diff options
-rw-r--r-- | librpc/idl/security.idl | 100 | ||||
-rw-r--r-- | source4/libcli/security/privilege.c | 86 |
2 files changed, 140 insertions, 46 deletions
diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl index 20cbb4189b..922b264df9 100644 --- a/librpc/idl/security.idl +++ b/librpc/idl/security.idl @@ -315,36 +315,78 @@ interface security const int BUILTIN_RID_AUTH_ACCESS = 560; const int BUILTIN_RID_TS_LICENSE_SERVERS = 561; - /* - privilege IDs. Please keep the IDs below 64. If we get more - than 64 then we need to change security_token - */ +/******************************************************************** + This is a list of privileges reported by a WIndows 2000 SP4 AD DC + just for reference purposes (and I know the LUID is not guaranteed + across reboots): + + SeCreateTokenPrivilege Create a token object ( 0x0, 0x2 ) + SeAssignPrimaryTokenPrivilege Replace a process level token ( 0x0, 0x3 ) + SeLockMemoryPrivilege Lock pages in memory ( 0x0, 0x4 ) + SeIncreaseQuotaPrivilege Increase quotas ( 0x0, 0x5 ) + SeMachineAccountPrivilege Add workstations to domain ( 0x0, 0x6 ) + SeTcbPrivilege Act as part of the operating system ( 0x0, 0x7 ) + SeSecurityPrivilege Manage auditing and security log ( 0x0, 0x8 ) + SeTakeOwnershipPrivilege Take ownership of files or other objects ( 0x0, 0x9 ) + SeLoadDriverPrivilege Load and unload device drivers ( 0x0, 0xa ) + SeSystemProfilePrivilege Profile system performance ( 0x0, 0xb ) + SeSystemtimePrivilege Change the system time ( 0x0, 0xc ) + SeProfileSingleProcessPrivilege Profile single process ( 0x0, 0xd ) + SeIncreaseBasePriorityPrivilege Increase scheduling priority ( 0x0, 0xe ) + SeCreatePagefilePrivilege Create a pagefile ( 0x0, 0xf ) + SeCreatePermanentPrivilege Create permanent shared objects ( 0x0, 0x10 ) + SeBackupPrivilege Back up files and directories ( 0x0, 0x11 ) + SeRestorePrivilege Restore files and directories ( 0x0, 0x12 ) + SeShutdownPrivilege Shut down the system ( 0x0, 0x13 ) + SeDebugPrivilege Debug programs ( 0x0, 0x14 ) + SeAuditPrivilege Generate security audits ( 0x0, 0x15 ) + SeSystemEnvironmentPrivilege Modify firmware environment values ( 0x0, 0x16 ) + SeChangeNotifyPrivilege Bypass traverse checking ( 0x0, 0x17 ) + SeRemoteShutdownPrivilege Force shutdown from a remote system ( 0x0, 0x18 ) + SeUndockPrivilege Remove computer from docking station ( 0x0, 0x19 ) + SeSyncAgentPrivilege Synchronize directory service data ( 0x0, 0x1a ) + SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation ( 0x0, 0x1b ) + SeManageVolumePrivilege Perform volume maintenance tasks ( 0x0, 0x1c ) + SeImpersonatePrivilege Impersonate a client after authentication ( 0x0, 0x1d ) + SeCreateGlobalPrivilege Create global objects ( 0x0, 0x1e ) + + ********************************************************************/ + +/* we have to define the LUID here due to a horrible check by printmig.exe + that requires the SeBackupPrivilege match what is in Windows. So match + those that we implement and start Samba privileges at 0x1001 */ + typedef enum { - SEC_PRIV_SECURITY = 1, - SEC_PRIV_BACKUP = 2, - SEC_PRIV_RESTORE = 3, - SEC_PRIV_SYSTEMTIME = 4, - SEC_PRIV_SHUTDOWN = 5, - SEC_PRIV_REMOTE_SHUTDOWN = 6, - SEC_PRIV_TAKE_OWNERSHIP = 7, - SEC_PRIV_DEBUG = 8, - SEC_PRIV_SYSTEM_ENVIRONMENT = 9, - SEC_PRIV_SYSTEM_PROFILE = 10, - SEC_PRIV_PROFILE_SINGLE_PROCESS = 