//+------------------------------------------------------------------------- // // Microsoft Windows // Copyright (C) Microsoft Corporation, 1992 - 1992. // // File: CAIROSEAPI.H // // Contents: This file contains the stuff to be merged with ntseapi.h // after Daytona ships. // // This file contains the CAIROSID structure to // be used by Cairo interchangebly with the NT SID structure. // Also included is the planned Cairo SID structure to // be used when the SID revision is changed. This change // will not occur until after Daytona ships because of the // extent of the kernel changes required. // The same is true of the ACE structure; there is a current // Cairo version, and, commented out, the planned Cairo // version when the ACL revision is changed. // // History: 7/94 davemont created // //-------------------------------------------------------------------------- #include #if !defined( __CAIROSEAPI_H__ ) #define __CAIROSEAPI_H__ //////////////////////////////////////////////////////////////////////// // // // Cairo Security Id (CAIROSID) // // // //////////////////////////////////////////////////////////////////////// // // // Pictorially the structure of an Cairo SID is as follows: // // 1 1 1 1 1 1 // 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 // +---------------------------------------------------------------+ // | SubAuthorityCount = 10 |Reserved1 (SBZ)| Revision | // +---------------------------------------------------------------+ // | IdentifierAuthority[0,1] | // +---------------------------------------------------------------+ // | IdentifierAuthority[2,3] | // +---------------------------------------------------------------+ // | IdentifierAuthority[4,5] = 5 | // +---------------------------------------------------------------+ // | | // +- - SubAuthority[0] = SECURITY_NT2_NON_UNIQUE = 16 - - - - -+ // | | // +---------------------------------------------------------------+ // | | // +- - SubAuthority[1] = SECURITY_NT2_REVISION_RID = 0 - - - -+ // | | // +---------------------------------------------------------------+ // | | // +- - - - - - - - Domain ID - - - - - - - - - - -+ // | | // +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -+ // | | // +- - - - - - - - - - - - - - - - - - - - - -+ // | | // +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -+ // | | // +- - - - - - - - - - - - - - - - - - - - - -+ // | | // +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -+ // | | // +- - - - - - - - - - - - - - - - - - - - - -+ // | | // +---------------------------------------------------------------+ // | | // +- - - - - - - - Rid - - - - - - - - - - - - -+ // | | // +---------------------------------------------------------------+ // // // #define CAIROSID_SUBAUTHORITY_COUNT 7 #define SECURITY_NT2_NON_UNIQUE 16 #define SECURITY_NT2_REVISION_RID 0 typedef struct _CAIROSID { UCHAR Revision; UCHAR SubAuthorityCount; SID_IDENTIFIER_AUTHORITY IdentifierAuthority; ULONG ZerothSubAuthority; ULONG FirstSubAuthority; GUID sDomain; ULONG rid; } CAIROSID, *PICAIROSID; //////////////////////////////////////////////////////////////////////// // // // ACL and ACE // // // //////////////////////////////////////////////////////////////////////// // // // Define an ACL and the ACE format. The structure of an ACL header // followed by one or more ACEs. Pictorally the structure of an ACL header // is as follows: // // 3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1 // 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 // +-------------------------------+---------------+---------------+ // | AclSize | Sbz1 | AclRevision | // +-------------------------------+---------------+---------------+ // | Sbz2 | AceCount | // +-------------------------------+-------------------------------+ // // The current AclRevision is defined to be ACL_REVISION. // // AclSize is the size, in bytes, allocated for the ACL. This includes // the ACL header, ACES, and remaining free space in the buffer. // // AceCount is the