root/source4/libcli/security/privilege.c

/* [<][>][^][v][top][bottom][index][help] */

DEFINITIONS

This source file includes following definitions.
  1. sec_privilege_name
  2. sec_privilege_display_name
  3. sec_privilege_id
  4. sec_privilege_mask
  5. security_token_has_privilege
  6. security_token_set_privilege
  7. security_token_debug_privileges

   1 /*
   2    Unix SMB/CIFS implementation.
   3 
   4    manipulate privileges
   5 
   6    Copyright (C) Andrew Tridgell 2004
   7 
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 3 of the License, or
  11    (at your option) any later version.
  12 
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17 
  18    You should have received a copy of the GNU General Public License
  19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  20 */
  21 
  22 #include "includes.h"
  23 #include "librpc/gen_ndr/security.h" 
  24 #include "libcli/security/security.h" 
  25 
  26 
  27 static const struct {
  28         enum sec_privilege privilege;
  29         const char *name;
  30         const char *display_name;
  31 } privilege_names[] = {
  32         {SEC_PRIV_SECURITY,                   
  33          "SeSecurityPrivilege",
  34         "System security"},
  35 
  36         {SEC_PRIV_BACKUP,                     
  37          "SeBackupPrivilege",
  38          "Backup files and directories"},
  39 
  40         {SEC_PRIV_RESTORE,                    
  41          "SeRestorePrivilege",
  42         "Restore files and directories"},
  43 
  44         {SEC_PRIV_SYSTEMTIME,                 
  45          "SeSystemtimePrivilege",
  46         "Set the system clock"},
  47 
  48         {SEC_PRIV_SHUTDOWN,                   
  49          "SeShutdownPrivilege",
  50         "Shutdown the system"},
  51 
  52         {SEC_PRIV_REMOTE_SHUTDOWN,            
  53          "SeRemoteShutdownPrivilege",
  54         "Shutdown the system remotely"},
  55 
  56         {SEC_PRIV_TAKE_OWNERSHIP,             
  57          "SeTakeOwnershipPrivilege",
  58         "Take ownership of files and directories"},
  59 
  60         {SEC_PRIV_DEBUG,                      
  61          "SeDebugPrivilege",
  62         "Debug processes"},
  63 
  64         {SEC_PRIV_SYSTEM_ENVIRONMENT,         
  65          "SeSystemEnvironmentPrivilege",
  66         "Modify system environment"},
  67 
  68         {SEC_PRIV_SYSTEM_PROFILE,             
  69          "SeSystemProfilePrivilege",
  70         "Profile the system"},
  71 
  72         {SEC_PRIV_PROFILE_SINGLE_PROCESS,     
  73          "SeProfileSingleProcessPrivilege",
  74         "Profile one process"},
  75 
  76         {SEC_PRIV_INCREASE_BASE_PRIORITY,     
  77          "SeIncreaseBasePriorityPrivilege",
  78          "Increase base priority"},
  79 
  80         {SEC_PRIV_LOAD_DRIVER,
  81          "SeLoadDriverPrivilege",
  82         "Load drivers"},
  83 
  84         {SEC_PRIV_CREATE_PAGEFILE,            
  85          "SeCreatePagefilePrivilege",
  86         "Create page files"},
  87 
  88         {SEC_PRIV_INCREASE_QUOTA,
  89          "SeIncreaseQuotaPrivilege",
  90         "Increase quota"},
  91 
  92         {SEC_PRIV_CHANGE_NOTIFY,              
  93          "SeChangeNotifyPrivilege",
  94         "Register for change notify"},
  95 
  96         {SEC_PRIV_UNDOCK,                     
  97          "SeUndockPrivilege",
  98         "Undock devices"},
  99 
 100         {SEC_PRIV_MANAGE_VOLUME,              
 101          "SeManageVolumePrivilege",
 102         "Manage system volumes"},
 103 
 104         {SEC_PRIV_IMPERSONATE,                
 105          "SeImpersonatePrivilege",
 106         "Impersonate users"},
 107 
 108         {SEC_PRIV_CREATE_GLOBAL,              
 109          "SeCreateGlobalPrivilege",
 110         "Create global"},
 111 
 112         {SEC_PRIV_ENABLE_DELEGATION,          
 113          "SeEnableDelegationPrivilege",
 114         "Enable Delegation"},
 115 
 116         {SEC_PRIV_INTERACTIVE_LOGON,          
 117          "SeInteractiveLogonRight",
 118         "Interactive logon"},
 119 
 120         {SEC_PRIV_NETWORK_LOGON,
 121          "SeNetworkLogonRight",
