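/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

#ifndef _SMBSRV_NTACCESS_H
#define	_SMBSRV_NTACCESS_H

#pragma ident	"%Z%%M%	%I%	%E% SMI"

/*
 * This file defines the NT compatible access control masks and values.
 * An access mask is a 32-bit value arranged as shown below.
 *
 *   31-28  Generic bits, interpreted per object type
 *   27-26  Reserved, must-be-zero
 *   25     Maximum allowed
 *   24     System Security rights (access to the SACL in the SD)
 *   23-16  Standard access rights, generic to all object types
 *   15-0   Specific access rights, object specific
 *
 *  3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1
 *  1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
 * +---------------+---------------+-------------------------------+
 * |G|G|G|G|Res'd|A| StandardRights|         SpecificRights        |
 * |R|W|E|A|     |S|               |                               |
 * +-+-------------+---------------+-------------------------------+
 *
 * The diagram draws bits 27-25 as one reserved field; bit 25 is the
 * MAXIMUM_ALLOWED bit listed in the table above and defined below.
 *
 * The constants in this file carry mixed suffixes (none, L and UL), so
 * their C types differ.  Convert to the 32-bit mask type before
 * complementing (~) or comparing a mask, so that a wider long does not
 * change the result.
 */

#ifdef __cplusplus
extern "C" {
#endif

/*
 * Specific rights for files, pipes and directories.
 *
 * Several names share one bit value: the meaning of a specific-rights
 * bit depends on the object type, so a mask must be interpreted
 * together with the type of the object it applies to.
 */
#define	FILE_READ_DATA			(0x0001)	/* file & pipe */
#define	FILE_LIST_DIRECTORY		(0x0001)	/* directory */
#define	FILE_WRITE_DATA			(0x0002)	/* file & pipe */
#define	FILE_ADD_FILE			(0x0002)	/* directory */
#define	FILE_APPEND_DATA		(0x0004)	/* file */
#define	FILE_ADD_SUBDIRECTORY		(0x0004)	/* directory */
#define	FILE_CREATE_PIPE_INSTANCE	(0x0004)	/* named pipe */
#define	FILE_READ_EA			(0x0008)	/* file & directory */
#define	FILE_READ_PROPERTIES		(0x0008)	/* pipe */
#define	FILE_WRITE_EA			(0x0010)	/* file & directory */
#define	FILE_WRITE_PROPERTIES		(0x0010)	/* pipe */
#define	FILE_EXECUTE			(0x0020)	/* file */
#define	FILE_TRAVERSE			(0x0020)	/* directory */
#define	FILE_DELETE_CHILD		(0x0040)	/* directory */
#define	FILE_READ_ATTRIBUTES		(0x0080)	/* all */
#define	FILE_WRITE_ATTRIBUTES		(0x0100)	/* all */
#define	FILE_SPECIFIC_ALL		(0x000001FFL)
#define	SPECIFIC_RIGHTS_ALL		(0x0000FFFFL)


/*
 * Standard rights:
 *
 * DELETE	The right to delete the object.
 *
 * READ_CONTROL	The right to read the information in the object's security
 *		descriptor, not including the information in the SACL.
 *
 * WRITE_DAC	The right to modify the DACL in the object's security
 *		descriptor.
 *
 * WRITE_OWNER	The right to change the owner in the object's security
 *		descriptor.
 *
 * SYNCHRONIZE	The right to use the object for synchronization. This enables
 *		a thread to wait until the object is in the signaled state.
 */
#define	DELETE				(0x00010000L)
#define	READ_CONTROL			(0x00020000L)
#define	WRITE_DAC			(0x00040000L)
#define	WRITE_OWNER			(0x00080000L)	/* take ownership */
#define	SYNCHRONIZE			(0x00100000L)
#define	STANDARD_RIGHTS_REQUIRED	(0x000F0000L)
#define	STANDARD_RIGHTS_ALL		(0x001F0000L)


/*
 * All three aliases resolve to READ_CONTROL, so every FILE_GENERIC_*
 * mask below (including the write mask) also lets the holder read the
 * security descriptor.
 */
#define	STANDARD_RIGHTS_READ		(READ_CONTROL)
#define	STANDARD_RIGHTS_WRITE		(READ_CONTROL)
#define	STANDARD_RIGHTS_EXECUTE		(READ_CONTROL)

/*
 * Every metadata-related right.  This includes WRITE_DAC and
 * WRITE_OWNER, i.e. the rights to rewrite the DACL and to change the
 * owner, so it is not a read-only or low-privilege mask.
 */
#define	FILE_METADATA_ALL		(FILE_READ_EA		|\
					FILE_READ_ATTRIBUTES	|\
					READ_CONTROL		|\
					FILE_WRITE_EA		|\
					FILE_WRITE_ATTRIBUTES	|\
					WRITE_DAC		|\
					WRITE_OWNER		|\
					SYNCHRONIZE)

/* Every data-related right on a file, including DELETE. */
#define	FILE_DATA_ALL			(FILE_READ_DATA		|\
					FILE_WRITE_DATA		|\
					FILE_APPEND_DATA	|\
					FILE_EXECUTE		|\
					DELETE)

/*
 * Full control: the four required standard rights, SYNCHRONIZE and all
 * nine file-specific bits (0x001F01FF).
 */
#define	FILE_ALL_ACCESS	(STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \
			FILE_SPECIFIC_ALL)


/*
 * Miscellaneous bits: SACL access and maximum allowed access.
 *
 * NOTE(review): in NT semantics MAXIMUM_ALLOWED is normally a bit set in
 * a requested mask rather than a right stored in an ACE - confirm how
 * the access-check code in this tree treats it.
 */
#define	ACCESS_SYSTEM_SECURITY		(0x01000000L)
#define	MAXIMUM_ALLOWED			(0x02000000L)


/*
 * Generic rights. These are shorthands that are interpreted as
 * appropriate for the type of secured object being accessed.
 */
#define	GENERIC_ALL			(0x10000000UL)
#define	GENERIC_EXECUTE			(0x20000000UL)
#define	GENERIC_WRITE			(0x40000000UL)
#define	GENERIC_READ			(0x80000000UL)

/* File interpretation of GENERIC_READ (0x00120089). */
#define	FILE_GENERIC_READ		(STANDARD_RIGHTS_READ	| \
					FILE_READ_DATA		| \
					FILE_READ_ATTRIBUTES	| \
					FILE_READ_EA		| \
					SYNCHRONIZE)

/* File interpretation of GENERIC_WRITE (0x00120116). */
#define	FILE_GENERIC_WRITE		(STANDARD_RIGHTS_WRITE	| \
					FILE_WRITE_DATA		| \
					FILE_WRITE_ATTRIBUTES	| \
					FILE_WRITE_EA		| \
					FILE_APPEND_DATA	| \
					SYNCHRONIZE)

/* File interpretation of GENERIC_EXECUTE (0x001200A0). */
#define	FILE_GENERIC_EXECUTE		(STANDARD_RIGHTS_EXECUTE | \
					FILE_READ_ATTRIBUTES	| \
					FILE_EXECUTE		| \
					SYNCHRONIZE)

/*
 * Union of the three masks above (0x001201BF).  This is narrower than
 * FILE_ALL_ACCESS: it does not contain DELETE, WRITE_DAC, WRITE_OWNER
 * or FILE_DELETE_CHILD.  Code that expands GENERIC_ALL for a file
 * should choose between FILE_GENERIC_ALL and FILE_ALL_ACCESS
 * deliberately, because the difference is exactly the rights that
 * allow deleting the object or changing its security descriptor.
 */
#define	FILE_GENERIC_ALL		(FILE_GENERIC_READ	| \
					FILE_GENERIC_WRITE	| \
					FILE_GENERIC_EXECUTE)


/*
 * LSA policy desired access masks.
 */
#define	POLICY_VIEW_LOCAL_INFORMATION		0x00000001L
#define	POLICY_VIEW_AUDIT_INFORMATION		0x00000002L
#define	POLICY_GET_PRIVATE_INFORMATION		0x00000004L
#define	POLICY_TRUST_ADMIN			0x00000008L
#define	POLICY_CREATE_ACCOUNT			0x00000010L
#define	POLICY_CREATE_SECRET			0x00000020L
#define	POLICY_CREATE_PRIVILEGE			0x00000040L
#define	POLICY_SET_DEFAULT_QUOTA_LIMITS		0x00000080L
#define	POLICY_SET_AUDIT_REQUIREMENTS		0x00000100L
#define	POLICY_AUDIT_LOG_ADMIN			0x00000200L
#define	POLICY_SERVER_ADMIN			0x00000400L
#define	POLICY_LOOKUP_NAMES			0x00000800L


/*
 * SAM specific rights desired access masks. These definitions are listed
 * mostly as a convenience; they don't seem to be documented. Setting the
 * desired access mask to GENERIC_EXECUTE and STANDARD_RIGHTS_EXECUTE
 * seems to work when just looking up information.
 */
#define	SAM_LOOKUP_INFORMATION	(GENERIC_EXECUTE \
				| STANDARD_RIGHTS_EXECUTE)

#define	SAM_ACCESS_USER_READ		0x0000031BL
#define	SAM_ACCESS_USER_UPDATE		0x0000031FL
#define	SAM_ACCESS_USER_SETPWD		0x0000037FL
#define	SAM_CONNECT_CREATE_ACCOUNT	0x00000020L
#define	SAM_ENUM_LOCAL_DOMAIN		0x00000030L
#define	SAM_DOMAIN_CREATE_ACCOUNT	0x00000211L


/*
 * File attributes
 *
 * Note:  0x00000008 is reserved for use for the old DOS VOLID (volume ID)
 *        and is therefore not considered valid in NT.
 *
 * Note:  0x00000010 is reserved for use for the old DOS SUBDIRECTORY flag
 *        and is therefore not considered valid in NT.  This flag has
 *        been disassociated with file attributes since the other flags are
 *        protected with READ_ and WRITE_ATTRIBUTES access to the file.
 *
 * Note:  Note also that the order of these flags is set to allow both the
 *        FAT and the Pinball File Systems to directly set the attributes
 *        flags in attributes words without having to pick each flag out
 *        individually.  The order of these flags should not be changed!
 *
 * The file attributes are defined in smbsrv/smb_vops.h
 */

/*
 * Filesystem Attributes
 *
 * These flags are a separate namespace from the access-mask bits above,
 * although the numeric values overlap (for example FILE_PERSISTENT_ACLS
 * and FILE_READ_EA are both 0x8).  Do not mix them into an access mask.
 */
#define	FILE_CASE_SENSITIVE_SEARCH	0x00000001
#define	FILE_CASE_PRESERVED_NAMES	0x00000002
#define	FILE_UNICODE_ON_DISK		0x00000004
#define	FILE_PERSISTENT_ACLS		0x00000008
#define	FILE_FILE_COMPRESSION		0x00000010
#define	FILE_VOLUME_QUOTAS		0x00000020
#define	FILE_SUPPORTS_SPARSE_FILES	0x00000040
#define	FILE_SUPPORTS_REPARSE_POINTS	0x00000080
#define	FILE_SUPPORTS_REMOTE_STORAGE	0x00000100
#define	FILE_VOLUME_IS_COMPRESSED	0x00008000
#define	FILE_SUPPORTS_OBJECT_IDS	0x00010000
#define	FILE_SUPPORTS_ENCRYPTION	0x00020000
#define	FILE_NAMED_STREAMS		0x00040000
#define	FILE_READ_ONLY_VOLUME		0x00080000

#ifdef __cplusplus
}
#endif

#endif /* _SMBSRV_NTACCESS_H */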