diff options
author | Andrew Bartlett <abartlet@samba.org> | 2010-08-27 09:35:55 +1000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2010-09-11 18:46:07 +1000 |
commit | dbee98d30fc9c7db6693170215b8c1819b3e2f3d (patch) | |
tree | 416b01e118de9d0b409b878b09754fb226233d4c /source4/libcli | |
parent | 0d25212cc161dee2f38c8ad60e50543596000f18 (diff) | |
download | samba-dbee98d30fc9c7db6693170215b8c1819b3e2f3d.tar.gz samba-dbee98d30fc9c7db6693170215b8c1819b3e2f3d.tar.bz2 samba-dbee98d30fc9c7db6693170215b8c1819b3e2f3d.zip |
libcli/security Move source4/ privileges code into the common libcli/security
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Diffstat (limited to 'source4/libcli')
-rw-r--r-- | source4/libcli/security/privilege.c | 309 | ||||
-rw-r--r-- | source4/libcli/security/security.h | 1 | ||||
-rw-r--r-- | source4/libcli/security/wscript_build | 2 |
3 files changed, 2 insertions, 310 deletions
diff --git a/source4/libcli/security/privilege.c b/source4/libcli/security/privilege.c deleted file mode 100644 index 9fd7192883..0000000000 --- a/source4/libcli/security/privilege.c +++ /dev/null @@ -1,309 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - manipulate privileges - - Copyright (C) Andrew Tridgell 2004 - Copyright (C) Andrew Bartlett 2010 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -#include "includes.h" -#include "librpc/gen_ndr/security.h" -#include "libcli/security/security.h" - - -static const struct { - enum sec_privilege privilege; - uint64_t privilege_mask; - const char *name; - const char *display_name; -} privilege_names[] = { - {SEC_PRIV_SECURITY, - SE_SECURITY, - "SeSecurityPrivilege", - "System security"}, - - {SEC_PRIV_BACKUP, - SE_BACKUP, - "SeBackupPrivilege", - "Backup files and directories"}, - - {SEC_PRIV_RESTORE, - SE_RESTORE, - "SeRestorePrivilege", - "Restore files and directories"}, - - {SEC_PRIV_SYSTEMTIME, - SE_SYSTEMTIME, - "SeSystemtimePrivilege", - "Set the system clock"}, - - {SEC_PRIV_SHUTDOWN, - SE_SHUTDOWN, - "SeShutdownPrivilege", - "Shutdown the system"}, - - {SEC_PRIV_REMOTE_SHUTDOWN, - SE_REMOTE_SHUTDOWN, - "SeRemoteShutdownPrivilege", - "Shutdown the system remotely"}, - - {SEC_PRIV_TAKE_OWNERSHIP, - SE_TAKE_OWNERSHIP, - "SeTakeOwnershipPrivilege", - "Take ownership of files and directories"}, - - {SEC_PRIV_DEBUG, - SE_DEBUG, - "SeDebugPrivilege", - "Debug processes"}, - - {SEC_PRIV_SYSTEM_ENVIRONMENT, - SE_SYSTEM_ENVIRONMENT, - "SeSystemEnvironmentPrivilege", - "Modify system environment"}, - - {SEC_PRIV_SYSTEM_PROFILE, - SE_SYSTEM_PROFILE, - "SeSystemProfilePrivilege", - "Profile the system"}, - - {SEC_PRIV_PROFILE_SINGLE_PROCESS, - SE_PROFILE_SINGLE_PROCESS, - "SeProfileSingleProcessPrivilege", - "Profile one process"}, - - {SEC_PRIV_INCREASE_BASE_PRIORITY, - SE_INCREASE_BASE_PRIORITY, - "SeIncreaseBasePriorityPrivilege", - "Increase base priority"}, - - {SEC_PRIV_LOAD_DRIVER, - SE_LOAD_DRIVER, - "SeLoadDriverPrivilege", - "Load drivers"}, - - {SEC_PRIV_CREATE_PAGEFILE, - SE_CREATE_PAGEFILE, - "SeCreatePagefilePrivilege", - "Create page files"}, - - {SEC_PRIV_INCREASE_QUOTA, - SE_INCREASE_QUOTA, - "SeIncreaseQuotaPrivilege", - "Increase quota"}, - - {SEC_PRIV_CHANGE_NOTIFY, - SE_CHANGE_NOTIFY, - "SeChangeNotifyPrivilege", - "Register for change notify"}, - - {SEC_PRIV_UNDOCK, - SE_UNDOCK, - "SeUndockPrivilege", - "Undock devices"}, - - {SEC_PRIV_MANAGE_VOLUME, - SE_MANAGE_VOLUME, - "SeManageVolumePrivilege", - "Manage system volumes"}, - - {SEC_PRIV_IMPERSONATE, - SE_IMPERSONATE, - "SeImpersonatePrivilege", - "Impersonate users"}, - - {SEC_PRIV_CREATE_GLOBAL, - SE_CREATE_GLOBAL, - "SeCreateGlobalPrivilege", - "Create global"}, - - {SEC_PRIV_ENABLE_DELEGATION, - SE_ENABLE_DELEGATION, - "SeEnableDelegationPrivilege", - "Enable Delegation"}, - - {SEC_PRIV_INTERACTIVE_LOGON, - SE_INTERACTIVE_LOGON, - "SeInteractiveLogonRight", - "Interactive logon"}, - - {SEC_PRIV_NETWORK_LOGON, - SE_NETWORK_LOGON, - "SeNetworkLogonRight", - "Network logon"}, - - {SEC_PRIV_REMOTE_INTERACTIVE_LOGON, - SE_REMOTE_INTERACTIVE_LOGON, - "SeRemoteInteractiveLogonRight", - "Remote Interactive logon"}, - - {SEC_PRIV_MACHINE_ACCOUNT, - SE_MACHINE_ACCOUNT, - "SeMachineAccountPrivilege", - "Add workstations to domain"}, - - /* These last 3 are Samba only */ - {SEC_PRIV_PRINT_OPERATOR, - SE_PRINT_OPERATOR, - "SePrintOperatorPrivilege", - "Manage printers"}, - - {SEC_PRIV_ADD_USERS, - SE_ADD_USERS, - "SeAddUsersPrivilege", - "Add users and groups to the domain"}, - - {SEC_PRIV_DISK_OPERATOR, - SE_DISK_OPERATOR, - "SeDiskOperatorPrivilege", - "Manage disk shares"}, -}; - - -/* - map a privilege id to the wire string constant -*/ -const char *sec_privilege_name(enum sec_privilege privilege) -{ - int i; - for (i=0;i<ARRAY_SIZE(privilege_names);i++) { - if (privilege_names[i].privilege == privilege) { - return privilege_names[i].name; - } - } - return NULL; -} - -/* - map a privilege id to a privilege display name. Return NULL if not found - - TODO: this should use language mappings -*/ -const char *sec_privilege_display_name(enum sec_privilege privilege, uint16_t *language) -{ - int i; - if (privilege < 1 || privilege > 64) { - return NULL; - } - for (i=0;i<ARRAY_SIZE(privilege_names);i++) { - if (privilege_names[i].privilege == privilege) { - return privilege_names[i].display_name; - } - } - return NULL; -} - -/* - map a privilege name to a privilege id. Return -1 if not found -*/ -enum sec_privilege sec_privilege_id(const char *name) -{ - int i; - for (i=0;i<ARRAY_SIZE(privilege_names);i++) { - if (strcasecmp(privilege_names[i].name, name) == 0) { - return privilege_names[i].privilege; - } - } - return -1; -} - -/* - map a privilege name to a privilege id. Return -1 if not found -*/ -enum sec_privilege sec_privilege_from_mask(uint64_t mask) -{ - int i; - for (i=0;i<ARRAY_SIZE(privilege_names);i++) { - if (privilege_names[i].privilege_mask == mask) { - return privilege_names[i].privilege; - } - } - return -1; -} - -/* - map a privilege name to a privilege id. Return -1 if not found -*/ -enum sec_privilege sec_privilege_from_index(int idx) -{ - if (idx >= 0 && idx<ARRAY_SIZE(privilege_names)) { - return privilege_names[idx].privilege; - } - return -1; -} - - -/* - return a privilege mask given a privilege id -*/ -static uint64_t sec_privilege_mask(enum sec_privilege privilege) -{ - int i; - for (i=0;i<ARRAY_SIZE(privilege_names);i++) { - if (privilege_names[i].privilege == privilege) { - return privilege_names[i].privilege_mask; - } - } - - return 0; -} - - -/* - return true if a security_token has a particular privilege bit set -*/ -bool security_token_has_privilege(const struct security_token *token, enum sec_privilege privilege) -{ - uint64_t mask; - - mask = sec_privilege_mask(privilege); - if (mask == 0) { - return false; - } - - if (token->privilege_mask & mask) { - return true; - } - return false; -} - -/* - set a bit in the privilege mask -*/ -void security_token_set_privilege(struct security_token *token, enum sec_privilege privilege) -{ - /* Relies on the fact that an invalid privilage will return 0, so won't change this */ - token->privilege_mask |= sec_privilege_mask(privilege); -} - -void security_token_debug_privileges(int dbg_lev, const struct security_token *token) -{ - DEBUGADD(dbg_lev, (" Privileges (0x%16llX):\n", - (unsigned long long) token->privilege_mask)); - - if (token->privilege_mask) { - int i = 0; - uint64_t mask; - for (mask = 1; mask != 0; mask = mask << 1) { - if (token->privilege_mask & mask) { - enum sec_privilege privilege = sec_privilege_from_mask(mask); - DEBUGADD(dbg_lev, (" Privilege[%3lu]: %s\n", (unsigned long)i++, - sec_privilege_name(privilege))); - } - } - } -} diff --git a/source4/libcli/security/security.h b/source4/libcli/security/security.h index 236096560c..dc5e3ca736 100644 --- a/source4/libcli/security/security.h +++ b/source4/libcli/security/security.h @@ -50,5 +50,6 @@ struct object_tree { #include "libcli/security/proto.h" #include "libcli/security/security_descriptor.h" #include "libcli/security/sddl.h" +#include "libcli/security/privileges.h" #endif diff --git a/source4/libcli/security/wscript_build b/source4/libcli/security/wscript_build index 3d1118790c..5d53022137 100644 --- a/source4/libcli/security/wscript_build +++ b/source4/libcli/security/wscript_build @@ -1,7 +1,7 @@ #!/usr/bin/env python bld.SAMBA_SUBSYSTEM('LIBSECURITY', - source='security_token.c access_check.c privilege.c create_descriptor.c object_tree.c', + source='security_token.c access_check.c create_descriptor.c object_tree.c', autoproto='proto.h', public_deps='LIBNDR LIBSECURITY_COMMON' ) |