r836: get rid of SEC_DESC and related structure definitions
[ira/wip.git] / source4 / include / rpc_secdes.h
1 /* 
2    Unix SMB/CIFS implementation.
3    SMB parameters and setup
4    Copyright (C) Andrew Tridgell              1992-2000
5    Copyright (C) Luke Kenneth Casson Leighton 1996-2000
6    
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License as published by
9    the Free Software Foundation; either version 2 of the License, or
10    (at your option) any later version.
11    
12    This program is distributed in the hope that it will be useful,
13    but WITHOUT ANY WARRANTY; without even the implied warranty of
14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15    GNU General Public License for more details.
16    
17    You should have received a copy of the GNU General Public License
18    along with this program; if not, write to the Free Software
19    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
20 */
21
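#ifndef _RPC_SECDES_H /* _RPC_SECDES_H */
#define _RPC_SECDES_H
/*
 * Constants for NT security descriptors, ACEs and access masks.
 *
 * NOTE(review): the guard name starts with an underscore followed by an
 * upper-case letter, a form C reserves for the implementation. It is kept
 * unchanged here because other files may test it.
 */

/*
 * Opaque alias for struct security_descriptor; the structure itself is not
 * defined in this header.  The typedef sits inside the include guard so that
 * including this header twice does not repeat it (a repeated typedef is
 * rejected by compilers older than C11).
 */
typedef struct security_descriptor SEC_DESC;

/*
 * Object-specific rights.  No comment in the original says which object
 * these belong to; the names suggest registry keys -- confirm against callers.
 *
 * SEC_RIGHTS_READ         = 0x00020000 | QUERY_VALUE | ENUM_SUBKEYS | NOTIFY
 * SEC_RIGHTS_FULL_CONTROL = 0x000f0000 | all six specific bits (0x3f)
 *
 * SEC_RIGHTS_MAXIMUM_ALLOWED has the same value as SEC_RIGHT_MAXIMUM_ALLOWED
 * further down; keep the two in step.
 */
#define SEC_RIGHTS_QUERY_VALUE          0x00000001
#define SEC_RIGHTS_SET_VALUE            0x00000002
#define SEC_RIGHTS_CREATE_SUBKEY        0x00000004
#define SEC_RIGHTS_ENUM_SUBKEYS         0x00000008
#define SEC_RIGHTS_NOTIFY               0x00000010
#define SEC_RIGHTS_CREATE_LINK          0x00000020
#define SEC_RIGHTS_READ                 0x00020019
#define SEC_RIGHTS_FULL_CONTROL         0x000f003f
#define SEC_RIGHTS_MAXIMUM_ALLOWED      0x02000000

/*
 * for ADS
 *
 * These reuse the same low bit positions as the block above with different
 * meanings, so a mask can only be interpreted together with the type of the
 * object it applies to.
 *
 * SEC_RIGHTS_CHANGE_PASSWD and SEC_RIGHTS_RESET_PASSWD are both aliases of
 * SEC_RIGHTS_EXTENDED: the mask bit alone cannot tell the two apart, so an
 * access check must not treat "bit 0x100 set" as proof of one particular
 * extended right.
 *
 * SEC_RIGHTS_FULL_CTRL = 0xf0000 | 0x1ff, i.e. every bit defined in this
 * block.
 */
#define SEC_RIGHTS_LIST_CONTENTS        0x4
#define SEC_RIGHTS_LIST_OBJECT          0x80
#define SEC_RIGHTS_READ_ALL_PROP        0x10
#define SEC_RIGHTS_READ_PERMS           0x20000
#define SEC_RIGHTS_WRITE_ALL_VALID      0x8
#define SEC_RIGHTS_WRITE_ALL_PROP       0x20
#define SEC_RIGHTS_MODIFY_OWNER         0x80000
#define SEC_RIGHTS_MODIFY_PERMS         0x40000
#define SEC_RIGHTS_CREATE_CHILD         0x1
#define SEC_RIGHTS_DELETE_CHILD         0x2
#define SEC_RIGHTS_DELETE_SUBTREE       0x40
#define SEC_RIGHTS_DELETE               0x10000 /* advanced/special/object/delete */
#define SEC_RIGHTS_EXTENDED             0x100 /* change/reset password, receive/send as */
#define SEC_RIGHTS_CHANGE_PASSWD        SEC_RIGHTS_EXTENDED
#define SEC_RIGHTS_RESET_PASSWD         SEC_RIGHTS_EXTENDED
#define SEC_RIGHTS_FULL_CTRL            0xf01ff

/* Flags of an object ACE: which optional fields are present. */
#define SEC_ACE_OBJECT_PRESENT           0x00000001 /* thanks to Jim McDonough <jmcd@us.ibm.com> */
#define SEC_ACE_OBJECT_INHERITED_PRESENT 0x00000002

/*
 * ACE header flags.
 *
 * SEC_ACE_FLAG_VALID_INHERIT (0xf) is the union of the four inheritance
 * control bits 0x1..0x8.  It does not include SEC_ACE_FLAG_INHERITED_ACE
 * (0x10), so masking with it drops the "this ACE was inherited" marker.
 */
#define SEC_ACE_FLAG_OBJECT_INHERIT             0x1
#define SEC_ACE_FLAG_CONTAINER_INHERIT          0x2
#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT       0x4
#define SEC_ACE_FLAG_INHERIT_ONLY               0x8
#define SEC_ACE_FLAG_INHERITED_ACE              0x10 /* New for Windows 2000 */
#define SEC_ACE_FLAG_VALID_INHERIT              0xf
#define SEC_ACE_FLAG_SUCCESSFUL_ACCESS          0x40
#define SEC_ACE_FLAG_FAILED_ACCESS              0x80

/*
 * ACE types.  Code that evaluates an ACL should handle every type it does
 * not recognise explicitly rather than falling through to "allowed".
 */
#define SEC_ACE_TYPE_ACCESS_ALLOWED             0x0
#define SEC_ACE_TYPE_ACCESS_DENIED              0x1
#define SEC_ACE_TYPE_SYSTEM_AUDIT               0x2
#define SEC_ACE_TYPE_SYSTEM_ALARM               0x3
#define SEC_ACE_TYPE_ALLOWED_COMPOUND           0x4
#define SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT      0x5
#define SEC_ACE_TYPE_ACCESS_DENIED_OBJECT       0x6
#define SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT        0x7
#define SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT        0x8

/*
 * Security descriptor control bits.
 *
 * In Windows semantics a descriptor without SEC_DESC_DACL_PRESENT has no
 * DACL and access is unrestricted, while a DACL that is present but empty
 * denies everything.  Callers must not treat the two cases alike.
 */
#define SEC_DESC_OWNER_DEFAULTED        0x0001
#define SEC_DESC_GROUP_DEFAULTED        0x0002
#define SEC_DESC_DACL_PRESENT           0x0004
#define SEC_DESC_DACL_DEFAULTED         0x0008
#define SEC_DESC_SACL_PRESENT           0x0010
#define SEC_DESC_SACL_DEFAULTED         0x0020
#define SEC_DESC_DACL_TRUSTED           0x0040
#define SEC_DESC_SERVER_SECURITY        0x0080
/*
 * New Windows 2000 bits.
 *
 * NOTE(review): these use the prefix SE_DESC_ while the rest of the control
 * bits use SEC_DESC_.  The names are part of the header's interface and are
 * left as they are.
 */
#define SE_DESC_DACL_AUTO_INHERIT_REQ   0x0100
#define SE_DESC_SACL_AUTO_INHERIT_REQ   0x0200
#define SE_DESC_DACL_AUTO_INHERITED     0x0400
#define SE_DESC_SACL_AUTO_INHERITED     0x0800
#define SE_DESC_DACL_PROTECTED          0x1000
#define SE_DESC_SACL_PROTECTED          0x2000

/*
 * The original comment read "Don't know what this means."  In the Windows
 * control word this bit (SE_RM_CONTROL_VALID) marks the descriptor's
 * reserved byte as carrying resource-manager control bits.
 */
#define SEC_DESC_RM_CONTROL_VALID       0x4000

/*
 * Descriptor is in self-relative form: owner, group and ACLs are located by
 * offsets inside one buffer.  Code parsing such a buffer from the wire must
 * bounds-check every offset before following it.
 */
#define SEC_DESC_SELF_RELATIVE          0x8000

/* security information */
#define OWNER_SECURITY_INFORMATION      0x00000001
#define GROUP_SECURITY_INFORMATION      0x00000002
#define DACL_SECURITY_INFORMATION       0x00000004
#define SACL_SECURITY_INFORMATION       0x00000008
/*
 * Extra W2K flags.
 *
 * 0x80000000 does not fit in a signed 32-bit int, so that literal (and any
 * expression containing it, including ALL_SECURITY_INFORMATION) has an
 * unsigned type.  Store these values in unsigned 32-bit variables.
 */
#define UNPROTECTED_SACL_SECURITY_INFORMATION   0x10000000
#define UNPROTECTED_DACL_SECURITY_INFORMATION   0x20000000
#define PROTECTED_SACL_SECURITY_INFORMATION     0x40000000
#define PROTECTED_DACL_SECURITY_INFORMATION     0x80000000

/* Union of every *_SECURITY_INFORMATION bit above: 0xF000000F. */
#define ALL_SECURITY_INFORMATION (OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION|\
                                        DACL_SECURITY_INFORMATION|SACL_SECURITY_INFORMATION|\
                                        UNPROTECTED_SACL_SECURITY_INFORMATION|\
                                        UNPROTECTED_DACL_SECURITY_INFORMATION|\
                                        PROTECTED_SACL_SECURITY_INFORMATION|\
                                        PROTECTED_DACL_SECURITY_INFORMATION)

/* Revision numbers; each may be pre-defined by an including file. */
#ifndef ACL_REVISION
#define ACL_REVISION 0x3
#endif

#ifndef NT4_ACL_REVISION
#define NT4_ACL_REVISION 0x2
#endif

#ifndef SEC_DESC_REVISION
#define SEC_DESC_REVISION 0x1
#endif


/*
 * Security Access Masks Rights
 *
 * Layout of the 32-bit access mask as given by the three masks below:
 * bits 0-15 object-specific rights, bits 16-23 standard rights,
 * bits 28-31 generic rights.
 */

#define SPECIFIC_RIGHTS_MASK    0x0000FFFF
#define STANDARD_RIGHTS_MASK    0x00FF0000
#define GENERIC_RIGHTS_MASK     0xF0000000

/*
 * SEC_RIGHT_MAXIMUM_ALLOWED is a request flag ("give me whatever I am
 * entitled to"); it is not itself a right to record as granted.
 */
#define SEC_RIGHT_SYSTEM_SECURITY       0x01000000
#define SEC_RIGHT_MAXIMUM_ALLOWED       0x02000000

/*
 * Generic access rights
 *
 * GENERIC_RIGHT_READ_ACCESS is 0x80000000 and therefore unsigned; see the
 * note on the security-information flags above.
 */

#define GENERIC_RIGHT_ALL_ACCESS        0x10000000
#define GENERIC_RIGHT_EXECUTE_ACCESS    0x20000000
#define GENERIC_RIGHT_WRITE_ACCESS      0x40000000
#define GENERIC_RIGHT_READ_ACCESS       0x80000000

/* Standard access rights. */

#define STD_RIGHT_DELETE_ACCESS         0x00010000
#define STD_RIGHT_READ_CONTROL_ACCESS   0x00020000
#define STD_RIGHT_WRITE_DAC_ACCESS      0x00040000
#define STD_RIGHT_WRITE_OWNER_ACCESS    0x00080000
#define STD_RIGHT_SYNCHRONIZE_ACCESS    0x00100000

#define STD_RIGHT_ALL_ACCESS            0x001F0000

/*
 * Combinations of standard masks.
 *
 * READ, WRITE and EXECUTE all map to STD_RIGHT_READ_CONTROL_ACCESS.  This
 * matches the Windows definitions and is intentional: "write" here does not
 * include WRITE_DAC or WRITE_OWNER.  Changing it would silently widen every
 * GENERIC_RIGHTS_*_WRITE mask built from it below.
 */
#define STANDARD_RIGHTS_ALL_ACCESS      STD_RIGHT_ALL_ACCESS /* 0x001f0000 */
#define STANDARD_RIGHTS_EXECUTE_ACCESS  STD_RIGHT_READ_CONTROL_ACCESS /* 0x00020000 */
#define STANDARD_RIGHTS_READ_ACCESS     STD_RIGHT_READ_CONTROL_ACCESS /* 0x00020000 */
#define STANDARD_RIGHTS_WRITE_ACCESS    STD_RIGHT_READ_CONTROL_ACCESS /* 0x00020000 */
#define STANDARD_RIGHTS_REQUIRED_ACCESS \
                (STD_RIGHT_DELETE_ACCESS        | \
                STD_RIGHT_READ_CONTROL_ACCESS   | \
                STD_RIGHT_WRITE_DAC_ACCESS      | \
                STD_RIGHT_WRITE_OWNER_ACCESS)   /* 0x000f0000 */

/*
 * The SA_RIGHT_* groups that follow all occupy the low 16 bits and overlap
 * one another from one object type to the next.  The GENERIC_RIGHTS_* macros
 * give, per object type, the specific mask each generic right expands to.
 */

/* File Object specific access rights */

#define SA_RIGHT_FILE_READ_DATA         0x00000001
#define SA_RIGHT_FILE_WRITE_DATA        0x00000002
#define SA_RIGHT_FILE_APPEND_DATA       0x00000004
#define SA_RIGHT_FILE_READ_EA           0x00000008
#define SA_RIGHT_FILE_WRITE_EA          0x00000010
#define SA_RIGHT_FILE_EXECUTE           0x00000020
#define SA_RIGHT_FILE_DELETE_CHILD      0x00000040
#define SA_RIGHT_FILE_READ_ATTRIBUTES   0x00000080
#define SA_RIGHT_FILE_WRITE_ATTRIBUTES  0x00000100

#define SA_RIGHT_FILE_ALL_ACCESS        0x000001FF

#define GENERIC_RIGHTS_FILE_ALL_ACCESS \
                (STANDARD_RIGHTS_REQUIRED_ACCESS| \
                STD_RIGHT_SYNCHRONIZE_ACCESS    | \
                SA_RIGHT_FILE_ALL_ACCESS)       /* 0x001f01ff */

#define GENERIC_RIGHTS_FILE_READ        \
                (STANDARD_RIGHTS_READ_ACCESS    | \
                STD_RIGHT_SYNCHRONIZE_ACCESS    | \
                SA_RIGHT_FILE_READ_DATA         | \
                SA_RIGHT_FILE_READ_ATTRIBUTES   | \
                SA_RIGHT_FILE_READ_EA)

#define GENERIC_RIGHTS_FILE_WRITE \
                (STANDARD_RIGHTS_WRITE_ACCESS   | \
                STD_RIGHT_SYNCHRONIZE_ACCESS    | \
                SA_RIGHT_FILE_WRITE_DATA        | \
                SA_RIGHT_FILE_WRITE_ATTRIBUTES  | \
                SA_RIGHT_FILE_WRITE_EA          | \
                SA_RIGHT_FILE_APPEND_DATA)

#define GENERIC_RIGHTS_FILE_EXECUTE \
                (STANDARD_RIGHTS_EXECUTE_ACCESS | \
                SA_RIGHT_FILE_READ_ATTRIBUTES   | \
                SA_RIGHT_FILE_EXECUTE)


/*
 * directory specific access rights
 *
 * Same bit positions as the file rights with values 0x1, 0x2, 0x4, 0x20 and
 * 0x40, under directory names.
 */
#define SA_RIGHT_DIR_LIST              0x0001
#define SA_RIGHT_DIR_ADD_FILE          0x0002
#define SA_RIGHT_DIR_ADD_SUBDIRECTORY  0x0004
#define SA_RIGHT_DIR_TRAVERSE          0x0020
#define SA_RIGHT_DIR_DELETE_CHILD      0x0040


/* SAM server specific access rights */

#define SA_RIGHT_SAM_CONNECT_SERVER     0x00000001
#define SA_RIGHT_SAM_SHUTDOWN_SERVER    0x00000002
#define SA_RIGHT_SAM_INITIALISE_SERVER  0x00000004
#define SA_RIGHT_SAM_CREATE_DOMAIN      0x00000008
#define SA_RIGHT_SAM_ENUM_DOMAINS       0x00000010
#define SA_RIGHT_SAM_OPEN_DOMAIN        0x00000020

#define SA_RIGHT_SAM_ALL_ACCESS         0x0000003F

#define GENERIC_RIGHTS_SAM_ALL_ACCESS \
                (STANDARD_RIGHTS_REQUIRED_ACCESS| \
                SA_RIGHT_SAM_ALL_ACCESS)

#define GENERIC_RIGHTS_SAM_READ \
                (STANDARD_RIGHTS_READ_ACCESS    | \
                SA_RIGHT_SAM_ENUM_DOMAINS)

#define GENERIC_RIGHTS_SAM_WRITE \
                (STANDARD_RIGHTS_WRITE_ACCESS   | \
                SA_RIGHT_SAM_CREATE_DOMAIN      | \
                SA_RIGHT_SAM_INITIALISE_SERVER  | \
                SA_RIGHT_SAM_SHUTDOWN_SERVER)

#define GENERIC_RIGHTS_SAM_EXECUTE \
                (STANDARD_RIGHTS_EXECUTE_ACCESS | \
                SA_RIGHT_SAM_OPEN_DOMAIN        | \
                SA_RIGHT_SAM_CONNECT_SERVER)


/* Domain Object specific access rights */

#define SA_RIGHT_DOMAIN_LOOKUP_INFO_1           0x00000001
#define SA_RIGHT_DOMAIN_SET_INFO_1              0x00000002
#define SA_RIGHT_DOMAIN_LOOKUP_INFO_2           0x00000004
#define SA_RIGHT_DOMAIN_SET_INFO_2              0x00000008
#define SA_RIGHT_DOMAIN_CREATE_USER             0x00000010
#define SA_RIGHT_DOMAIN_CREATE_GROUP            0x00000020
#define SA_RIGHT_DOMAIN_CREATE_ALIAS            0x00000040
#define SA_RIGHT_DOMAIN_LOOKUP_ALIAS_BY_MEM     0x00000080
#define SA_RIGHT_DOMAIN_ENUM_ACCOUNTS           0x00000100
#define SA_RIGHT_DOMAIN_OPEN_ACCOUNT            0x00000200
#define SA_RIGHT_DOMAIN_SET_INFO_3              0x00000400

#define SA_RIGHT_DOMAIN_ALL_ACCESS              0x000007FF

#define GENERIC_RIGHTS_DOMAIN_ALL_ACCESS \
                (STANDARD_RIGHTS_REQUIRED_ACCESS| \
                SA_RIGHT_DOMAIN_ALL_ACCESS)

#define GENERIC_RIGHTS_DOMAIN_READ \
                (STANDARD_RIGHTS_READ_ACCESS            | \
                SA_RIGHT_DOMAIN_LOOKUP_ALIAS_BY_MEM     | \
                SA_RIGHT_DOMAIN_LOOKUP_INFO_2)

#define GENERIC_RIGHTS_DOMAIN_WRITE \
                (STANDARD_RIGHTS_WRITE_ACCESS   | \
                SA_RIGHT_DOMAIN_SET_INFO_3      | \
                SA_RIGHT_DOMAIN_CREATE_ALIAS    | \
                SA_RIGHT_DOMAIN_CREATE_GROUP    | \
                SA_RIGHT_DOMAIN_CREATE_USER     | \
                SA_RIGHT_DOMAIN_SET_INFO_2      | \
                SA_RIGHT_DOMAIN_SET_INFO_1)     /* 0x0002047a */

#define GENERIC_RIGHTS_DOMAIN_EXECUTE \
                (STANDARD_RIGHTS_EXECUTE_ACCESS | \
                SA_RIGHT_DOMAIN_OPEN_ACCOUNT    | \
                SA_RIGHT_DOMAIN_ENUM_ACCOUNTS   | \
                SA_RIGHT_DOMAIN_LOOKUP_INFO_1)


/*
 * User Object specific access rights
 *
 * SA_RIGHT_USER_CHANGE_PASSWORD appears in both GENERIC_RIGHTS_USER_WRITE
 * and GENERIC_RIGHTS_USER_EXECUTE.  SA_RIGHT_USER_SET_PASSWORD and
 * SA_RIGHT_USER_SET_ATTRIBUTES appear only in the ALL_ACCESS mask.
 */

#define SA_RIGHT_USER_GET_NAME_ETC      0x00000001
#define SA_RIGHT_USER_GET_LOCALE        0x00000002
#define SA_RIGHT_USER_SET_LOC_COM       0x00000004
#define SA_RIGHT_USER_GET_LOGONINFO     0x00000008
#define SA_RIGHT_USER_ACCT_FLAGS_EXPIRY 0x00000010
#define SA_RIGHT_USER_SET_ATTRIBUTES    0x00000020
#define SA_RIGHT_USER_CHANGE_PASSWORD   0x00000040
#define SA_RIGHT_USER_SET_PASSWORD      0x00000080
#define SA_RIGHT_USER_GET_GROUPS        0x00000100
#define SA_RIGHT_USER_READ_GROUP_MEM    0x00000200
#define SA_RIGHT_USER_CHANGE_GROUP_MEM  0x00000400

#define SA_RIGHT_USER_ALL_ACCESS        0x000007FF

#define GENERIC_RIGHTS_USER_ALL_ACCESS \
                (STANDARD_RIGHTS_REQUIRED_ACCESS| \
                SA_RIGHT_USER_ALL_ACCESS)       /* 0x000f07ff */

#define GENERIC_RIGHTS_USER_READ \
                (STANDARD_RIGHTS_READ_ACCESS    | \
                SA_RIGHT_USER_READ_GROUP_MEM    | \
                SA_RIGHT_USER_GET_GROUPS        | \
                SA_RIGHT_USER_ACCT_FLAGS_EXPIRY | \
                SA_RIGHT_USER_GET_LOGONINFO     | \
                SA_RIGHT_USER_GET_LOCALE)       /* 0x0002031a */

#define GENERIC_RIGHTS_USER_WRITE \
                (STANDARD_RIGHTS_WRITE_ACCESS   | \
                SA_RIGHT_USER_CHANGE_PASSWORD   | \
                SA_RIGHT_USER_SET_LOC_COM)      /* 0x00020044 */

#define GENERIC_RIGHTS_USER_EXECUTE \
                (STANDARD_RIGHTS_EXECUTE_ACCESS | \
                SA_RIGHT_USER_CHANGE_PASSWORD   | \
                SA_RIGHT_USER_GET_NAME_ETC )    /* 0x00020041 */


/* Group Object specific access rights */

#define SA_RIGHT_GROUP_LOOKUP_INFO      0x00000001
#define SA_RIGHT_GROUP_SET_INFO         0x00000002
#define SA_RIGHT_GROUP_ADD_MEMBER       0x00000004
#define SA_RIGHT_GROUP_REMOVE_MEMBER    0x00000008
#define SA_RIGHT_GROUP_GET_MEMBERS      0x00000010

#define SA_RIGHT_GROUP_ALL_ACCESS       0x0000001F

#define GENERIC_RIGHTS_GROUP_ALL_ACCESS \
                (STANDARD_RIGHTS_REQUIRED_ACCESS| \
                SA_RIGHT_GROUP_ALL_ACCESS)      /* 0x000f001f */

#define GENERIC_RIGHTS_GROUP_READ \
                (STANDARD_RIGHTS_READ_ACCESS    | \
                SA_RIGHT_GROUP_GET_MEMBERS)     /* 0x00020010 */

#define GENERIC_RIGHTS_GROUP_WRITE \
                (STANDARD_RIGHTS_WRITE_ACCESS   | \
                SA_RIGHT_GROUP_REMOVE_MEMBER    | \
                SA_RIGHT_GROUP_ADD_MEMBER       | \
                SA_RIGHT_GROUP_SET_INFO )       /* 0x0002000e */

#define GENERIC_RIGHTS_GROUP_EXECUTE \
                (STANDARD_RIGHTS_EXECUTE_ACCESS | \
                SA_RIGHT_GROUP_LOOKUP_INFO)     /* 0x00020001 */


/*
 * Alias Object specific access rights
 *
 * The bit assignment differs from the group rights above (for example
 * ADD_MEMBER is 0x1 here and 0x4 for groups), so group and alias masks are
 * not interchangeable.
 */

#define SA_RIGHT_ALIAS_ADD_MEMBER       0x00000001
#define SA_RIGHT_ALIAS_REMOVE_MEMBER    0x00000002
#define SA_RIGHT_ALIAS_GET_MEMBERS      0x00000004
#define SA_RIGHT_ALIAS_LOOKUP_INFO      0x00000008
#define SA_RIGHT_ALIAS_SET_INFO         0x00000010

#define SA_RIGHT_ALIAS_ALL_ACCESS       0x0000001F

#define GENERIC_RIGHTS_ALIAS_ALL_ACCESS \
                (STANDARD_RIGHTS_REQUIRED_ACCESS| \
                SA_RIGHT_ALIAS_ALL_ACCESS)      /* 0x000f001f */

#define GENERIC_RIGHTS_ALIAS_READ \
                (STANDARD_RIGHTS_READ_ACCESS    | \
                SA_RIGHT_ALIAS_GET_MEMBERS )    /* 0x00020004 */

#define GENERIC_RIGHTS_ALIAS_WRITE \
                (STANDARD_RIGHTS_WRITE_ACCESS   | \
                SA_RIGHT_ALIAS_REMOVE_MEMBER    | \
                SA_RIGHT_ALIAS_ADD_MEMBER       | \
                SA_RIGHT_ALIAS_SET_INFO )       /* 0x00020013 */

#define GENERIC_RIGHTS_ALIAS_EXECUTE \
                (STANDARD_RIGHTS_EXECUTE_ACCESS | \
                SA_RIGHT_ALIAS_LOOKUP_INFO )    /* 0x00020008 */

#endif /* _RPC_SECDES_H */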