1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 /*
  22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
  23  * Use is subject to license terms.
  24  *
  25  * Copyright 2014 Nexenta Systems, Inc.  All rights reserved.
  26  */
  27 
  28 #ifndef _SMB_PRIVILEGE_H
  29 #define _SMB_PRIVILEGE_H
  30 
  31 #include <smbsrv/wintypes.h>
  32 
  33 #ifdef __cplusplus
  34 extern "C" {
  35 #endif
  36 
  37 /*
  38  * Privileges
  39  *
  40  * Privileges apply to all objects and over-ride the access controls
  41  * in an object's security descriptor in a manner specific to each
  42  * privilege. Privileges are still not full defined. Privileges are
  43  * defined in a set structure (LUID = Locally Unique Identifier).
  44  *
  45  * The default LUID, name and display names defined on NT 4.0 are:
  46  * LUID Privilege Name                Display Name
  47  * ---- --------------                ------------
  48  * 0:2  SeCreateTokenPrivilege        Create a token object
  49  * 0:3  SeAssignPrimaryTokenPrivilege Replace a process level token
  50  * 0:4  SeLockMemoryPrivilege         Lock pages in memory
  51  * 0:5  SeIncreaseQuotaPrivilege      Increase quotas
  52  * 0:6  SeMachineAccountPrivilege     Add workstations to domain
  53  * 0:7  SeTcbPrivilege                Act as part of the operating system
  54  * 0:8  SeSecurityPrivilege           Manage auditing and security log
  55  * 0:9  SeTakeOwnershipPrivilege      Take ownership of files or other objects
  56  * 0:10 SeLoadDriverPrivilege         Load and unload device drivers
  57  * 0:11 SeSystemProfilePrivilege      Profile system performance
  58  * 0:12 SeSystemtimePrivilege         Change the system time
  59  * 0:13 SeProfileSingleProcessPrivilege  Profile single process
  60  * 0:14 SeIncreaseBasePriorityPrivilege  Increase scheduling priority
  61  * 0:15 SeCreatePagefilePrivilege     Create a pagefile
  62  * 0:16 SeCreatePermanentPrivilege    Create permanent shared objects
  63  * 0:17 SeBackupPrivilege             Back up files and directories
  64  * 0:18 SeRestorePrivilege            Restore files and directories
  65  * 0:19 SeShutdownPrivilege           Shut down the system
  66  * 0:20 SeDebugPrivilege              Debug programs
  67  * 0:21 SeAuditPrivilege              Generate security audits
  68  * 0:22 SeSystemEnvironmentPrivilege  Modify firmware environment values
  69  * 0:23 SeChangeNotifyPrivilege       Bypass traverse checking
  70  * 0:24 SeRemoteShutdownPrivilege     Force shutdown from a remote system
  71  */
  72 
  73 /*
  74  * Privilege names
  75  */
  76 #define SE_CREATE_TOKEN_NAME            "SeCreateTokenPrivilege"
  77 #define SE_ASSIGNPRIMARYTOKEN_NAME      "SeAssignPrimaryTokenPrivilege"
  78 #define SE_LOCK_MEMORY_NAME             "SeLockMemoryPrivilege"
  79 #define SE_INCREASE_QUOTA_NAME          "SeIncreaseQuotaPrivilege"
  80 #define SE_UNSOLICITED_INPUT_NAME       "SeUnsolicitedInputPrivilege"
  81 #define SE_MACHINE_ACCOUNT_NAME         "SeMachineAccountPrivilege"
  82 #define SE_TCB_NAME                     "SeTcbPrivilege"
  83 #define SE_SECURITY_NAME                "SeSecurityPrivilege"
  84 #define SE_TAKE_OWNERSHIP_NAME          "SeTakeOwnershipPrivilege"
  85 #define SE_LOAD_DRIVER_NAME             "SeLoadDriverPrivilege"
  86 #define SE_SYSTEM_PROFILE_NAME          "SeSystemProfilePrivilege"
  87 #define SE_SYSTEMTIME_NAME              "SeSystemtimePrivilege"
  88 #define SE_PROF_SINGLE_PROCESS_NAME     "SeProfileSingleProcessPrivilege"
  89 #define SE_INC_BASE_PRIORITY_NAME       "SeIncreaseBasePriorityPrivilege"
  90 #define SE_CREATE_PAGEFILE_NAME         "SeCreatePagefilePrivilege"
  91 #define SE_CREATE_PERMANENT_NAME        "SeCreatePermanentPrivilege"
  92 #define SE_BACKUP_NAME                  "SeBackupPrivilege"
  93 #define SE_RESTORE_NAME                 "SeRestorePrivilege"
  94 #define SE_SHUTDOWN_NAME                "SeShutdownPrivilege"
  95 #define SE_DEBUG_NAME                   "SeDebugPrivilege"
