xref: /titanic_51/usr/src/uts/common/smbsrv/ntaccess.h (revision da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0)
1*da6c28aaSamw /*
2*da6c28aaSamw  * CDDL HEADER START
3*da6c28aaSamw  *
4*da6c28aaSamw  * The contents of this file are subject to the terms of the
5*da6c28aaSamw  * Common Development and Distribution License (the "License").
6*da6c28aaSamw  * You may not use this file except in compliance with the License.
7*da6c28aaSamw  *
8*da6c28aaSamw  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9*da6c28aaSamw  * or http://www.opensolaris.org/os/licensing.
10*da6c28aaSamw  * See the License for the specific language governing permissions
11*da6c28aaSamw  * and limitations under the License.
12*da6c28aaSamw  *
13*da6c28aaSamw  * When distributing Covered Code, include this CDDL HEADER in each
14*da6c28aaSamw  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15*da6c28aaSamw  * If applicable, add the following below this CDDL HEADER, with the
16*da6c28aaSamw  * fields enclosed by brackets "[]" replaced with your own identifying
17*da6c28aaSamw  * information: Portions Copyright [yyyy] [name of copyright owner]
18*da6c28aaSamw  *
19*da6c28aaSamw  * CDDL HEADER END
20*da6c28aaSamw  */
21*da6c28aaSamw /*
22*da6c28aaSamw  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
23*da6c28aaSamw  * Use is subject to license terms.
24*da6c28aaSamw  */
25*da6c28aaSamw 
26*da6c28aaSamw #ifndef _SMBSRV_NTACCESS_H
27*da6c28aaSamw #define	_SMBSRV_NTACCESS_H
28*da6c28aaSamw 
29*da6c28aaSamw #pragma ident	"%Z%%M%	%I%	%E% SMI"
30*da6c28aaSamw 
31*da6c28aaSamw /*
32*da6c28aaSamw  * This file defines the NT compatible access control masks and values.
33*da6c28aaSamw  * An access mask as a 32-bit value arranged as shown below.
34*da6c28aaSamw  *
35*da6c28aaSamw  *   31-28    Generic bits, interpreted per object type
36*da6c28aaSamw  *   27-26    Reserved, must-be-zero
37*da6c28aaSamw  *   25       Maximum allowed
38*da6c28aaSamw  *   24       System Security rights (SACL is SD)
39*da6c28aaSamw  *   23-16    Standard access rights, generic to all object types
40*da6c28aaSamw  *   15-0     Specific access rights, object specific
41*da6c28aaSamw  *
42*da6c28aaSamw  *   3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1
43*da6c28aaSamw  *   1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
44*da6c28aaSamw  *   +---------------+---------------+-------------------------------+
45*da6c28aaSamw  *   |G|G|G|G|Res'd|A| StandardRights|         SpecificRights        |
46*da6c28aaSamw  *   |R|W|E|A|     |S|               |                               |
47*da6c28aaSamw  *   +-+-------------+---------------+-------------------------------+
48*da6c28aaSamw  */
49*da6c28aaSamw 
50*da6c28aaSamw #ifdef __cplusplus
51*da6c28aaSamw extern "C" {
52*da6c28aaSamw #endif
53*da6c28aaSamw 
54*da6c28aaSamw /*
55*da6c28aaSamw  * Specific rights for files, pipes and directories.
