_OBJECT = 0x00000080; + const int SEC_ADS_CONTROL_ACCESS = 0x00000100; + + /* invalid bits */ + const int SEC_MASK_INVALID = 0x0ce0fe00; + + /* generic->specific mappings for files */ + const int SEC_RIGHTS_FILE_READ = SEC_STD_READ_CONTROL | + SEC_STD_SYNCHRONIZE | + SEC_FILE_READ_DATA | + SEC_FILE_READ_ATTRIBUTE | + SEC_FILE_READ_EA; + + const int SEC_RIGHTS_FILE_WRITE = SEC_STD_READ_CONTROL | + SEC_STD_SYNCHRONIZE | + SEC_FILE_WRITE_DATA | + SEC_FILE_WRITE_ATTRIBUTE | + SEC_FILE_WRITE_EA | + SEC_FILE_APPEND_DATA; + + const int SEC_RIGHTS_FILE_EXECUTE = SEC_STD_SYNCHRONIZE | + SEC_STD_READ_CONTROL | + SEC_FILE_READ_ATTRIBUTE | + SEC_FILE_EXECUTE; + + const int SEC_RIGHTS_FILE_ALL = SEC_STD_ALL | SEC_FILE_ALL; + + /* generic->specific mappings for directories (same as files) */ + const int SEC_RIGHTS_DIR_READ = SEC_RIGHTS_FILE_READ; + const int SEC_RIGHTS_DIR_WRITE = SEC_RIGHTS_FILE_WRITE; + const int SEC_RIGHTS_DIR_EXECUTE = SEC_RIGHTS_FILE_EXECUTE; + const int SEC_RIGHTS_DIR_ALL = SEC_RIGHTS_FILE_ALL; + + + /***************************************************************/ + /* WELL KNOWN SIDS */ + + /* a NULL sid */ + const string SID_NULL = "S-1-0-0"; + + /* the world domain */ + const string NAME_WORLD = "WORLD"; + + const string SID_WORLD_DOMAIN = "S-1-1"; + const string SID_WORLD = "S-1-1-0"; + + /* SECURITY_CREATOR_SID_AUTHORITY */ + const string SID_CREATOR_OWNER_DOMAIN = "S-1-3"; + const string SID_CREATOR_OWNER = "S-1-3-0"; + const string SID_CREATOR_GROUP = "S-1-3-1"; + const string SID_OWNER_RIGHTS = "S-1-3-4"; + + /* SECURITY_NT_AUTHORITY */ + const string NAME_NT_AUTHORITY = "NT AUTHORITY"; + + const string SID_NT_AUTHORITY = "S-1-5"; + const string SID_NT_DIALUP = "S-1-5-1"; + const string SID_NT_NETWORK = "S-1-5-2"; + const string SID_NT_BATCH = "S-1-5-3"; + const string SID_NT_INTERACTIVE = "S-1-5-4"; + const string SID_NT_SERVICE = "S-1-5-6"; + const string SID_NT_ANONYMOUS = "S-1-5-7"; + const string SID_NT_PROXY = "S-1-5-8"; + const string SID_NT_ENTERPRISE_DCS = "S-1-5-9"; + const string SID_NT_SELF = "S-1-5-10"; + const string SID_NT_AUTHENTICATED_USERS = "S-1-5-11"; + const string SID_NT_RESTRICTED = "S-1-5-12"; + const string SID_NT_TERMINAL_SERVER_USERS = "S-1-5-13"; + const string SID_NT_REMOTE_INTERACTIVE = "S-1-5-14"; + const string SID_NT_THIS_ORGANISATION = "S-1-5-15"; + const string SID_NT_IUSR = "S-1-5-17"; + const string SID_NT_SYSTEM = "S-1-5-18"; + const string SID_NT_LOCAL_SERVICE = "S-1-5-19"; + const string SID_NT_NETWORK_SERVICE = "S-1-5-20"; + const string SID_NT_DIGEST_AUTHENTICATION = "S-1-5-64-21"; + const string SID_NT_NTLM_AUTHENTICATION = "S-1-5-64-10"; + const string SID_NT_SCHANNEL_AUTHENTICATION = "S-1-5-64-14"; + const string SID_NT_OTHER_ORGANISATION = "S-1-5-1000"; + + /* SECURITY_BUILTIN_DOMAIN_RID */ + const string NAME_BUILTIN = "BUILTIN"; + + const string SID_BUILTIN = "S-1-5-32"; + const string SID_BUILTIN_ADMINISTRATORS = "S-1-5-32-544"; + const string SID_BUILTIN_USERS = "S-1-5-32-545"; + const string SID_BUILTIN_GUESTS = "S-1-5-32-546"; + const string SID_BUILTIN_POWER_USERS = "S-1-5-32-547"; + const string SID_BUILTIN_ACCOUNT_OPERATORS = "S-1-5-32-548"; + const string SID_BUILTIN_SERVER_OPERATORS = "S-1-5-32-549"; + const string SID_BUILTIN_PRINT_OPERATORS = "S-1-5-32-550"; + const string SID_BUILTIN_BACKUP_OPERATORS = "S-1-5-32-551"; + const string SID_BUILTIN_REPLICATOR = "S-1-5-32-552"; + const string SID_BUILTIN_RAS_SERVERS = "S-1-5-32-553"; + const string SID_BUILTIN_PREW2K = "S-1-5-32-554"; + + /* well-known domain RIDs */ + const int DOMAIN_RID_LOGON = 9; + const int DOMAIN_RID_ADMINISTRATOR = 500; + const int DOMAIN_RID_GUEST = 501; + const int DOMAIN_RID_ADMINS = 512; + const int DOMAIN_RID_USERS = 513; + const int DOMAIN_RID_DOMAIN_MEMBERS = 515; + const int DOMAIN_RID_DCS = 516; + const int DOMAIN_RID_CERT_ADMINS = 517; + const int DOMAIN_RID_SCHEMA_ADMINS = 518; + const int DOMAIN_RID_ENTERPRISE_ADMINS = 519; + + + /* + privilege IDs. Please keep the IDs below 64. If we get more + than 64 then we need to change security_token + */ + typedef enum { + SEC_PRIV_SECURITY = 1, + SEC_PRIV_BACKUP = 2, + SEC_PRIV_RESTORE = 3, + SEC_PRIV_SYSTEMTIME = 4, + SEC_PRIV_SHUTDOWN = 5, + SEC_PRIV_REMOTE_SHUTDOWN = 6, + SEC_PRIV_TAKE_OWNERSHIP = 7, + SEC_PRIV_DEBUG = 8, + SEC_PRIV_SYSTEM_ENVIRONMENT = 9, + SEC_PRIV_SYSTEM_PROFILE = 10, + SEC_PRIV_PROFILE_SINGLE_PROCESS = 11, + SEC_PRIV_INCREASE_BASE_PRIORITY = 12, + SEC_PRIV_LOAD_DRIVER = 13, + SEC_PRIV_CREATE_PAGEFILE = 14, + SEC_PRIV_INCREASE_QUOTA = 15, + SEC_PRIV_CHANGE_NOTIFY = 16, + SEC_PRIV_UNDOCK = 17, + SEC_PRIV_MANAGE_VOLUME = 18, + SEC_PRIV_IMPERSONATE = 19, + SEC_PRIV_CREATE_GLOBAL = 20, + SEC_PRIV_ENABLE_DELEGATION = 21, + SEC_PRIV_INTERACTIVE_LOGON = 22, + SEC_PRIV_NETWORK_LOGON = 23, + SEC_PRIV_REMOTE_INTERACTIVE_LOGON = 24 + } sec_privilege; + + + typedef [bitmap8bit] bitmap { + SEC_ACE_FLAG_OBJECT_INHERIT = 0x01, + SEC_ACE_FLAG_CONTAINER_INHERIT = 0x02, + SEC_ACE_FLAG_NO_PROPAGATE_INHERIT = 0x04, + SEC_ACE_FLAG_INHERIT_ONLY = 0x08, + SEC_ACE_FLAG_INHERITED_ACE = 0x10, + SEC_ACE_FLAG_VALID_INHERIT = 0x0f, + SEC_ACE_FLAG_SUCCESSFUL_ACCESS = 0x40, + SEC_ACE_FLAG_FAILED_ACCESS = 0x80 + } security_ace_flags; + + typedef [enum8bit] enum { + SEC_ACE_TYPE_ACCESS_ALLOWED = 0, + SEC_ACE_TYPE_ACCESS_DENIED = 1, + SEC_ACE_TYPE_SYSTEM_AUDIT = 2, + SEC_ACE_TYPE_SYSTEM_ALARM = 3, + SEC_ACE_TYPE_ALLOWED_COMPOUND = 4, + SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT = 5, + SEC_ACE_TYPE_ACCESS_DENIED_OBJECT = 6, + SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT = 7, + SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT = 8 + } security_ace_type; + + typedef [bitmap32bit] bitmap { + SEC_ACE_OBJECT_TYPE_PRESENT = 0x00000001, + SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x00000002 + } security_ace_object_flags; + + typedef [nodiscriminant] union { + /* this is the 'schemaIDGUID' attribute of the attribute object in the schema naming context */ + [case(SEC_ACE_OBJECT_TYPE_PRESENT)] GUID type; + [default]; + } security_ace_object_type; + + typedef [nodiscriminant] union { + /* this is the 'schemaIDGUID' attribute of the objectclass object in the schema naming context + * (of the parent container) + */ + [case(SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)] GUID inherited_type; + [default]; + } security_ace_object_inherited_type; + + typedef struct { + security_ace_object_flags flags; + [switch_is(flags & SEC_ACE_OBJECT_TYPE_PRESENT)] security_ace_object_type type; + [switch_is(flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)] security_ace_object_inherited_type inherited_type; + } security_ace_object; + + typedef [nodiscriminant] union { + [case(SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT)] security_ace_object