  96 #define SE_AUDIT_NAME                   "SeAuditPrivilege"
  97 #define SE_SYSTEM_ENVIRONMENT_NAME      "SeSystemEnvironmentPrivilege"
  98 #define SE_CHANGE_NOTIFY_NAME           "SeChangeNotifyPrivilege"
  99 #define SE_REMOTE_SHUTDOWN_NAME         "SeRemoteShutdownPrivilege"
 100 
 101 #define SE_MIN_LUID                     2
 102 #define SE_CREATE_TOKEN_LUID            2
 103 #define SE_ASSIGNPRIMARYTOKEN_LUID      3
 104 #define SE_LOCK_MEMORY_LUID             4
 105 #define SE_INCREASE_QUOTA_LUID          5
 106 #define SE_MACHINE_ACCOUNT_LUID         6
 107 #define SE_TCB_LUID                     7
 108 #define SE_SECURITY_LUID                8
 109 #define SE_TAKE_OWNERSHIP_LUID          9
 110 #define SE_LOAD_DRIVER_LUID             10
 111 #define SE_SYSTEM_PROFILE_LUID          11
 112 #define SE_SYSTEMTIME_LUID              12
 113 #define SE_PROF_SINGLE_PROCESS_LUID     13
 114 #define SE_INC_BASE_PRIORITY_LUID       14
 115 #define SE_CREATE_PAGEFILE_LUID         15
 116 #define SE_CREATE_PERMANENT_LUID        16
 117 #define SE_BACKUP_LUID                  17
 118 #define SE_RESTORE_LUID                 18
 119 #define SE_SHUTDOWN_LUID                19
 120 #define SE_DEBUG_LUID                   20
 121 #define SE_AUDIT_LUID                   21
 122 #define SE_SYSTEM_ENVIRONMENT_LUID      22
 123 #define SE_CHANGE_NOTIFY_LUID           23
 124 #define SE_REMOTE_SHUTDOWN_LUID         24
 125 #define SE_MAX_LUID                     24
 126 
 127 /*
 128  * Privilege attributes
 129  */
 130 #define SE_PRIVILEGE_DISABLED                   0x00000000
 131 #define SE_PRIVILEGE_ENABLED_BY_DEFAULT         0x00000001
 132 #define SE_PRIVILEGE_ENABLED                    0x00000002
 133 #define SE_PRIVILEGE_USED_FOR_ACCESS            0x80000000
 134 
 135 /*
 136  * Privilege Set Control flags
 137  */
 138 #define PRIVILEGE_SET_ALL_NECESSARY             1
 139 
 140 /*
 141  * Local User ID (an NT thing, not a Unix UID)
 142  * See also: smb_luid_xdr()
 143  */
 144 typedef struct smb_luid {
 145         uint32_t lo_part;
 146         uint32_t hi_part;
 147 } smb_luid_t;
 148 
 149 /*
 150  * Local User ID and attributes (again, an NT thing)
 151  * See also: smb_luid_attrs_xdr()
 152  */
 153 typedef struct smb_luid_attrs {
 154         smb_luid_t luid;
 155         uint32_t attrs;
 156 } smb_luid_attrs_t;
 157 
 158 /*
 159  * An (NT-style) collection of privileges.
 160  * See also: smb_privset_xdr()
 161  */
 162 typedef struct smb_privset {
 163         uint32_t priv_cnt;
 164         uint32_t control;
 165         smb_luid_attrs_t priv[ANY_SIZE_ARRAY];
 166 } smb_privset_t;
 167 
 168 /*
 169  * These are possible value for smb_privinfo_t.flags
 170  *
 171  * PF_PRESENTABLE       Privilege is user visible
 172  */
 173 #define PF_PRESENTABLE  0x1
 174 
 175 /*
 176  * Structure for passing privilege name and id information around within
 177  * the system. Note that we are only storing the low uint32_t of the LUID;
 178  * the high part is always zero here.
 179  */
 180 typedef struct smb_privinfo {
 181         uint32_t id;
 182         char *name;
 183         char *display_name;
 184         uint16_t flags;
 185 } smb_privinfo_t;
 186 
 187 smb_privinfo_t *smb_priv_getbyvalue(uint32_t id);
 188 smb_privinfo_t *smb_priv_getbyname(char *name);
 189 int smb_priv_presentable_num(void);
 190 int smb_priv_presentable_ids(uint32_t *ids, int num);
 191 smb_privset_t *smb_privset_new();
 192 int smb_privset_size();
 193 void smb_privset_init(smb_privset_t *privset);
 194 void smb_privset_free(smb_privset_t *privset);
 195 void smb_privset_copy(smb_privset_t *dst, smb_privset_t *src);
 196 void smb_privset_merge(smb_privset_t *dst, smb_privset_t *src);
 197 void smb_privset_enable(smb_privset_t *privset, uint32_t id);
 198 int smb_privset_query(smb_privset_t *privset, uint32_t id);
 199 void smb_privset_log(smb_privset_t *privset);
 200 
 201 #ifdef __cplusplus
 202 }
 203 #endif
 204 
 205 #endif /* _SMB_PRIVILEGE_H */