56*da6c28aaSamw  */
57*da6c28aaSamw #define	FILE_READ_DATA			(0x0001) /* file & pipe */
58*da6c28aaSamw #define	FILE_LIST_DIRECTORY		(0x0001) /* directory */
59*da6c28aaSamw #define	FILE_WRITE_DATA			(0x0002) /* file & pipe */
60*da6c28aaSamw #define	FILE_ADD_FILE			(0x0002) /* directory */
61*da6c28aaSamw #define	FILE_APPEND_DATA		(0x0004) /* file */
62*da6c28aaSamw #define	FILE_ADD_SUBDIRECTORY		(0x0004) /* directory */
63*da6c28aaSamw #define	FILE_CREATE_PIPE_INSTANCE	(0x0004) /* named pipe */
64*da6c28aaSamw #define	FILE_READ_EA			(0x0008) /* file & directory */
65*da6c28aaSamw #define	FILE_READ_PROPERTIES		(0x0008) /* pipe */
66*da6c28aaSamw #define	FILE_WRITE_EA			(0x0010) /* file & directory */
67*da6c28aaSamw #define	FILE_WRITE_PROPERTIES		(0x0010) /* pipe */
68*da6c28aaSamw #define	FILE_EXECUTE			(0x0020) /* file */
69*da6c28aaSamw #define	FILE_TRAVERSE			(0x0020) /* directory */
70*da6c28aaSamw #define	FILE_DELETE_CHILD		(0x0040) /* directory */
71*da6c28aaSamw #define	FILE_READ_ATTRIBUTES		(0x0080) /* all */
72*da6c28aaSamw #define	FILE_WRITE_ATTRIBUTES		(0x0100) /* all */
73*da6c28aaSamw #define	FILE_SPECIFIC_ALL		(0x000001FFL)
74*da6c28aaSamw #define	SPECIFIC_RIGHTS_ALL		(0x0000FFFFL)
75*da6c28aaSamw 
76*da6c28aaSamw 
77*da6c28aaSamw /*
78*da6c28aaSamw  * Standard rights:
79*da6c28aaSamw  *
80*da6c28aaSamw  * DELETE	The right to delete the object.
81*da6c28aaSamw  *
82*da6c28aaSamw  * READ_CONTROL The right to read the information in the object's security
83*da6c28aaSamw  *              descriptor, not including the information in the SACL.
84*da6c28aaSamw  *
85*da6c28aaSamw  * WRITE_DAC    The right to modify the DACL in the object's security
86*da6c28aaSamw  *	        descriptor.
87*da6c28aaSamw  *
88*da6c28aaSamw  * WRITE_OWNER  The right to change the owner in the object's security
89*da6c28aaSamw  *	        descriptor.
90*da6c28aaSamw  *
91*da6c28aaSamw  * SYNCHRONIZE  The right to use the object for synchronization. This enables
92*da6c28aaSamw  *              a thread to wait until the object is in the signaled state.
93*da6c28aaSamw  */
94*da6c28aaSamw #define	DELETE				(0x00010000L)
95*da6c28aaSamw #define	READ_CONTROL			(0x00020000L)
96*da6c28aaSamw #define	WRITE_DAC			(0x00040000L)
97*da6c28aaSamw #define	WRITE_OWNER			(0x00080000L) /* take ownership */
98*da6c28aaSamw #define	SYNCHRONIZE			(0x00100000L)
99*da6c28aaSamw #define	STANDARD_RIGHTS_REQUIRED	(0x000F0000L)
100*da6c28aaSamw #define	STANDARD_RIGHTS_ALL		(0x001F0000L)
101*da6c28aaSamw 
102*da6c28aaSamw 
103*da6c28aaSamw #define	STANDARD_RIGHTS_READ		(READ_CONTROL)
104*da6c28aaSamw #define	STANDARD_RIGHTS_WRITE		(READ_CONTROL)
105*da6c28aaSamw #define	STANDARD_RIGHTS_EXECUTE		(READ_CONTROL)
106*da6c28aaSamw 
107*da6c28aaSamw #define	FILE_METADATA_ALL		(FILE_READ_EA		|\
108*da6c28aaSamw 					FILE_READ_ATTRIBUTES	|\
109*da6c28aaSamw 					READ_CONTROL		|\
110*da6c28aaSamw 					FILE_WRITE_EA		|\
111*da6c28aaSamw 					FILE_WRITE_ATTRIBUTES	|\
112*da6c28aaSamw 					WRITE_DAC		|\
113*da6c28aaSamw 					WRITE_OWNER		|\
114*da6c28aaSamw 					SYNCHRONIZE)
115*da6c28aaSamw 
116*da6c28aaSamw #define	FILE_DATA_ALL			(FILE_READ_DATA		|\
117*da6c28aaSamw 					FILE_WRITE_DATA		|\
118*da6c28aaSamw 					FILE_APPEND_DATA	|\
119*da6c28aaSamw 					FILE_EXECUTE		|\
120*da6c28aaSamw 					DELETE)
121*da6c28aaSamw 
122*da6c28aaSamw #define	FILE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1FF)
123*da6c28aaSamw 
124*da6c28aaSamw 
125*da6c28aaSamw /*
126*da6c28aaSamw  * Miscellaneous bits: SACL access and maximum allowed access.