11, - SEC_PRIV_INCREASE_BASE_PRIORITY = 12, - SEC_PRIV_LOAD_DRIVER = 13, - SEC_PRIV_CREATE_PAGEFILE = 14, - SEC_PRIV_INCREASE_QUOTA = 15, - SEC_PRIV_CHANGE_NOTIFY = 16, - SEC_PRIV_UNDOCK = 17, - SEC_PRIV_MANAGE_VOLUME = 18, - SEC_PRIV_IMPERSONATE = 19, - SEC_PRIV_CREATE_GLOBAL = 20, - SEC_PRIV_ENABLE_DELEGATION = 21, - SEC_PRIV_INTERACTIVE_LOGON = 22, - SEC_PRIV_NETWORK_LOGON = 23, - SEC_PRIV_REMOTE_INTERACTIVE_LOGON = 24, - SEC_PRIV_MACHINE_ACCOUNT = 25 + SEC_PRIV_INCREASE_QUOTA = 0x5, + SEC_PRIV_MACHINE_ACCOUNT = 0x6, + SEC_PRIV_SECURITY = 0x8, + SEC_PRIV_TAKE_OWNERSHIP = 0x09, + SEC_PRIV_LOAD_DRIVER = 0x0a, + SEC_PRIV_SYSTEM_PROFILE = 0x0b, + SEC_PRIV_SYSTEMTIME = 0x0c, + SEC_PRIV_PROFILE_SINGLE_PROCESS = 0x0d, + SEC_PRIV_INCREASE_BASE_PRIORITY = 0x0e, + SEC_PRIV_CREATE_PAGEFILE = 0x0f, + SEC_PRIV_BACKUP = 0x11, + SEC_PRIV_RESTORE = 0x12, + SEC_PRIV_SHUTDOWN = 0x13, + SEC_PRIV_DEBUG = 0x14, + SEC_PRIV_SYSTEM_ENVIRONMENT = 0x16, + SEC_PRIV_CHANGE_NOTIFY = 0x17, + SEC_PRIV_REMOTE_SHUTDOWN = 0x18, + SEC_PRIV_UNDOCK = 0x19, + SEC_PRIV_ENABLE_DELEGATION = 0x1b, + SEC_PRIV_MANAGE_VOLUME = 0x1c, + SEC_PRIV_IMPERSONATE = 0x1d, + SEC_PRIV_CREATE_GLOBAL = 0x1e, + /* Samba-specific privs */ + SEC_PRIV_PRINT_OPERATOR = 0x1001, + SEC_PRIV_ADD_USERS = 0x1002, + SEC_PRIV_DISK_OPERATOR = 0x1003, + /* Windows privs not in the list above */ + SEC_PRIV_INTERACTIVE_LOGON = 0x2022, + SEC_PRIV_NETWORK_LOGON = 0x2023, + SEC_PRIV_REMOTE_INTERACTIVE_LOGON = 0x2024 } sec_privilege; /* diff --git a/source4/libcli/security/privilege.c b/source4/libcli/security/privilege.c index 8263830654..374dc4a449 100644 --- a/source4/libcli/security/privilege.c +++ b/source4/libcli/security/privilege.c @@ -26,108 +26,150 @@ static const struct { enum sec_privilege privilege; + uint64_t privilege_mask; const char *name; const char *display_name; } privilege_names[] = { {SEC_PRIV_SECURITY, + SE_SECURITY, "SeSecurityPrivilege", "System security"}, {SEC_PRIV_BACKUP, + SE_BACKUP, "SeBackupPrivilege", "Backup files and directories"}, {SEC_PRIV_RESTORE, + SE_RESTORE, "SeRestorePrivilege", "Restore files and directories"}, {SEC_PRIV_SYSTEMTIME, + SE_SYSTEMTIME, "SeSystemtimePrivilege", "Set the system clock"}, {SEC_PRIV_SHUTDOWN, + SE_SHUTDOWN, "SeShutdownPrivilege", "Shutdown the system"}, {SEC_PRIV_REMOTE_SHUTDOWN, + SE_REMOTE_SHUTDOWN, "SeRemoteShutdownPrivilege", "Shutdown the system remotely"}, {SEC_PRIV_TAKE_OWNERSHIP, + SE_TAKE_OWNERSHIP, "SeTakeOwnershipPrivilege", "Take ownership of files and directories"}, {SEC_PRIV_DEBUG, + SE_DEBUG, "SeDebugPrivilege", "Debug processes"}, {SEC_PRIV_SYSTEM_ENVIRONMENT, + SE_SYSTEM_ENVIRONMENT, "SeSystemEnvironmentPrivilege", "Modify system environment"}, {SEC_PRIV_SYSTEM_PROFILE, + SE_SYSTEM_PROFILE, "SeSystemProfilePrivilege", "Profile the system"}, {SEC_PRIV_PROFILE_SINGLE_PROCESS, + SE_PROFILE_SINGLE_PROCESS, "SeProfileSingleProcessPrivilege", "Profile one process"}, {SEC_PRIV_INCREASE_BASE_PRIORITY, + SE_INCREASE_BASE_PRIORITY, "SeIncreaseBasePriorityPrivilege", "Increase base priority"}, {SEC_PRIV_LOAD_DRIVER, + SE_LOAD_DRIVER, "SeLoadDriverPrivilege", "Load drivers"}, {SEC_PRIV_CREATE_PAGEFILE, + SE_CREATE_PAGEFILE, "SeCreatePagefilePrivilege", "Create page files"}, {SEC_PRIV_INCREASE_QUOTA, + SE_INCREASE_QUOTA, "SeIncreaseQuotaPrivilege", "Increase quota"}, {SEC_PRIV_CHANGE_NOTIFY, + SE_CHANGE_NOTIFY, "SeChangeNotifyPrivilege", "Register