object; + [case(SEC_ACE_TYPE_ACCESS_DENIED_OBJECT)] security_ace_object object; + [case(SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT)] security_ace_object object; + [case(SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT)] security_ace_object object; + [default]; + } security_ace_object_ctr; + + typedef [public,gensize,nosize] struct { + security_ace_type type; /* SEC_ACE_TYPE_* */ + security_ace_flags flags; /* SEC_ACE_FLAG_* */ + [value(ndr_size_security_ace(r,ndr->flags))] uint16 size; + uint32 access_mask; + [switch_is(type)] security_ace_object_ctr object; + dom_sid trustee; + } security_ace; + + typedef enum { + SECURITY_ACL_REVISION_NT4 = 2, + SECURITY_ACL_REVISION_ADS = 4 + } security_acl_revision; + + const uint NT4_ACL_REVISION = SECURITY_ACL_REVISION_NT4; + + typedef [public,gensize,nosize] struct { + security_acl_revision revision; + [value(ndr_size_security_acl(r,ndr->flags))] uint16 size; + [range(0,1000)] uint32 num_aces; + security_ace aces[num_aces]; + } security_acl; + + /* default revision for new ACLs */ + typedef [enum8bit] enum { + SECURITY_DESCRIPTOR_REVISION_1 = 1 + } security_descriptor_revision; + + const int SD_REVISION = SECURITY_DESCRIPTOR_REVISION_1; + + /* security_descriptor->type bits */ + typedef [bitmap16bit] bitmap { + SEC_DESC_OWNER_DEFAULTED = 0x0001, + SEC_DESC_GROUP_DEFAULTED = 0x0002, + SEC_DESC_DACL_PRESENT = 0x0004, + SEC_DESC_DACL_DEFAULTED = 0x0008, + SEC_DESC_SACL_PRESENT = 0x0010, + SEC_DESC_SACL_DEFAULTED = 0x0020, + SEC_DESC_DACL_TRUSTED = 0x0040, + SEC_DESC_SERVER_SECURITY = 0x0080, + SEC_DESC_DACL_AUTO_INHERIT_REQ = 0x0100, + SEC_DESC_SACL_AUTO_INHERIT_REQ = 0x0200, + SEC_DESC_DACL_AUTO_INHERITED = 0x0400, + SEC_DESC_SACL_AUTO_INHERITED = 0x0800, + SEC_DESC_DACL_PROTECTED = 0x1000, + SEC_DESC_SACL_PROTECTED = 0x2000, + SEC_DESC_RM_CONTROL_VALID = 0x4000, + SEC_DESC_SELF_RELATIVE = 0x8000 + } security_descriptor_type; + + typedef [gensize,nosize,public,flag(NDR_LITTLE_ENDIAN)] struct { + security_descriptor_revision revision; + security_descriptor_type type; /* SEC_DESC_xxxx flags */ + [relative] dom_sid *owner_sid; + [relative] dom_sid *group_sid; + [relative] security_acl *sacl; /* system ACL */ + [relative] security_acl *dacl; /* user (discretionary) ACL */ + } security_descriptor; + + typedef [public] struct { + [range(0,0x40000),value(ndr_size_security_descriptor(sd,ndr->flags))] uint32 sd_size; + [subcontext(4)] security_descriptor *sd; + } sec_desc_buf; + + typedef [public] struct { + dom_sid *user_sid; + dom_sid *group_sid; + uint32 num_sids; + [size_is(num_sids)] dom_sid *sids[*]; + udlong privilege_mask; + } security_token; + + /* bits that determine which parts of a security descriptor + are being queried/set */ + typedef [public,bitmap32bit] bitmap { + SECINFO_OWNER = 0x00000001, + SECINFO_GROUP = 0x00000002, + SECINFO_DACL = 0x00000004, + SECINFO_SACL = 0x00000008, + SECINFO_UNPROTECTED_SACL = 0x10000000, + SECINFO_UNPROTECTED_DACL = 0x20000000, + SECINFO_PROTECTED_SACL = 0x40000000, + SECINFO_PROTECTED_DACL = 0x80000000 + } security_secinfo; + + typedef [public,bitmap32bit] bitmap { + KERB_ENCTYPE_DES_CBC_CRC = 0x00000001, + KERB_ENCTYPE_DES_CBC_MD5 = 0x00000002, + KERB_ENCTYPE_RC4_HMAC_MD5 = 0x00000004, + KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 0x00000008, + KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010 + } kerb_EncTypes; +} |