1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 /*
  22  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
  23  * Use is subject to license terms.
  24  */
  25 
  26 #ifndef _SMBSRV_NTACCESS_H
  27 #define _SMBSRV_NTACCESS_H
  28 
  29 #pragma ident   "%Z%%M% %I%     %E% SMI"
  30 
  31 /*
  32  * This file defines the NT compatible access control masks and values.
  33  * An access mask is a 32-bit value arranged as shown below.
  34  *
  35  *   31-28    Generic bits, interpreted per object type
  36  *   27-26    Reserved, must-be-zero
  37  *   25       Maximum allowed
  38  *   24       System Security rights (access to the SACL in the SD)
  39  *   23-16    Standard access rights, generic to all object types
  40  *   15-0     Specific access rights, object specific
  41  *
  42  *   3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1
  43  *   1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
  44  *   +---------------+---------------+-------------------------------+
  45  *   |G|G|G|G|Res'd|A| StandardRights|         SpecificRights        |
  46  *   |R|W|E|A|     |S|               |                               |
  47  *   +-+-------------+---------------+-------------------------------+
  48  */
  49 
  50 #ifdef __cplusplus
  51 extern "C" {
  52 #endif
  53 
  54 /*
  55  * Specific rights for files, pipes and directories.
     *
     * These occupy bits 15-0 of the access mask (see the header comment).
     * The same bit value carries a different meaning depending on the type
     * of the object it is applied to (0x0001 is FILE_READ_DATA on a file or
     * pipe but FILE_LIST_DIRECTORY on a directory), so a mask can only be
     * interpreted together with the object type.
  56  */
  57 #define FILE_READ_DATA                  (0x0001) /* file & pipe */
  58 #define FILE_LIST_DIRECTORY             (0x0001) /* directory */
  59 #define FILE_WRITE_DATA                 (0x0002) /* file & pipe */
  60 #define FILE_ADD_FILE                   (0x0002) /* directory */
  61 #define FILE_APPEND_DATA                (0x0004) /* file */
  62 #define FILE_ADD_SUBDIRECTORY           (0x0004) /* directory */
  63 #define FILE_CREATE_PIPE_INSTANCE       (0x0004) /* named pipe */
  64 #define FILE_READ_EA                    (0x0008) /* file & directory */
  65 #define FILE_READ_PROPERTIES            (0x0008) /* pipe */
  66 #define FILE_WRITE_EA                   (0x0010) /* file & directory */
  67 #define FILE_WRITE_PROPERTIES           (0x0010) /* pipe */
  68 #define FILE_EXECUTE                    (0x0020) /* file */
  69 #define FILE_TRAVERSE                   (0x0020) /* directory */
  70 #define FILE_DELETE_CHILD               (0x0040) /* directory */
  71 #define FILE_READ_ATTRIBUTES            (0x0080) /* all */
  72 #define FILE_WRITE_ATTRIBUTES           (0x0100) /* all */
     /*
      * Every specific-rights bit defined above for files, pipes and
      * directories: bits 8-0.  FILE_ALL_ACCESS below spells this same
      * value out as a literal 0x1FF.
      */
  73 #define FILE_SPECIFIC_ALL               (0x000001FFL)
     /*
      * The whole 16-bit specific-rights field.  Bits 15-9 have no file,
      * pipe or directory meaning in this header.
      * NOTE(review): a request whose specific bits fall outside
      * FILE_SPECIFIC_ALL names no defined right; confirm that the file
      * access check treats such bits as invalid rather than granting them.
      */
  74 #define SPECIFIC_RIGHTS_ALL             (0x0000FFFFL)
  75 
  76 
  77 /*
  78  * Standard rights:
     *
     * These occupy bits 23-16 of the access mask and have the same meaning
     * for every object type.
  79  *
  80  * DELETE       The right to delete the object.
  81  *
  82  * READ_CONTROL The right to read the information in the object's security
  83  *              descriptor, not including the information in the SACL.
  84  *
  85  * WRITE_DAC    The right to modify the DACL in the object's security
  86  *              descriptor.
  87  *
  88  * WRITE_OWNER  The right to change the owner in the object's security
  89  *              descriptor.
