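/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 *
 * Copyright 2014 Nexenta Systems, Inc.  All rights reserved.
 */

#ifndef _SMB_PRIVILEGE_H
#define	_SMB_PRIVILEGE_H

#include <smbsrv/wintypes.h>

#ifdef __cplusplus
extern "C" {
#endif

/*
 * Privileges
 *
 * Privileges apply to all objects and over-ride the access controls
 * in an object's security descriptor in a manner specific to each
 * privilege. Privileges are still not fully defined. Privileges are
 * defined in a set structure (LUID = Locally Unique Identifier).
 *
 * Because a privilege bypasses the per-object security descriptor,
 * every place that grants or enables one is an authorization decision
 * in its own right and deserves the same review as an ACL change.
 *
 * The default LUID, name and display names defined on NT 4.0 are:
 * LUID  Privilege Name                   Display Name
 * ----  --------------                   ------------
 * 0:2   SeCreateTokenPrivilege           Create a token object
 * 0:3   SeAssignPrimaryTokenPrivilege    Replace a process level token
 * 0:4   SeLockMemoryPrivilege            Lock pages in memory
 * 0:5   SeIncreaseQuotaPrivilege         Increase quotas
 * 0:6   SeMachineAccountPrivilege        Add workstations to domain
 * 0:7   SeTcbPrivilege                   Act as part of the operating system
 * 0:8   SeSecurityPrivilege              Manage auditing and security log
 * 0:9   SeTakeOwnershipPrivilege         Take ownership of files or other objects
 * 0:10  SeLoadDriverPrivilege            Load and unload device drivers
 * 0:11  SeSystemProfilePrivilege         Profile system performance
 * 0:12  SeSystemtimePrivilege            Change the system time
 * 0:13  SeProfileSingleProcessPrivilege  Profile single process
 * 0:14  SeIncreaseBasePriorityPrivilege  Increase scheduling priority
 * 0:15  SeCreatePagefilePrivilege        Create a pagefile
 * 0:16  SeCreatePermanentPrivilege       Create permanent shared objects
 * 0:17  SeBackupPrivilege                Back up files and directories
 * 0:18  SeRestorePrivilege               Restore files and directories
 * 0:19  SeShutdownPrivilege              Shut down the system
 * 0:20  SeDebugPrivilege                 Debug programs
 * 0:21  SeAuditPrivilege                 Generate security audits
 * 0:22  SeSystemEnvironmentPrivilege     Modify firmware environment values
 * 0:23  SeChangeNotifyPrivilege          Bypass traverse checking
 * 0:24  SeRemoteShutdownPrivilege        Force shutdown from a remote system
 */

/*
 * Privilege names
 *
 * SE_UNSOLICITED_INPUT_NAME has no matching SE_*_LUID below and does
 * not appear in the NT 4.0 table above, so it cannot be mapped to an
 * id using only the constants in this header.
 */
#define	SE_CREATE_TOKEN_NAME		"SeCreateTokenPrivilege"
#define	SE_ASSIGNPRIMARYTOKEN_NAME	"SeAssignPrimaryTokenPrivilege"
#define	SE_LOCK_MEMORY_NAME		"SeLockMemoryPrivilege"
#define	SE_INCREASE_QUOTA_NAME		"SeIncreaseQuotaPrivilege"
#define	SE_UNSOLICITED_INPUT_NAME	"SeUnsolicitedInputPrivilege"
#define	SE_MACHINE_ACCOUNT_NAME		"SeMachineAccountPrivilege"
#define	SE_TCB_NAME			"SeTcbPrivilege"
#define	SE_SECURITY_NAME		"SeSecurityPrivilege"
#define	SE_TAKE_OWNERSHIP_NAME		"SeTakeOwnershipPrivilege"
#define	SE_LOAD_DRIVER_NAME		"SeLoadDriverPrivilege"
#define	SE_SYSTEM_PROFILE_NAME		"SeSystemProfilePrivilege"
#define	SE_SYSTEMTIME_NAME		"SeSystemtimePrivilege"
#define	SE_PROF_SINGLE_PROCESS_NAME	"SeProfileSingleProcessPrivilege"
#define	SE_INC_BASE_PRIORITY_NAME	"SeIncreaseBasePriorityPrivilege"
#define	SE_CREATE_PAGEFILE_NAME		"SeCreatePagefilePrivilege"
#define	SE_CREATE_PERMANENT_NAME	"SeCreatePermanentPrivilege"
#define	SE_BACKUP_NAME			"SeBackupPrivilege"
#define	SE_RESTORE_NAME			"SeRestorePrivilege"
#define	SE_SHUTDOWN_NAME		"SeShutdownPrivilege"
#define	SE_DEBUG_NAME			"SeDebugPrivilege"
#define	SE_AUDIT_NAME			"SeAuditPrivilege"
#define	SE_SYSTEM_ENVIRONMENT_NAME	"SeSystemEnvironmentPrivilege"
#define	SE_CHANGE_NOTIFY_NAME		"SeChangeNotifyPrivilege"
#define	SE_REMOTE_SHUTDOWN_NAME		"SeRemoteShutdownPrivilege"

/*
 * Privilege ids (the low part of the LUID; see smb_privinfo_t).
 *
 * SE_MIN_LUID and SE_MAX_LUID are the inclusive bounds of the ids
 * defined here. An id outside that range names no privilege in this
 * header; code that takes an id from a peer or a decoded message
 * should range-check it before using it as an index or a lookup key.
 */
#define	SE_MIN_LUID			2
#define	SE_CREATE_TOKEN_LUID		2
#define	SE_ASSIGNPRIMARYTOKEN_LUID	3
#define	SE_LOCK_MEMORY_LUID		4
#define	SE_INCREASE_QUOTA_LUID		5
#define	SE_MACHINE_ACCOUNT_LUID		6
#define	SE_TCB_LUID			7
#define	SE_SECURITY_LUID		8
#define	SE_TAKE_OWNERSHIP_LUID		9
#define	SE_LOAD_DRIVER_LUID		10
#define	SE_SYSTEM_PROFILE_LUID		11
#define	SE_SYSTEMTIME_LUID		12
#define	SE_PROF_SINGLE_PROCESS_LUID	13
#define	SE_INC_BASE_PRIORITY_LUID	14
#define	SE_CREATE_PAGEFILE_LUID		15
#define	SE_CREATE_PERMANENT_LUID	16
#define	SE_BACKUP_LUID			17
#define	SE_RESTORE_LUID			18
#define	SE_SHUTDOWN_LUID		19
#define	SE_DEBUG_LUID			20
#define	SE_AUDIT_LUID			21
#define	SE_SYSTEM_ENVIRONMENT_LUID	22
#define	SE_CHANGE_NOTIFY_LUID		23
#define	SE_REMOTE_SHUTDOWN_LUID		24
#define	SE_MAX_LUID			24

/*
 * Privilege attributes
 *
 * These are bit flags, except SE_PRIVILEGE_DISABLED: its value is 0,
 * so (attrs & SE_PRIVILEGE_DISABLED) is always false. "Disabled" has
 * to be tested as the absence of the enabled bits, not as a bit.
 */
#define	SE_PRIVILEGE_DISABLED			0x00000000
#define	SE_PRIVILEGE_ENABLED_BY_DEFAULT		0x00000001
#define	SE_PRIVILEGE_ENABLED			0x00000002
#define	SE_PRIVILEGE_USED_FOR_ACCESS		0x80000000

/*
 * Privilege Set Control flags
 */
#define	PRIVILEGE_SET_ALL_NECESSARY	1

/*
 * Locally Unique Identifier (an NT thing, not a Unix UID)
 * See also: smb_luid_xdr()
 */
typedef struct smb_luid {
	uint32_t lo_part;
	uint32_t hi_part;
} smb_luid_t;

/*
 * LUID and attributes (again, an NT thing)
 * attrs presumably holds the SE_PRIVILEGE_* attribute flags above;
 * confirm against the implementation.
 * See also: smb_luid_attrs_xdr()
 */
typedef struct smb_luid_attrs {
	smb_luid_t luid;
	uint32_t attrs;
} smb_luid_attrs_t;

/*
 * An (NT-style) collection of privileges.
 * See also: smb_privset_xdr()
 *
 * priv[] is declared with ANY_SIZE_ARRAY (not defined in this header),
 * so sizeof (smb_privset_t) need not match the storage a given set
 * occupies. priv_cnt is presumably the number of valid priv[] entries.
 *
 * NOTE(review): a set that was decoded or copied from outside carries
 * its own priv_cnt; confirm that smb_privset_xdr() and the copy/merge
 * routines bound priv_cnt by the allocated size before indexing priv[].
 */
typedef struct smb_privset {
	uint32_t priv_cnt;
	uint32_t control;
	smb_luid_attrs_t priv[ANY_SIZE_ARRAY];
} smb_privset_t;

/*
 * These are possible values for smb_privinfo_t.flags
 *
 * PF_PRESENTABLE	Privilege is user visible
 */
#define	PF_PRESENTABLE	0x1

/*
 * Structure for passing privilege name and id information around within
 * the system. Note that we are only storing the low uint32_t of the LUID;
 * the high part is always zero here.
 */
typedef struct smb_privinfo {
	uint32_t id;
	char *name;
	char *display_name;
	uint16_t flags;
} smb_privinfo_t;

/*
 * Privilege lookup and privilege-set routines. The implementations are
 * not in this header: ownership of returned pointers, NULL returns and
 * the meaning of the int results must be confirmed there.
 *
 * smb_privset_new() and smb_privset_size() are declared with (void) so
 * that they are real prototypes and the compiler rejects calls that
 * pass arguments; an empty "()" list leaves the arguments unchecked in C.
 */
smb_privinfo_t *smb_priv_getbyvalue(uint32_t id);
smb_privinfo_t *smb_priv_getbyname(char *name);
int smb_priv_presentable_num(void);
/* num is presumably the capacity of ids[]; confirm against the caller. */
int smb_priv_presentable_ids(uint32_t *ids, int num);
smb_privset_t *smb_privset_new(void);
int smb_privset_size(void);
void smb_privset_init(smb_privset_t *privset);
void smb_privset_free(smb_privset_t *privset);
void smb_privset_copy(smb_privset_t *dst, smb_privset_t *src);
void smb_privset_merge(smb_privset_t *dst, smb_privset_t *src);
void smb_privset_enable(smb_privset_t *privset, uint32_t id);
int smb_privset_query(smb_privset_t *privset, uint32_t id);
void smb_privset_log(smb_privset_t *privset);

#ifdef __cplusplus
}
#endif

#endif /* _SMB_PRIVILEGE_H */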