From fdc9f417d89fdf9dd6afbc22843d70585e195c9d Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Tue, 30 Nov 2004 04:33:27 +0000
Subject: r4011: get rid of rpc_secdes.h and replace it with a single sane set of definitions for security access masks, in security.idl
The previous definitions were inconsistently named, and contained many duplicate and misleading entries. I kept finding myself tripping up while using them.
(This used to be commit 01c0fa722f80ceeb3f81f01987de95f365a2ed3d)
---
source4/librpc/idl/security.idl | 94 +++++++++++++++++++++++++++++++++++++++++
source4/librpc/rpc/dcerpc_smb.c | 11 ++---
2 files changed, 100 insertions(+), 5 deletions(-)
(limited to 'source4/librpc')
diff --git a/source4/librpc/idl/security.idl b/source4/librpc/idl/security.idl
index 9625153ec1..817b57a780 100644
--- a/source4/librpc/idl/security.idl
+++ b/source4/librpc/idl/security.idl
@@ -6,6 +6,90 @@ interface security
 {
+ /*
+ access masks are divided up like this:
+ 0xabccdddd
+ where
+ a = generic rights bits SEC_GENERIC_
+ b = flags SEC_FLAG_
+ c = standard rights bits SEC_STD_
+ d = object type specific bits SEC_{FILE,DIR,REG,xxx}_
+
+ common combinations of bits are prefixed with SEC_RIGHTS_
+ */
+ const int SEC_MASK_GENERIC = 0xF0000000;
+ const int SEC_MASK_FLAGS = 0x0F000000;
+ const int SEC_MASK_STANDARD = 0x00FF0000;
+ const int SEC_MASK_SPECIFIC = 0x0000FFFF;
+
+ /* generic bits */
+ const int SEC_GENERIC_ALL = 0x10000000;
+ const int SEC_GENERIC_EXECUTE = 0x20000000;
+ const int SEC_GENERIC_WRITE = 0x40000000;
+ const int SEC_GENERIC_READ = 0x80000000;
+
+ /* flag bits */
+ const int SEC_FLAG_SYSTEM_SECURITY = 0x01000000;
+ const int SEC_FLAG_MAXIMUM_ALLOWED = 0x02000000;
+
+ /* standard bits */
+ const int SEC_STD_DELETE = 0x00010000;
+ const int SEC_STD_READ_CONTROL = 0x00020000;
+ const int SEC_STD_WRITE_DAC = 0x00040000;
+ const int SEC_STD_WRITE_OWNER = 0x00080000;
+ const int SEC_STD_SYNCHRONIZE = 0x00100000;
+ const int SEC_STD_REQUIRED = 0x000F0000;
+ const int SEC_STD_ALL = 0x001F0000;
+
+ /* file specific bits */
+ const int SEC_FILE_READ_DATA = 0x00000001;
+ const int SEC_FILE_WRITE_DATA = 0x00000002;
+ const int SEC_FILE_APPEND_DATA = 0x00000004;
+ const int SEC_FILE_READ_EA = 0x00000008;
+ const int SEC_FILE_WRITE_EA = 0x00000010;
+ const int SEC_FILE_EXECUTE = 0x00000020;
+ const int SEC_FILE_READ_ATTRIBUTE = 0x00000080;
+ const int SEC_FILE_WRITE_ATTRIBUTE = 0x00000100;
+ const int SEC_FILE_ALL = 0x000001ff;
+
+ /* directory specific bits */
+ const int SEC_DIR_LIST = 0x00000001;
+ const int SEC_DIR_ADD_FILE = 0x00000002;
+ const int SEC_DIR_ADD_SUBDIR = 0x00000004;
+ const int SEC_DIR_READ_EA = 0x00000008;
+ const int SEC_DIR_WRITE_EA = 0x00000010;
+ const int SEC_DIR_TRAVERSE = 0x00000020;
+ const int SEC_DIR_DELETE_CHILD = 0x00000040;
+ const int SEC_DIR_READ_ATTRIBUTE = 0x00000080;
+ const int SEC_DIR_WRITE_ATTRIBUTE = 0x00000100;
+
+ /* registry entry specific bits */
+ const int SEC_REG_QUERY_VALUE = 0x00000001;
+ const int SEC_REG_SET_VALUE = 0x00000002;
+ const int SEC_REG_CREATE_SUBKEY = 0x00000004;
+ const int SEC_REG_ENUM_SUBKEYS = 0x00000008;
+ const int SEC_REG_NOTIFY = 0x00000010;
+ const int SEC_REG_CREATE_LINK = 0x00000020;
+
+ /* common combinations of bits */
+ const int SEC_RIGHTS_FULL_CONTROL = SEC_STD_ALL | SEC_FILE_ALL;
+
+ const int SEC_RIGHTS_FILE_READ = SEC_STD_READ_CONTROL |
+ SEC_STD_SYNCHRONIZE |
+ SEC_FILE_READ_DATA |
+ SEC_FILE_READ_ATTRIBUTE |
+ SEC_FILE_READ_EA;
+
+ const int SEC_RIGHTS_FILE_WRITE = SEC_STD_READ_CONTROL |
+ SEC_STD_SYNCHRONIZE |
+ SEC_FILE_WRITE_DATA |
+ SEC_FILE_WRITE_ATTRIBUTE |
+ SEC_FILE_WRITE_EA |
+ SEC_FILE_APPEND_DATA;
+
+ const int SEC_RIGHTS_MAXIMUM_ALLOWED = SEC_FLAG_MAXIMUM_ALLOWED;
+
+
 /* a NULL sid */
 const string SID_NULL = "S-1-0-0";
@@ -83,6 +167,8 @@ interface security
 dom_sid trustee;
 } security_ace;
+ const int NT4_ACL_REVISION = 0x2;
+
 typedef [public] struct {
 uint16 revision;
 [value(ndr_size_security_acl(r))] uint16 size;
@@ -111,6 +197,14 @@ interface security
 const int SEC_DESC_RM_CONTROL_VALID = 0x4000;
 const int SEC_DESC_SELF_RELATIVE = 0x8000;
+ /* bits that determine which parts of a security descriptor
+ are being queried/set */
+ const int SECINFO_OWNER = 0x00000001;
+ const int SECINFO_GROUP = 0x00000002;
+ const int SECINFO_DACL = 0x00000004;
+ const int SECINFO_SACL = 0x00000008;
+
+
 typedef [public,flag(NDR_LITTLE_ENDIAN)] struct {
 uint8 revision;
 uint16 type; /* SEC_DESC_xxxx flags */
diff --git a/source4/librpc/rpc/dcerpc_smb.c b/source4/librpc/rpc/dcerpc_smb.c
index 25f3ea277a..d04b067eeb 100644
--- a/source4/librpc/rpc/dcerpc_smb.c
+++ b/source4/librpc/rpc/dcerpc_smb.c
@@ -23,6 +23,7 @@
 #include "includes.h"
 #include "libcli/raw/libcliraw.h"
+#include "librpc/gen_ndr/ndr_security.h"
 /* transport private information used by SMB pipe transport */
 struct smb_private {
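Review bot: `SEC_GENERIC_READ = 0x80000000` and `SEC_MASK_GENERIC = 0xF0000000` do not fit in the `int` these constants are declared as, so the declared type misrepresents values whose top bit is set; declaring the access-mask constants as `const uint32` would match the 32-bit ACCESS_MASK they describe. If pidl emits them into the C header as unsuffixed hex literals the literal is unsigned and `mask & SEC_GENERIC_READ` is unaffected, but any binding that honours the declared type, or a comparison against a signed variable, will see a negative value, so this is worth confirming against the generated output. The `/* flag bits */` group would also benefit from a line saying what it is for, since these are request-time modifiers rather than rights, e.g. `/* request-only flags, never stored in an ACE: SYSTEM_SECURITY is required to read or write the SACL, MAXIMUM_ALLOWED asks the server for whatever it will grant */`.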
@@ -379,11 +380,11 @@ NTSTATUS dcerpc_pipe_open_smb(struct dcerpc_pipe **p,
 io.ntcreatex.in.flags = 0;
 io.ntcreatex.in.root_fid = 0;
 io.ntcreatex.in.access_mask =
- STD_RIGHT_READ_CONTROL_ACCESS |
- SA_RIGHT_FILE_WRITE_ATTRIBUTES |
- SA_RIGHT_FILE_WRITE_EA |
- GENERIC_RIGHTS_FILE_READ |
- GENERIC_RIGHTS_FILE_WRITE;
+ SEC_STD_READ_CONTROL |
+ SEC_FILE_WRITE_ATTRIBUTE |
+ SEC_FILE_WRITE_EA |
+ SEC_FILE_READ_DATA |
+ SEC_FILE_WRITE_DATA;
 io.ntcreatex.in.file_attr = 0;
 io.ntcreatex.in.alloc_size = 0;
 io.ntcreatex.in.share_access =
-- cgit
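Review bot: The replacement access mask is narrower than the one it replaces if `GENERIC_RIGHTS_FILE_READ`/`GENERIC_RIGHTS_FILE_WRITE` in the removed rpc_secdes.h were the usual FILE_GENERIC_READ/WRITE compositions: `SEC_FILE_READ_DATA | SEC_FILE_WRITE_DATA` drops SYNCHRONIZE, READ_ATTRIBUTE, READ_EA and APPEND_DATA, so the pipe open now requests 0x00020113 where it previously requested about 0x0012019f. The commit message describes a pure rename, so this is either unintended or undocumented; the faithful translation would use the composites this same commit introduces, `SEC_RIGHTS_FILE_READ | SEC_RIGHTS_FILE_WRITE`, or a comment on the assignment should say the narrower request is deliberate. Requesting fewer rights is sound least-privilege for a named-pipe open, but whether anything later on the pipe depends on one of the dropped bits cannot be told from this hunk. dcerpc_pipe_open_smb begins and ends outside the hunk.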