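/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 *
 * Copyright 2018 Nexenta Systems, Inc.  All rights reserved.
 */

#ifndef _SMBSRV_NTACCESS_H
#define _SMBSRV_NTACCESS_H

/*
 * This file defines the NT compatible access control masks and values.
 * An access mask is a 32-bit value arranged as shown below.
 *
 *  31-28  Generic bits, interpreted per object type
 *  27-26  Reserved, must-be-zero
 *  25     Maximum allowed
 *  24     System Security rights (SACL in SD)
 *  23-16  Standard access rights, generic to all object types
 *  15-0   Specific access rights, object specific
 *
 *  3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1
 *  1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
 * +---------------+---------------+-------------------------------+
 * |G|G|G|G|Res'd|A| StandardRights|        SpecificRights         |
 * |R|W|E|A|     |S|               |                               |
 * +-+-------------+---------------+-------------------------------+
 *
 * The bit-25 and bit-24 values (MAXIMUM_ALLOWED, ACCESS_SYSTEM_SECURITY)
 * and the generic bits are requests to be resolved by the access-check
 * logic rather than rights that can be granted by an ACE as-is; the
 * masks below only name the bits, they do not perform that resolution.
 */

#ifdef __cplusplus
extern "C" {
#endif

/*
 * Specific rights for files, pipes and directories.
 *
 * Several bit positions are shared between object types (e.g. bit 0 is
 * FILE_READ_DATA for a file and FILE_LIST_DIRECTORY for a directory);
 * the meaning of a specific-rights bit therefore depends on the object
 * the mask is applied to.
 */
#define	FILE_READ_DATA			(0x0001)	/* file & pipe */
#define	FILE_LIST_DIRECTORY		(0x0001)	/* directory */
#define	FILE_WRITE_DATA			(0x0002)	/* file & pipe */
#define	FILE_ADD_FILE			(0x0002)	/* directory */
#define	FILE_APPEND_DATA		(0x0004)	/* file */
#define	FILE_ADD_SUBDIRECTORY		(0x0004)	/* directory */
#define	FILE_CREATE_PIPE_INSTANCE	(0x0004)	/* named pipe */
#define	FILE_READ_EA			(0x0008)	/* file & directory */
#define	FILE_READ_PROPERTIES		(0x0008)	/* pipe */
#define	FILE_WRITE_EA			(0x0010)	/* file & directory */
#define	FILE_WRITE_PROPERTIES		(0x0010)	/* pipe */
#define	FILE_EXECUTE			(0x0020)	/* file */
#define	FILE_TRAVERSE			(0x0020)	/* directory */
#define	FILE_DELETE_CHILD		(0x0040)	/* directory */
#define	FILE_READ_ATTRIBUTES		(0x0080)	/* all */
#define	FILE_WRITE_ATTRIBUTES		(0x0100)	/* all */
#define	FILE_SPECIFIC_ALL		(0x000001FFL)	/* bits 0-8 above */
#define	SPECIFIC_RIGHTS_ALL		(0x0000FFFFL)	/* whole low half */


/*
 * Standard rights:
 *
 * DELETE	The right to delete the object.
 *
 * READ_CONTROL	The right to read the information in the object's security
 *		descriptor, not including the information in the SACL.
 *
 * WRITE_DAC	The right to modify the DACL in the object's security
 *		descriptor.
 *
 * WRITE_OWNER	The right to change the owner in the object's security
 *		descriptor.
 *
 * SYNCHRONIZE	The right to use the object for synchronization. This enables
 *		a thread to wait until the object is in the signaled state.
 */
#define	DELETE				(0x00010000L)
#define	READ_CONTROL			(0x00020000L)
#define	WRITE_DAC			(0x00040000L)
#define	WRITE_OWNER			(0x00080000L)	/* take ownership */
#define	SYNCHRONIZE			(0x00100000L)
#define	STANDARD_RIGHTS_REQUIRED	(0x000F0000L)	/* bits 16-19 */
#define	STANDARD_RIGHTS_ALL		(0x001F0000L)	/* bits 16-20 */


/*
 * As in NT, the read/write/execute standard-rights subsets all reduce
 * to READ_CONTROL alone; WRITE_DAC and WRITE_OWNER are deliberately not
 * part of STANDARD_RIGHTS_WRITE.
 */
#define	STANDARD_RIGHTS_READ		(READ_CONTROL)
#define	STANDARD_RIGHTS_WRITE		(READ_CONTROL)
#define	STANDARD_RIGHTS_EXECUTE		(READ_CONTROL)

/* Every right that touches metadata (EAs, attributes, SD) plus SYNCHRONIZE. */
#define	FILE_METADATA_ALL		(FILE_READ_EA |\
					FILE_READ_ATTRIBUTES |\
					READ_CONTROL |\
					FILE_WRITE_EA |\
					FILE_WRITE_ATTRIBUTES |\
					WRITE_DAC |\
					WRITE_OWNER |\
					SYNCHRONIZE)

/* Every right that touches the data stream, plus DELETE of the object. */
#define	FILE_DATA_ALL			(FILE_READ_DATA |\
					FILE_WRITE_DATA |\
					FILE_APPEND_DATA |\
					FILE_EXECUTE |\
					DELETE)

/*
 * Full access to a file object: all required standard rights,
 * SYNCHRONIZE, and every file-specific right (FILE_SPECIFIC_ALL,
 * previously spelled as the literal 0x1FF here).
 */
#define	FILE_ALL_ACCESS		(STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \
				FILE_SPECIFIC_ALL)


/*
 * Miscellaneous bits: SACL access and maximum allowed access.
 */
#define	ACCESS_SYSTEM_SECURITY		(0x01000000L)	/* bit 24 */
#define	MAXIMUM_ALLOWED			(0x02000000L)	/* bit 25 */


/*
 * Generic rights. These are shorthands that are interpreted as
 * appropriate for the type of secured object being accessed.
 *
 * NOTE(review): a generic bit never lines up with a specific or standard
 * right, so a desired-access mask carrying GENERIC_* bits must be mapped
 * to object rights before it is compared against an ACL; for file objects
 * the FILE_GENERIC_* masks below appear to be that mapping — confirm
 * against the access-check caller.
 */
#define	GENERIC_ALL			(0x10000000UL)	/* bit 28 */
#define	GENERIC_EXECUTE			(0x20000000UL)	/* bit 29 */
#define	GENERIC_WRITE			(0x40000000UL)	/* bit 30 */
#define	GENERIC_READ			(0x80000000UL)	/* bit 31 */

#define	FILE_GENERIC_READ		(STANDARD_RIGHTS_READ | \
					FILE_READ_DATA | \
					FILE_READ_ATTRIBUTES | \
					FILE_READ_EA | \
					SYNCHRONIZE)

#define	FILE_GENERIC_WRITE		(STANDARD_RIGHTS_WRITE | \
					FILE_WRITE_DATA | \
					FILE_WRITE_ATTRIBUTES | \
					FILE_WRITE_EA | \
					FILE_APPEND_DATA | \
					SYNCHRONIZE)

#define	FILE_GENERIC_EXECUTE		(STANDARD_RIGHTS_EXECUTE | \
					FILE_READ_ATTRIBUTES | \
					FILE_EXECUTE | \
					SYNCHRONIZE)

/*
 * FILE_GENERIC_ALL is the union of the three generic mappings above and
 * is narrower than FILE_ALL_ACCESS: it does not include DELETE,
 * WRITE_DAC, WRITE_OWNER or FILE_DELETE_CHILD.  Do not treat the two
 * as interchangeable when granting or checking access.
 */
#define	FILE_GENERIC_ALL		(FILE_GENERIC_READ | \
					FILE_GENERIC_WRITE | \
					FILE_GENERIC_EXECUTE)


/*
 * LSA policy desired access masks.
 */
#define	POLICY_VIEW_LOCAL_INFORMATION		0x00000001L
#define	POLICY_VIEW_AUDIT_INFORMATION		0x00000002L
#define	POLICY_GET_PRIVATE_INFORMATION		0x00000004L
#define	POLICY_TRUST_ADMIN			0x00000008L
#define	POLICY_CREATE_ACCOUNT			0x00000010L
#define	POLICY_CREATE_SECRET			0x00000020L
#define	POLICY_CREATE_PRIVILEGE			0x00000040L
#define	POLICY_SET_DEFAULT_QUOTA_LIMITS		0x00000080L
#define	POLICY_SET_AUDIT_REQUIREMENTS		0x00000100L
#define	POLICY_AUDIT_LOG_ADMIN			0x00000200L
#define	POLICY_SERVER_ADMIN			0x00000400L
#define	POLICY_LOOKUP_NAMES			0x00000800L


/*
 * SAM specific rights desired access masks. These definitions are listed
 * mostly as a convenience; they don't seem to be documented. Setting the
 * desired access mask to GENERIC_EXECUTE and STANDARD_RIGHTS_EXECUTE
 * seems to work when just looking up information.
 *
 * The SAM_ACCESS_* and SAM_*_ACCOUNT/DOMAIN values are raw specific-rights
 * masks observed on the wire, not derived from the FILE_* bits above.
 */
#define	SAM_LOOKUP_INFORMATION		(GENERIC_EXECUTE \
					| STANDARD_RIGHTS_EXECUTE)

#define	SAM_ACCESS_USER_READ		0x0000031BL
#define	SAM_ACCESS_USER_UPDATE		0x0000031FL
#define	SAM_ACCESS_USER_SETPWD		0x0000037FL
#define	SAM_CONNECT_CREATE_ACCOUNT	0x00000020L
#define	SAM_ENUM_LOCAL_DOMAIN		0x00000030L
#define	SAM_DOMAIN_CREATE_ACCOUNT	0x00000211L


/*
 * File attributes
 *
 * Note: 0x00000008 is reserved for use for the old DOS VOLID (volume ID)
 *	and is therefore not considered valid in NT.
 *
 * Note: 0x00000010 is reserved for use for the old DOS SUBDIRECTORY flag
 *	and is therefore not considered valid in NT.  This flag has
 *	been disassociated from file attributes since the other flags are
 *	protected with READ_ and WRITE_ATTRIBUTES access to the file.
 *
 * Note: Note also that the order of these flags is set to allow both the
 *	FAT and the Pinball File Systems to directly set the attributes
 *	flags in attributes words without having to pick each flag out
 *	individually.  The order of these flags should not be changed!
 *
 * The file attributes are defined in smbsrv/smb_vops.h
 */

/*
 * Filesystem Attributes
 *
 * These describe capabilities of the volume (what a client may expect
 * the file system to support), not per-file attributes.  Note that bits
 * 9-14 are not defined here.
 */
#define	FILE_CASE_SENSITIVE_SEARCH	0x00000001
#define	FILE_CASE_PRESERVED_NAMES	0x00000002
#define	FILE_UNICODE_ON_DISK		0x00000004
#define	FILE_PERSISTENT_ACLS		0x00000008
#define	FILE_FILE_COMPRESSION		0x00000010
#define	FILE_VOLUME_QUOTAS		0x00000020
#define	FILE_SUPPORTS_SPARSE_FILES	0x00000040
#define	FILE_SUPPORTS_REPARSE_POINTS	0x00000080
#define	FILE_SUPPORTS_REMOTE_STORAGE	0x00000100
#define	FILE_VOLUME_IS_COMPRESSED	0x00008000
#define	FILE_SUPPORTS_OBJECT_IDS	0x00010000
#define	FILE_SUPPORTS_ENCRYPTION	0x00020000
#define	FILE_NAMED_STREAMS		0x00040000
#define	FILE_READ_ONLY_VOLUME		0x00080000

#ifdef __cplusplus
}
#endif

#endif /* _SMBSRV_NTACCESS_H */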