127*da6c28aaSamw  */
128*da6c28aaSamw #define	ACCESS_SYSTEM_SECURITY		(0x01000000L)
129*da6c28aaSamw #define	MAXIMUM_ALLOWED			(0x02000000L)
130*da6c28aaSamw 
131*da6c28aaSamw 
132*da6c28aaSamw /*
133*da6c28aaSamw  * Generic rights. These are shorthands that are interpreted as
134*da6c28aaSamw  * appropriate for the type of secured object being accessed.
135*da6c28aaSamw  */
136*da6c28aaSamw #define	GENERIC_ALL			(0x10000000UL)
137*da6c28aaSamw #define	GENERIC_EXECUTE			(0x20000000UL)
138*da6c28aaSamw #define	GENERIC_WRITE			(0x40000000UL)
139*da6c28aaSamw #define	GENERIC_READ			(0x80000000UL)
140*da6c28aaSamw 
141*da6c28aaSamw #define	FILE_GENERIC_READ (STANDARD_RIGHTS_READ |		\
142*da6c28aaSamw 	    FILE_READ_DATA		|			\
143*da6c28aaSamw 	    FILE_READ_ATTRIBUTES	|			\
144*da6c28aaSamw 	    FILE_READ_EA		|			\
145*da6c28aaSamw 	    SYNCHRONIZE)
146*da6c28aaSamw 
147*da6c28aaSamw #define	FILE_GENERIC_WRITE (STANDARD_RIGHTS_WRITE |		\
148*da6c28aaSamw 	    FILE_WRITE_DATA		|			\
149*da6c28aaSamw 	    FILE_WRITE_ATTRIBUTES	|			\
150*da6c28aaSamw 	    FILE_WRITE_EA		|			\
151*da6c28aaSamw 	    FILE_APPEND_DATA		|			\
152*da6c28aaSamw 	    SYNCHRONIZE)
153*da6c28aaSamw 
154*da6c28aaSamw #define	FILE_GENERIC_EXECUTE (STANDARD_RIGHTS_EXECUTE |		\
155*da6c28aaSamw 	    FILE_READ_ATTRIBUTES	|			\
156*da6c28aaSamw 	    FILE_EXECUTE		|			\
157*da6c28aaSamw 	    SYNCHRONIZE)
158*da6c28aaSamw 
159*da6c28aaSamw #define	FILE_GENERIC_ALL (FILE_GENERIC_READ |			\
160*da6c28aaSamw 	    FILE_GENERIC_WRITE		|			\
161*da6c28aaSamw 	    FILE_GENERIC_EXECUTE)
162*da6c28aaSamw 
163*da6c28aaSamw 
164*da6c28aaSamw /*
165*da6c28aaSamw  * LSA policy desired access masks.
166*da6c28aaSamw  */
167*da6c28aaSamw #define	POLICY_VIEW_LOCAL_INFORMATION		0x00000001L
168*da6c28aaSamw #define	POLICY_VIEW_AUDIT_INFORMATION		0x00000002L
169*da6c28aaSamw #define	POLICY_GET_PRIVATE_INFORMATION		0x00000004L
170*da6c28aaSamw #define	POLICY_TRUST_ADMIN			0x00000008L
171*da6c28aaSamw #define	POLICY_CREATE_ACCOUNT			0x00000010L
172*da6c28aaSamw #define	POLICY_CREATE_SECRET			0x00000020L
173*da6c28aaSamw #define	POLICY_CREATE_PRIVILEGE			0x00000040L
174*da6c28aaSamw #define	POLICY_SET_DEFAULT_QUOTA_LIMITS		0x00000080L
175*da6c28aaSamw #define	POLICY_SET_AUDIT_REQUIREMENTS		0x00000100L
176*da6c28aaSamw #define	POLICY_AUDIT_LOG_ADMIN			0x00000200L
177*da6c28aaSamw #define	POLICY_SERVER_ADMIN			0x00000400L
178*da6c28aaSamw #define	POLICY_LOOKUP_NAMES			0x00000800L
179*da6c28aaSamw 
180*da6c28aaSamw 
181*da6c28aaSamw /*
182*da6c28aaSamw  * SAM specific rights desired access masks. These definitions are listed
183*da6c28aaSamw  * mostly as a convenience; they don't seem to be documented. Setting the
184*da6c28aaSamw  * desired access mask to GENERIC_EXECUTE and STANDARD_RIGHTS_EXECUTE
185*da6c28aaSamw  * seems to work when just looking up information.
