From e1e4bd1a04a935dbddba4727f811013d9430b5c9 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 27 Aug 2010 11:56:37 +1000 Subject: [PATCH] libcli/security Merge privilege lists from source3 and source4 The LSA enumeration in source3 will not show the new privileges, but otherwise, they are now in common, and can be set by name. Andrew Bartlett Signed-off-by: Andrew Tridgell --- libcli/security/privileges.c | 295 +++++++++++++++-------------------- 1 file changed, 126 insertions(+), 169 deletions(-) diff --git a/libcli/security/privileges.c b/libcli/security/privileges.c index bf623e0ad63..24a58e49e88 100644 --- a/libcli/security/privileges.c +++ b/libcli/security/privileges.c @@ -56,14 +56,7 @@ const uint64_t se_take_ownership = SE_TAKE_OWNERSHIP; #define NUM_SHORT_LIST_PRIVS 8 PRIVS privs[] = { -#if 0 /* usrmgr will display these twice if you include them. We don't - use them but we'll keep the bitmasks reserved in privileges.h anyways */ - - {0x0, SE_NETWORK_LOGON, "SeNetworkLogonRight", "Access this computer from network"}, - {0x0, SE_INTERACTIVE_LOGON, "SeInteractiveLogonRight", "Log on locally"}, - {0x0, SE_BATCH_LOGON, "SeBatchLogonRight", "Log on as a batch job"}, - {0x0, SE_SERVICE_LOGON, "SeServiceLogonRight", "Log on as a service"}, -#endif + {SEC_PRIV_MACHINE_ACCOUNT, SE_MACHINE_ACCOUNT, "SeMachineAccountPrivilege", "Add machines to domain"}, {SEC_PRIV_TAKE_OWNERSHIP, SE_TAKE_OWNERSHIP, "SeTakeOwnershipPrivilege", "Take ownership of files or other objects"}, {SEC_PRIV_BACKUP, SE_BACKUP, "SeBackupPrivilege", "Back up files and directories"}, 
@@ -74,6 +67,114 @@ PRIVS privs[] = { {SEC_PRIV_ADD_USERS, SE_ADD_USERS, "SeAddUsersPrivilege", "Add users and groups to the domain"}, {SEC_PRIV_DISK_OPERATOR, SE_DISK_OPERATOR, "SeDiskOperatorPrivilege", "Manage disk shares"}, + /* The list from here on was not displayed in the code from + * source3/ with the comment that usrmgr will display these + * next 2 twice if you include them. The source4/ code has + * always included them, but they do not appear in Windows + * 2008 R2. + + Finally, the parameter 'short_list' determines if the short + or full list (including many other privileges) is used */ + + {SEC_PRIV_SECURITY, + SE_SECURITY, + "SeSecurityPrivilege", + "System security"}, + + {SEC_PRIV_SYSTEMTIME, + SE_SYSTEMTIME, + "SeSystemtimePrivilege", + "Set the system clock"}, + + {SEC_PRIV_SHUTDOWN, + SE_SHUTDOWN, + "SeShutdownPrivilege", + "Shutdown the system"}, + + {SEC_PRIV_DEBUG, + SE_DEBUG, + "SeDebugPrivilege", + "Debug processes"}, + + {SEC_PRIV_SYSTEM_ENVIRONMENT, + SE_SYSTEM_ENVIRONMENT, + "SeSystemEnvironmentPrivilege", + "Modify system environment"}, + + {SEC_PRIV_SYSTEM_PROFILE, + SE_SYSTEM_PROFILE, + "SeSystemProfilePrivilege", + "Profile the system"}, + + {SEC_PRIV_PROFILE_SINGLE_PROCESS, + SE_PROFILE_SINGLE_PROCESS, + "SeProfileSingleProcessPrivilege", + "Profile one process"}, + + {SEC_PRIV_INCREASE_BASE_PRIORITY, + SE_INCREASE_BASE_PRIORITY, + "SeIncreaseBasePriorityPrivilege", + "Increase base priority"}, + + {SEC_PRIV_LOAD_DRIVER, + SE_LOAD_DRIVER, + "SeLoadDriverPrivilege", + "Load drivers"}, + + {SEC_PRIV_CREATE_PAGEFILE, + SE_CREATE_PAGEFILE, + "SeCreatePagefilePrivilege", + "Create page files"}, + + {SEC_PRIV_INCREASE_QUOTA, + SE_INCREASE_QUOTA, + "SeIncreaseQuotaPrivilege", + "Increase quota"}, + + {SEC_PRIV_CHANGE_NOTIFY, + SE_CHANGE_NOTIFY, + "SeChangeNotifyPrivilege", + "Register for change notify"}, + + {SEC_PRIV_UNDOCK, + SE_UNDOCK, + "SeUndockPrivilege", + "Undock devices"}, + + {SEC_PRIV_MANAGE_VOLUME, + SE_MANAGE_VOLUME, + 
"SeManageVolumePrivilege", + "Manage system volumes"}, + + {SEC_PRIV_IMPERSONATE, + SE_IMPERSONATE, + "SeImpersonatePrivilege", + "Impersonate users"}, + + {SEC_PRIV_CREATE_GLOBAL, + SE_CREATE_GLOBAL, + "SeCreateGlobalPrivilege", + "Create global"}, + + {SEC_PRIV_ENABLE_DELEGATION, + SE_ENABLE_DELEGATION, + "SeEnableDelegationPrivilege", + "Enable Delegation"}, + + {SEC_PRIV_INTERACTIVE_LOGON, + SE_INTERACTIVE_LOGON, + "SeInteractiveLogonRight", + "Interactive logon"}, + + {SEC_PRIV_NETWORK_LOGON, + SE_NETWORK_LOGON, + "SeNetworkLogonRight", + "Network logon"}, + + {SEC_PRIV_REMOTE_INTERACTIVE_LOGON, + SE_REMOTE_INTERACTIVE_LOGON, + "SeRemoteInteractiveLogonRight", + "Remote Interactive logon"} }; /*************************************************************************** 
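Review bot: The comment opening the appended block says usrmgr would display "these next 2" twice, but the two entries that follow it are SeSecurityPrivilege and SeSystemtimePrivilege; the entries the removed source3 `#if 0` block was talking about are the logon rights, which now sit at the end of this list, and SeBatchLogonRight and SeServiceLogonRight from that block were dropped rather than merged. I would reword the header so it names the entries it means, and give the `Finally, the parameter 'short_list' ...` tail the ` * ` prefix the rest of the block uses so it reads as one comment. The earlier hunk shows `#define NUM_SHORT_LIST_PRIVS 8`, and the new comment implies the short list is selected by position, so the first eight entries staying the source3 list is an unstated ordering invariant; a line such as `/* the first NUM_SHORT_LIST_PRIVS entries are the source3 short list and must stay first; everything below is only reachable through the full list */` would make that explicit for whoever next reorders the table. SeInteractiveLogonRight, SeNetworkLogonRight and SeRemoteInteractiveLogonRight are account rights rather than privileges, so any lookup that presumes every privs[] entry is a privilege (the sec_privilege_name changes are in the later hunk, which is cut off in this view) should be checked to handle these entries deliberately.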
@@ -450,159 +551,15 @@ bool privilege_set_to_se_priv( uint64_t *privilege_mask, struct lsa_PrivilegeSet return true; } -static const PRIVS privilege_names[] = { - {SEC_PRIV_SECURITY, - SE_SECURITY, - "SeSecurityPrivilege", - "System security"}, - - {SEC_PRIV_BACKUP, - SE_BACKUP, - "SeBackupPrivilege", - "Backup files and directories"}, - - {SEC_PRIV_RESTORE, - SE_RESTORE, - "SeRestorePrivilege", - "Restore files and directories"}, - - {SEC_PRIV_SYSTEMTIME, - SE_SYSTEMTIME, - "SeSystemtimePrivilege", - "Set the system clock"}, - - {SEC_PRIV_SHUTDOWN, - SE_SHUTDOWN, - "SeShutdownPrivilege", - "Shutdown the system"}, - - {SEC_PRIV_REMOTE_SHUTDOWN, - SE_REMOTE_SHUTDOWN, - "SeRemoteShutdownPrivilege", - "Shutdown the system remotely"}, - - {SEC_PRIV_TAKE_OWNERSHIP, - SE_TAKE_OWNERSHIP, - "SeTakeOwnershipPrivilege", - "Take ownership of files and directories"}, - - {SEC_PRIV_DEBUG, - SE_DEBUG, - "SeDebugPrivilege", - "Debug processes"}, - - {SEC_PRIV_SYSTEM_ENVIRONMENT, - SE_SYSTEM_ENVIRONMENT, - "SeSystemEnvironmentPrivilege", - "Modify system environment"}, - - {SEC_PRIV_SYSTEM_PROFILE, - SE_SYSTEM_PROFILE, - "SeSystemProfilePrivilege", - "Profile the system"}, - - {SEC_PRIV_PROFILE_SINGLE_PROCESS, - SE_PROFILE_SINGLE_PROCESS, - "SeProfileSingleProcessPrivilege", - "Profile one process"}, - - {SEC_PRIV_INCREASE_BASE_PRIORITY, - SE_INCREASE_BASE_PRIORITY, - "SeIncreaseBasePriorityPrivilege", - "Increase base priority"}, - - {SEC_PRIV_LOAD_DRIVER, - SE_LOAD_DRIVER, - "SeLoadDriverPrivilege", - "Load drivers"}, - - {SEC_PRIV_CREATE_PAGEFILE, - SE_CREATE_PAGEFILE, - "SeCreatePagefilePrivilege", - "Create page files"}, - - {SEC_PRIV_INCREASE_QUOTA, - SE_INCREASE_QUOTA, - "SeIncreaseQuotaPrivilege", - "Increase quota"}, - - {SEC_PRIV_CHANGE_NOTIFY, - SE_CHANGE_NOTIFY, - "SeChangeNotifyPrivilege", - "Register for change notify"}, - - {SEC_PRIV_UNDOCK, - SE_UNDOCK, - "SeUndockPrivilege", - "Undock devices"}, - - {SEC_PRIV_MANAGE_VOLUME, - SE_MANAGE_VOLUME, - 
"SeManageVolumePrivilege", - "Manage system volumes"}, - - {SEC_PRIV_IMPERSONATE, - SE_IMPERSONATE, - "SeImpersonatePrivilege", - "Impersonate users"}, - - {SEC_PRIV_CREATE_GLOBAL, - SE_CREATE_GLOBAL, - "SeCreateGlobalPrivilege", - "Create global"}, - - {SEC_PRIV_ENABLE_DELEGATION, - SE_ENABLE_DELEGATION, - "SeEnableDelegationPrivilege", - "Enable Delegation"}, - - {SEC_PRIV_INTERACTIVE_LOGON, - SE_INTERACTIVE_LOGON, - "SeInteractiveLogonRight", - "Interactive logon"}, - - {SEC_PRIV_NETWORK_LOGON, - SE_NETWORK_LOGON, - "SeNetworkLogonRight", - "Network logon"}, - - {SEC_PRIV_REMOTE_INTERACTIVE_LOGON, - SE_REMOTE_INTERACTIVE_LOGON, - "SeRemoteInteractiveLogonRight", - "Remote Interactive logon"}, - - {SEC_PRIV_MACHINE_ACCOUNT, - SE_MACHINE_ACCOUNT, - "SeMachineAccountPrivilege", - "Add workstations to domain"}, - - /* These last 3 are Samba only */ - {SEC_PRIV_PRINT_OPERATOR, - SE_PRINT_OPERATOR, - "SePrintOperatorPrivilege", - "Manage printers"}, - - {SEC_PRIV_ADD_USERS, - SE_ADD_USERS, - "SeAddUsersPrivilege", - "Add users and groups to the domain"}, - - {SEC_PRIV_DISK_OPERATOR, - SE_DISK_OPERATOR, - "SeDiskOperatorPrivilege", - "Manage disk shares"}, -}; - - /* map a privilege id to the wire string constant */ const char *sec_privilege_name(enum sec_privilege privilege) { int i; - for (i=0;i 64) { return NULL; } - for (i=0;i= 0 && idx= 0 && idx