/* [<][>][^][v][top][bottom][index][help] */
DEFINITIONS
This source file includes following definitions.
- sec_privilege_name
- sec_privilege_display_name
- sec_privilege_id
- sec_privilege_mask
- security_token_has_privilege
- security_token_set_privilege
- security_token_debug_privileges
1 /*
2 Unix SMB/CIFS implementation.
3
4 manipulate privileges
5
6 Copyright (C) Andrew Tridgell 2004
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "librpc/gen_ndr/security.h"
24 #include "libcli/security/security.h"
25
26
27 static const struct {
28 enum sec_privilege privilege;
29 const char *name;
30 const char *display_name;
31 } privilege_names[] = {
32 {SEC_PRIV_SECURITY,
33 "SeSecurityPrivilege",
34 "System security"},
35
36 {SEC_PRIV_BACKUP,
37 "SeBackupPrivilege",
38 "Backup files and directories"},
39
40 {SEC_PRIV_RESTORE,
41 "SeRestorePrivilege",
42 "Restore files and directories"},
43
44 {SEC_PRIV_SYSTEMTIME,
45 "SeSystemtimePrivilege",
46 "Set the system clock"},
47
48 {SEC_PRIV_SHUTDOWN,
49 "SeShutdownPrivilege",
50 "Shutdown the system"},
51
52 {SEC_PRIV_REMOTE_SHUTDOWN,
53 "SeRemoteShutdownPrivilege",
54 "Shutdown the system remotely"},
55
56 {SEC_PRIV_TAKE_OWNERSHIP,
57 "SeTakeOwnershipPrivilege",
58 "Take ownership of files and directories"},
59
60 {SEC_PRIV_DEBUG,
61 "SeDebugPrivilege",
62 "Debug processes"},
63
64 {SEC_PRIV_SYSTEM_ENVIRONMENT,
65 "SeSystemEnvironmentPrivilege",
66 "Modify system environment"},
67
68 {SEC_PRIV_SYSTEM_PROFILE,
69 "SeSystemProfilePrivilege",
70 "Profile the system"},
71
72 {SEC_PRIV_PROFILE_SINGLE_PROCESS,
73 "SeProfileSingleProcessPrivilege",
74 "Profile one process"},
75
76 {SEC_PRIV_INCREASE_BASE_PRIORITY,
77 "SeIncreaseBasePriorityPrivilege",
78 "Increase base priority"},
79
80 {SEC_PRIV_LOAD_DRIVER,
81 "SeLoadDriverPrivilege",
82 "Load drivers"},
83
84 {SEC_PRIV_CREATE_PAGEFILE,
85 "SeCreatePagefilePrivilege",
86 "Create page files"},
87
88 {SEC_PRIV_INCREASE_QUOTA,
89 "SeIncreaseQuotaPrivilege",
90 "Increase quota"},
91
92 {SEC_PRIV_CHANGE_NOTIFY,
93 "SeChangeNotifyPrivilege",
94 "Register for change notify"},
95
96 {SEC_PRIV_UNDOCK,
97 "SeUndockPrivilege",
98 "Undock devices"},
99
100 {SEC_PRIV_MANAGE_VOLUME,
101 "SeManageVolumePrivilege",
102 "Manage system volumes"},
103
104 {SEC_PRIV_IMPERSONATE,
105 "SeImpersonatePrivilege",
106 "Impersonate users"},
107
108 {SEC_PRIV_CREATE_GLOBAL,
109 "SeCreateGlobalPrivilege",
110 "Create global"},
111
112 {SEC_PRIV_ENABLE_DELEGATION,
113 "SeEnableDelegationPrivilege",
114 "Enable Delegation"},
115
116 {SEC_PRIV_INTERACTIVE_LOGON,
117 "SeInteractiveLogonRight",
118 "Interactive logon"},
119
120 {SEC_PRIV_NETWORK_LOGON,
121 "SeNetworkLogonRight",
122 "Network logon"},
123
124 {SEC_PRIV_REMOTE_INTERACTIVE_LOGON,
125 "SeRemoteInteractiveLogonRight",
126 "Remote Interactive logon"}
127 };
128
129
130 /*
131 map a privilege id to the wire string constant
132 */
133 const char *sec_privilege_name(enum sec_privilege privilege)
/* [<][>][^][v][top][bottom][index][help] */
134 {
135 int i;
136 for (i=0;i<ARRAY_SIZE(privilege_names);i++) {
137 if (privilege_names[i].privilege == privilege) {
138 return privilege_names[i].name;
139 }
140 }
141 return NULL;
142 }
143
144 /*
145 map a privilege id to a privilege display name. Return NULL if not found
146
147 TODO: this should use language mappings
148 */
149 const char *sec_privilege_display_name(enum sec_privilege privilege, uint16_t *language)
/* [<][>][^][v][top][bottom][index][help] */
150 {
151 int i;
152 if (privilege < 1 || privilege > 64) {
153 return NULL;
154 }
155 for (i=0;i<ARRAY_SIZE(privilege_names);i++) {
156 if (privilege_names[i].privilege == privilege) {
157 return privilege_names[i].display_name;
158 }
159 }
160 return NULL;
161 }
162
163 /*
164 map a privilege name to a privilege id. Return -1 if not found
165 */
166 enum sec_privilege sec_privilege_id(const char *name)
/* [<][>][^][v][top][bottom][index][help] */
167 {
168 int i;
169 for (i=0;i<ARRAY_SIZE(privilege_names);i++) {
170 if (strcasecmp(privilege_names[i].name, name) == 0) {
171 return privilege_names[i].privilege;
172 }
173 }
174 return -1;
175 }
176
177
178 /*
179 return a privilege mask given a privilege id
180 */
181 static uint64_t sec_privilege_mask(enum sec_privilege privilege)
/* [<][>][^][v][top][bottom][index][help] */
182 {
183 uint64_t mask = 1;
184
185 if (privilege < 1 || privilege > 64) {
186 return 0;
187 }
188
189 mask <<= (privilege-1);
190 return mask;
191 }
192
193
194 /*
195 return true if a security_token has a particular privilege bit set
196 */
197 bool security_token_has_privilege(const struct security_token *token, enum sec_privilege privilege)
/* [<][>][^][v][top][bottom][index][help] */
198 {
199 uint64_t mask;
200
201 if (privilege < 1 || privilege > 64) {
202 return false;
203 }
204
205 mask = sec_privilege_mask(privilege);
206 if (token->privilege_mask & mask) {
207 return true;
208 }
209 return false;
210 }
211
212 /*
213 set a bit in the privilege mask
214 */
215 void security_token_set_privilege(struct security_token *token, enum sec_privilege privilege)
/* [<][>][^][v][top][bottom][index][help] */
216 {
217 if (privilege < 1 || privilege > 64) {
218 return;
219 }
220 token->privilege_mask |= sec_privilege_mask(privilege);
221 }
222
223 void security_token_debug_privileges(int dbg_lev, const struct security_token *token)
/* [<][>][^][v][top][bottom][index][help] */
224 {
225 DEBUGADD(dbg_lev, (" Privileges (0x%16llX):\n",
226 (unsigned long long) token->privilege_mask));
227
228 if (token->privilege_mask) {
229 int i = 0;
230 uint_t privilege;
231
232 for (privilege = 1; privilege <= 64; privilege++) {
233 uint64_t mask = sec_privilege_mask(privilege);
234
235 if (token->privilege_mask & mask) {
236 DEBUGADD(dbg_lev, (" Privilege[%3lu]: %s\n", (unsigned long)i++,
237 sec_privilege_name(privilege)));
238 }
239 }
240 }
241 }