source4/libcli/security/privilege.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    manipulate privileges
   5
   6    Copyright (C) Andrew Tridgell 2004
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 3 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  20 */
  21
  22 #include "includes.h"
  23 #include "librpc/gen_ndr/security.h"
  24
  25
  26 static const struct {
  27         enum sec_privilege privilege;
  28         const char *name;
  29         const char *display_name;
  30 } privilege_names[] = {
  31         {SEC_PRIV_SECURITY,
  32          "SeSecurityPrivilege",
  33         "System security"},
  34
  35         {SEC_PRIV_BACKUP,
  36          "SeBackupPrivilege",
  37          "Backup files and directories"},
  38
  39         {SEC_PRIV_RESTORE,
  40          "SeRestorePrivilege",
  41         "Restore files and directories"},
  42
  43         {SEC_PRIV_SYSTEMTIME,
  44          "SeSystemtimePrivilege",
  45         "Set the system clock"},
  46
  47         {SEC_PRIV_SHUTDOWN,
  48          "SeShutdownPrivilege",
  49         "Shutdown the system"},
  50
  51         {SEC_PRIV_REMOTE_SHUTDOWN,
  52          "SeRemoteShutdownPrivilege",
  53         "Shutdown the system remotely"},
  54
  55         {SEC_PRIV_TAKE_OWNERSHIP,
  56          "SeTakeOwnershipPrivilege",
  57         "Take ownership of files and directories"},
  58
  59         {SEC_PRIV_DEBUG,
  60          "SeDebugPrivilege",
  61         "Debug processes"},
  62
  63         {SEC_PRIV_SYSTEM_ENVIRONMENT,
  64          "SeSystemEnvironmentPrivilege",
  65         "Modify system environment"},
  66
  67         {SEC_PRIV_SYSTEM_PROFILE,
  68          "SeSystemProfilePrivilege",
  69         "Profile the system"},
  70
  71         {SEC_PRIV_PROFILE_SINGLE_PROCESS,
  72          "SeProfileSingleProcessPrivilege",
  73         "Profile one process"},
  74
  75         {SEC_PRIV_INCREASE_BASE_PRIORITY,
  76          "SeIncreaseBasePriorityPrivilege",
  77          "Increase base priority"},
  78
  79         {SEC_PRIV_LOAD_DRIVER,
  80          "SeLoadDriverPrivilege",
  81         "Load drivers"},
  82
  83         {SEC_PRIV_CREATE_PAGEFILE,
  84          "SeCreatePagefilePrivilege",
  85         "Create page files"},
  86
  87         {SEC_PRIV_INCREASE_QUOTA,
  88          "SeIncreaseQuotaPrivilege",
  89         "Increase quota"},
  90
  91         {SEC_PRIV_CHANGE_NOTIFY,
  92          "SeChangeNotifyPrivilege",
  93         "Register for change notify"},
  94
  95         {SEC_PRIV_UNDOCK,
  96          "SeUndockPrivilege",
  97         "Undock devices"},
  98
  99         {SEC_PRIV_MANAGE_VOLUME,
 100          "SeManageVolumePrivilege",
 101         "Manage system volumes"},
 102
 103         {SEC_PRIV_IMPERSONATE,
 104          "SeImpersonatePrivilege",
 105         "Impersonate users"},
 106
 107         {SEC_PRIV_CREATE_GLOBAL,
 108          "SeCreateGlobalPrivilege",
 109         "Create global"},
 110
 111         {SEC_PRIV_ENABLE_DELEGATION,
 112          "SeEnableDelegationPrivilege",
 113         "Enable Delegation"},
 114
 115         {SEC_PRIV_INTERACTIVE_LOGON,
 116          "SeInteractiveLogonRight",
 117         "Interactive logon"},
 118
 119         {SEC_PRIV_NETWORK_LOGON,
 120          "SeNetworkLogonRight",
 121         "Network logon"},
 122
 123         {SEC_PRIV_REMOTE_INTERACTIVE_LOGON,
 124          "SeRemoteInteractiveLogonRight",
 125         "Remote Interactive logon"}
 126 };
 127
 128
 129 /*
 130   map a privilege id to the wire string constant
 131 */
 132 const char *sec_privilege_name(enum sec_privilege privilege)
 133 {
 134         int i;
 135         for (i=0;i<ARRAY_SIZE(privilege_names);i++) {
 136                 if (privilege_names[i].privilege == privilege) {
 137                         return privilege_names[i].name;
 138                 }
 139         }
 140         return NULL;
 141 }
 142
 143 /*
 144   map a privilege id to a privilege display name. Return NULL if not found
 145
 146   TODO: this should use language mappings
 147 */
 148 const char *sec_privilege_display_name(enum sec_privilege privilege, uint16_t *language)
 149 {
 150         int i;
 151         if (privilege < 1 || privilege > 64) {
 152                 return NULL;
 153         }
 154         for (i=0;i<ARRAY_SIZE(privilege_names);i++) {
 155                 if (privilege_names[i].privilege == privilege) {
 156                         return privilege_names[i].display_name;
 157                 }
 158         }
 159         return NULL;
 160 }
 161
 162 /*
 163   map a privilege name to a privilege id. Return -1 if not found
 164 */
 165 enum sec_privilege sec_privilege_id(const char *name)
 166 {
 167         int i;
 168         for (i=0;i<ARRAY_SIZE(privilege_names);i++) {
 169                 if (strcasecmp(privilege_names[i].name, name) == 0) {
 170                         return privilege_names[i].privilege;
 171                 }
 172         }
 173         return -1;
 174 }
 175
 176
 177 /*
 178   return a privilege mask given a privilege id
 179 */
 180 static uint64_t sec_privilege_mask(enum sec_privilege privilege)
 181 {
 182         uint64_t mask = 1;
 183
 184         if (privilege < 1 || privilege > 64) {
 185                 return 0;
 186         }
 187
 188         mask <<= (privilege-1);
 189         return mask;
 190 }
 191
 192
 193 /*
 194   return True if a security_token has a particular privilege bit set
 195 */
 196 BOOL security_token_has_privilege(const struct security_token *token, enum sec_privilege privilege)
 197 {
 198         uint64_t mask;
 199
 200         if (privilege < 1 || privilege > 64) {
 201                 return False;
 202         }
 203
 204         mask = sec_privilege_mask(privilege);
 205         if (token->privilege_mask & mask) {
 206                 return True;
 207         }
 208         return False;
 209 }
 210
 211 /*
 212   set a bit in the privilege mask
 213 */
 214 void security_token_set_privilege(struct security_token *token, enum sec_privilege privilege)
 215 {
 216         if (privilege < 1 || privilege > 64) {
 217                 return;
 218         }
 219         token->privilege_mask |= sec_privilege_mask(privilege);
 220 }
 221
 222 void security_token_debug_privileges(int dbg_lev, const struct security_token *token)
 223 {
 224         DEBUGADD(dbg_lev, (" Privileges (0x%16llX):\n",
 225                             (unsigned long long) token->privilege_mask));
 226
 227         if (token->privilege_mask) {
 228                 int i = 0;
 229                 uint_t privilege;
 230
 231                 for (privilege = 1; privilege <= 64; privilege++) {
 232                         uint64_t mask = sec_privilege_mask(privilege);
 233
 234                         if (token->privilege_mask & mask) {
 235                                 DEBUGADD(dbg_lev, ("  Privilege[%3lu]: %s\n", (unsigned long)i++,
 236                                         sec_privilege_name(privilege)));
 237                         }
 238                 }
 239         }
 240 }