     *
     *              WRITE_DAC and WRITE_OWNER each let the holder alter the
     *              object's protection itself, so they are more sensitive
     *              than the data rights and deserve attention when auditing
     *              an ACL.  NOTE(review): in NT the owner can always rewrite
     *              the DACL; confirm whether this server applies the same
     *              implicit owner right.
  90  *
  91  * SYNCHRONIZE  The right to use the object for synchronization. This enables
  92  *              a thread to wait until the object is in the signaled state.
  93  */
  94 #define DELETE                          (0x00010000L)
  95 #define READ_CONTROL                    (0x00020000L)
  96 #define WRITE_DAC                       (0x00040000L)
  97 #define WRITE_OWNER                     (0x00080000L) /* take ownership */
  98 #define SYNCHRONIZE                     (0x00100000L)
     /* DELETE | READ_CONTROL | WRITE_DAC | WRITE_OWNER */
  99 #define STANDARD_RIGHTS_REQUIRED        (0x000F0000L)
     /* STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE */
 100 #define STANDARD_RIGHTS_ALL             (0x001F0000L)
 101 
 102 
     /*
      * All three deliberately expand to READ_CONTROL.  This mirrors the NT
      * definitions: the standard-rights part of every generic mapping is
      * only the right to read the security descriptor.  Do not "fix" them
      * to differ from each other.
      */
 103 #define STANDARD_RIGHTS_READ            (READ_CONTROL)
 104 #define STANDARD_RIGHTS_WRITE           (READ_CONTROL)
 105 #define STANDARD_RIGHTS_EXECUTE         (READ_CONTROL)
 106 
     /*
      * Composite masks.
      *
      * FILE_METADATA_ALL: every right that reads or writes the object's
      * metadata (EAs, attributes, security descriptor) plus SYNCHRONIZE.
      * It includes WRITE_DAC and WRITE_OWNER, so granting it grants control
      * over the object's protection, not just over its attributes.
      */
 107 #define FILE_METADATA_ALL               (FILE_READ_EA           |\
 108                                         FILE_READ_ATTRIBUTES    |\
 109                                         READ_CONTROL            |\
 110                                         FILE_WRITE_EA           |\
 111                                         FILE_WRITE_ATTRIBUTES   |\
 112                                         WRITE_DAC               |\
 113                                         WRITE_OWNER             |\
 114                                         SYNCHRONIZE)
 115 
     /*
      * FILE_DATA_ALL: the rights that touch the object's content, plus
      * DELETE.  Neither FILE_DATA_ALL nor FILE_METADATA_ALL covers
      * FILE_DELETE_CHILD.
      */
 116 #define FILE_DATA_ALL                   (FILE_READ_DATA         |\
 117                                         FILE_WRITE_DATA         |\
 118                                         FILE_APPEND_DATA        |\
 119                                         FILE_EXECUTE            |\
 120                                         DELETE)
 121 
     /*
      * FILE_ALL_ACCESS: the NT value, 0x001F01FF.  The literal 0x1FF is the
      * same set of bits as FILE_SPECIFIC_ALL.  It does not include
      * ACCESS_SYSTEM_SECURITY, MAXIMUM_ALLOWED or any generic bit.
      */
 122 #define FILE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1FF)
 123 
 124 
 125 /*
 126  * Miscellaneous bits: SACL access and maximum allowed access.
      *
      * ACCESS_SYSTEM_SECURITY (bit 24) is the right to read or write the
      * SACL, which READ_CONTROL explicitly excludes (see above).
      * NOTE(review): in NT this right is granted by a privilege check rather
      * than by the DACL; confirm how the access check here handles it.
      *
      * MAXIMUM_ALLOWED (bit 25) is a request flag, not a right: it asks the
      * server to grant whatever the caller is entitled to.
      * NOTE(review): it should be resolved into concrete bits by the access
      * check and never appear in a granted mask; verify against callers.
 127  */
 128 #define ACCESS_SYSTEM_SECURITY          (0x01000000L)
 129 #define MAXIMUM_ALLOWED                 (0x02000000L)
 130 
 131 
 132 /*
 133  * Generic rights. These are shorthands that are interpreted as
 134  * appropriate for the type of secured object being accessed.
