1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 * 25 * Copyright 2019 Nexenta by DDN, Inc. All rights reserved. 26 */ 27 28 #ifndef _SMB_PRIVILEGE_H 29 #define _SMB_PRIVILEGE_H 30 31 #include <smb/wintypes.h> 32 33 #ifdef __cplusplus 34 extern "C" { 35 #endif 36 37 /* 38 * Privileges 39 * 40 * Privileges apply to all objects and over-ride the access controls 41 * in an object's security descriptor in a manner specific to each 42 * privilege. Privileges are still not full defined. Privileges are 43 * defined in a set structure (LUID = Locally Unique Identifier). 44 * 45 * The default LUID, name and display names defined on NT 4.0 are: 46 * LUID Privilege Name Display Name 47 * ---- -------------- ------------ 48 * 0:2 SeCreateTokenPrivilege Create a token object 49 * 0:3 SeAssignPrimaryTokenPrivilege Replace a process level token 50 * 0:4 SeLockMemoryPrivilege Lock pages in memory 51 * 0:5 SeIncreaseQuotaPrivilege Increase quotas 52 * 0:6 SeMachineAccountPrivilege Add workstations to domain 53 * 0:7 SeTcbPrivilege Act as part of the operating system 54 * 0:8 SeSecurityPrivilege Manage auditing and security log 55 * 0:9 SeTakeOwnershipPrivilege Take ownership of files or other objects 56 * 0:10 SeLoadDriverPrivilege Load and unload device drivers 57 * 0:11 SeSystemProfilePrivilege Profile system performance 58 * 0:12 SeSystemtimePrivilege Change the system time 59 * 0:13 SeProfileSingleProcessPrivilege Profile single process 60 * 0:14 SeIncreaseBasePriorityPrivilege Increase scheduling priority 61 * 0:15 SeCreatePagefilePrivilege Create a pagefile 62 * 0:16 SeCreatePermanentPrivilege Create permanent shared objects 63 * 0:17 SeBackupPrivilege Back up files and directories 64 * 0:18 SeRestorePrivilege Restore files and directories 65 * 0:19 SeShutdownPrivilege Shut down the system 66 * 0:20 SeDebugPrivilege Debug programs 67 * 0:21 SeAuditPrivilege Generate security audits 68 * 0:22 SeSystemEnvironmentPrivilege Modify firmware environment values 69 * 0:23 SeChangeNotifyPrivilege Bypass traverse checking 70 * 0:24 SeRemoteShutdownPrivilege Force shutdown from a remote system 71 */ 72 73 /* 74 * Privilege names 75 */ 76 #define SE_CREATE_TOKEN_NAME "SeCreateTokenPrivilege" 77 #define SE_ASSIGNPRIMARYTOKEN_NAME "SeAssignPrimaryTokenPrivilege" 78 #define SE_LOCK_MEMORY_NAME "SeLockMemoryPrivilege" 79 #define SE_INCREASE_QUOTA_NAME "SeIncreaseQuotaPrivilege" 80 #define SE_UNSOLICITED_INPUT_NAME "SeUnsolicitedInputPrivilege" 81 #define SE_MACHINE_ACCOUNT_NAME "SeMachineAccountPrivilege" 82 #define SE_TCB_NAME "SeTcbPrivilege" 83 #define SE_SECURITY_NAME "SeSecurityPrivilege" 84 #define SE_TAKE_OWNERSHIP_NAME "SeTakeOwnershipPrivilege" 85 #define SE_LOAD_DRIVER_NAME "SeLoadDriverPrivilege" 86 #define SE_SYSTEM_PROFILE_NAME "SeSystemProfilePrivilege" 87 #define SE_SYSTEMTIME_NAME "SeSystemtimePrivilege" 88 #define SE_PROF_SINGLE_PROCESS_NAME "SeProfileSingleProcessPrivilege" 89 #define SE_INC_BASE_PRIORITY_NAME "SeIncreaseBasePriorityPrivilege" 90 #define SE_CREATE_PAGEFILE_NAME "SeCreatePagefilePrivilege" 91 #define SE_CREATE_PERMANENT_NAME "SeCreatePermanentPrivilege" 92 #define SE_BACKUP_NAME "SeBackupPrivilege" 93 #define SE_RESTORE_NAME "SeRestorePrivilege" 94 #define SE_SHUTDOWN_NAME "SeShutdownPrivilege" 95 #define SE_DEBUG_NAME "SeDebugPrivilege" 96 #define SE_AUDIT_NAME "SeAuditPrivilege" 97 #define SE_SYSTEM_ENVIRONMENT_NAME "SeSystemEnvironmentPrivilege" 