source4/librpc/idl/security.idl


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253

#include "idl_types.h"

/*
  security IDL structures
*/

interface security
{
	/*
	  access masks are divided up like this:
                0xabccdddd
		where 
		   a = generic rights bits        SEC_GENERIC_
		   b = flags                      SEC_FLAG_
		   c = standard rights bits       SEC_STD_
		   d = object type specific bits  SEC_{FILE,DIR,REG,xxx}_
		   
          common combinations of bits are prefixed with SEC_RIGHTS_
	*/
        const int SEC_MASK_GENERIC         = 0xF0000000;
        const int SEC_MASK_FLAGS           = 0x0F000000;
        const int SEC_MASK_STANDARD        = 0x00FF0000;
	const int SEC_MASK_SPECIFIC        = 0x0000FFFF;

	/* generic bits */
	const int SEC_GENERIC_ALL          = 0x10000000;
	const int SEC_GENERIC_EXECUTE      = 0x20000000;
	const int SEC_GENERIC_WRITE        = 0x40000000;
	const int SEC_GENERIC_READ         = 0x80000000;

	/* flag bits */
	const int SEC_FLAG_SYSTEM_SECURITY = 0x01000000;
	const int SEC_FLAG_MAXIMUM_ALLOWED = 0x02000000;

	/* standard bits */
	const int SEC_STD_DELETE           = 0x00010000;
	const int SEC_STD_READ_CONTROL     = 0x00020000;
	const int SEC_STD_WRITE_DAC        = 0x00040000;
	const int SEC_STD_WRITE_OWNER      = 0x00080000;
	const int SEC_STD_SYNCHRONIZE      = 0x00100000;
	const int SEC_STD_REQUIRED         = 0x000F0000;
	const int SEC_STD_ALL              = 0x001F0000;

	/* file specific bits */
	const int SEC_FILE_READ_DATA       = 0x00000001;
	const int SEC_FILE_WRITE_DATA      = 0x00000002;
	const int SEC_FILE_APPEND_DATA     = 0x00000004;
	const int SEC_FILE_READ_EA         = 0x00000008;
	const int SEC_FILE_WRITE_EA        = 0x00000010;
	const int SEC_FILE_EXECUTE         = 0x00000020;
	const int SEC_FILE_READ_ATTRIBUTE  = 0x00000080;
	const int SEC_FILE_WRITE_ATTRIBUTE = 0x00000100;
	const int SEC_FILE_ALL             = 0x000001ff;

	/* directory specific bits */
	const int SEC_DIR_LIST             = 0x00000001;
	const int SEC_DIR_ADD_FILE         = 0x00000002;
	const int SEC_DIR_ADD_SUBDIR       = 0x00000004;
	const int SEC_DIR_READ_EA          = 0x00000008;
	const int SEC_DIR_WRITE_EA         = 0x00000010;
	const int SEC_DIR_TRAVERSE         = 0x00000020;
	const int SEC_DIR_DELETE_CHILD     = 0x00000040;
	const int SEC_DIR_READ_ATTRIBUTE   = 0x00000080;
	const int SEC_DIR_WRITE_ATTRIBUTE  = 0x00000100;

	/* registry entry specific bits */
	const int SEC_REG_QUERY_VALUE      = 0x00000001;
	const int SEC_REG_SET_VALUE        = 0x00000002;
	const int SEC_REG_CREATE_SUBKEY    = 0x00000004;
	const int SEC_REG_ENUM_SUBKEYS     = 0x00000008;
	const int SEC_REG_NOTIFY           = 0x00000010;
	const int SEC_REG_CREATE_LINK      = 0x00000020;

	/* generic->specific mappings for files */
	const int SEC_RIGHTS_FILE_READ    = SEC_STD_READ_CONTROL | 
	                                    SEC_STD_SYNCHRONIZE | 
					    SEC_FILE_READ_DATA | 
                                            SEC_FILE_READ_ATTRIBUTE | 
                                            SEC_FILE_READ_EA;

	const int SEC_RIGHTS_FILE_WRITE   = SEC_STD_READ_CONTROL | 
	                                    SEC_STD_SYNCHRONIZE | 
					    SEC_FILE_WRITE_DATA | 
                                            SEC_FILE_WRITE_ATTRIBUTE | 
                                            SEC_FILE_WRITE_EA |
                                            SEC_FILE_APPEND_DATA;
	
	const int SEC_RIGHTS_FILE_EXECUTE = SEC_STD_SYNCHRONIZE | 
	                                    SEC_STD_READ_CONTROL | 
	                                    SEC_FILE_READ_ATTRIBUTE | 
                                            SEC_FILE_EXECUTE;

	const int SEC_RIGHTS_FILE_ALL     = SEC_STD_ALL | SEC_FILE_ALL;