      *
      * Bits 31-28.  They are placeholders: they have to be translated to
      * the object's specific and standard rights (FILE_GENERIC_* below for
      * files) before a mask can be compared with what an ACL grants.
      *
      * The UL suffix matters: GENERIC_READ sets bit 31, and combining it
      * with the L-suffixed masks above promotes the expression to unsigned
      * long.  NOTE(review): hold access masks in an unsigned 32-bit type so
      * that bit 31 is never treated as a sign bit when masks are compared,
      * stored or logged.
 135  */
 136 #define GENERIC_ALL                     (0x10000000UL)
 137 #define GENERIC_EXECUTE                 (0x20000000UL)
 138 #define GENERIC_WRITE                   (0x40000000UL)
 139 #define GENERIC_READ                    (0x80000000UL)
 140 
     /*
      * Mapping of the generic rights onto file rights.
      *
      * FILE_GENERIC_ALL is the union of the READ, WRITE and EXECUTE
      * mappings, which is narrower than FILE_ALL_ACCESS: it lacks DELETE,
      * WRITE_DAC, WRITE_OWNER and FILE_DELETE_CHILD.
      * NOTE(review): whichever of those two masks the generic-mapping code
      * substitutes for GENERIC_ALL decides whether a GENERIC_ALL request
      * can obtain delete and ownership rights; verify against the access
      * check.
      */
 141 #define FILE_GENERIC_READ (STANDARD_RIGHTS_READ |               \
 142             FILE_READ_DATA              |                       \
 143             FILE_READ_ATTRIBUTES        |                       \
 144             FILE_READ_EA                |                       \
 145             SYNCHRONIZE)
 146 
 147 #define FILE_GENERIC_WRITE (STANDARD_RIGHTS_WRITE |             \
 148             FILE_WRITE_DATA             |                       \
 149             FILE_WRITE_ATTRIBUTES       |                       \
 150             FILE_WRITE_EA               |                       \
 151             FILE_APPEND_DATA            |                       \
 152             SYNCHRONIZE)
 153 
 154 #define FILE_GENERIC_EXECUTE (STANDARD_RIGHTS_EXECUTE |         \
 155             FILE_READ_ATTRIBUTES        |                       \
 156             FILE_EXECUTE                |                       \
 157             SYNCHRONIZE)
 158 
     /* READ | WRITE | EXECUTE mappings; see the note above. */
 159 #define FILE_GENERIC_ALL (FILE_GENERIC_READ |                   \
 160             FILE_GENERIC_WRITE          |                       \
 161             FILE_GENERIC_EXECUTE)
 162 
 163 
 164 /*
 165  * LSA policy desired access masks.
      *
      * Specific rights (bits 11-0) of an LSA policy handle, one bit each.
      * NOTE(review): judging by their names, POLICY_TRUST_ADMIN,
      * POLICY_CREATE_ACCOUNT, POLICY_CREATE_SECRET, POLICY_CREATE_PRIVILEGE,
      * POLICY_AUDIT_LOG_ADMIN and POLICY_SERVER_ADMIN are administrative
      * rights; requests carrying them deserve closer review than the VIEW
      * and LOOKUP rights.
 166  */
 167 #define POLICY_VIEW_LOCAL_INFORMATION           0x00000001L
 168 #define POLICY_VIEW_AUDIT_INFORMATION           0x00000002L
 169 #define POLICY_GET_PRIVATE_INFORMATION          0x00000004L
 170 #define POLICY_TRUST_ADMIN                      0x00000008L
 171 #define POLICY_CREATE_ACCOUNT                   0x00000010L
 172 #define POLICY_CREATE_SECRET                    0x00000020L
 173 #define POLICY_CREATE_PRIVILEGE                 0x00000040L
 174 #define POLICY_SET_DEFAULT_QUOTA_LIMITS         0x00000080L
 175 #define POLICY_SET_AUDIT_REQUIREMENTS           0x00000100L
 176 #define POLICY_AUDIT_LOG_ADMIN                  0x00000200L
 177 #define POLICY_SERVER_ADMIN                     0x00000400L
 178 #define POLICY_LOOKUP_NAMES                     0x00000800L
 179 
 180 
 181 /*
 182  * SAM specific rights desired access masks. These definitions are listed
 183  * mostly as a convenience; they don't seem to be documented. Setting the
 184  * desired access mask to GENERIC_EXECUTE and STANDARD_RIGHTS_EXECUTE
 185  * seems to work when just looking up information.