98 #define SE_CHANGE_NOTIFY_NAME "SeChangeNotifyPrivilege" 99 #define SE_REMOTE_SHUTDOWN_NAME "SeRemoteShutdownPrivilege" 100 #define SE_READ_FILE_NAME "BypassAclRead" 101 #define SE_WRITE_FILE_NAME "BypassAclWrite" 102 103 #define SE_MIN_LUID 2 104 #define SE_CREATE_TOKEN_LUID 2 105 #define SE_ASSIGNPRIMARYTOKEN_LUID 3 106 #define SE_LOCK_MEMORY_LUID 4 107 #define SE_INCREASE_QUOTA_LUID 5 108 #define SE_MACHINE_ACCOUNT_LUID 6 109 #define SE_TCB_LUID 7 110 #define SE_SECURITY_LUID 8 111 #define SE_TAKE_OWNERSHIP_LUID 9 112 #define SE_LOAD_DRIVER_LUID 10 113 #define SE_SYSTEM_PROFILE_LUID 11 114 #define SE_SYSTEMTIME_LUID 12 115 #define SE_PROF_SINGLE_PROCESS_LUID 13 116 #define SE_INC_BASE_PRIORITY_LUID 14 117 #define SE_CREATE_PAGEFILE_LUID 15 118 #define SE_CREATE_PERMANENT_LUID 16 119 #define SE_BACKUP_LUID 17 120 #define SE_RESTORE_LUID 18 121 #define SE_SHUTDOWN_LUID 19 122 #define SE_DEBUG_LUID 20 123 #define SE_AUDIT_LUID 21 124 #define SE_SYSTEM_ENVIRONMENT_LUID 22 125 #define SE_CHANGE_NOTIFY_LUID 23 126 #define SE_REMOTE_SHUTDOWN_LUID 24 127 #define SE_READ_FILE_LUID 25 128 #define SE_WRITE_FILE_LUID 26 129 #define SE_MAX_LUID 26 130 131 /* 132 * Privilege attributes 133 */ 134 #define SE_PRIVILEGE_DISABLED 0x00000000 135 #define SE_PRIVILEGE_ENABLED_BY_DEFAULT 0x00000001 136 #define SE_PRIVILEGE_ENABLED 0x00000002 137 #define SE_PRIVILEGE_USED_FOR_ACCESS 0x80000000 138 139 /* 140 * Privilege Set Control flags 141 */ 142 #define PRIVILEGE_SET_ALL_NECESSARY 1 143 144 /* 145 * Local User ID (an NT thing, not a Unix UID) 146 * See also: smb_luid_xdr() 147 */ 148 typedef struct smb_luid { 149 uint32_t lo_part; 150 uint32_t hi_part; 151 } smb_luid_t; 152 153 /* 154 * Local User ID and attributes (again, an NT thing) 155 * See also: smb_luid_attrs_xdr() 156 */ 157 typedef struct smb_luid_attrs { 158 smb_luid_t luid; 159 uint32_t attrs; 160 } smb_luid_attrs_t; 161 162 /* 163 * An (NT-style) collection of privileges. 164 * See also: smb_privset_xdr() 165 */ 166 typedef struct smb_privset { 167 uint32_t priv_cnt; 168 uint32_t control; 169 smb_luid_attrs_t priv[ANY_SIZE_ARRAY]; 170 } smb_privset_t; 171 172 /* 173 * These are possible value for smb_privinfo_t.flags 174 * 175 * PF_PRESENTABLE Privilege is user visible 176 */ 177 #define PF_PRESENTABLE 0x1 178 179 /* 180 * Structure for passing privilege name and id information around within 181 * the system. Note that we are only storing the low uint32_t of the LUID; 182 * the high part is always zero here. 183 */ 184 typedef struct smb_privinfo { 185 uint32_t id; 186 char *name; 187 char *display_name; 188 uint16_t flags; 189 } smb_privinfo_t; 190 191 smb_privinfo_t *smb_priv_getbyvalue(uint32_t id); 192 smb_privinfo_t *smb_priv_getbyname(char *name); 193 int smb_priv_presentable_num(void); 194 int smb_priv_presentable_ids(uint32_t *ids, int num); 195 smb_privset_t *smb_privset_new(); 196 int smb_privset_size(); 197 void smb_privset_init(smb_privset_t *privset); 198 void smb_privset_free(smb_privset_t *privset); 199 void smb_privset_copy(smb_privset_t *dst, smb_privset_t *src); 200 void smb_privset_merge(smb_privset_t *dst, smb_privset_t *src); 201 void smb_privset_enable(smb_privset_t *privset, uint32_t id); 202 int smb_privset_query(smb_privset_t *privset, uint32_t id); 203 void smb_privset_log(smb_privset_t *privset); 204 205 #ifdef __cplusplus 206 } 207 #endif 208 209 #endif /* _SMB_PRIVILEGE_H */ 210