	/* generic->specific mappings for directories (same as files) */
	const int SEC_RIGHTS_DIR_READ     = SEC_RIGHTS_FILE_READ;
	const int SEC_RIGHTS_DIR_WRITE    = SEC_RIGHTS_FILE_WRITE;
	const int SEC_RIGHTS_DIR_EXECUTE  = SEC_RIGHTS_FILE_EXECUTE;
	const int SEC_RIGHTS_DIR_ALL      = SEC_RIGHTS_FILE_ALL;


	/***************************************************************/
	/* WELL KNOWN SIDS */

	/* a NULL sid */
	const string SID_NULL = "S-1-0-0";

	/* the world domain */
	const string SID_WORLD_DOMAIN = "S-1-1";
	const string SID_WORLD        = "S-1-1-0";

	/* SECURITY_CREATOR_SID_AUTHORITY */
	const string SID_CREATOR_OWNER_DOMAIN = "S-1-3";
	const string SID_CREATOR_OWNER        = "S-1-3-0";
	const string SID_CREATOR_GROUP        = "S-1-3-1";

	/* SECURITY_NT_AUTHORITY */
	const string SID_NT_AUTHORITY        = "S-1-5";
	const string SID_NETWORK             = "S-1-5-2";
	const string SID_ANONYMOUS           = "S-1-5-7";
	const string SID_AUTHENTICATED_USERS = "S-1-5-11";
	const string SID_SYSTEM              = "S-1-5-18";

	/* SECURITY_BUILTIN_DOMAIN_RID */
	const string SID_BUILTIN                   = "S-1-5-32";
	const string SID_BUILTIN_ADMINISTRATORS    = "S-1-5-32-544";
	const string SID_BUILTIN_USERS             = "S-1-5-32-545";
	const string SID_BUILTIN_GUESTS            = "S-1-5-32-546";
	const string SID_BUILTIN_POWER_USERS       = "S-1-5-32-547";
	const string SID_BUILTIN_ACCOUNT_OPERATORS = "S-1-5-32-548";
	const string SID_BUILTIN_SERVER_OPERATORS  = "S-1-5-32-549";
	const string SID_BUILTIN_PRINT_OPERATORS   = "S-1-5-32-550";
	const string SID_BUILTIN_BACKUP_OPERATORS  = "S-1-5-32-551";
	const string SID_BUILTIN_REPLICATOR        = "S-1-5-32-552";

	/* a domain SID. Note that unlike Samba3 this contains a pointer,
	   so you can't copy them using assignment */
	typedef [public,noprint] struct {
		uint8  sid_rev_num;             /**< SID revision number */
		uint8  num_auths;               /**< Number of sub-authorities */
		uint8  id_auth[6];              /**< Identifier Authority */
		uint32 sub_auths[num_auths];
	} dom_sid;

	const int SEC_ACE_FLAG_OBJECT_INHERIT		= 0x001;
	const int SEC_ACE_FLAG_CONTAINER_INHERIT	= 0x002;
	const int SEC_ACE_FLAG_NO_PROPAGATE_INHERIT	= 0x004;
	const int SEC_ACE_FLAG_INHERIT_ONLY		= 0x008;
	const int SEC_ACE_FLAG_INHERITED_ACE		= 0x010;
	const int SEC_ACE_FLAG_VALID_INHERIT		= 0x00f;
	const int SEC_ACE_FLAG_SUCCESSFUL_ACCESS	= 0x040;
	const int SEC_ACE_FLAG_FAILED_ACCESS		= 0x080;