number of ACES in the ACL. // // //#define CAIRO_ACL_REVISION (3) // // // The structure of an ACE is a common ace header followed by ace type // specific data. Pictorally the structure of the common ace header is // as follows: // // 3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1 // 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 // +---------------+-------+-------+---------------+---------------+ // | AceSize | AceFlags | AceType | // +---------------+-------+-------+---------------+---------------+ // // AceType denotes the type of the ace, there are some predefined ace // types // // AceSize is the size, in bytes, of ace. // // AceFlags are the Ace flags for audit and inheritance, defined shortly. // // // The following are the predefined ace types that go into the AceType // field of an Ace header. // // // #define ACCESS_ALLOWED_ACE_TYPE (0x0) // #define ACCESS_DENIED_ACE_TYPE (0x1) // #define SYSTEM_AUDIT_ACE_TYPE (0x2) // #define SYSTEM_ALARM_ACE_TYPE (0x3) // // The following are the inherit flags that go into the AceFlags field // of an Ace header. // // #define OBJECT_INHERIT_ACE (0x1) // #define CONTAINER_INHERIT_ACE (0x2) // #define NO_PROPAGATE_INHERIT_ACE (0x4) // #define INHERIT_ONLY_ACE (0x8) // #define END_OF_INHERITED_ACE (0x10) // #define VALID_INHERIT_FLAGS (0x1F) // CAIRO ACE FLAGS //#define SIMPLE_CAIRO_ACE (OX0) //#define IMPERSONATE_CAIRO_ACE (0x1) // The following are the currently defined ACE flags that go into the // AceFlags field of an ACE header. Each ACE type has its own set of // AceFlags. // // SUCCESSFUL_ACCESS_ACE_FLAG - used only with system audit and alarm ACE // types to indicate that a message is generated for successful accesses. // // FAILED_ACCESS_ACE_FLAG - used only with system audit and alarm ACE types // to indicate that a message is generated for failed accesses. // // // SYSTEM_AUDIT and SYSTEM_ALARM AceFlags // // These control the signaling of audit and alarms for success or failure. // // //#define SUCCESSFUL_ACCESS_ACE_FLAG (0x40) //#define FAILED_ACCESS_ACE_FLAG (0x80) // // // Following is a picture of the current Cairo ACE. Right now we use // the extra space in the ACE after the SID to save the name. As a fail // safe the length of the name is stored, it must be less than the remaining // length of the ACE. // // 3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1 // 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 // +---------------+-------+-------+---------------+---------------+ // | AceSize | AceFlags | AceType | // +---------------+-------+-------+---------------+---------------+ // | Mask | // +---------------------------------------------------------------+ // | | // | NT version of CairoSID | // | | // +---------------------------------------------------------------+ // | [optional] length of name | // +---------------------------------------------------------------+ // | [optional] name (null terminated) | // | | // | | // | | // | | // +---------------------------------------------------------------+ // typedef struct _CAIRO_ACE { ACE_HEADER Header; ACCESS_MASK Mask; CAIROSID CSid; ULONG cNameLength; WCHAR Name[ANYSIZE_ARRAY]; } CAIRO_ACE, *PCAIRO_ACE; //-------------------------------------------------------------------------- // // Following is the final version of the Cairo ACE. // // 3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1 // 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 // +---------------+-------+-------+---------------+---------------+ // | AceSize | AceFlags | AceType | // +---------------+-------+-------+---------------+---------------+ // | Mask | // +---------------------------------------------------------------+ // | AdvancedAceType | SidCount | // +---------------------------------------------------------------+ // | | // + + // | SID | // + or + // | CairoSID | // + + // | | // +---------------------------------------------------------------+ // | offset to ID name | // +---------------------------------------------------------------+ // | [optional] | // + + // | SID | // + or + // | CairoSID | // + + // | | // +---------------------------------------------------------------+ // | [optional] | // | offset to ID name | // +---------------------------------------------------------------+ // | | // | name (null terminated) | // | | // +---------------------------------------------------------------+ // | [optional] | // | name (null terminated) | // | | // +---------------------------------------------------------------+ // // // Mask is the access mask associated with the ACE. This is either the // access allowed, access denied, audit, or alarm mask. // // Sid is the Sid associated with the ACE. // // //typedef struct _ACCESS_ACE { // ACE_HEADER Header; // ACCESS_MASK Mask; // USHORT AdvancedAceType; // USHORT SidCount; // ULONG SidStart; //} ACCESS_ACE; //typedef ACCESS_ACE *PACCESS_ACE; // //-------------------------------------------------------------------------- // // Well-known identifiers // #if 0 // // The on disk format for identifiers is as follows: // // SID Format: // // S-1-4-x1-x2-x3-x4-y1-y2-y3-y4 // // Where the S-1-4 is a standard prefix for our identifiers // // x1-x4 are the GUID of the principal, mapped to consecutive ulongs // y1-y4 are the GUID of the principal's domain, mapped as above. // // // There are several well known "guids" which are used to represent either // artificial groups or domain-wide constants. These are listed below. To // use them, use the AllocateAndInitializeSid call. // // // This define is used to determine the needed size for the SID. // // You would use this as the second parameter to AllocateAndInitializeSid // #define SECURITY_SID_RID_COUNT 8 #define SECURITY_NT2_AUTHORITY {0, 0, 0, 0, 0, 4} // // A well known "guid" exists to represent the local domain, which really // means local machine. This domain is assigned only to local identifiers. // #define SECURITY_LOCAL_DOMAIN_1 0 #define SECURITY_LOCAL_DOMAIN_2 0 #define SECURITY_LOCAL_DOMAIN_3 0 #define SECURITY_LOCAL_DOMAIN_4 105 #define SECURITY_LOCAL_DOMAIN_GUID {0, 0, 0, {0, 0, 0, 0, 105, 0, 0, 0} } // // A well known "guid" exists to represent the PRIVATE group. This group is // actually the same as the NT admin alias // #define SECURITY_PRIVATE_GROUP_SID_COUNT 2 #define SECURITY_PRIVATE_GROUP_1 32 #define SECURITY_PRIVATE_GROUP_2 544 #define SECURITY_PRIVATE_GROUP_GUID {2, 32, 544, {0, 0, 0, 0, 0, 0, 0, 0}} // // A well known "guid" exists to represent the PUBLIC group. This group is // actually the same as the NT guest group. // #define SECURITY_PUBLIC_GROUP_SID_COUNT 2 #define SECURITY_PUBLIC_GROUP_1 32 #define SECURITY_PUBLIC_GROUP_2 545 #define SECURITY_PUBLIC_GROUP_GUID {2, 32, 545, {0, 0, 0, 0, 0, 0, 0, 0}} // // A well known "guid" exists to represent the GUEST user. This group is // actually the same as the NT guest user. // #define SECURITY_GUEST_USER_SID_COUNT 2 #define SECURITY_GUEST_USER_1 32 #define SECURITY_GUEST_USER_2 501 #define SECURITY_GUEST_USER_GUID {2, 32, 501, {0, 0, 0, 0, 0, 0, 0, 0}} #endif // // Next free rid is 0x256. Last free is 0x3e7 (999) // The local PRIVATE group. This is actually the same as the NT admin group #define DOMAIN_GROUP_RID_PRIVATE DOMAIN_ALIAS_RID_ADMINS // The local PUBLIC group. This is actually the same as the NT users group #define DOMAIN_GROUP_RID_PUBLIC DOMAIN_ALIAS_RID_USERS #define DOMAIN_GROUP_RID_BACKUP_OPS DOMAIN_ALIAS_RID_BACKUP_OPS #define DOMAIN_GROUP_RID_ACCOUNT_OPS DOMAIN_ALIAS_RID_ACCOUNT_OPS #define DOMAIN_GROUP_RID_PRINT_OPS DOMAIN_ALIAS_RID_PRINT_OPS #define DOMAIN_GROUP_RID_SERVER_OPS DOMAIN_ALIAS_RID_SYSTEM_OPS #define DOMAIN_SERVICE_RID_KDC 0x250 #define DOMAIN_SERVICE_RID_DFSM 0x251 #define DOMAIN_SERVICE_RID_DS_SERVER 0x252 #define DOMAIN_SERVICE_RID_NTLMSVC 0x253 #define DOMAIN_SERVICE_RID_PRIVSVR 0x254 #define DOMAIN_SERVICE_RID_ORASVC 0x255 // NULL Guid // #define SECURITY_NULL_GUID {0, 0, 0, {0, 0, 0, 0, 0, 0, 0, 0} } #endif // __CAIROSEAPI_H__