Update RPC-LSA to (almost) pass against Windows 2008.
[kai/samba.git] / source4 / librpc / idl / security.idl
index 691dd1d063de10b519738f209df0c32ae96cbbd7..80efe46453fb0f88cc5fb7f575f6858710644549 100644 (file)
@@ -4,6 +4,27 @@
   security IDL structures
 */
 
+import "misc.idl";
+
+/* 
+   use the same structure for dom_sid2 as dom_sid. A dom_sid2 is really
+   just a dom sid, but with the sub_auths represented as a conformant
+   array. As with all in-structure conformant arrays, the array length
+   is placed before the start of the structure. That's what gives rise
+   to the extra num_auths elemenent. We don't want the Samba code to
+   have to bother with such esoteric NDR details, so its easier to just
+   define it as a dom_sid and use pidl magic to make it all work. It
+   just means you need to mark a sid as a "dom_sid2" in the IDL when you
+   know it is of the conformant array variety
+*/
+cpp_quote("#define dom_sid2 dom_sid")
+
+/* same struct as dom_sid but inside a 28 bytes fixed buffer in NDR */
+cpp_quote("#define dom_sid28 dom_sid")
+
+/* same struct as dom_sid but in a variable byte buffer, which is maybe empty in NDR */
+cpp_quote("#define dom_sid0 dom_sid")
+
 [
        pointer_default(unique)
 ]
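Review bot: The cpp_quote aliases leave the C side with a single dom_sid type standing in for three different wire encodings, and the dom_sid28 comment does not say what the 28 bytes can hold; with the dom_sid layout later in this patch (1+1+6 header bytes followed by uint32 sub_auths) that buffer fits at most 5 sub-authorities, which is worth stating where a reader picks the alias: `/* same struct as dom_sid but inside a 28 bytes fixed buffer in NDR (8 header bytes + at most 5 sub_auths) */`. The dom_sid2 comment also has two typos, `elemenent` → `element` and `its easier` → `it's easier`.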
@@ -20,9 +41,9 @@ interface security
                   
           common combinations of bits are prefixed with SEC_RIGHTS_
        */
-        const int SEC_MASK_GENERIC         = 0xF0000000;
-        const int SEC_MASK_FLAGS           = 0x0F000000;
-        const int SEC_MASK_STANDARD        = 0x00FF0000;
+       const int SEC_MASK_GENERIC         = 0xF0000000;
+       const int SEC_MASK_FLAGS           = 0x0F000000;
+       const int SEC_MASK_STANDARD        = 0x00FF0000;
        const int SEC_MASK_SPECIFIC        = 0x0000FFFF;
 
        /* generic bits */
@@ -74,6 +95,20 @@ interface security
        const int SEC_REG_NOTIFY           = 0x00000010;
        const int SEC_REG_CREATE_LINK      = 0x00000020;
 
+       /* ldap specific access bits */
+       const int SEC_ADS_CREATE_CHILD     = 0x00000001;
+       const int SEC_ADS_DELETE_CHILD     = 0x00000002;
+       const int SEC_ADS_LIST             = 0x00000004;
+       const int SEC_ADS_SELF_WRITE       = 0x00000008;
+       const int SEC_ADS_READ_PROP        = 0x00000010;
+       const int SEC_ADS_WRITE_PROP       = 0x00000020;
+       const int SEC_ADS_DELETE_TREE      = 0x00000040;
+       const int SEC_ADS_LIST_OBJECT      = 0x00000080;
+       const int SEC_ADS_CONTROL_ACCESS   = 0x00000100;
+
+       /* invalid bits */
+       const int SEC_MASK_INVALID         = 0x0ce0fe00;
+
        /* generic->specific mappings for files */
        const int SEC_RIGHTS_FILE_READ    = SEC_STD_READ_CONTROL | 
                                            SEC_STD_SYNCHRONIZE | 
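Review bot: `SEC_MASK_INVALID = 0x0ce0fe00` is introduced with only the two-word comment `invalid bits`, and nothing on the page shows how the value was derived. Read against the SEC_MASK_* ranges earlier in the file it looks like the union of 0x0c000000 (flags range), 0x00e00000 (standard range) and 0x0000fe00 (specific range), i.e. the positions in those ranges that carry no SEC_* definition, but that is an inference; if it is right, record it: `/* bits of the flags/standard/specific ranges with no defined meaning; an access_mask with any of these set should be rejected */`. Since the specific-range bits differ per object type (SEC_REG_* stops at 0x20, SEC_ADS_* at 0x100), the comment should also say whether the 0xfe00 part is meant to be object-type independent.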
@@ -109,6 +144,8 @@ interface security
        const string SID_NULL = "S-1-0-0";
 
        /* the world domain */
+       const string NAME_WORLD       = "WORLD";
+
        const string SID_WORLD_DOMAIN = "S-1-1";
        const string SID_WORLD        = "S-1-1-0";
 
@@ -118,6 +155,8 @@ interface security
        const string SID_CREATOR_GROUP        = "S-1-3-1";
 
        /* SECURITY_NT_AUTHORITY */
+       const string NAME_NT_AUTHORITY            = "NT AUTHORITY";
+
        const string SID_NT_AUTHORITY             = "S-1-5";
        const string SID_NT_DIALUP                = "S-1-5-1";
        const string SID_NT_NETWORK               = "S-1-5-2";
@@ -138,6 +177,8 @@ interface security
        const string SID_NT_NETWORK_SERVICE       = "S-1-5-20";
 
        /* SECURITY_BUILTIN_DOMAIN_RID */
+       const string NAME_BUILTIN                  = "BUILTIN";
+
        const string SID_BUILTIN                   = "S-1-5-32";
        const string SID_BUILTIN_ADMINISTRATORS    = "S-1-5-32-544";
        const string SID_BUILTIN_USERS             = "S-1-5-32-545";
@@ -148,6 +189,20 @@ interface security
        const string SID_BUILTIN_PRINT_OPERATORS   = "S-1-5-32-550";
        const string SID_BUILTIN_BACKUP_OPERATORS  = "S-1-5-32-551";
        const string SID_BUILTIN_REPLICATOR        = "S-1-5-32-552";
+       const string SID_BUILTIN_RAS_SERVERS       = "S-1-5-32-553";
+       const string SID_BUILTIN_PREW2K            = "S-1-5-32-554";
+
+       /* well-known domain RIDs */
+       const int DOMAIN_RID_LOGON                 = 9;
+       const int DOMAIN_RID_ADMINISTRATOR         = 500;
+       const int DOMAIN_RID_GUEST                 = 501;
+       const int DOMAIN_RID_ADMINS                = 512;
+       const int DOMAIN_RID_USERS                 = 513;
+       const int DOMAIN_RID_DOMAIN_MEMBERS        = 515;
+       const int DOMAIN_RID_DCS                   = 516;
+       const int DOMAIN_RID_CERT_ADMINS           = 517;
+       const int DOMAIN_RID_SCHEMA_ADMINS         = 518;
+       const int DOMAIN_RID_ENTERPRISE_ADMINS     = 519;
 
 
        /*
@@ -184,9 +239,9 @@ interface security
 
        /* a domain SID. Note that unlike Samba3 this contains a pointer,
           so you can't copy them using assignment */
-       typedef [public,noprint] struct {
+       typedef [public,gensize,noprint,noejs,nosize] struct {
                uint8  sid_rev_num;             /**< SID revision number */
-               [range(0,5)] int8  num_auths;  /**< Number of sub-authorities */
+               [range(0,15)] int8  num_auths;  /**< Number of sub-authorities */
                uint8  id_auth[6];              /**< Identifier Authority */
                uint32 sub_auths[num_auths];
        } dom_sid;
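Review bot: Widening num_auths to `[range(0,15)]` matches the sub-authority ceiling of the SID format, but the same struct is also aliased as dom_sid28 at the top of this patch, a 28-byte fixed buffer with room for only 5 sub_auths, and the range attribute alone will not stop a 15-sub-authority value being placed in a dom_sid28 field. Confirm that the NDR handling for the dom_sid28 alias rejects num_auths > 5 rather than truncating or overrunning the fixed buffer; that check is outside this file. A comment on the field recording the two limits would help future readers: `/**< Number of sub-authorities: 0-15 on the wire, at most 5 when carried as dom_sid28 */`.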
@@ -214,41 +269,68 @@ interface security
                SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT        = 8
        } security_ace_type;
 
-       typedef [public] struct {
+       typedef [bitmap32bit] bitmap {
+               SEC_ACE_OBJECT_TYPE_PRESENT             = 0x00000001,
+               SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT   = 0x00000002
+       } security_ace_object_flags;
+
+       typedef [nodiscriminant] union {
+               /* this is the 'schemaIDGUID' attribute of the attribute object in the schema naming context */
+               [case(SEC_ACE_OBJECT_TYPE_PRESENT)] GUID type;
+               [default];
+       } security_ace_object_type;
+
+       typedef [nodiscriminant] union {
+               /* this is the 'schemaIDGUID' attribute of the objectclass object in the schema naming context
+                * (of the parent container)
+                */
+               [case(SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)] GUID inherited_type;
+               [default];
+       } security_ace_object_inherited_type;
+
+       typedef struct {
+               security_ace_object_flags flags;
+               [switch_is(flags & SEC_ACE_OBJECT_TYPE_PRESENT)] security_ace_object_type type;
+               [switch_is(flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)] security_ace_object_inherited_type inherited_type;
+       } security_ace_object;
+
+       typedef [nodiscriminant] union {
+               [case(SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT)] security_ace_object object;
+               [case(SEC_ACE_TYPE_ACCESS_DENIED_OBJECT)] security_ace_object object;
+               [case(SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT)] security_ace_object object;
+               [case(SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT)] security_ace_object object;
+               [default];
+       } security_ace_object_ctr;
+
+       typedef [public,gensize,nosize] struct {
                security_ace_type type;  /* SEC_ACE_TYPE_* */
                security_ace_flags flags; /* SEC_ACE_FLAG_* */
-               [value(ndr_size_security_ace(r))] uint16 size;
+               [value(ndr_size_security_ace(r,ndr->flags))] uint16 size;
                uint32 access_mask;
-
-#if 0
-               /* the 'obj' part is present when type is XXXX_TYPE_XXXX_OBJECT */
-               struct {
-                       uint32 flags;
-                       GUID object_guid;
-                       GUID inherit_guid;
-               } *obj;
-#endif
-
+               [switch_is(type)] security_ace_object_ctr object;
                dom_sid trustee;
        } security_ace;
 
        typedef enum {
-               NT4_ACL_REVISION  = 2
+               SECURITY_ACL_REVISION_NT4       = 2,
+               SECURITY_ACL_REVISION_ADS       = 4
        } security_acl_revision;
 
-       typedef [public] struct {
+       const uint NT4_ACL_REVISION     = SECURITY_ACL_REVISION_NT4;
+
+       typedef [public,gensize,nosize] struct {
                security_acl_revision revision;
-               [value(ndr_size_security_acl(r))] uint16 size;
+               [value(ndr_size_security_acl(r,ndr->flags))] uint16 size;
                [range(0,1000)] uint32 num_aces;
                security_ace aces[num_aces];
        } security_acl;
 
        /* default revision for new ACLs */
        typedef [enum8bit] enum {
-               SEC_DESC_REVISION_1 = 1
+               SECURITY_DESCRIPTOR_REVISION_1 = 1
        } security_descriptor_revision;
 
-       const int SD_REVISION                    = SEC_DESC_REVISION_1;
+       const int SD_REVISION                    = SECURITY_DESCRIPTOR_REVISION_1;
 
        /* security_descriptor->type bits */
        typedef [bitmap16bit] bitmap {
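Review bot: The comment on the `GUID type` arm of security_ace_object_type says the GUID is the schemaIDGUID of an attribute, which is narrower than what an object ACE carries: the ObjectType GUID may also name a property set or a control-access (extended) right, which is exactly what the SEC_ADS_CONTROL_ACCESS bit added earlier in this patch is matched against. Consumers that only look the GUID up among attributes will misclassify such ACEs, so the comment should read along the lines of `/* GUID the ACE applies to: an attribute's schemaIDGUID, a property-set GUID, or the rightsGuid of a control access right */`. The same applies to the inherited_type comment, where the GUID is the schemaIDGUID of the object class that child objects must have for the ACE to be inherited.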
@@ -270,15 +352,7 @@ interface security
                SEC_DESC_SELF_RELATIVE          = 0x8000
        } security_descriptor_type;
 
-       /* bits that determine which parts of a security descriptor
-          are being queried/set */
-       const int SECINFO_OWNER                = 0x00000001;
-       const int SECINFO_GROUP                = 0x00000002;
-       const int SECINFO_DACL                 = 0x00000004;
-       const int SECINFO_SACL                 = 0x00000008;
-
-
-       typedef [public,flag(NDR_LITTLE_ENDIAN)] struct {
+       typedef [gensize,nosize,public,flag(NDR_LITTLE_ENDIAN)] struct {
                security_descriptor_revision revision;
                security_descriptor_type type;     /* SEC_DESC_xxxx flags */
                [relative] dom_sid *owner_sid; 
@@ -288,7 +362,36 @@ interface security
        } security_descriptor;
 
        typedef [public] struct {
-               [range(0,0x40000),value(ndr_size_security_descriptor(r->sd))] uint32 sd_size;
+               [range(0,0x40000),value(ndr_size_security_descriptor(sd,ndr->flags))] uint32 sd_size;
                [subcontext(4)] security_descriptor *sd;
        } sec_desc_buf;
+
+       typedef [public] struct {
+               dom_sid *user_sid;
+               dom_sid *group_sid;
+               uint32 num_sids;
+               [size_is(num_sids)] dom_sid *sids[*];
+               udlong privilege_mask;
+       } security_token;
+
+       /* bits that determine which parts of a security descriptor
+          are being queried/set */
+       typedef [public,bitmap32bit] bitmap {
+               SECINFO_OWNER                = 0x00000001,
+               SECINFO_GROUP                = 0x00000002,
+               SECINFO_DACL                 = 0x00000004,
+               SECINFO_SACL                 = 0x00000008,
+               SECINFO_UNPROTECTED_SACL     = 0x10000000,
+               SECINFO_UNPROTECTED_DACL     = 0x20000000,
+               SECINFO_PROTECTED_SACL       = 0x40000000,
+               SECINFO_PROTECTED_DACL       = 0x80000000
+       } security_secinfo;
+
+       typedef [public,bitmap32bit] bitmap {
+               KERB_ENCTYPE_DES_CBC_CRC             = 0x00000001,
+               KERB_ENCTYPE_DES_CBC_MD5             = 0x00000002,
+               KERB_ENCTYPE_RC4_HMAC_MD5            = 0x00000004,
+               KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 0x00000008,
+               KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010
+       } kerb_EncTypes;
 }
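Review bot: kerb_EncTypes is added with no comment, so nothing in the file says which attribute or protocol field these bit values belong to; they look like the bit layout of the msDS-SupportedEncryptionTypes attribute, and if that is the intent it should be stated: `/* bit values of the msDS-SupportedEncryptionTypes attribute; the DES entries are legacy types */`. security_token likewise documents nothing about `privilege_mask`, and since a udlong carries 64 bit positions a one-line reference to the privilege enumeration those bits index would save readers a search. Both are documentation-only changes.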