2 Unix SMB/CIFS implementation.
6 Copyright (C) Andrew Tridgell 2004
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "librpc/gen_ndr/security.h"
24 #include "libcli/security/security.h"
28 enum sec_privilege privilege;
29 uint64_t privilege_mask;
31 const char *display_name;
32 } privilege_names[] = {
35 "SeSecurityPrivilege",
41 "Backup files and directories"},
46 "Restore files and directories"},
50 "SeSystemtimePrivilege",
51 "Set the system clock"},
55 "SeShutdownPrivilege",
56 "Shutdown the system"},
58 {SEC_PRIV_REMOTE_SHUTDOWN,
60 "SeRemoteShutdownPrivilege",
61 "Shutdown the system remotely"},
63 {SEC_PRIV_TAKE_OWNERSHIP,
65 "SeTakeOwnershipPrivilege",
66 "Take ownership of files and directories"},
73 {SEC_PRIV_SYSTEM_ENVIRONMENT,
74 SE_SYSTEM_ENVIRONMENT,
75 "SeSystemEnvironmentPrivilege",
76 "Modify system environment"},
78 {SEC_PRIV_SYSTEM_PROFILE,
80 "SeSystemProfilePrivilege",
81 "Profile the system"},
83 {SEC_PRIV_PROFILE_SINGLE_PROCESS,
84 SE_PROFILE_SINGLE_PROCESS,
85 "SeProfileSingleProcessPrivilege",
86 "Profile one process"},
88 {SEC_PRIV_INCREASE_BASE_PRIORITY,
89 SE_INCREASE_BASE_PRIORITY,
90 "SeIncreaseBasePriorityPrivilege",
91 "Increase base priority"},
93 {SEC_PRIV_LOAD_DRIVER,
95 "SeLoadDriverPrivilege",
98 {SEC_PRIV_CREATE_PAGEFILE,
100 "SeCreatePagefilePrivilege",
101 "Create page files"},
103 {SEC_PRIV_INCREASE_QUOTA,
105 "SeIncreaseQuotaPrivilege",
108 {SEC_PRIV_CHANGE_NOTIFY,
110 "SeChangeNotifyPrivilege",
111 "Register for change notify"},
118 {SEC_PRIV_MANAGE_VOLUME,
120 "SeManageVolumePrivilege",
121 "Manage system volumes"},
123 {SEC_PRIV_IMPERSONATE,
125 "SeImpersonatePrivilege",
126 "Impersonate users"},
128 {SEC_PRIV_CREATE_GLOBAL,
130 "SeCreateGlobalPrivilege",
133 {SEC_PRIV_ENABLE_DELEGATION,
134 SE_ENABLE_DELEGATION,
135 "SeEnableDelegationPrivilege",
136 "Enable Delegation"},
138 {SEC_PRIV_INTERACTIVE_LOGON,
139 SE_INTERACTIVE_LOGON,
140 "SeInteractiveLogonRight",
141 "Interactive logon"},
143 {SEC_PRIV_NETWORK_LOGON,
145 "SeNetworkLogonRight",
148 {SEC_PRIV_REMOTE_INTERACTIVE_LOGON,
149 SE_REMOTE_INTERACTIVE_LOGON,
150 "SeRemoteInteractiveLogonRight",
151 "Remote Interactive logon"},
153 {SEC_PRIV_MACHINE_ACCOUNT,
155 "SeMachineAccountPrivilege",
156 "Add workstations to domain"},
158 /* These last 3 are Samba only */
159 {SEC_PRIV_PRINT_OPERATOR,
161 "SePrintOperatorPrivilege",
166 "SeAddUsersPrivilege",
167 "Add users and groups to the domain"},
169 {SEC_PRIV_DISK_OPERATOR,
171 "SeDiskOperatorPrivilege",
172 "Manage disk shares"},
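/*
  map a privilege id to the wire string constant (e.g. "SeSecurityPrivilege").

  privilege: id to look up in privilege_names[]
  Returns the table's 'name' for that id, or NULL if the id is not in the table.
*/
const char *sec_privilege_name(enum sec_privilege privilege)
{
	size_t i;

	for (i = 0; i < ARRAY_SIZE(privilege_names); i++) {
		if (privilege_names[i].privilege == privilege) {
			return privilege_names[i].name;
		}
	}
	/* not a known privilege id */
	return NULL;
}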
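/*
  map a privilege id to a privilege display name. Return NULL if not found

  privilege: id to look up in privilege_names[]
  language:  currently ignored (see TODO); callers may pass NULL

  TODO: this should use language mappings
*/
const char *sec_privilege_display_name(enum sec_privilege privilege, uint16_t *language)
{
	size_t i;

	/* Reject ids outside 1..64 before scanning the table.
	   NOTE(review): presumably mirrors the 64-bit privilege_mask — confirm */
	if (privilege < 1 || privilege > 64) {
		return NULL;
	}
	for (i = 0; i < ARRAY_SIZE(privilege_names); i++) {
		if (privilege_names[i].privilege == privilege) {
			return privilege_names[i].display_name;
		}
	}
	/* in range but not defined in the table */
	return NULL;
}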
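/*
  map a privilege name to a privilege id. Return -1 if not found

  name: wire name such as "SeSecurityPrivilege"; matched case-insensitively.
        A NULL name is treated as "not found" rather than passed to strcasecmp().
*/
enum sec_privilege sec_privilege_id(const char *name)
{
	size_t i;

	if (name == NULL) {
		/* strcasecmp() on NULL is undefined behaviour */
		return -1;
	}
	for (i = 0; i < ARRAY_SIZE(privilege_names); i++) {
		if (strcasecmp(privilege_names[i].name, name) == 0) {
			return privilege_names[i].privilege;
		}
	}
	/* -1 is used as the "unknown privilege" sentinel throughout this file */
	return -1;
}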
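/*
  map a privilege mask to a privilege id. Return -1 if not found

  mask: a single privilege_mask value as stored in privilege_names[].
        The comparison is exact, so a mask with several bits set (or zero)
        never matches an entry and yields -1.
*/
enum sec_privilege sec_privilege_from_mask(uint64_t mask)
{
	size_t i;

	for (i = 0; i < ARRAY_SIZE(privilege_names); i++) {
		if (privilege_names[i].privilege_mask == mask) {
			return privilege_names[i].privilege;
		}
	}
	/* -1 is used as the "unknown privilege" sentinel throughout this file */
	return -1;
}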
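/*
  return a privilege mask given a privilege id

  privilege: id to look up in privilege_names[]
  Returns the entry's privilege_mask, or 0 when the id is unknown. Callers
  (security_token_has_privilege/security_token_set_privilege) rely on the
  0 return being a harmless no-op when OR-ed or AND-ed into a token mask.
*/
static uint64_t sec_privilege_mask(enum sec_privilege privilege)
{
	size_t i;

	for (i = 0; i < ARRAY_SIZE(privilege_names); i++) {
		if (privilege_names[i].privilege == privilege) {
			return privilege_names[i].privilege_mask;
		}
	}
	/* unknown privilege: no bits */
	return 0;
}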
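/*
  return true if a security_token has a particular privilege bit set

  token:     token whose privilege_mask is examined (must be non-NULL)
  privilege: id to test
  Returns false for an unknown id, since its mask is 0 and can never be set.
*/
bool security_token_has_privilege(const struct security_token *token, enum sec_privilege privilege)
{
	uint64_t mask = sec_privilege_mask(privilege);

	/* unknown privilege: nothing to test, so it is never "held" */
	if (mask == 0) {
		return false;
	}
	return (token->privilege_mask & mask) != 0;
}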
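/*
  set a bit in the privilege mask

  token:     token whose privilege_mask is updated (must be non-NULL)
  privilege: id to grant; an unknown id leaves the mask unchanged
*/
void security_token_set_privilege(struct security_token *token, enum sec_privilege privilege)
{
	/* Relies on the fact that an invalid privilege will return mask 0,
	   so OR-ing it in won't change this */
	token->privilege_mask |= sec_privilege_mask(privilege);
}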
281 void security_token_debug_privileges(int dbg_lev, const struct security_token *token)
283 DEBUGADD(dbg_lev, (" Privileges (0x%16llX):\n",
284 (unsigned long long) token->privilege_mask));
286 if (token->privilege_mask) {
289 for (mask = 1; mask != 0; mask = mask << 1) {
290 if (token->privilege_mask & mask) {
291 enum sec_privilege privilege = sec_privilege_from_mask(mask);
292 DEBUGADD(dbg_lev, (" Privilege[%3lu]: %s\n", (unsigned long)i++,
293 sec_privilege_name(privilege)));