      *
      * SAM_LOOKUP_INFORMATION expands to GENERIC_EXECUTE | READ_CONTROL
      * (an unsigned long, because GENERIC_EXECUTE carries the UL suffix).
      *
      * The SAM_ACCESS_* and SAM_*_ACCOUNT values are opaque bit
      * combinations; the meaning of their individual bits is not defined
      * in this header.  NOTE(review): treat them as request masks only and
      * do not derive permissions from them.
 186  */
 187 #define SAM_LOOKUP_INFORMATION (GENERIC_EXECUTE         \
 188             | STANDARD_RIGHTS_EXECUTE)
 189 
 190 #define SAM_ACCESS_USER_READ            0x0000031BL
 191 #define SAM_ACCESS_USER_UPDATE          0x0000031FL
 192 #define SAM_ACCESS_USER_SETPWD          0x0000037FL
 193 #define SAM_CONNECT_CREATE_ACCOUNT      0x00000020L
 194 #define SAM_ENUM_LOCAL_DOMAIN           0x00000030L
 195 #define SAM_DOMAIN_CREATE_ACCOUNT       0x00000211L
 196 
 197 
 198 /*
 199  * File attributes
 200  *
 201  * Note:  0x00000008 is reserved for use for the old DOS VOLID (volume ID)
 202  *        and is therefore not considered valid in NT.
 203  *
 204  * Note:  0x00000010 is reserved for use for the old DOS SUBDIRECTORY flag
 205  *        and is therefore not considered valid in NT.  This flag has
 206  *        been disassociated from file attributes since the other flags are
 207  *        protected with READ_ and WRITE_ATTRIBUTES access to the file.
 208  *
 209  * Note:  The order of these flags is set to allow both the
 210  *        FAT and the Pinball File Systems to directly set the attributes
 211  *        flags in attributes words without having to pick each flag out
 212  *        individually.  The order of these flags should not be changed!
 213  *
 214  * The file attributes are defined in smbsrv/smb_vops.h
 215  */
 216 
 217 /* Filesystem Attributes */
     /*
      * Capability flags of a whole filesystem (volume), as opposed to the
      * per-file attributes referred to above, which live in
      * smbsrv/smb_vops.h.  Bits 14-9 are not defined here.
      * NOTE(review): clients act on what is advertised here (for instance
      * FILE_PERSISTENT_ACLS or FILE_READ_ONLY_VOLUME); confirm the values
      * reported are derived from the backing filesystem rather than fixed,
      * so that a capability is never claimed that is not actually enforced.
      */
 218 #define FILE_CASE_SENSITIVE_SEARCH      0x00000001
 219 #define FILE_CASE_PRESERVED_NAMES       0x00000002
 220 #define FILE_UNICODE_ON_DISK            0x00000004
 221 #define FILE_PERSISTENT_ACLS            0x00000008
 222 #define FILE_FILE_COMPRESSION           0x00000010
 223 #define FILE_VOLUME_QUOTAS              0x00000020
 224 #define FILE_SUPPORTS_SPARSE_FILES      0x00000040
 225 #define FILE_SUPPORTS_REPARSE_POINTS    0x00000080
 226 #define FILE_SUPPORTS_REMOTE_STORAGE    0x00000100
 227 #define FILE_VOLUME_IS_COMPRESSED       0x00008000
 228 #define FILE_SUPPORTS_OBJECT_IDS        0x00010000
 229 #define FILE_SUPPORTS_ENCRYPTION        0x00020000
 230 #define FILE_NAMED_STREAMS              0x00040000
 231 #define FILE_READ_ONLY_VOLUME           0x00080000
 232 
 233 #ifdef __cplusplus
 234 }
 235 #endif
 236 
 237 #endif /* _SMBSRV_NTACCESS_H */