source4/libcli/security/privilege.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    manipulate privileges
   5
   6    Copyright (C) Andrew Tridgell 2004
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 3 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  20 */
  21
  22 #include "includes.h"
  23 #include "librpc/gen_ndr/security.h"
  24 #include "libcli/security/security.h"
  25
  26
  27 static const struct {
  28         enum sec_privilege privilege;
  29         const char *name;
  30         const char *display_name;
  31 } privilege_names[] = {
  32         {SEC_PRIV_SECURITY,
  33          "SeSecurityPrivilege",
  34         "System security"},
  35
  36         {SEC_PRIV_BACKUP,
  37          "SeBackupPrivilege",
  38          "Backup files and directories"},
  39
  40         {SEC_PRIV_RESTORE,
  41          "SeRestorePrivilege",
  42         "Restore files and directories"},
  43
  44         {SEC_PRIV_SYSTEMTIME,
  45          "SeSystemtimePrivilege",
  46         "Set the system clock"},
  47
  48         {SEC_PRIV_SHUTDOWN,
  49          "SeShutdownPrivilege",
  50         "Shutdown the system"},
  51
  52         {SEC_PRIV_REMOTE_SHUTDOWN,
  53          "SeRemoteShutdownPrivilege",
  54         "Shutdown the system remotely"},
  55
  56         {SEC_PRIV_TAKE_OWNERSHIP,
  57          "SeTakeOwnershipPrivilege",
  58         "Take ownership of files and directories"},
  59
  60         {SEC_PRIV_DEBUG,
  61          "SeDebugPrivilege",
  62         "Debug processes"},
  63
  64         {SEC_PRIV_SYSTEM_ENVIRONMENT,
  65          "SeSystemEnvironmentPrivilege",
  66         "Modify system environment"},
  67
  68         {SEC_PRIV_SYSTEM_PROFILE,
  69          "SeSystemProfilePrivilege",
  70         "Profile the system"},
  71
  72         {SEC_PRIV_PROFILE_SINGLE_PROCESS,
  73          "SeProfileSingleProcessPrivilege",
  74         "Profile one process"},
  75
  76         {SEC_PRIV_INCREASE_BASE_PRIORITY,
  77          "SeIncreaseBasePriorityPrivilege",
  78          "Increase base priority"},
  79
  80         {SEC_PRIV_LOAD_DRIVER,
  81          "SeLoadDriverPrivilege",
  82         "Load drivers"},
  83
  84         {SEC_PRIV_CREATE_PAGEFILE,
  85          "SeCreatePagefilePrivilege",
  86         "Create page files"},
  87
  88         {SEC_PRIV_INCREASE_QUOTA,
  89          "SeIncreaseQuotaPrivilege",
  90         "Increase quota"},
  91
  92         {SEC_PRIV_CHANGE_NOTIFY,
  93          "SeChangeNotifyPrivilege",
  94         "Register for change notify"},
  95
  96         {SEC_PRIV_UNDOCK,
  97          "SeUndockPrivilege",
  98         "Undock devices"},
  99
 100         {SEC_PRIV_MANAGE_VOLUME,
 101          "SeManageVolumePrivilege",
 102         "Manage system volumes"},
 103
 104         {SEC_PRIV_IMPERSONATE,
 105          "SeImpersonatePrivilege",
 106         "Impersonate users"},
 107
 108         {SEC_PRIV_CREATE_GLOBAL,
 109          "SeCreateGlobalPrivilege",
 110         "Create global"},
 111
 112         {SEC_PRIV_ENABLE_DELEGATION,
 113          "SeEnableDelegationPrivilege",
 114         "Enable Delegation"},
 115
 116         {SEC_PRIV_INTERACTIVE_LOGON,
 117          "SeInteractiveLogonRight",
 118         "Interactive logon"},
 119
 120         {SEC_PRIV_NETWORK_LOGON,
 121          "SeNetworkLogonRight",
 122         "Network logon"},
 123
 124         {SEC_PRIV_REMOTE_INTERACTIVE_LOGON,
 125          "SeRemoteInteractiveLogonRight",
 126         "Remote Interactive logon"}
 127 };
 128
 129
 130 /*
 131   map a privilege id to the wire string constant
 132 */
 133 const char *sec_privilege_name(enum sec_privilege privilege)
 134 {
 135         int i;
 136         for (i=0;i<ARRAY_SIZE(privilege_names);i++) {
 137                 if (privilege_names[i].privilege == privilege) {
 138                         return privilege_names[i].name;
 139                 }
 140         }
 141         return NULL;
 142 }
 143
 144 /*
 145   map a privilege id to a privilege display name. Return NULL if not found
 146
 147   TODO: this should use language mappings
 148 */
 149 const char *sec_privilege_display_name(enum sec_privilege privilege, uint16_t *language)
 150 {
 151         int i;
 152         if (privilege < 1 || privilege > 64) {
 153                 return NULL;
 154         }
 155         for (i=0;i<ARRAY_SIZE(privilege_names);i++) {
 156                 if (privilege_names[i].privilege == privilege) {
 157                         return privilege_names[i].display_name;
 158                 }
 159         }
 160         return NULL;
 161 }
 162
 163 /*
 164   map a privilege name to a privilege id. Return -1 if not found
 165 */
 166 enum sec_privilege sec_privilege_id(const char *name)
 167 {
 168         int i;
 169         for (i=0;i<ARRAY_SIZE(privilege_names);i++) {
 170                 if (strcasecmp(privilege_names[i].name, name) == 0) {
 171                         return privilege_names[i].privilege;
 172                 }
 173         }
 174         return -1;
 175 }
 176
 177
 178 /*
 179   return a privilege mask given a privilege id
 180 */
 181 static uint64_t sec_privilege_mask(enum sec_privilege privilege)
 182 {
 183         uint64_t mask = 1;
 184
 185         if (privilege < 1 || privilege > 64) {
 186                 return 0;
 187         }
 188
 189         mask <<= (privilege-1);
 190         return mask;
 191 }
 192
 193
 194 /*
 195   return true if a security_token has a particular privilege bit set
 196 */
 197 bool security_token_has_privilege(const struct security_token *token, enum sec_privilege privilege)
 198 {
 199         uint64_t mask;
 200
 201         if (privilege < 1 || privilege > 64) {
 202                 return false;
 203         }
 204
 205         mask = sec_privilege_mask(privilege);
 206         if (token->privilege_mask & mask) {
 207                 return true;
 208         }
 209         return false;
 210 }
 211
 212 /*
 213   set a bit in the privilege mask
 214 */
 215 void security_token_set_privilege(struct security_token *token, enum sec_privilege privilege)
 216 {
 217         if (privilege < 1 || privilege > 64) {
 218                 return;
 219         }
 220         token->privilege_mask |= sec_privilege_mask(privilege);
 221 }
 222
 223 void security_token_debug_privileges(int dbg_lev, const struct security_token *token)
 224 {
 225         DEBUGADD(dbg_lev, (" Privileges (0x%16llX):\n",
 226                             (unsigned long long) token->privilege_mask));
 227
 228         if (token->privilege_mask) {
 229                 int i = 0;
 230                 uint_t privilege;
 231
 232                 for (privilege = 1; privilege <= 64; privilege++) {
 233                         uint64_t mask = sec_privilege_mask(privilege);
 234
 235                         if (token->privilege_mask & mask) {
 236                                 DEBUGADD(dbg_lev, ("  Privilege[%3lu]: %s\n", (unsigned long)i++,
 237                                         sec_privilege_name(privilege)));
 238                         }
 239                 }
 240         }
 241 }