 122         "Network logon"},
 123 
 124         {SEC_PRIV_REMOTE_INTERACTIVE_LOGON,   
 125          "SeRemoteInteractiveLogonRight",
 126         "Remote Interactive logon"}
 127 };
 128 
 129 
 130 /*
 131   map a privilege id to the wire string constant
 132 */
 133 const char *sec_privilege_name(enum sec_privilege privilege)
     /* [<][>][^][v][top][bottom][index][help] */
 134 {
 135         int i;
 136         for (i=0;i<ARRAY_SIZE(privilege_names);i++) {
 137                 if (privilege_names[i].privilege == privilege) {
 138                         return privilege_names[i].name;
 139                 }
 140         }
 141         return NULL;
 142 }
 143 
 144 /*
 145   map a privilege id to a privilege display name. Return NULL if not found
 146   
 147   TODO: this should use language mappings
 148 */
 149 const char *sec_privilege_display_name(enum sec_privilege privilege, uint16_t *language)
     /* [<][>][^][v][top][bottom][index][help] */
 150 {
 151         int i;
 152         if (privilege < 1 || privilege > 64) {
 153                 return NULL;
 154         }
 155         for (i=0;i<ARRAY_SIZE(privilege_names);i++) {
 156                 if (privilege_names[i].privilege == privilege) {
 157                         return privilege_names[i].display_name;
 158                 }
 159         }
 160         return NULL;
 161 }
 162 
 163 /*
 164   map a privilege name to a privilege id. Return -1 if not found
 165 */
 166 enum sec_privilege sec_privilege_id(const char *name)
     /* [<][>][^][v][top][bottom][index][help] */
 167 {
 168         int i;
 169         for (i=0;i<ARRAY_SIZE(privilege_names);i++) {
 170                 if (strcasecmp(privilege_names[i].name, name) == 0) {
 171                         return privilege_names[i].privilege;
 172                 }
 173         }
 174         return -1;
 175 }
 176 
 177 
 178 /*
 179   return a privilege mask given a privilege id
 180 */
 181 static uint64_t sec_privilege_mask(enum sec_privilege privilege)
     /* [<][>][^][v][top][bottom][index][help] */
 182 {
 183         uint64_t mask = 1;
 184 
 185         if (privilege < 1 || privilege > 64) {
 186                 return 0;
 187         }
 188 
 189         mask <<= (privilege-1);
 190         return mask;
 191 }
 192 
 193 
 194 /*
 195   return true if a security_token has a particular privilege bit set
 196 */
 197 bool security_token_has_privilege(const struct security_token *token, enum sec_privilege privilege)
     /* [<][>][^][v][top][bottom][index][help] */
 198 {
 199         uint64_t mask;
 200 
 201         if (privilege < 1 || privilege > 64) {
 202                 return false;
 203         }
 204 
 205         mask = sec_privilege_mask(privilege);
 206         if (token->privilege_mask & mask) {
 207                 return true;
 208         }
 209         return false;
 210 }
 211 
 212 /*
 213   set a bit in the privilege mask
 214 */
 215 void security_token_set_privilege(struct security_token *token, enum sec_privilege privilege)
     /* [<][>][^][v][top][bottom][index][help] */
 216 {
 217         if (privilege < 1 || privilege > 64) {
 218                 return;
 219         }
 220         token->privilege_mask |= sec_privilege_mask(privilege);
 221 }
 222 
 223 void security_token_debug_privileges(int dbg_lev, const struct security_token *token)
     /* [<][>][^][v][top][bottom][index][help] */
 224 {
 225         DEBUGADD(dbg_lev, (" Privileges (0x%16llX):\n",
 226                             (unsigned long long) token->privilege_mask));
 227 
 228         if (token->privilege_mask) {
 229                 int i = 0;
 230                 uint_t privilege;
 231 
 232                 for (privilege = 1; privilege <= 64; privilege++) {
 233                         uint64_t mask = sec_privilege_mask(privilege);
 234 
 235                         if (token->privilege_mask & mask) {
 236                                 DEBUGADD(dbg_lev, ("  Privilege[%3lu]: %s\n", (unsigned long)i++, 
 237                                         sec_privilege_name(privilege)));
 238                         }
 239                 }
 240         }
 241 }

/* [<][>][^][v][top][bottom][index][help] */