for change notify"}, {SEC_PRIV_UNDOCK, + SE_UNDOCK, "SeUndockPrivilege", "Undock devices"}, {SEC_PRIV_MANAGE_VOLUME, + SE_MANAGE_VOLUME, "SeManageVolumePrivilege", "Manage system volumes"}, {SEC_PRIV_IMPERSONATE, + SE_IMPERSONATE, "SeImpersonatePrivilege", "Impersonate users"}, {SEC_PRIV_CREATE_GLOBAL, + SE_CREATE_GLOBAL, "SeCreateGlobalPrivilege", "Create global"}, {SEC_PRIV_ENABLE_DELEGATION, + SE_ENABLE_DELEGATION, "SeEnableDelegationPrivilege", "Enable Delegation"}, {SEC_PRIV_INTERACTIVE_LOGON, + SE_INTERACTIVE_LOGON, "SeInteractiveLogonRight", "Interactive logon"}, {SEC_PRIV_NETWORK_LOGON, + SE_NETWORK_LOGON, "SeNetworkLogonRight", "Network logon"}, {SEC_PRIV_REMOTE_INTERACTIVE_LOGON, + SE_REMOTE_INTERACTIVE_LOGON, "SeRemoteInteractiveLogonRight", "Remote Interactive logon"}, {SEC_PRIV_MACHINE_ACCOUNT, + SE_MACHINE_ACCOUNT, "SeMachineAccountPrivilege", - "Add workstations to domain"} + "Add workstations to domain"}, + + /* These last 3 are Samba only */ + {SEC_PRIV_PRINT_OPERATOR, + SE_PRINT_OPERATOR, + "SePrintOperatorPrivilege", + "Manage printers"}, + + {SEC_PRIV_ADD_USERS, + SE_ADD_USERS, + "SeAddUsersPrivilege", + "Add users and groups to the domain"}, + + {SEC_PRIV_DISK_OPERATOR, + SE_DISK_OPERATOR, + "SeDiskOperatorPrivilege", + "Manage disk shares"}, }; @@ -178,20 +220,34 @@ enum sec_privilege sec_privilege_id(const char *name) return -1; } +/* + map a privilege name to a privilege id. Return -1 if not found +*/ +enum sec_privilege sec_privilege_from_mask(uint64_t mask) +{ + int i; + for (i=0;i<ARRAY_SIZE(privilege_names);i++) { + if (privilege_names[i].privilege_mask == mask) { + return privilege_names[i].privilege; + } + } + return -1; +} + /* return a privilege mask given a privilege id */ static uint64_t sec_privilege_mask(enum sec_privilege privilege) { - uint64_t mask = 1; - - if (privilege < 1 || privilege > 64) { - return 0; + int i; + for (i=0;i<ARRAY_SIZE(privilege_names);i++) { + if (privilege_names[i].privilege == privilege) { + return privilege_names[i].privilege_mask; + } } - mask <<= (privilege-1); - return mask; + return 0; } @@ -202,11 +258,11 @@ bool security_token_has_privilege(const struct security_token *token, enum sec_p { uint64_t mask; - if (privilege < 1 || privilege > 64) { + mask = sec_privilege_mask(privilege); + if (mask == 0) { return false; } - mask = sec_privilege_mask(privilege); if (token->privilege_mask & mask) { return true; } @@ -218,9 +274,7 @@ bool security_token_has_privilege(const struct security_token *token, enum sec_p */ void security_token_set_privilege(struct security_token *token, enum sec_privilege privilege) { - if (privilege < 1 || privilege > 64) { - return; - } + /* Relies on the fact that an invalid privilage will return 0, so won't change this */ token->privilege_mask |= sec_privilege_mask(privilege); } @@ -231,12 +285,10 @@ void security_token_debug_privileges(int dbg_lev, const struct security_token *t if (token->privilege_mask) { int i = 0; - unsigned int privilege; - - for (privilege = 1; privilege <= 64; privilege++) { - uint64_t mask = sec_privilege_mask(privilege); - + uint64_t mask; + for (mask = 1; mask != 0; mask = mask << 1) { if (token->privilege_mask & mask) { + enum sec_privilege privilege = sec_privilege_from_mask(mask); DEBUGADD(dbg_lev, (" Privilege[%3lu]: %s\n", (unsigned long)i++, sec_privilege_name(privilege))); } |