source: trunk/include/winsec.h @ 169

Last change on this file since 169 was 169, checked in by tim, 14 years ago

filled in additional, minimal documentation
  • Property svn:keywords set to Id
File size: 6.8 KB
Line 
1/*
2 * Copyright (C) 2005,2009-2010 Timothy D. Morgan
3 * Copyright (C) 1992-2005 Samba development team
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation; version 3 of the License.
8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12 * GNU General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, write to the Free Software
16 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
17 *
18 * $Id: winsec.h 169 2010-03-03 19:24:58Z tim $
19 */
20
21/**
22 * @file
23 *
24 * A small library for interpreting Windows Security Descriptors.
25 * This library was originally based on Samba source from:
26 *   http://websvn.samba.org/cgi-bin/viewcvs.cgi/trunk/source/
27 *
28 * The library has been heavily rewritten and improved based on information
29 * provided by Microsoft at:
30 *    http://msdn.microsoft.com/en-us/library/cc230366%28PROT.10%29.aspx
31 */
32
33#ifndef _WINSEC_H
34#define _WINSEC_H
35
36#include <stdlib.h>
37#include <stdbool.h>
38#include <stdint.h>
39#include <stdio.h>
40#include <string.h>
41#include <errno.h>
42#include <fcntl.h>
43#include <sys/stat.h>
44#include <sys/types.h>
45#include <unistd.h>
46
47#include "talloc.h"
48#include "byteorder.h"
49
50
51/* This is the maximum number of subauths in a SID, as defined here:
52 *   http://msdn.microsoft.com/en-us/library/cc230371(PROT.10).aspx
53 */
54#define WINSEC_MAX_SUBAUTHS 15
55
56#define WINSEC_DESC_HEADER_SIZE     (5 * sizeof(uint32_t))
57#define WINSEC_ACL_HEADER_SIZE      (2 * sizeof(uint32_t))
58#define WINSEC_ACE_MIN_SIZE         16
59
60/* XXX: Fill in definitions of other flags */
61/* This self relative flag means offsets contained in the descriptor are relative
62 * to the descriptor's offset.  This had better be true in the registry.
63 */
64#define WINSEC_DESC_SELF_RELATIVE   0x8000
65#define WINSEC_DESC_SACL_PRESENT    0x0010
66#define WINSEC_DESC_DACL_PRESENT    0x0004
67
68#define WINSEC_ACE_OBJECT_PRESENT              0x00000001
69#define WINSEC_ACE_OBJECT_INHERITED_PRESENT    0x00000002
70#define WINSEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT  0x5
71#define WINSEC_ACE_TYPE_ACCESS_DENIED_OBJECT   0x6
72#define WINSEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT    0x7
73#define WINSEC_ACE_TYPE_SYSTEM_ALARM_OBJECT    0x8
74
75
76/** XXX: document this. */
77typedef struct _winsec_uuid
78{
79  /** XXX: document this. */
80  uint32_t time_low;
81
82  /** XXX: document this. */
83  uint16_t time_mid;
84
85  /** XXX: document this. */
86  uint16_t time_hi_and_version;
87
88  /** XXX: document this. */
89  uint8_t  clock_seq[2];
90
91  /** XXX: document this. */
92  uint8_t  node[6];
93} WINSEC_UUID;
94
95
96/** XXX: document this. */
97typedef struct _winsec_sid
98{
99  /** SID revision number */
100  uint8_t  sid_rev_num;
101
102  /** Number of sub-authorities */
103  uint8_t  num_auths;
104
105  /** Identifier Authority */
106  uint8_t  id_auth[6];
107
108  /** Pointer to sub-authorities.
109   *
110   * @note The values in these uint32_t's are in *native* byteorder, not
111   * neccessarily little-endian...... JRA.
112   */
113  uint32_t sub_auths[WINSEC_MAX_SUBAUTHS];   /* XXX: Make this dynamically allocated? */
114} WINSEC_DOM_SID;
115
116
117/** XXX: document this. */
118typedef struct _winsec_ace
119{
120  /** xxxx_xxxx_ACE_TYPE - e.g allowed / denied etc */
121  uint8_t type;
122
123  /** xxxx_INHERIT_xxxx - e.g OBJECT_INHERIT_ACE */
124  uint8_t flags;
125
126  /** XXX: finish documenting */
127  uint16_t size;
128
129  /** XXX: finish documenting */
130  uint32_t access_mask;
131 
132  /* This stuff may be present when type is XXXX_TYPE_XXXX_OBJECT */
133
134  /** xxxx_ACE_OBJECT_xxxx e.g present/inherited present etc */
135  uint32_t  obj_flags;
136
137  /** Object GUID */
138  WINSEC_UUID* obj_guid;
139
140  /** Inherited object GUID */
141  WINSEC_UUID* inh_guid;
142
143  /* eof object stuff */
144 
145  /** XXX: finish documenting */
146  WINSEC_DOM_SID* trustee;
147
148} WINSEC_ACE;
149
150
151/** XXX: document this. */
152typedef struct _winsec_acl
153{
154  /** 0x0003 */
155  uint16_t revision;
156
157  /** Size, in bytes, of the entire ACL structure */
158  uint16_t size;
159
160  /** Number of Access Control Entries */
161  uint32_t num_aces;
162 
163  /** XXX: document this. */
164  WINSEC_ACE** aces;
165
166} WINSEC_ACL;
167
168
169/** XXX: document this. */
170typedef struct _winsec_desc
171{
172  /** 0x01 */
173  uint8_t revision;
174
175  /** XXX: better explain this
176   *
177   * "If the Control field has the RM flag set, then this field contains the
178   *  resource manager (RM) control value. ... Otherwise, this field is reserved
179   *  and MUST be set to zero." -- Microsoft.
