authorGerald Carter <jerry@samba.org>2005-06-29 16:35:32 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 10:58:07 -0500
commit270b90e25f2ec5fcb1283588a9e605b7228e0e41 (patch)
treef84f6736eab9650035426c30acb781a11a7a2046 /source3/lib
parent2e7f22e833fbb549f698460f9ed4d81af68b86e9 (diff)
r7995: * privileges are local except when they're *not*
printmig.exe assumes that the LUID of the SeBackupPrivilege on the target server matches the LUID of the privilege on the local client. Even though an LUID is never guaranteed to be the same across reboots. How *awful*! My cat could write better code! (more on my cat later....) * Set the privilege LUID in the global PRIVS[] array * Rename RegCreateKey() to RegCreateKeyEx() to better match MSDN * Rename the unknown field in RegCreateKeyEx() to disposition (guess according to MSDN) * Add the capability to define REG_TDB_ONLY for using the reg_db.c functions and stress the RegXXX() rpc functions. (This used to be commit 0d6352da4800aabc04dfd7c65a6afe6af7cd2d4b)
Diffstat (limited to 'source3/lib')
-rw-r--r--source3/lib/privileges.c124
1 files changed, 64 insertions, 60 deletions
diff --git a/source3/lib/privileges.c b/source3/lib/privileges.c
index ae98d8940f..30db2fc2bb 100644
--- a/source3/lib/privileges.c
+++ b/source3/lib/privileges.c
@@ -25,8 +25,6 @@
#define PRIVPREFIX "PRIV_"
-#define GENERATE_LUID_LOW(x) (x)+1;
-
static const SE_PRIV se_priv_all = SE_ALL_PRIVS;
static const SE_PRIV se_priv_end = SE_END;
@@ -43,60 +41,65 @@ const SE_PRIV se_restore = SE_RESTORE;
/********************************************************************
This is a list of privileges reported by a WIndows 2000 SP4 AD DC
- just for reference purposes:
-
- SeCreateTokenPrivilege Create a token object
- SeAssignPrimaryTokenPrivilege Replace a process level token
- SeLockMemoryPrivilege Lock pages in memory
- SeIncreaseQuotaPrivilege Increase quotas
- SeMachineAccountPrivilege Add workstations to domain
- SeTcbPrivilege Act as part of the operating system
- SeSecurityPrivilege Manage auditing and security log
- SeTakeOwnershipPrivilege Take ownership of files or other objects
- SeLoadDriverPrivilege Load and unload device drivers
- SeSystemProfilePrivilege Profile system performance
- SeSystemtimePrivilege Change the system time
- SeProfileSingleProcessPrivilege Profile single process
- SeIncreaseBasePriorityPrivilege Increase scheduling priority
- SeCreatePagefilePrivilege Create a pagefile
- SeCreatePermanentPrivilege Create permanent shared objects
- SeBackupPrivilege Back up files and directories
- SeRestorePrivilege Restore files and directories
- SeShutdownPrivilege Shut down the system
- SeDebugPrivilege Debug programs
- SeAuditPrivilege Generate security audits
- SeSystemEnvironmentPrivilege Modify firmware environment values
- SeChangeNotifyPrivilege Bypass traverse checking
- SeRemoteShutdownPrivilege Force shutdown from a remote system
- SeUndockPrivilege Remove computer from docking station
- SeSyncAgentPrivilege Synchronize directory service data
- SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation
- SeManageVolumePrivilege Perform volume maintenance tasks
- SeImpersonatePrivilege Impersonate a client after authentication
- SeCreateGlobalPrivilege Create global objects
-
-********************************************************************/
-
-
+ just for reference purposes (and I know the LUID is not guaranteed
+ across reboots):
+
+ SeCreateTokenPrivilege Create a token object ( 0x0, 0x2 )
+ SeAssignPrimaryTokenPrivilege Replace a process level token ( 0x0, 0x3 )
+ SeLockMemoryPrivilege Lock pages in memory ( 0x0, 0x4 )
+ SeIncreaseQuotaPrivilege Increase quotas ( 0x0, 0x5 )
+ SeMachineAccountPrivilege Add workstations to domain ( 0x0, 0x6 )
+ SeTcbPrivilege Act as part of the operating system ( 0x0, 0x7 )
+ SeSecurityPrivilege Manage auditing and security log ( 0x0, 0x8 )
+ SeTakeOwnershipPrivilege Take ownership of files or other objects ( 0x0, 0x9 )
+ SeLoadDriverPrivilege Load and unload device drivers ( 0x0, 0xa )
+ SeSystemProfilePrivilege Profile system performance ( 0x0, 0xb )
+ SeSystemtimePrivilege Change the system time ( 0x0, 0xc )
+ SeProfileSingleProcessPrivilege Profile single process ( 0x0, 0xd )
+ SeIncreaseBasePriorityPrivilege Increase scheduling priority ( 0x0, 0xe )
+ SeCreatePagefilePrivilege Create a pagefile ( 0x0, 0xf )
+ SeCreatePermanentPrivilege Create permanent shared objects ( 0x0, 0x10 )
+ SeBackupPrivilege Back up files and directories ( 0x0, 0x11 )
+ SeRestorePrivilege Restore files and directories ( 0x0, 0x12 )
+ SeShutdownPrivilege Shut down the system ( 0x0, 0x13 )
+ SeDebugPrivilege Debug programs ( 0x0, 0x14 )
+ SeAuditPrivilege Generate security audits ( 0x0, 0x15 )
+ SeSystemEnvironmentPrivilege Modify firmware environment values ( 0x0, 0x16 )
+ SeChangeNotifyPrivilege Bypass traverse checking ( 0x0, 0x17 )
+ SeRemoteShutdownPrivilege Force shutdown from a remote system ( 0x0, 0x18 )
+ SeUndockPrivilege Remove computer from docking station ( 0x0, 0x19 )
+ SeSyncAgentPrivilege Synchronize directory service data ( 0x0, 0x1a )
+ SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation ( 0x0, 0x1b )
+ SeManageVolumePrivilege Perform volume maintenance tasks ( 0x0, 0x1c )
+ SeImpersonatePrivilege Impersonate a client after authentication ( 0x0, 0x1d )
+ SeCreateGlobalPrivilege Create global objects ( 0x0, 0x1e )
+
+ ********************************************************************/
+
+/* we have to define the LUID here due to a horrible check by printmig.exe
+ that requires the SeBackupPrivilege match what is in Windows. So match
+ those that we implement and start Samba privileges at 0x1001 */
+
PRIVS privs[] = {
#if 0 /* usrmgr will display these twice if you include them. We don't
use them but we'll keep the bitmasks reserved in privileges.h anyways */
- {SE_NETWORK_LOGON, "SeNetworkLogonRight", "Access this computer from network"},
- {SE_INTERACTIVE_LOGON, "SeInteractiveLogonRight", "Log on locally"},
- {SE_BATCH_LOGON, "SeBatchLogonRight", "Log on as a batch job"},
- {SE_SERVICE_LOGON, "SeServiceLogonRight", "Log on as a service"},
+ {SE_NETWORK_LOGON, "SeNetworkLogonRight", "Access this computer from network", { 0x0, 0x0 }},
+ {SE_INTERACTIVE_LOGON, "SeInteractiveLogonRight", "Log on locally", { 0x0, 0x0 }},
+ {SE_BATCH_LOGON, "SeBatchLogonRight", "Log on as a batch job", { 0x0, 0x0 }},
+ {SE_SERVICE_LOGON, "SeServiceLogonRight", "Log on as a service", { 0x0, 0x0 }},
#endif
- {SE_MACHINE_ACCOUNT, "SeMachineAccountPrivilege", "Add machines to domain"},
- {SE_PRINT_OPERATOR, "SePrintOperatorPrivilege", "Manage printers"},
- {SE_ADD_USERS, "SeAddUsersPrivilege", "Add users and groups to the domain"},
- {SE_REMOTE_SHUTDOWN, "SeRemoteShutdownPrivilege", "Force shutdown from a remote system"},
- {SE_DISK_OPERATOR, "SeDiskOperatorPrivilege", "Manage disk shares"},
- {SE_BACKUP, "SeBackupPrivilege", "Back up files and directories"},
- {SE_RESTORE, "SeRestorePrivilege", "Restore files and directories"},
- {SE_TAKE_OWNERSHIP, "SeTakeOwnershipPrivilege", "Take ownership of files or other objects"},
-
- {SE_END, "", ""}
+ {SE_MACHINE_ACCOUNT, "SeMachineAccountPrivilege", "Add machines to domain", { 0x0, 0x0006 }},
+ {SE_TAKE_OWNERSHIP, "SeTakeOwnershipPrivilege", "Take ownership of files or other objects",{ 0x0, 0x0009 }},
+ {SE_BACKUP, "SeBackupPrivilege", "Back up files and directories", { 0x0, 0x0011 }},
+ {SE_RESTORE, "SeRestorePrivilege", "Restore files and directories", { 0x0, 0x0012 }},
+ {SE_REMOTE_SHUTDOWN, "SeRemoteShutdownPrivilege", "Force shutdown from a remote system", { 0x0, 0x0018 }},
+
+ {SE_PRINT_OPERATOR, "SePrintOperatorPrivilege", "Manage printers", { 0x0, 0x1001 }},
+ {SE_ADD_USERS, "SeAddUsersPrivilege", "Add users and groups to the domain", { 0x0, 0x1002 }},
+ {SE_DISK_OPERATOR, "SeDiskOperatorPrivilege", "Manage disk shares", { 0x0, 0x1003 }},
+
+ {SE_END, "", "", { 0x0, 0x0 }}
};
typedef struct {
@@ -109,7 +112,6 @@ typedef struct {
SID_LIST sids;
} PRIV_SID_LIST;
-
/***************************************************************************
copy an SE_PRIV structure
****************************************************************************/
@@ -402,7 +404,7 @@ LUID_ATTR get_privilege_luid( SE_PRIV *mask )
for ( i=0; !se_priv_equal(&privs[i].se_priv, &se_priv_end); i++ ) {
if ( se_priv_equal( &privs[i].se_priv, mask ) ) {
- priv_luid.luid.low = GENERATE_LUID_LOW(i);
+ priv_luid.luid = privs[i].luid;
break;
}
}
@@ -746,17 +748,19 @@ BOOL user_has_any_privilege(NT_USER_TOKEN *token, const SE_PRIV *privilege)
char* luid_to_privilege_name(const LUID *set)
{
static fstring name;
- int max = count_all_privileges();
+ int i;
if (set->high != 0)
return NULL;
- if ( set->low > max )
- return NULL;
-
- fstrcpy( name, privs[set->low - 1].name );
+ for ( i=0; !se_priv_equal(&privs[i].se_priv, &se_priv_end); i++ ) {
+ if ( set->low == privs[i].luid.low ) {
+ fstrcpy( name, privs[set->low - 1].name );
+ return name;
+ }
+ }
- return name;
+ return NULL;
}
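Review bot: The copy inside the new loop in luid_to_privilege_name() still indexes the table by the LUID value, `fstrcpy( name, privs[set->low - 1].name );`, although the loop has just located the matching entry at index i. With the LUIDs now assigned in the table (0x0006, 0x0009, 0x0011 … 0x1003 in the hunk above) `set->low - 1` no longer corresponds to an array position, so a valid LUID such as 0x1001 reads privs[0x1000], far past the end of the array, and the other entries return the wrong privilege name; since the LUID arrives from an RPC client this is an attacker-reachable out-of-bounds read. The line should be `fstrcpy( name, privs[i].name );`. A short comment above the loop, `/* LUIDs are no longer contiguous indexes into privs[]; search by value */`, would stop the old index-based assumption from creeping back.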
/*******************************************************************
@@ -792,7 +796,7 @@ BOOL se_priv_to_privilege_set( PRIVILEGE_SET *set, SE_PRIV *mask )
if ( !is_privilege_assigned(mask, &privs[i].se_priv) )
continue;
- luid.luid.low = GENERATE_LUID_LOW(i);
+ luid.luid = privs[i].luid;
if ( !privilege_set_add( set, luid ) )
return False;