authorSimo Sorce <idra@samba.org>2004-03-01 16:10:28 +0000
committerSimo Sorce <idra@samba.org>2004-03-01 16:10:28 +0000
commiteebc94d84af736bb1fdd8e0c511237b0da978e7a (patch)
tree3d39c50ac039a7fc56d677b90e60421f7d6fc878 /source3/include
parentf986f33aa13f8672e2154f29906f657c023777dc (diff)
Ok here it is my latest work on privileges
This patch adds privilege support for Samba. Currently it is implemented only for the tdbsam backend, but extending it to other SAM backends is straightforward. I must give a big thank you to JFM for his teachings on the matter and for the functions at the base of this work. At the moment only samr_create_user honours SeAddUsersPrivilege and SeMachineAccountPrivilege, to permit any user to add machines and/or users to the server. The command "net priv" has been provided to manipulate the privileges database. There are still many things to do (like support in "net rpc vampire") but the working core is here. Feel free to comment on/extend this work. Of course I will deny that any bug may affect this code :-) Simo. This patch also includes my patch about add share command enhancements. (This used to be commit 7a78c3605e203bd8e0d7ae244605f076a5d0b0bc)
Diffstat (limited to 'source3/include')
-rw-r--r--source3/include/auth.h1
-rw-r--r--source3/include/includes.h4
-rw-r--r--source3/include/passdb.h20
-rw-r--r--source3/include/privileges.h47
-rw-r--r--source3/include/smb.h3
5 files changed, 64 insertions, 11 deletions
diff --git a/source3/include/auth.h b/source3/include/auth.h
index ecf4d539d8..27cdc1e3f5 100644
--- a/source3/include/auth.h
+++ b/source3/include/auth.h
@@ -86,6 +86,7 @@ typedef struct auth_serversupplied_info
/* NT group information taken from the info3 structure */
NT_USER_TOKEN *ptok;
+ PRIVILEGE_SET *privs;
DATA_BLOB nt_session_key;
DATA_BLOB lm_session_key;
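Review bot: The new `privs` member has no comment saying who owns the PRIVILEGE_SET or whether it may legitimately be NULL, and the existing comment above it (`NT group information taken from the info3 structure`) now reads as if it covered both pointers. A NULL-versus-empty ambiguity on a privilege set is exactly where a check either dereferences NULL or is skipped, so the contract belongs on the field. I would add above the new line `/* privileges held by this user, as resolved by the passdb backend; owned by this struct — document whether NULL is allowed or an empty set is always allocated */`, adjusted to whatever the allocating code (outside this hunk) actually does. auth_serversupplied_info starts and ends outside the hunk.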
diff --git a/source3/include/includes.h b/source3/include/includes.h
index db060907e4..a594e309df 100644
--- a/source3/include/includes.h
+++ b/source3/include/includes.h
@@ -783,6 +783,8 @@ extern int errno;
#include "version.h"
+#include "privileges.h"
+
#include "smb.h"
#include "nameserv.h"
@@ -791,8 +793,6 @@ extern int errno;
#include "byteorder.h"
-#include "privileges.h"
-
#include "rpc_creds.h"
#include "mapping.h"
diff --git a/source3/include/passdb.h b/source3/include/passdb.h
index 668bbcc2de..d471eb53f3 100644
--- a/source3/include/passdb.h
+++ b/source3/include/passdb.h
@@ -362,6 +362,16 @@ typedef struct pdb_context
NTSTATUS (*pdb_update_trust_passwd)(struct pdb_context *context, SAM_TRUST_PASSWD* trust);
NTSTATUS (*pdb_delete_trust_passwd)(struct pdb_context *context, SAM_TRUST_PASSWD* trust);
+
+ /* privileges functions */
+
+ NTSTATUS (*pdb_add_sid_to_privilege)(struct pdb_context *context, const char *priv_name, const DOM_SID *sid);
+
+ NTSTATUS (*pdb_remove_sid_from_privilege)(struct pdb_context *context, const char *priv_name, const DOM_SID *sid);
+
+ NTSTATUS (*pdb_get_privilege_set)(struct pdb_context *context, NT_USER_TOKEN *token, PRIVILEGE_SET *privs);
+
+ NTSTATUS (*pdb_get_privilege_entry)(struct pdb_context *context, const char *privname, char **sid_list);
void (*free_fn)(struct pdb_context **);
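Review bot: `pdb_get_privilege_set` takes `NT_USER_TOKEN *token` without `const` although a lookup should only read the token, and `pdb_get_privilege_entry` hands back `char **sid_list` with no statement of who allocates and frees it or how the list is delimited or terminated; both are interfaces every future backend has to copy, so the contract should be pinned here. I would change the prototype to `NTSTATUS (*pdb_get_privilege_set)(struct pdb_context *context, const NT_USER_TOKEN *token, PRIVILEGE_SET *privs);` and add a comment on `pdb_get_privilege_entry` naming the allocator the caller must free with and the format of `*sid_list`. The new pointers are also inserted before `free_fn` in pdb_context but appended after the last member in pdb_methods in the next hunk; if anything outside the tree depends on pdb_context layout that inconsistency matters, otherwise it is cosmetic. The pdb_context typedef starts before this hunk.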
@@ -467,6 +477,16 @@ typedef struct pdb_methods
NTSTATUS (*delete_trust_passwd)(struct pdb_methods *methods, const SAM_TRUST_PASSWD* trust);
+ /* privileges functions */
+
+ NTSTATUS (*add_sid_to_privilege)(struct pdb_methods *methods, const char *priv_name, const DOM_SID *sid);
+
+ NTSTATUS (*remove_sid_from_privilege)(struct pdb_methods *methods, const char *priv_name, const DOM_SID *sid);
+
+ NTSTATUS (*get_privilege_set)(struct pdb_methods *methods, NT_USER_TOKEN *token, PRIVILEGE_SET *privs);
+
+ NTSTATUS (*get_privilege_entry)(struct pdb_methods *methods, const char *privname, char **sid_list);
+
} PDB_METHODS;
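Review bot: Nothing in this hunk says what a backend that does not implement privileges should do, yet `get_privilege_set` is the function that decides whether a caller ends up holding SeAddUsersPrivilege, and the commit message says only tdbsam implements these. The safe default is fail-closed: a missing or failing `get_privilege_set` must leave `*privs` describing an empty set, and callers must treat any non-OK NTSTATUS as "no privileges". I would document that on the declaration, e.g. `/* On any failure *privs must describe an empty set; callers treat !NT_STATUS_IS_OK as no privileges. */`, and make sure the pdb_methods initialiser (outside this hunk) installs stubs returning NT_STATUS_NOT_IMPLEMENTED rather than leaving NULL function pointers, assuming it does not already. `add_sid_to_privilege` should presumably also reject a `priv_name` that is not in the known privilege table, since a SID stored under a misspelled name would silently never be honoured.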
typedef NTSTATUS (*pdb_init_function)(struct pdb_context *,
diff --git a/source3/include/privileges.h b/source3/include/privileges.h
index b7e1b44c2a..289afa234e 100644
--- a/source3/include/privileges.h
+++ b/source3/include/privileges.h
@@ -23,15 +23,39 @@
#ifndef PRIVILEGES_H
#define PRIVILEGES_H
-#define PRIV_ALL_INDEX 5
+#define PRIV_ALL_INDEX 30
-#define SE_PRIV_NONE 0x0000
-#define SE_PRIV_ADD_MACHINES 0x0006
-#define SE_PRIV_SEC_PRIV 0x0008
-#define SE_PRIV_TAKE_OWNER 0x0009
-#define SE_PRIV_ADD_USERS 0xff01
-#define SE_PRIV_PRINT_OPERATOR 0xff03
-#define SE_PRIV_ALL 0xffff
+#define SE_NONE 0
+#define SE_ASSIGN_PRIMARY_TOKEN 1
+#define SE_CREATE_TOKEN 2
+#define SE_LOCK_MEMORY 3
+#define SE_INCREASE_QUOTA 4
+#define SE_UNSOLICITED_INPUT 5
+#define SE_MACHINE_ACCOUNT 6
+#define SE_TCB 7
+#define SE_SECURITY 8
+#define SE_TAKE_OWNERSHIP 9
+#define SE_LOAD_DRIVER 10
+#define SE_SYSTEM_PROFILE 11
+#define SE_SYSTEM_TIME 12
+#define SE_PROF_SINGLE_PROCESS 13
+#define SE_INC_BASE_PRIORITY 14
+#define SE_CREATE_PAGEFILE 15
+#define SE_CREATE_PERMANENT 16
+#define SE_BACKUP 17
+#define SE_RESTORE 18
+#define SE_SHUTDOWN 19
+#define SE_DEBUG 20
+#define SE_AUDIT 21
+#define SE_SYSTEM_ENVIRONMENT 22
+#define SE_CHANGE_NOTIFY 23
+#define SE_REMOTE_SHUTDOWN 24
+#define SE_UNDOCK 25
+#define SE_SYNC_AGENT 26
+#define SE_ENABLE_DELEGATION 27
+#define SE_PRINT_OPERATOR 28
+#define SE_ADD_USERS 29
+#define SE_ALL_PRIVS 0xffff
#define PR_NONE 0x0000
#define PR_LOG_ON_LOCALLY 0x0001
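Review bot: `SE_ALL_PRIVS` stays `0xffff` while the other SE_* values now run 0..29 and `PRIV_ALL_INDEX` is 30, which strongly suggests SE_* are used as indices into a 30-entry table; any code that indexes by a privilege number, including one parsed from `net priv` input or received from a client, must check `priv < PRIV_ALL_INDEX` first, since 0xffff would be an out-of-bounds read or write. The numbering also needs a comment saying whether it is Samba-internal or meant to match Windows well-known LUID values: if I recall the Windows table correctly, SeCreateTokenPrivilege is 2 and SeAssignPrimaryTokenPrivilege 3 (swapped here), and 28 and 29 are SeManageVolume and SeImpersonate there, so `SE_PRINT_OPERATOR` and `SE_ADD_USERS` moving from the clearly private 0xff01/0xff03 range onto 28/29 could be misread by a Windows client if these numbers are ever emitted as LUIDs. I would add above the list `/* Samba-internal privilege indices, 0 <= n < PRIV_ALL_INDEX; SE_ALL_PRIVS is a wildcard, never an index. Not wire LUIDs. */` (or the converse, if they are wire values), and consider an `enum` so the range is visible to the compiler.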
@@ -39,6 +63,11 @@
#define PR_LOG_ON_BATCH_JOB 0x0004
#define PR_LOG_ON_SERVICE 0x0010
+#ifndef _BOOL
+typedef int BOOL;
+#define _BOOL /* So we don't typedef BOOL again in vfs.h */
+#endif
+
typedef struct LUID
{
uint32 low;
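Review bot: The `typedef int BOOL;` added here duplicates a core typedef in a leaf header so that `privileges.h` survives being included before `smb.h`, and guards it with `_BOOL`, an identifier in the namespace reserved for the implementation (leading underscore followed by an uppercase letter). Duplicating fundamental typedefs across headers is fragile: if the definition in `smb.h` or `vfs.h` ever changes, the copies diverge silently and the guard hides it. I would move the BOOL typedef into a small common header that both `privileges.h` and `smb.h` include, or include `privileges.h` after that typedef, and drop this block; if the `_BOOL` guard is a pre-existing convention shared with vfs.h it at least has to stay identical to that one. `struct LUID` continues past the end of the hunk.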
@@ -49,7 +78,7 @@ typedef struct LUID_ATTR
{
LUID luid;
uint32 attr;
-} LUID_ATTR ;
+} LUID_ATTR;
typedef struct privilege_set
{
diff --git a/source3/include/smb.h b/source3/include/smb.h
index 5cd5e71f74..ab6f4c70d6 100644
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@@ -500,6 +500,7 @@ typedef struct connection_struct
int ngroups;
gid_t *groups;
NT_USER_TOKEN *nt_user_token;
+ PRIVILEGE_SET *privs;
time_t lastused;
BOOL used;
@@ -519,6 +520,7 @@ struct current_user
int ngroups;
gid_t *groups;
NT_USER_TOKEN *nt_user_token;
+ PRIVILEGE_SET *privs;
};
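Review bot: `current_user` now carries a `privs` pointer alongside `nt_user_token`, so every place that switches identity (become_user/unbecome_user/become_root and whatever copies a user_struct into current_user, all outside this hunk) must assign `privs` in the same step in which it assigns `nt_user_token`; if any of them is missed, the privilege set of the previous identity survives the switch and a later check runs with the wrong privileges. I would add on the new line `/* must be swapped together with nt_user_token on every identity change */` and audit those call sites before this is merged. The struct starts before the hunk.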
/* Defines for the sent_oplock_break field above. */
@@ -1546,6 +1548,7 @@ typedef struct user_struct
gid_t *groups;
NT_USER_TOKEN *nt_user_token;
+ PRIVILEGE_SET *privs;
DATA_BLOB session_key;
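Review bot: Keeping a per-session `privs` copy in user_struct means a grant or revocation via `net priv` is presumably only observed at the next logon, since the set is resolved once when the session is set up; that matches the usual Windows token semantics, but it is a revocation-latency caveat administrators need to know and the field does not say so. I would note it on the new line: `/* privilege set resolved at session setup; changes to the privilege db take effect at next logon */`, confirming against the code that fills it. user_struct starts and ends outside this hunk.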