	const int SEC_ACE_TYPE_ACCESS_ALLOWED		= 0x0;
	const int SEC_ACE_TYPE_ACCESS_DENIED		= 0x1;
	const int SEC_ACE_TYPE_SYSTEM_AUDIT		= 0x2;
	const int SEC_ACE_TYPE_SYSTEM_ALARM		= 0x3;
	const int SEC_ACE_TYPE_ALLOWED_COMPOUND		= 0x4;
	const int SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT	= 0x5;
	const int SEC_ACE_TYPE_ACCESS_DENIED_OBJECT     = 0x6;
	const int SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT      = 0x7;
	const int SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT	= 0x8;

	typedef [public] struct {
		uint8 type;  /* SEC_ACE_TYPE_* */
		uint8 flags; /* SEC_ACE_FLAG_* */
		[value(ndr_size_security_ace(r))] uint16 size;
		uint32 access_mask;

#if 0
		/* the 'obj' part is present when type is XXXX_TYPE_XXXX_OBJECT */
		struct {
			uint32 flags;
			GUID object_guid;
			GUID inherit_guid;
		} *obj;
#endif

		dom_sid trustee;
	} security_ace;

	const int NT4_ACL_REVISION  = 0x2;

	typedef [public] struct {
		uint16 revision;
		[value(ndr_size_security_acl(r))] uint16 size;
		uint32 num_aces;
		security_ace aces[num_aces];
	} security_acl;

	/* default revision for new ACLs */
	const int SD_REVISION                    = 1;

	/* security_descriptor->type bits */
	const int SEC_DESC_OWNER_DEFAULTED	 = 0x0001;
	const int SEC_DESC_GROUP_DEFAULTED	 = 0x0002;
	const int SEC_DESC_DACL_PRESENT		 = 0x0004;
	const int SEC_DESC_DACL_DEFAULTED	 = 0x0008;
	const int SEC_DESC_SACL_PRESENT		 = 0x0010;
	const int SEC_DESC_SACL_DEFAULTED	 = 0x0020;
	const int SEC_DESC_DACL_TRUSTED		 = 0x0040;
	const int SEC_DESC_SERVER_SECURITY	 = 0x0080;
	const int SEC_DESC_DACL_AUTO_INHERIT_REQ = 0x0100;
	const int SEC_DESC_SACL_AUTO_INHERIT_REQ = 0x0200;
	const int SEC_DESC_DACL_AUTO_INHERITED	 = 0x0400;
	const int SEC_DESC_SACL_AUTO_INHERITED	 = 0x0800;
	const int SEC_DESC_DACL_PROTECTED	 = 0x1000;
	const int SEC_DESC_SACL_PROTECTED	 = 0x2000;
	const int SEC_DESC_RM_CONTROL_VALID	 = 0x4000;
	const int SEC_DESC_SELF_RELATIVE	 = 0x8000;

	/* bits that determine which parts of a security descriptor
	   are being queried/set */
	const int SECINFO_OWNER                = 0x00000001;
	const int SECINFO_GROUP                = 0x00000002;
	const int SECINFO_DACL                 = 0x00000004;
	const int SECINFO_SACL                 = 0x00000008;


	typedef [public,flag(NDR_LITTLE_ENDIAN)] struct {
		uint8 revision;
		uint16 type;     /* SEC_DESC_xxxx flags */
		[relative] dom_sid *owner_sid; 
		[relative] dom_sid *group_sid;
		[relative] security_acl *sacl; /* system ACL */
		[relative] security_acl *dacl; /* user (discretionary) ACL */
	} security_descriptor;

	typedef [public] struct {
		[range(0,0x40000),value(ndr_size_security_descriptor(r->sd))] uint32 sd_size;
		[subcontext(4)] security_descriptor *sd;
	} sec_desc_buf;

	typedef [public,printonly] struct {
		/* TODO */
		uint32 flags;
	} security_privilege;

	typedef [public,printonly] struct {
		uint32 flags;
		dom_sid *user_sid;
		dom_sid *group_sid;
		dom_sid *logon_sid;
		uint32 num_sids;
		dom_sid sids[num_sids];
		uint32 num_restricted_sids;
		dom_sid restricted_sids[num_restricted_sids];
		uint32 num_privileges;
		security_privilege privileges[num_privileges];
		security_acl *dacl;
	} security_token;

}