180   *  See:
181   *   http://msdn.microsoft.com/en-us/library/cc230371%28PROT.10%29.aspx
182   */
183  uint8_t sbz1;
184
185  /** WINSEC_DESC_* flags */
186  uint16_t control;
187 
188  /** Offset to owner sid */
189  uint32_t off_owner_sid;
190
191  /** Offset to group sid */
192  uint32_t off_grp_sid;
193
194  /** Offset to system list of permissions */
195  uint32_t off_sacl;
196
197  /** Offset to list of permissions */
198  uint32_t off_dacl;
199
200  /** XXX: document this */
201  WINSEC_DOM_SID* owner_sid; 
202
203  /** XXX: document this */
204  WINSEC_DOM_SID* grp_sid;
205
206  /** System ACL */
207  WINSEC_ACL* sacl;
208
209  /** User ACL */
210  WINSEC_ACL* dacl;
211
212} WINSEC_DESC;
213
214
215/**
216 *
217 * XXX: finish documenting
218 */
219WINSEC_DESC* winsec_parse_descriptor(const uint8_t* buf, uint32_t buf_len);
220
221
222/**
223 *
224 * XXX: finish documenting
225 */
226void winsec_free_descriptor(WINSEC_DESC* desc);
227
228/**
229 *
230 * XXX: finish documenting
231 */
232WINSEC_DESC* winsec_parse_desc(void* talloc_ctx,
233                               const uint8_t* buf, uint32_t buf_len);
234
235/**
236 *
237 * XXX: finish documenting
238 */
239WINSEC_ACL* winsec_parse_acl(void* talloc_ctx, 
240                             const uint8_t* buf, uint32_t buf_len);
241
242/**
243 *
244 * XXX: finish documenting
245 */
246WINSEC_ACE* winsec_parse_ace(void* talloc_ctx, 
247                             const uint8_t* buf, uint32_t buf_len);
248
249/**
250 *
251 * XXX: finish documenting
252 */
253WINSEC_DOM_SID* winsec_parse_dom_sid(void* talloc_ctx, 
254                                     const uint8_t* buf, uint32_t buf_len);
255
256/**
257 *
258 * XXX: finish documenting
259 */
260WINSEC_UUID* winsec_parse_uuid(void* talloc_ctx, 
261                               const uint8_t* buf, uint32_t buf_len);
262
263
264/**
265 *
266 * XXX: finish documenting
267 */
268size_t winsec_sid_size(const WINSEC_DOM_SID* sid);
269
270/**
271 *
272 * XXX: finish documenting
273 */
274int winsec_sid_compare_auth(const WINSEC_DOM_SID* sid1, const WINSEC_DOM_SID* sid2);
275
276/**
277 *
278 * XXX: finish documenting
279 */
280int winsec_sid_compare(const WINSEC_DOM_SID* sid1, const WINSEC_DOM_SID* sid2);
281
282/**
283 *
284 * XXX: finish documenting
285 */
286bool winsec_sid_equal(const WINSEC_DOM_SID* sid1, const WINSEC_DOM_SID* sid2);
287
288/**
289 *
290 * XXX: finish documenting
291 */
292bool winsec_desc_equal(WINSEC_DESC* s1, WINSEC_DESC* s2);
293
294/**
295 *
296 * XXX: finish documenting
297 */
298bool winsec_acl_equal(WINSEC_ACL* s1, WINSEC_ACL* s2);
299
300/**
301 *
302 * XXX: finish documenting
303 */
304bool winsec_ace_equal(WINSEC_ACE* s1, WINSEC_ACE* s2);
305
306/**
307 *
308 * XXX: finish documenting
309 */
310bool winsec_ace_object(uint8_t type);
311
312#endif /* _WINSEC_H */
Note: See TracBrowser for help on using the repository browser.