misc.idl: add SEC_CHAN_LOCAL and SEC_CHAN_LANMAN
[garming/samba-autobuild/.git] / librpc / idl / security.idl
index 59d3f5c1434d5afe5557cce34edd8da90a40ac31..266af49caa6921124ebd590ecda2fdb0a9e57352 100644 (file)
@@ -32,6 +32,8 @@ cpp_quote("#define dom_sid0 dom_sid")
 interface security
 {
 
+       typedef bitmap lsa_SystemAccessModeFlags lsa_SystemAccessModeFlags;
+
        typedef [public,gensize,noprint,nosize,nopull,nopush] struct {
                uint8  sid_rev_num;             /**< SID revision number */
                [range(0,15)] int8  num_auths;  /**< Number of sub-authorities */
@@ -316,49 +318,55 @@ interface security
        const int BUILTIN_RID_TS_LICENSE_SERVERS        = 561;
 
 /********************************************************************
- This is a list of privileges reported by a WIndows 2000 SP4 AD DC
+ This is a list of privileges reported by a WIndows 2008 R2 DC
  just for reference purposes (and I know the LUID is not guaranteed
  across reboots):
 
-            SeCreateTokenPrivilege  Create a token object ( 0x0, 0x2 )
-     SeAssignPrimaryTokenPrivilege  Replace a process level token ( 0x0, 0x3 )
-             SeLockMemoryPrivilege  Lock pages in memory ( 0x0, 0x4 )
-          SeIncreaseQuotaPrivilege  Increase quotas ( 0x0, 0x5 )
-         SeMachineAccountPrivilege  Add workstations to domain ( 0x0, 0x6 )
-                    SeTcbPrivilege  Act as part of the operating system ( 0x0, 0x7 )
-               SeSecurityPrivilege  Manage auditing and security log ( 0x0, 0x8 )
-          SeTakeOwnershipPrivilege  Take ownership of files or other objects ( 0x0, 0x9 )
-             SeLoadDriverPrivilege  Load and unload device drivers ( 0x0, 0xa )
-          SeSystemProfilePrivilege  Profile system performance ( 0x0, 0xb )
-             SeSystemtimePrivilege  Change the system time ( 0x0, 0xc )
-   SeProfileSingleProcessPrivilege  Profile single process ( 0x0, 0xd )
-   SeIncreaseBasePriorityPrivilege  Increase scheduling priority ( 0x0, 0xe )
-         SeCreatePagefilePrivilege  Create a pagefile ( 0x0, 0xf )
-        SeCreatePermanentPrivilege  Create permanent shared objects ( 0x0, 0x10 )
-                 SeBackupPrivilege  Back up files and directories ( 0x0, 0x11 )
-                SeRestorePrivilege  Restore files and directories ( 0x0, 0x12 )
-               SeShutdownPrivilege  Shut down the system ( 0x0, 0x13 )
-                  SeDebugPrivilege  Debug programs ( 0x0, 0x14 )
-                  SeAuditPrivilege  Generate security audits ( 0x0, 0x15 )
-      SeSystemEnvironmentPrivilege  Modify firmware environment values ( 0x0, 0x16 )
-           SeChangeNotifyPrivilege  Bypass traverse checking ( 0x0, 0x17 )
-         SeRemoteShutdownPrivilege  Force shutdown from a remote system ( 0x0, 0x18 )
-                 SeUndockPrivilege  Remove computer from docking station ( 0x0, 0x19 )
-              SeSyncAgentPrivilege  Synchronize directory service data ( 0x0, 0x1a )
-       SeEnableDelegationPrivilege  Enable computer and user accounts to be trusted for delegation ( 0x0, 0x1b )
-           SeManageVolumePrivilege  Perform volume maintenance tasks ( 0x0, 0x1c )
-            SeImpersonatePrivilege  Impersonate a client after authentication ( 0x0, 0x1d )
-           SeCreateGlobalPrivilege  Create global objects ( 0x0, 0x1e )
+0x00000002          SeCreateTokenPrivilege "Create a token object"
+0x00000003   SeAssignPrimaryTokenPrivilege "Replace a process level token"
+0x00000004           SeLockMemoryPrivilege "Lock pages in memory"
+0x00000005        SeIncreaseQuotaPrivilege "Adjust memory quotas for a process"
+0x00000006       SeMachineAccountPrivilege "Add workstations to domain"
+0x00000007                  SeTcbPrivilege "Act as part of the operating system"
+0x00000008             SeSecurityPrivilege "Manage auditing and security log"
+0x00000009        SeTakeOwnershipPrivilege "Take ownership of files or other objects"
+0x0000000a           SeLoadDriverPrivilege "Load and unload device drivers"
+0x0000000b        SeSystemProfilePrivilege "Profile system performance"
+0x0000000c           SeSystemtimePrivilege "Change the system time"
+0x0000000d SeProfileSingleProcessPrivilege "Profile single process"
+0x0000000e SeIncreaseBasePriorityPrivilege "Increase scheduling priority"
+0x0000000f       SeCreatePagefilePrivilege "Create a pagefile"
+0x00000010      SeCreatePermanentPrivilege "Create permanent shared objects"
+0x00000011               SeBackupPrivilege "Back up files and directories"
+0x00000012              SeRestorePrivilege "Restore files and directories"
+0x00000013             SeShutdownPrivilege "Shut down the system"
+0x00000014                SeDebugPrivilege "Debug programs"
+0x00000015                SeAuditPrivilege "Generate security audits"
+0x00000016    SeSystemEnvironmentPrivilege "Modify firmware environment values"
+0x00000017         SeChangeNotifyPrivilege "Bypass traverse checking"
+0x00000018       SeRemoteShutdownPrivilege "Force shutdown from a remote system"
+0x00000019               SeUndockPrivilege "Remove computer from docking station"
+0x0000001a            SeSyncAgentPrivilege "Synchronize directory service data"
+0x0000001b     SeEnableDelegationPrivilege "Enable computer and user accounts to be trusted for delegation"
+0x0000001c         SeManageVolumePrivilege "Perform volume maintenance tasks"
+0x0000001d          SeImpersonatePrivilege "Impersonate a client after authentication"
+0x0000001e         SeCreateGlobalPrivilege "Create global objects"
+0x0000001f SeTrustedCredManAccessPrivilege "Access Credential Manager as a trusted caller"
+0x00000020              SeRelabelPrivilege "Modify an object label"
+0x00000021   SeIncreaseWorkingSetPrivilege "Increase a process working set"
+0x00000022             SeTimeZonePrivilege "Change the time zone"
+0x00000023   SeCreateSymbolicLinkPrivilege "Create symbolic links"
 
  ********************************************************************/
 
-       /* LUID values for privileges known about by Samba (bottom 32 bit of enum, top bits are 0) */
+       /* LUID values for privileges known about by Samba (bottom 32 bits of enum, top bits are 0) */
 
        /* we have to define the LUID here due to a horrible check by printmig.exe
           that requires the SeBackupPrivilege match what is in Windows.  So match
           those that we implement and start Samba privileges at 0x1001 */
 
        typedef enum {
+               SEC_PRIV_INVALID                   = 0x0,
                SEC_PRIV_INCREASE_QUOTA            = 0x5,
                SEC_PRIV_MACHINE_ACCOUNT           = 0x6,
                SEC_PRIV_SECURITY                  = 0x8,
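Review bot: The new `SEC_PRIV_INVALID = 0x0` entry at the top of `sec_privilege` has no comment saying it is a sentinel rather than a grantable privilege. I would add `/* not a privilege: used when a name or LUID is unknown; must map to an empty se_privilege mask */` above it, assuming that is the intent, so lookup helpers never translate it into a set bit. The enum body continues outside this hunk, so I cannot see whether the code that maps enum values to `se_privilege` bits handles 0. Separately, the reference comment still spells `WIndows` on the changed line, and it now lists LUIDs 0x1f to 0x23 that the visible part of the enum does not define; one sentence saying the list is wider than what Samba implements would avoid confusion.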
@@ -384,11 +392,7 @@ interface security
                /* Samba-specific privs */
                SEC_PRIV_PRINT_OPERATOR            = 0x1001,
                SEC_PRIV_ADD_USERS                 = 0x1002,
-               SEC_PRIV_DISK_OPERATOR             = 0x1003,
-               /* Windows privs not in the list above */
-               SEC_PRIV_INTERACTIVE_LOGON         = 0x2022,
-               SEC_PRIV_NETWORK_LOGON             = 0x2023,
-               SEC_PRIV_REMOTE_INTERACTIVE_LOGON  = 0x2024
+               SEC_PRIV_DISK_OPERATOR             = 0x1003
        } sec_privilege;
 
 
@@ -397,42 +401,54 @@ interface security
         * as a bitmap (privilages.ldb uses the string forms).
         */
        typedef [bitmap64bit] bitmap {
-               SE_NETWORK_LOGON                = 0x00000001,
-               SE_INTERACTIVE_LOGON            = 0x00000002,
-               SE_BATCH_LOGON                  = 0x00000004,
-               SE_SERVICE_LOGON                = 0x00000008,
-               SE_MACHINE_ACCOUNT              = 0x00000010,
+               SEC_PRIV_MACHINE_ACCOUNT_BIT            = 0x00000010,
 
                /* Samba-specific privs */
-               SE_PRINT_OPERATOR               = 0x00000020,
-               SE_ADD_USERS                    = 0x00000040,
-               SE_DISK_OPERATOR                = 0x00000080,
-
-               SE_REMOTE_SHUTDOWN              = 0x00000100,
-               SE_BACKUP                       = 0x00000200,
-               SE_RESTORE                      = 0x00000400,
-               SE_TAKE_OWNERSHIP               = 0x00000800,
-               SE_INCREASE_QUOTA               = 0x00001000,
-               SE_SECURITY                     = 0x00002000,
-               SE_LOAD_DRIVER                  = 0x00004000,
-               SE_SYSTEM_PROFILE               = 0x00008000,
-               SE_SYSTEMTIME                   = 0x00010000,
-               SE_PROFILE_SINGLE_PROCESS       = 0x00020000,
-               SE_INCREASE_BASE_PRIORITY       = 0x00040000,
-               SE_CREATE_PAGEFILE              = 0x00080000,
-               SE_SHUTDOWN                     = 0x00100000,
-               SE_DEBUG                        = 0x00200000,
-               SE_SYSTEM_ENVIRONMENT           = 0x00400000,
-               SE_CHANGE_NOTIFY                = 0x00800000,
-               SE_UNDOCK                       = 0x01000000,
-               SE_ENABLE_DELEGATION            = 0x02000000,
-               SE_MANAGE_VOLUME                = 0x04000000,
-               SE_IMPERSONATE                  = 0x08000000,
-               SE_CREATE_GLOBAL                = 0x10000000,
-               /* Windows privs not in the list above */
-               SE_REMOTE_INTERACTIVE_LOGON     = 0x20000000
+               SEC_PRIV_PRINT_OPERATOR_BIT             = 0x00000020,
+               SEC_PRIV_ADD_USERS_BIT                  = 0x00000040,
+               SEC_PRIV_DISK_OPERATOR_BIT              = 0x00000080,
+
+               SEC_PRIV_REMOTE_SHUTDOWN_BIT            = 0x00000100,
+               SEC_PRIV_BACKUP_BIT                     = 0x00000200,
+               SEC_PRIV_RESTORE_BIT                    = 0x00000400,
+               SEC_PRIV_TAKE_OWNERSHIP_BIT             = 0x00000800,
+               /* End of privilages implemented before merge to common code */
+
+               SEC_PRIV_INCREASE_QUOTA_BIT               = 0x00001000,
+               SEC_PRIV_SECURITY_BIT                     = 0x00002000,
+               SEC_PRIV_LOAD_DRIVER_BIT                  = 0x00004000,
+               SEC_PRIV_SYSTEM_PROFILE_BIT               = 0x00008000,
+               SEC_PRIV_SYSTEMTIME_BIT                   = 0x00010000,
+               SEC_PRIV_PROFILE_SINGLE_PROCESS_BIT       = 0x00020000,
+               SEC_PRIV_INCREASE_BASE_PRIORITY_BIT       = 0x00040000,
+               SEC_PRIV_CREATE_PAGEFILE_BIT              = 0x00080000,
+               SEC_PRIV_SHUTDOWN_BIT                     = 0x00100000,
+               SEC_PRIV_DEBUG_BIT                        = 0x00200000,
+               SEC_PRIV_SYSTEM_ENVIRONMENT_BIT           = 0x00400000,
+               SEC_PRIV_CHANGE_NOTIFY_BIT                = 0x00800000,
+               SEC_PRIV_UNDOCK_BIT                       = 0x01000000,
+               SEC_PRIV_ENABLE_DELEGATION_BIT            = 0x02000000,
+               SEC_PRIV_MANAGE_VOLUME_BIT                = 0x04000000,
+               SEC_PRIV_IMPERSONATE_BIT                  = 0x08000000,
+               SEC_PRIV_CREATE_GLOBAL_BIT                = 0x10000000
        } se_privilege;
 
+       typedef [bitmap32bit] bitmap {
+               LSA_POLICY_MODE_INTERACTIVE             = 0x00000001,
+               LSA_POLICY_MODE_NETWORK                 = 0x00000002,
+               LSA_POLICY_MODE_BATCH                   = 0x00000004,
+               LSA_POLICY_MODE_SERVICE                 = 0x00000010,
+               LSA_POLICY_MODE_PROXY                   = 0x00000020,
+               LSA_POLICY_MODE_DENY_INTERACTIVE        = 0x00000040,
+               LSA_POLICY_MODE_DENY_NETWORK            = 0x00000080,
+               LSA_POLICY_MODE_DENY_BATCH              = 0x00000100,
+               LSA_POLICY_MODE_DENY_SERVICE            = 0x00000200,
+               LSA_POLICY_MODE_REMOTE_INTERACTIVE      = 0x00000400,
+               LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE = 0x00000800,
+               LSA_POLICY_MODE_ALL                     = 0x00000FF7,
+               LSA_POLICY_MODE_ALL_NT4                 = 0x00000037
+       } lsa_SystemAccessModeFlags;
+
        typedef [public,bitmap8bit] bitmap {
                SEC_ACE_FLAG_OBJECT_INHERIT             = 0x01,
                SEC_ACE_FLAG_CONTAINER_INHERIT          = 0x02,
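Review bot: Bits 0x00000001 to 0x00000008 and 0x20000000 of `se_privilege` are left unassigned without a comment once the logon rights move to `lsa_SystemAccessModeFlags`, so a later addition could reuse them and any previously stored mask that still has them set would be read as granting the new privilege. I would reserve them explicitly, e.g. `/* 0x00000001-0x00000008 and 0x20000000 were logon rights, now in lsa_SystemAccessModeFlags; do not reuse */`. The new bitmap also does not keep the old bit positions (`SE_NETWORK_LOGON` was 0x1 and `SE_INTERACTIVE_LOGON` 0x2, while `LSA_POLICY_MODE_INTERACTIVE` is 0x1 and `LSA_POLICY_MODE_NETWORK` 0x2, and the remote-interactive right moves from 0x20000000 to 0x400), so any conversion of old masks has to go by name rather than by copying bits; whether such masks are persisted anywhere is not visible here. A short comment that 0x00000008 is intentionally skipped in `lsa_SystemAccessModeFlags`, consistent with `LSA_POLICY_MODE_ALL = 0x00000FF7`, would also help the next reader.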
@@ -553,10 +569,12 @@ interface security
                [subcontext(4)] security_descriptor *sd;
        } sec_desc_buf;
 
+       /* This is not yet sent over the network, but is simply defined in IDL */
        typedef [public] struct {
                uint32 num_sids;
                [size_is(num_sids)] dom_sid sids[*];
-               udlong privilege_mask;
+               se_privilege privilege_mask;
+               lsa_SystemAccessModeFlags rights_mask;
        } security_token;
 
        /* bits that determine which parts of a security descriptor
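Review bot: `security_token` gains `rights_mask` with nothing stating that it must be initialised, and access decisions will presumably read it; any code path that builds a token field by field without zeroing the struct would leave it indeterminate. I would extend the new comment to something like `/* rights_mask carries logon rights (lsa_SystemAccessModeFlags); every constructor must set it, 0 meaning no rights */` and check the token constructors, which are outside this hunk. Because the struct is `[public]`, the generated push/pull layout also changes with the added field and with `udlong` becoming a `[bitmap64bit]` type, so anything that already marshals a token (the new comment says the network does not, yet) needs both sides rebuilt together.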