186*da6c28aaSamw  */
187*da6c28aaSamw #define	SAM_LOOKUP_INFORMATION (GENERIC_EXECUTE		\
188*da6c28aaSamw 	    | STANDARD_RIGHTS_EXECUTE)
189*da6c28aaSamw 
190*da6c28aaSamw #define	SAM_ACCESS_USER_READ		0x0000031BL
191*da6c28aaSamw #define	SAM_ACCESS_USER_UPDATE		0x0000031FL
192*da6c28aaSamw #define	SAM_ACCESS_USER_SETPWD		0x0000037FL
193*da6c28aaSamw #define	SAM_CONNECT_CREATE_ACCOUNT	0x00000020L
194*da6c28aaSamw #define	SAM_ENUM_LOCAL_DOMAIN		0x00000030L
195*da6c28aaSamw #define	SAM_DOMAIN_CREATE_ACCOUNT	0x00000211L
196*da6c28aaSamw 
197*da6c28aaSamw 
198*da6c28aaSamw /*
199*da6c28aaSamw  * File attributes
200*da6c28aaSamw  *
201*da6c28aaSamw  * Note:  0x00000008 is reserved for use for the old DOS VOLID (volume ID)
202*da6c28aaSamw  *        and is therefore not considered valid in NT.
203*da6c28aaSamw  *
204*da6c28aaSamw  * Note:  0x00000010 is reserved for use for the old DOS SUBDIRECTORY flag
205*da6c28aaSamw  *        and is therefore not considered valid in NT.  This flag has
206*da6c28aaSamw  *        been disassociated with file attributes since the other flags are
207*da6c28aaSamw  *        protected with READ_ and WRITE_ATTRIBUTES access to the file.
208*da6c28aaSamw  *
209*da6c28aaSamw  * Note:  Note also that the order of these flags is set to allow both the
210*da6c28aaSamw  *        FAT and the Pinball File Systems to directly set the attributes
211*da6c28aaSamw  *        flags in attributes words without having to pick each flag out
212*da6c28aaSamw  *        individually.  The order of these flags should not be changed!
213*da6c28aaSamw  *
214*da6c28aaSamw  * The file attributes are defined in smbsrv/smb_vops.h
215*da6c28aaSamw  */
216*da6c28aaSamw 
217*da6c28aaSamw /* Filesystem Attributes */
218*da6c28aaSamw #define	FILE_CASE_SENSITIVE_SEARCH	0x00000001
219*da6c28aaSamw #define	FILE_CASE_PRESERVED_NAMES	0x00000002
220*da6c28aaSamw #define	FILE_UNICODE_ON_DISK		0x00000004
221*da6c28aaSamw #define	FILE_PERSISTENT_ACLS		0x00000008
222*da6c28aaSamw #define	FILE_FILE_COMPRESSION		0x00000010
223*da6c28aaSamw #define	FILE_VOLUME_QUOTAS		0x00000020
224*da6c28aaSamw #define	FILE_SUPPORTS_SPARSE_FILES	0x00000040
225*da6c28aaSamw #define	FILE_SUPPORTS_REPARSE_POINTS	0x00000080
226*da6c28aaSamw #define	FILE_SUPPORTS_REMOTE_STORAGE	0x00000100
227*da6c28aaSamw #define	FILE_VOLUME_IS_COMPRESSED	0x00008000
228*da6c28aaSamw #define	FILE_SUPPORTS_OBJECT_IDS	0x00010000
229*da6c28aaSamw #define	FILE_SUPPORTS_ENCRYPTION	0x00020000
230*da6c28aaSamw #define	FILE_NAMED_STREAMS		0x00040000
231*da6c28aaSamw #define	FILE_READ_ONLY_VOLUME		0x00080000
232*da6c28aaSamw 
233*da6c28aaSamw #ifdef __cplusplus
234*da6c28aaSamw }
235*da6c28aaSamw #endif
236*da6c28aaSamw 
237*da6c28aaSamw #endif /* _SMBSRV_NTACCESS_H */
238