-rw-r--r--sid.ml134
-rw-r--r--sid.mli354
2 files changed, 471 insertions, 17 deletions
diff --git a/sid.ml b/sid.ml
index cbfe305..7051ee3 100644
--- a/sid.ml
+++ b/sid.ml
@@ -224,22 +224,138 @@ module PacketRep = struct (* [MS-DTYP] 2.4.22 *)
end (* [module PacketRep] *)
module WellKnown = struct
+ let cu = create_unsafe
+ let sa = U32.of_int
+ let ia = U64.of_int
+
(*
* see also
* https://docs.microsoft.com/en-us/windows/desktop/secauthz/well-known-sids
*)
-
- let null = create_unsafe [| U32.zero |] U64.zero
- let everyone = create_unsafe [| U32.zero |] U64.one
+ let null = cu [| U32.zero |] U64.zero
+ let everyone = cu [| U32.zero |] U64.one
let world = everyone
- let local = create_unsafe [| U32.zero |] (U64.of_int 2)
- let creator_owner_id = create_unsafe [| U32.zero |] (U64.of_int 3)
- let creator_group_id = create_unsafe [| U32.one |] (U64.of_int 3)
- let elite = create_unsafe [| U32.of_int 3 ; U32.of_int 3; U32.of_int 7 |] U64.one
- module Prefix = struct
- type toplevel_auth = ?sa:sub_auths -> unit -> sid
+ (* 1-2-… *)
+ let local = cu [| U32.zero |] (U64.of_int 2)
+ let console_logon = cu [| U32.one |] (U64.of_int 2)
+
+ (* 1-3-… *)
+ let creator_owner_id = cu [| U32.zero |] (U64.of_int 3)
+ let creator_group_id = cu [| U32.one |] (U64.of_int 3)
+ let creator_owner_server = cu [| U32.of_int 2 |] (U64.of_int 3)
+ let creator_group_server = cu [| U32.of_int 3 |] (U64.of_int 3)
+ let owner_rights = cu [| U32.of_int 4 |] (U64.of_int 3)
+ let elite = cu [| U32.of_int 3 ; U32.of_int 3; U32.of_int 7 |] U64.one
+
+ (* 1-5-… *)
+ let nt_authority = cu [| |] (U64.of_int 5)
+ let dialup = cu [| U32.one |] (U64.of_int 5)
+ let network = cu [| U32.of_int 2 |] (U64.of_int 5)
+ let batch = cu [| U32.of_int 3 |] (U64.of_int 5)
+ let interactive = cu [| U32.of_int 4 |] (U64.of_int 5)
+ let logon_id = cu [| U32.of_int 5 |] (U64.of_int 5)
+ let service = cu [| U32.of_int 6 |] (U64.of_int 5)
+ let anonymous = cu [| U32.of_int 7 |] (U64.of_int 5)
+ let proxy = cu [| U32.of_int 8 |] (U64.of_int 5)
+ let enterprise_domain_controllers = cu [| U32.of_int 9 |] (U64.of_int 5)
+ let principal_self = cu [| U32.of_int 10 |] (U64.of_int 5)
+ let authenticated_users = cu [| U32.of_int 11 |] (U64.of_int 5)
+ let restricted_code = cu [| U32.of_int 12 |] (U64.of_int 5)
+ let terminal_server_user = cu [| U32.of_int 13 |] (U64.of_int 5)
+ let remote_interactive_logon = cu [| U32.of_int 14 |] (U64.of_int 5)
+ let this_organisation = cu [| U32.of_int 15 |] (U64.of_int 5)
+ let iusr = cu [| U32.of_int 17 |] (U64.of_int 5)
+ let local_system = cu [| U32.of_int 18 |] (U64.of_int 5)
+ let local_service = cu [| U32.of_int 19 |] (U64.of_int 5)
+ let network_service = cu [| U32.of_int 20 |] (U64.of_int 5)
+
+ let compounded_authentication = cu [| sa 21; U32.zero; U32.zero; U32.zero; sa 496 |] (ia 5)
+ let claims_valid = cu [| sa 21; U32.zero; U32.zero; U32.zero; sa 497 |] (ia 5)
+
+ let administrator machine = cu [| sa 21; machine; sa 500 |] (ia 5)
+ let guest machine = cu [| sa 21; machine; sa 501 |] (ia 5)
+ let krbtgt domain = cu [| sa 21; domain; sa 502 |] (ia 5)
+ let domain_admins domain = cu [| sa 21; domain; sa 512 |] (ia 5)
+ let domain_users domain = cu [| sa 21; domain; sa 513 |] (ia 5)
+ let domain_guests domain = cu [| sa 21; domain; sa 514 |] (ia 5)
+ let domain_computers domain = cu [| sa 21; domain; sa 515 |] (ia 5)
+ let domain_domain_controllers domain = cu [| sa 21; domain; sa 516 |] (ia 5)
+ let cert_publishers domain = cu [| sa 21; domain; sa 517 |] (ia 5)
+ let schema_administrators root_domain = cu [| sa 21; root_domain; sa 518 |] (ia 5)
+ let enterprise_admins root_domain = cu [| sa 21; root_domain; sa 519 |] (ia 5)
+ let group_policy_creator_owners domain = cu [| sa 21; domain; sa 520 |] (ia 5)
+ let readonly_domain_controllers domain = cu [| sa 21; domain; sa 521 |] (ia 5)
+ let cloneable_controllers domain = cu [| sa 21; domain; sa 522 |] (ia 5)
+ let protected_users domain = cu [| sa 21; domain; sa 525 |] (ia 5)
+ let key_admins domain = cu [| sa 21; domain; sa 526 |] (ia 5)
+ let enterprise_key_admins domain = cu [| sa 21; domain; sa 527 |] (ia 5)
+ let ras_servers domain = cu [| sa 21; domain; sa 553 |] (ia 5)
+ let allowed_rodc_password_replication_group domain = cu [| sa 21; domain; sa 571 |] (ia 5)
+ let denied_rodc_password_replication_group domain = cu [| sa 21; domain; sa 572 |] (ia 5)
+
+ let builtin_administrators = cu [| sa 32; sa 544 |] (ia 5)
+ let builtin_users = cu [| sa 32; sa 545 |] (ia 5)
+ let builtin_guests = cu [| sa 32; sa 546 |] (ia 5)
+ let power_users = cu [| sa 32; sa 547 |] (ia 5)
+ let account_operators = cu [| sa 32; sa 548 |] (ia 5)
+ let server_operators = cu [| sa 32; sa 549 |] (ia 5)
+ let printer_operators = cu [| sa 32; sa 550 |] (ia 5)
+ let backup_operators = cu [| sa 32; sa 551 |] (ia 5)
+ let replicator = cu [| sa 32; sa 552 |] (ia 5)
+ let alias_prew2kcompacc = cu [| sa 32; sa 554 |] (ia 5)
+ let remote_desktop = cu [| sa 32; sa 555 |] (ia 5)
+ let network_configuration_ops = cu [| sa 32; sa 556 |] (ia 5)
+ let incoming_forest_trust_builders = cu [| sa 32; sa 557 |] (ia 5)
+ let perfmon_users = cu [| sa 32; sa 558 |] (ia 5)
+ let perflog_users = cu [| sa 32; sa 559 |] (ia 5)
+ let windows_authorization_access_group = cu [| sa 32; sa 560 |] (ia 5)
+ let terminal_server_license_servers = cu [| sa 32; sa 561 |] (ia 5)
+ let distributed_com_users = cu [| sa 32; sa 562 |] (ia 5)
+ let iis_iusrs = cu [| sa 32; sa 568 |] (ia 5)
+ let cryptographic_operators = cu [| sa 32; sa 569 |] (ia 5)
+ let event_log_readers = cu [| sa 32; sa 573 |] (ia 5)
+ let certificate_service_dcom_access = cu [| sa 32; sa 574 |] (ia 5)
+ let rds_remote_access_servers = cu [| sa 32; sa 575 |] (ia 5)
+ let rds_endpoint_servers = cu [| sa 32; sa 576 |] (ia 5)
+ let rds_management_servers = cu [| sa 32; sa 577 |] (ia 5)
+ let hyper_v_admins = cu [| sa 32; sa 578 |] (ia 5)
+ let access_control_assistance_ops = cu [| sa 32; sa 579 |] (ia 5)
+ let remote_management_users = cu [| sa 32; sa 580 |] (ia 5)
+
+ let write_restricted_code = cu [| sa 33 |] (ia 5)
+ let ntlm_authentication = cu [| sa 64; sa 10 |] (ia 5)
+ let schannel_authentication = cu [| sa 64; sa 14 |] (ia 5)
+ let digest_authentication = cu [| sa 64; sa 21 |] (ia 5)
+ let this_organization_certificate = cu [| sa 65; sa 1 |] (ia 5)
+ let nt_service = cu [| sa 80 |] (ia 5)
+ let user_mode_drivers = cu [| sa 84; U32.zero; U32.zero; U32.zero; U32.zero; U32.zero |] (ia 5)
+ let local_account = cu [| sa 113 |] (ia 5)
+ let local_account_and_member_of_administrators_group = cu [| sa 114 |] (ia 5)
+ let other_organization = cu [| sa 1000 |] (ia 5)
+
+ (* 1-15-… *)
+ let all_app_packages = cu [| sa 2; U32.one |] (ia 15)
+
+ (* 1-16-… *)
+ let ml_untrusted = cu [| U32.zero |] (ia 16)
+ let ml_low = cu [| sa 4096 |] (ia 16)
+ let ml_medium = cu [| sa 8192 |] (ia 16)
+ let ml_medium_plus = cu [| sa 8448 |] (ia 16)
+ let ml_high = cu [| sa 12288 |] (ia 16)
+ let ml_system = cu [| sa 16384 |] (ia 16)
+ let ml_protected_process = cu [| sa 20480 |] (ia 16)
+ let ml_secure_process = cu [| sa 28672 |] (ia 16)
+
+ (* 1-18-… *)
+ let authentication_authority_asserted_identity = cu [| U32.one |] (ia 18)
+ let service_asserted_identity = cu [| sa 2 |] (ia 18)
+ let fresh_public_key_identity = cu [| sa 3 |] (ia 18)
+ let key_trust_identity = cu [| sa 4 |] (ia 18)
+ let key_property_mfa = cu [| sa 5 |] (ia 18)
+ let key_property_attestation = cu [| sa 6 |] (ia 18)
+ module Prefix = struct
let security_null_sid_authority ?(sa=[||]) () = create_unsafe sa (U64.of_int 0x00)
let security_world_sid_authority ?(sa=[||]) () = create_unsafe sa (U64.of_int 0x01)
let security_local_sid_authority ?(sa=[||]) () = create_unsafe sa (U64.of_int 0x02)
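Review bot: The domain-relative constructors from `administrator` through `denied_rodc_password_replication_group` put a single sub-authority between 21 and the RID, producing S-1-5-21-X-500, but a Windows domain or machine identifier is three 32-bit sub-authorities (S-1-5-21-X-Y-Z-500), which the hunk's own `compounded_authentication` and `claims_valid` entries (`sa 21; U32.zero; U32.zero; U32.zero; sa 496`) already reflect. Because `cu` is `create_unsafe`, nothing rejects the short form, so a caller comparing one of these values against a real Domain Admins SID from a token or ACL would silently never match. I would route all of them through one helper that takes the identifier as a triple and change the parameter accordingly (the `.mli` signatures must follow); a triple keeps construction total without a runtime length check. `module Prefix` continues past the end of the hunk.
```ocaml
  (* A domain/machine identifier is three 32-bit sub-authorities
     (S-1-5-21-X-Y-Z-rid), so take all three rather than one. *)
  let domain_rid (d1, d2, d3) rid = cu [| sa 21; d1; d2; d3; sa rid |] (ia 5)

  let administrator machine = domain_rid machine 500
  let guest machine = domain_rid machine 501
  let krbtgt domain = domain_rid domain 502
  (* … unchanged pattern: remaining domain-relative constructors (512–572) … *)
```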
diff --git a/sid.mli b/sid.mli
index 9012df8..f8e34cb 100644
--- a/sid.mli
+++ b/sid.mli
@@ -53,26 +53,364 @@ module PacketRep :
module WellKnown :
sig
val null : t
+ (** The SID {e S-1-0-0}. *)
+
val everyone : t
+ (** The SID {e S-1-1-0}. *)
+
val world : t
+ (** Alias for [everyone]. *)
+
val local : t
+ (** The SID {e S-1-2-0}. *)
+
+ val console_logon : t
+ (** The SID {e S-1-2-1}. *)
+
val creator_owner_id : t
+ (** The SID {e S-1-3-0}. *)
+
val creator_group_id : t
+ (** The SID {e S-1-3-1}. *)
+
+ val creator_owner_server : t
+ (** The SID {e S-1-3-2}. *)
+
+ val creator_group_server : t
+ (** The SID {e S-1-3-3}. *)
+
+ val owner_rights : t
+ (** The SID {e S-1-3-4}. *)
+
val elite : t
+ val nt_authority : t
+ (** The SID {e S-1-5}. *)
+
+ val dialup : t
+ (** The SID {e S-1-5-1}. *)
+
+ val network : t
+ (** The SID {e S-1-5-2}. *)
+
+ val batch : t
+ (** The SID {e S-1-5-3}. *)
+
+ val interactive : t
+ (** The SID {e S-1-5-4}. *)
+
+ val logon_id : t
+ (** The SID {e S-1-5-5}. *)
+
+ val service : t
+ (** The SID {e S-1-5-6}. *)
+
+ val anonymous : t
+ (** The SID {e S-1-5-7}. *)
+
+ val proxy : t
+ (** The SID {e S-1-5-8}. *)
+
+ val enterprise_domain_controllers : t
+ (** The SID {e S-1-5-9}. *)
+
+ val principal_self : t
+ (** The SID {e S-1-5-10}. *)
+
+ val authenticated_users : t
+ (** The SID {e S-1-5-11}. *)
+
+ val restricted_code : t
+ (** The SID {e S-1-5-12}. *)
+
+ val terminal_server_user : t
+ (** The SID {e S-1-5-13}. *)
+
+ val remote_interactive_logon : t
+ (** The SID {e S-1-5-14}. *)
+
+ val this_organisation : t
+ (** The SID {e S-1-5-15}. *)
+
+ val iusr : t
+ (** The SID {e S-1-5-17}. *)
+
+ val local_system : t
+ (** The SID {e S-1-5-18}. *)
+
+ val local_service : t
+ (** The SID {e S-1-5-19}. *)
+
+ val compounded_authentication : t
+ (** The SID {e S-1-5-21-0-0-0-496}. *)
+
+ val claims_valid : t
+ (** The SID {e S-1-5-21-0-0-0-497}. *)
+
+ val administrator : Stdint.Uint32.t -> t
+ (** [administrator machine] constructs a SID {e S-1-5-21-[machine]-500}. *)
+
+ val guest : Stdint.Uint32.t -> t
+ (** [guest machine] constructs a SID {e S-1-5-21-[machine]-501}. *)
+
+ val krbtgt : Stdint.Uint32.t -> t
+ (** [krbtgt domain] constructs a SID {e S-1-5-21-[domain]-502}. *)
+
+ val domain_admins : Stdint.Uint32.t -> t
+ (** [domain_admins domain] constructs a SID {e S-1-5-21-[domain]-512}. *)
+
+ val domain_users : Stdint.Uint32.t -> t
+ (** [domain_users domain] constructs a SID {e S-1-5-21-[domain]-513}. *)
+
+ val domain_guests : Stdint.Uint32.t -> t
+ (** [domain_guests domain] constructs a SID {e S-1-5-21-[domain]-514}. *)
+
+ val domain_computers : Stdint.Uint32.t -> t
+ (** [domain_computers domain] constructs a SID {e S-1-5-21-[domain]-515}. *)
+
+ val domain_domain_controllers : Stdint.Uint32.t -> t
+ (** [domain_domain_controllers domain] constructs a SID
+ {e S-1-5-21-[domain]-516}. *)
+
+ val cert_publishers : Stdint.Uint32.t -> t
+ (** [cert_publishers domain] constructs a SID {e S-1-5-21-[domain]-517}. *)
+
+ val schema_administrators : Stdint.Uint32.t -> t
+ (** [schema_administrators root_domain] constructs a SID
+ {e S-1-5-21-[root_domain]-518}. *)
+
+ val enterprise_admins : Stdint.Uint32.t -> t
+ (** [enterprise_admins root_domain] constructs a SID
+ {e S-1-5-21-[root_domain]-519}. *)
+
+ val group_policy_creator_owners : Stdint.Uint32.t -> t
+ (** [group_policy_creator_owners domain] constructs a SID
+ {e S-1-5-21-[domain]-520}. *)
+
+ val readonly_domain_controllers : Stdint.Uint32.t -> t
+ (** [readonly_domain_controllers domain] constructs a SID
+ {e S-1-5-21-[domain]-521}. *)
+
+ val cloneable_controllers : Stdint.Uint32.t -> t
+ (** [cloneable_controllers domain] constructs a SID
+ {e S-1-5-21-[domain]-522}. *)
+
+ val protected_users : Stdint.Uint32.t -> t
+ (** [protected_users domain] constructs a SID {e S-1-5-21-[domain]-525}. *)
+
+ val key_admins : Stdint.Uint32.t -> t
+ (** [key_admins domain] constructs a SID {e S-1-5-21-[domain]-526}. *)
+
+ val enterprise_key_admins : Stdint.Uint32.t -> t
+ (** [enterprise_key_admins domain] constructs a SID {e S-1-5-21-[domain]-527}. *)
+
+ val ras_servers : Stdint.Uint32.t -> t
+ (** [ras_servers domain] constructs a SID {e S-1-5-21-[domain]-553}. *)
+
+ val allowed_rodc_password_replication_group : Stdint.Uint32.t -> t
+ (** [allowed_rodc_password_replication_group domain] constructs a SID
+ {e S-1-5-21-[domain]-571}. *)
+
+ val denied_rodc_password_replication_group : Stdint.Uint32.t -> t
+ (** [denied_rodc_password_replication_group domain] constructs a SID
+ {e S-1-5-21-[domain]-572}. *)
+
+ val builtin_administrators : t
+ (** The SID {e S-1-5-32-544}. *)
+
+ val builtin_users : t
+ (** The SID {e S-1-5-32-545}. *)
+
+ val builtin_guests : t
+ (** The SID {e S-1-5-32-546}. *)
+
+ val power_users : t
+ (** The SID {e S-1-5-32-547}. *)
+
+ val account_operators : t
+ (** The SID {e S-1-5-32-548}. *)
+
+ val server_operators : t
+ (** The SID {e S-1-5-32-549}. *)
+
+ val printer_operators : t
+ (** The SID {e S-1-5-32-550}. *)
+
+ val backup_operators : t
+ (** The SID {e S-1-5-32-551}. *)
+
+ val replicator : t
+ (** The SID {e S-1-5-32-552}. *)
+
+ val alias_prew2kcompacc : t
+ (** The SID {e S-1-5-32-554}. *)
+
+ val remote_desktop : t
+ (** The SID {e S-1-5-32-555}. *)
+
+ val network_configuration_ops : t
+ (** The SID {e S-1-5-32-556}. *)
+
+ val incoming_forest_trust_builders : t
+ (** The SID {e S-1-5-32-557}. *)
+
+ val perfmon_users : t
+ (** The SID {e S-1-5-32-558}. *)
+
+ val perflog_users : t
+ (** The SID {e S-1-5-32-559}. *)
+
+ val windows_authorization_access_group : t
+ (** The SID {e S-1-5-32-560}. *)
+
+ val terminal_server_license_servers : t
+ (** The SID {e S-1-5-32-561}. *)
+
+ val distributed_com_users : t
+ (** The SID {e S-1-5-32-562}. *)
+
+ val iis_iusrs : t
+ (** The SID {e S-1-5-32-568}. *)
+
+ val cryptographic_operators : t
+ (** The SID {e S-1-5-32-569}. *)
+
+ val event_log_readers : t
+ (** The SID {e S-1-5-32-573}. *)
+
+ val certificate_service_dcom_access : t
+ (** The SID {e S-1-5-32-574}. *)
+
+ val rds_remote_access_servers : t
+ (** The SID {e S-1-5-32-575}. *)
+
+ val rds_endpoint_servers : t
+ (** The SID {e S-1-5-32-576}. *)
+
+ val rds_management_servers : t
+ (** The SID {e S-1-5-32-577}. *)
+
+ val hyper_v_admins : t
+ (** The SID {e S-1-5-32-578}. *)
+
+ val access_control_assistance_ops : t
+ (** The SID {e S-1-5-32-579}. *)
+
+ val remote_management_users : t
+ (** The SID {e S-1-5-32-580}. *)
+
+ val write_restricted_code : t
+ (** The SID {e S-1-5-33}. *)
+
+ val ntlm_authentication : t
+ (** The SID {e S-1-5-64-10}. *)
+
+ val schannel_authentication : t
+ (** The SID {e S-1-5-64-14}. *)
+
+ val digest_authentication : t
+ (** The SID {e S-1-5-64-21}. *)
+
+ val this_organization_certificate : t
+ (** The SID {e S-1-5-65-1}. *)
+
+ val nt_service : t
+ (** The SID {e S-1-5-80}. *)
+
+ val user_mode_drivers : t
+ (** The SID {e S-1-5-84-0-0-0-0-0}. *)
+
+ val local_account : t
+ (** The SID {e S-1-5-113}. *)
+
+ val local_account_and_member_of_administrators_group : t
+ (** The SID {e S-1-5-114}. *)
+
+ val other_organization : t
+ (** The SID {e S-1-5-1000}. *)
+
+ val all_app_packages : t
+ (** The SID {e S-1-15-2-1}. *)
+
+ val ml_untrusted : t
+ (** The SID {e S-1-16-0}. *)
+
+ val ml_low : t
+ (** The SID {e S-1-16-4096}. *)
+
+ val ml_medium : t
+ (** The SID {e S-1-16-8192}. *)
+
+ val ml_medium_plus : t
+ (** The SID {e S-1-16-8448}. *)
+
+ val ml_high : t
+ (** The SID {e S-1-16-12288}. *)
+
+ val ml_system : t
+ (** The SID {e S-1-16-16384}. *)
+
+ val ml_protected_process : t
+ (** The SID {e S-1-16-20480}. *)
+
+ val ml_secure_process : t
+ (** The SID {e S-1-16-28672}. *)
+
+ val authentication_authority_asserted_identity : t
+ (** The SID {e S-1-18-1}. *)
+
+ val service_asserted_identity : t
+ (** The SID {e S-1-18-2}. *)
+
+ val fresh_public_key_identity : t
+ (** The SID {e S-1-18-3}. *)
+
+ val key_trust_identity : t
+ (** The SID {e S-1-18-4}. *)
+
+ val key_property_mfa : t
+ (** The SID {e S-1-18-5}. *)
+
+ val key_property_attestation : t
+ (** The SID {e S-1-18-6}. *)
+
module Prefix :
sig
- type toplevel_auth = ?sa:sub_auths -> unit -> t
+ val security_null_sid_authority : ?sa:sub_auths -> unit -> t
+ (** [security_null_sid_authority sub_auths ()] constructs a SID
+ {e S-1-0-[sub_auths]…}. *)
+
+ val security_world_sid_authority : ?sa:sub_auths -> unit -> t
+ (** [security_world_sid_authority sub_auths ()] constructs a SID
+ {e S-1-1-[sub_auths]…}. *)
+
+ val security_local_sid_authority : ?sa:sub_auths -> unit -> t
+ (** [security_local_sid_authority sub_auths ()] constructs a SID
+ {e S-1-2-[sub_auths]…}. *)
- val security_null_sid_authority : toplevel_auth
- val security_world_sid_authority : ?sa:sub_auths -> unit -> t
- val security_local_sid_authority : ?sa:sub_auths -> unit -> t
val security_creator_sid_authority : ?sa:sub_auths -> unit -> t
- val security_nt_authority : ?sa:sub_auths -> unit -> t
- val security_app_package_authority : ?sa:sub_auths -> unit -> t
- val security_mandatory_label_authority : ?sa:sub_auths -> unit -> t
+ (** [security_creator_sid_authority sub_auths ()] constructs a SID
+ {e S-1-3-[sub_auths]…}. *)
+
+ val security_nt_authority : ?sa:sub_auths -> unit -> t
+ (** [security_nt_authority sub_auths ()] constructs a SID
+ {e S-1-5-[sub_auths]…}. *)
+
+ val security_app_package_authority : ?sa:sub_auths -> unit -> t
+ (** [security_app_package_authority sub_auths ()] constructs a SID
+ {e S-1-15-[sub_auths]…}. *)
+
+ val security_mandatory_label_authority : ?sa:sub_auths -> unit -> t
+ (** [security_mandatory_label_authority sub_auths ()] constructs a SID
+ {e S-1-16-[sub_auths]…}. *)
+
val security_scoped_policy_id_authority : ?sa:sub_auths -> unit -> t
- val security_authentication_authority : ?sa:sub_auths -> unit -> t
+ (** [security_scoped_policy_id_authority sub_auths ()] constructs a SID
+ {e S-1-17-[sub_auths]…}. *)
+
+ val security_authentication_authority : ?sa:sub_auths -> unit -> t
+ (** [security_authentication_authority sub_auths ()] constructs a SID
+ {e S-1-18-[sub_auths]…}. *)
end
end
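Review bot: The new `Prefix` doc comments write the call as `[security_nt_authority sub_auths ()]`, but the argument is the optional label `?sa`, so the example does not match how the function is invoked; `[security_nt_authority ~sa ()]` (and likewise for the other eight prefix constructors) would agree with the signature. `val elite : t` is the only value in the hunk left without a doc comment, and it sits between the S-1-3 entries and `nt_authority` although the implementation builds S-1-1-3-3-7; a one-liner such as `(** The SID {e S-1-1-3-3-7}. *)` would keep the block uniform. The `Stdint.Uint32.t -> t` signatures document `[machine]`/`[domain]` as a single sub-authority, whereas a domain identifier is three (compare the hunk's own `S-1-5-21-0-0-0-496`), so the type and the `{e S-1-5-21-[domain]-512}` wording should be revisited together. `this_organisation` (S-1-5-15) and `this_organization_certificate` (S-1-5-65-1) spell the word differently; settling on one spelling avoids a lookup surprise for callers.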