From 90222b8fa7d6c7967155d556aa9c73109fd7e03e Mon Sep 17 00:00:00 2001
From: Philipp Gesang
Date: Wed, 31 Oct 2018 00:03:33 +0100
Subject: sid: predefine more well known constants

Add the constants from MS-DTYP 2.4.2.4 to Sid.WellKnown.
---
 sid.ml | 134 ++++++++++++++++++++++--
 sid.mli | 354 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
 2 files changed, 471 insertions(+), 17 deletions(-)

diff --git a/sid.ml b/sid.ml
index cbfe305..7051ee3 100644
--- a/sid.ml
+++ b/sid.ml
@@ -224,22 +224,138 @@ module PacketRep = struct (* [MS-DTYP] 2.4.22 *)
 end (* [module PacketRep] *)
 module WellKnown = struct
+ let cu = create_unsafe
+ let sa = U32.of_int
+ let ia = U64.of_int
+
 (*
 * see also
 * https://docs.microsoft.com/en-us/windows/desktop/secauthz/well-known-sids
 *)
-
- let null = create_unsafe [| U32.zero |] U64.zero
- let everyone = create_unsafe [| U32.zero |] U64.one
+ let null = cu [| U32.zero |] U64.zero
+ let everyone = cu [| U32.zero |] U64.one
 let world = everyone
- let local = create_unsafe [| U32.zero |] (U64.of_int 2)
- let creator_owner_id = create_unsafe [| U32.zero |] (U64.of_int 3)
- let creator_group_id = create_unsafe [| U32.one |] (U64.of_int 3)
- let elite = create_unsafe [| U32.of_int 3 ; U32.of_int 3; U32.of_int 7 |] U64.one
- module Prefix = struct
- type toplevel_auth = ?sa:sub_auths -> unit -> sid
+ (* 1-2-… *)
+ let local = cu [| U32.zero |] (U64.of_int 2)
+ let console_logon = cu [| U32.one |] (U64.of_int 2)
+
+ (* 1-3-… *)
+ let creator_owner_id = cu [| U32.zero |] (U64.of_int 3)
+ let creator_group_id = cu [| U32.one |] (U64.of_int 3)
+ let creator_owner_server = cu [| U32.of_int 2 |] (U64.of_int 3)
+ let creator_group_server = cu [| U32.of_int 3 |] (U64.of_int 3)
+ let owner_rights = cu [| U32.of_int 4 |] (U64.of_int 3)
+ let elite = cu [| U32.of_int 3 ; U32.of_int 3; U32.of_int 7 |] U64.one
+
+ (* 1-5-… *)
+ let nt_authority = cu [| |] (U64.of_int 5)
+ let dialup = cu [| U32.one |] (U64.of_int 5)
+ let network = cu [| U32.of_int 2 |] (U64.of_int 5)
+ let batch = cu [| U32.of_int 3 |] (U64.of_int 5)
+ let interactive = cu [| U32.of_int 4 |] (U64.of_int 5)
+ let logon_id = cu [| U32.of_int 5 |] (U64.of_int 5)
+ let service = cu [| U32.of_int 6 |] (U64.of_int 5)
+ let anonymous = cu [| U32.of_int 7 |] (U64.of_int 5)
+ let proxy = cu [| U32.of_int 8 |] (U64.of_int 5)
+ let enterprise_domain_controllers = cu [| U32.of_int 9 |] (U64.of_int 5)
+ let principal_self = cu [| U32.of_int 10 |] (U64.of_int 5)
+ let authenticated_users = cu [| U32.of_int 11 |] (U64.of_int 5)
+ let restricted_code = cu [| U32.of_int 12 |] (U64.of_int 5)
+ let terminal_server_user = cu [| U32.of_int 13 |] (U64.of_int 5)
+ let remote_interactive_logon = cu [| U32.of_int 14 |] (U64.of_int 5)
+ let this_organisation = cu [| U32.of_int 15 |] (U64.of_int 5)
+ let iusr = cu [| U32.of_int 17 |] (U64.of_int 5)
+ let local_system = cu [| U32.of_int 18 |] (U64.of_int 5)
+ let local_service = cu [| U32.of_int 19 |] (U64.of_int 5)
+ let network_service = cu [| U32.of_int 20 |] (U64.of_int 5)
+
+ let compounded_authentication = cu [| sa 21; U32.zero; U32.zero; U32.zero; sa 496 |] (ia 5)
+ let claims_valid = cu [| sa 21; U32.zero; U32.zero; U32.zero; sa 497 |] (ia 5)
+
+ let administrator machine = cu [| sa 21; machine; sa 500 |] (ia 5)
+ let guest machine = cu [| sa 21; machine; sa 501 |] (ia 5)
+ let krbtgt domain = cu [| sa 21; domain; sa 502 |] (ia 5)
+ let domain_admins domain = cu [| sa 21; domain; sa 512 |] (ia 5)
+ let domain_users domain = cu [| sa 21; domain; sa 513 |] (ia 5)
+ let domain_guests domain = cu [| sa 21; domain; sa 514 |] (ia 5)
+ let domain_computers domain = cu [| sa 21; domain; sa 515 |] (ia 5)
+ let domain_domain_controllers domain = cu [| sa 21; domain; sa 516 |] (ia 5)
+ let cert_publishers domain = cu [| sa 21; domain; sa 517 |] (ia 5)
+ let schema_administrators root_domain = cu [| sa 21; root_domain; sa 518 |] (ia 5)
+ let enterprise_admins root_domain = cu [| sa 21; root_domain; sa 519 |] (ia 5)
+ let group_policy_creator_owners domain = cu [| sa 21; domain; sa 520 |] (ia 5)
+ let readonly_domain_controllers domain = cu [| sa 21; domain; sa 521 |] (ia 5)
+ let cloneable_controllers domain = cu [| sa 21; domain; sa 522 |] (ia 5)
+ let protected_users domain = cu [| sa 21; domain; sa 525 |] (ia 5)
+ let key_admins domain = cu [| sa 21; domain; sa 526 |] (ia 5)
+ let enterprise_key_admins domain = cu [| sa 21; domain; sa 527 |] (ia 5)
+ let ras_servers domain = cu [| sa 21; domain; sa 553 |] (ia 5)
+ let allowed_rodc_password_replication_group domain = cu [| sa 21; domain; sa 571 |] (ia 5)
+ let denied_rodc_password_replication_group domain = cu [| sa 21; domain; sa 572 |] (ia 5)
+
+ let builtin_administrators = cu [| sa 32; sa 544 |] (ia 5)
+ let builtin_users = cu [| sa 32; sa 545 |] (ia 5)
+ let builtin_guests = cu [| sa 32; sa 546 |] (ia 5)
+ let power_users = cu [| sa 32; sa 547 |] (ia 5)
+ let account_operators = cu [| sa 32; sa 548 |] (ia 5)
+ let server_operators = cu [| sa 32; sa 549 |] (ia 5)
+ let printer_operators = cu [| sa 32; sa 550 |] (ia 5)
+ let backup_operators = cu [| sa 32; sa 551 |] (ia 5)
+ let replicator = cu [| sa 32; sa 552 |] (ia 5)
+ let alias_prew2kcompacc = cu [| sa 32; sa 554 |] (ia 5)
+ let remote_desktop = cu [| sa 32; sa 555 |] (ia 5)
+ let network_configuration_ops = cu [| sa 32; sa 556 |] (ia 5)
+ let incoming_forest_trust_builders = cu [| sa 32; sa 557 |] (ia 5)
+ let perfmon_users = cu [| sa 32; sa 558 |] (ia 5)
+ let perflog_users = cu [| sa 32; sa 559 |] (ia 5)
+ let windows_authorization_access_group = cu [| sa 32; sa 560 |] (ia 5)
+ let terminal_server_license_servers = cu [| sa 32; sa 561 |] (ia 5)
+ let distributed_com_users = cu [| sa 32; sa 562 |] (ia 5)
+ let iis_iusrs = cu [| sa 32; sa 568 |] (ia 5)
+ let cryptographic_operators = cu [| sa 32; sa 569 |] (ia 5)
+ let event_log_readers = cu [| sa 32; sa 573 |] (ia 5)
+ let certificate_service_dcom_access = cu [| sa 32; sa 574 |] (ia 5)
+ let rds_remote_access_servers = cu [| sa 32; sa 575 |] (ia 5)
+ let rds_endpoint_servers = cu [| sa 32; sa 576 |] (ia 5)
+ let rds_management_servers = cu [| sa 32; sa 577 |] (ia 5)
+ let hyper_v_admins = cu [| sa 32; sa 578 |] (ia 5)
+ let access_control_assistance_ops = cu [| sa 32; sa 579 |] (ia 5)
+ let remote_management_users = cu [| sa 32; sa 580 |] (ia 5)
+
+ let write_restricted_code = cu [| sa 33 |] (ia 5)
+ let ntlm_authentication = cu [| sa 64; sa 10 |] (ia 5)
+ let schannel_authentication = cu [| sa 64; sa 14 |] (ia 5)
+ let digest_authentication = cu [| sa 64; sa 21 |] (ia 5)
+ let this_organization_certificate = cu [| sa 65; sa 1 |] (ia 5)
+ let nt_service = cu [| sa 80 |] (ia 5)
+ let user_mode_drivers = cu [| sa 84; U32.zero; U32.zero; U32.zero; U32.zero; U32.zero |] (ia 5)
+ let local_account = cu [| sa 113 |] (ia 5)
+ let local_account_and_member_of_administrators_group = cu [| sa 114 |] (ia 5)
+ let other_organization = cu [| sa 1000 |] (ia 5)
+
+ (* 1-15-… *)
+ let all_app_packages = cu [| sa 2; U32.one |] (ia 15)
+
+ (* 1-16-… *)
+ let ml_untrusted = cu [| U32.zero |] (ia 16)
+ let ml_low = cu [| sa 4096 |] (ia 16)
+ let ml_medium = cu [| sa 8192 |] (ia 16)
+ let ml_medium_plus = cu [| sa 8448 |] (ia 16)
+ let ml_high = cu [| sa 12288 |] (ia 16)
+ let ml_system = cu [| sa 16384 |] (ia 16)
+ let ml_protected_process = cu [| sa 20480 |] (ia 16)
+ let ml_secure_process = cu [| sa 28672 |] (ia 16)
+
+ (* 1-18-… *)
+ let authentication_authority_asserted_identity = cu [| U32.one |] (ia 18)
+ let service_asserted_identity = cu [| sa 2 |] (ia 18)
+ let fresh_public_key_identity = cu [| sa 3 |] (ia 18)
+ let key_trust_identity = cu [| sa 4 |] (ia 18)
+ let key_property_mfa = cu [| sa 5 |] (ia 18)
+ let key_property_attestation = cu [| sa 6 |] (ia 18)
+ module Prefix = struct
 let security_null_sid_authority ?(sa=[||]) () = create_unsafe sa (U64.of_int 0x00)
 let security_world_sid_authority ?(sa=[||]) () = create_unsafe sa (U64.of_int 0x01)
 let security_local_sid_authority ?(sa=[||]) () = create_unsafe sa (U64.of_int 0x02)
diff --git a/sid.mli b/sid.mli
index 9012df8..f8e34cb 100644
--- a/sid.mli
+++ b/sid.mli
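Review bot: The S-1-5-21 constructors from `let administrator machine = cu [| sa 21; machine; sa 500 |] (ia 5)` down to `denied_rodc_password_replication_group` take a single `Uint32.t` as the domain identifier, but a domain- or machine-relative SID carries three sub-authority words between 21 and the RID, which the hunk's own `compounded_authentication` and `claims_valid` entries (three zero words before 496/497) reflect. As written, `domain_admins d` yields S-1-5-21-d-512, so an authorization check that compares a token's group SIDs against it can never match the real Domain Admins SID of any domain. I would take the domain identifier as a `sub_auths` array, check its length, and build every RID SID through one helper; the matching `Stdint.Uint32.t -> t` signatures and the `{e S-1-5-21-[domain]-RID}` docs in the sid.mli hunk change accordingly. Separately, `this_organisation` (S-1-5-15) and `this_organization_certificate` (S-1-5-65-1) spell the same word two ways; MS-DTYP names both with ORGANIZATION, so one spelling should be used.
```ocaml
(* S-1-5-21-<domain>-<rid>; [domain] is the three-word domain or machine identifier *)
let domain_rid domain rid =
  if Array.length domain <> 3 then
    invalid_arg "WellKnown.domain_rid: domain identifier needs three sub-authorities";
  cu (Array.concat [ [| sa 21 |]; domain; [| sa rid |] ]) (ia 5)

let administrator domain = domain_rid domain 500
let guest domain = domain_rid domain 501
(* … unchanged in form: the remaining S-1-5-21 entries, each as [domain_rid domain <rid>] … *)
```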
@@ -53,26 +53,364 @@ module PacketRep :
 module WellKnown : sig
 val null : t
+ (** The SID {e S-1-0-0}. *)
+
 val everyone : t
+ (** The SID {e S-1-1-0}. *)
+
 val world : t
+ (** Alias for [everyone]. *)
+
 val local : t
+ (** The SID {e S-1-2-0}. *)
+
+ val console_logon : t
+ (** The SID {e S-1-2-1}. *)
+
 val creator_owner_id : t
+ (** The SID {e S-1-3-0}. *)
+
 val creator_group_id : t
+ (** The SID {e S-1-3-1}. *)
+
+ val creator_owner_server : t
+ (** The SID {e S-1-3-2}. *)
+
+ val creator_group_server : t
+ (** The SID {e S-1-3-3}. *)
+
+ val owner_rights : t
+ (** The SID {e S-1-3-4}. *)
+
 val elite : t
+ val nt_authority : t
+ (** The SID {e S-1-5}. *)
+
+ val dialup : t
+ (** The SID {e S-1-5-1}. *)
+
+ val network : t
+ (** The SID {e S-1-5-2}. *)
+
+ val batch : t
+ (** The SID {e S-1-5-3}. *)
+
+ val interactive : t
+ (** The SID {e S-1-5-4}. *)
+
+ val logon_id : t
+ (** The SID {e S-1-5-5}. *)
+
+ val service : t
+ (** The SID {e S-1-5-6}. *)
+
+ val anonymous : t
+ (** The SID {e S-1-5-7}. *)
+
+ val proxy : t
+ (** The SID {e S-1-5-8}. *)
+
+ val enterprise_domain_controllers : t
+ (** The SID {e S-1-5-9}. *)
+
+ val principal_self : t
+ (** The SID {e S-1-5-10}. *)
+
+ val authenticated_users : t
+ (** The SID {e S-1-5-11}. *)
+
+ val restricted_code : t
+ (** The SID {e S-1-5-12}. *)
+
+ val terminal_server_user : t
+ (** The SID {e S-1-5-13}. *)
+
+ val remote_interactive_logon : t
+ (** The SID {e S-1-5-14}. *)
+
+ val this_organisation : t
+ (** The SID {e S-1-5-15}. *)
+
+ val iusr : t
+ (** The SID {e S-1-5-17}. *)
+
+ val local_system : t
+ (** The SID {e S-1-5-18}. *)
+
+ val local_service : t
+ (** The SID {e S-1-5-19}. *)
+
+ val compounded_authentication : t
+ (** The SID {e S-1-5-21-0-0-0-496}. *)
+
+ val claims_valid : t
+ (** The SID {e S-1-5-21-0-0-0-497}. *)
+
+ val administrator : Stdint.Uint32.t -> t
+ (** [administrator machine] constructs a SID {e S-1-5-21-[machine]-500}. *)
+
+ val guest : Stdint.Uint32.t -> t
+ (** [guest machine] constructs a SID {e S-1-5-21-[machine]-501}. *)
+
+ val krbtgt : Stdint.Uint32.t -> t
+ (** [krbtgt domain] constructs a SID {e S-1-5-21-[domain]-502}. *)
+
+ val domain_admins : Stdint.Uint32.t -> t
+ (** [domain_admins domain] constructs a SID {e S-1-5-21-[domain]-512}. *)
+
+ val domain_users : Stdint.Uint32.t -> t
+ (** [domain_users domain] constructs a SID {e S-1-5-21-[domain]-513}. *)
+
+ val domain_guests : Stdint.Uint32.t -> t
+ (** [domain_guests domain] constructs a SID {e S-1-5-21-[domain]-514}. *)
+
+ val domain_computers : Stdint.Uint32.t -> t
+ (** [domain_computers domain] constructs a SID {e S-1-5-21-[domain]-515}. *)
+
+ val domain_domain_controllers : Stdint.Uint32.t -> t
+ (** [domain_domain_controllers domain] constructs a SID
+ {e S-1-5-21-[domain]-516}. *)
+
+ val cert_publishers : Stdint.Uint32.t -> t
+ (** [cert_publishers domain] constructs a SID {e S-1-5-21-[domain]-517}. *)
+
+ val schema_administrators : Stdint.Uint32.t -> t
+ (** [schema_administrators root_domain] constructs a SID
+ {e S-1-5-21-[root_domain]-518}. *)
+
+ val enterprise_admins : Stdint.Uint32.t -> t
+ (** [enterprise_admins root_domain] constructs a SID
+ {e S-1-5-21-[root_domain]-519}. *)
+
+ val group_policy_creator_owners : Stdint.Uint32.t -> t
+ (** [group_policy_creator_owners domain] constructs a SID
+ {e S-1-5-21-[domain]-520}. *)
+
+ val readonly_domain_controllers : Stdint.Uint32.t -> t
+ (** [readonly_domain_controllers domain] constructs a SID
+ {e S-1-5-21-[domain]-521}. *)
+
+ val cloneable_controllers : Stdint.Uint32.t -> t
+ (** [cloneable_controllers domain] constructs a SID
+ {e S-1-5-21-[domain]-522}. *)
+
+ val protected_users : Stdint.Uint32.t -> t
+ (** [protected_users domain] constructs a SID {e S-1-5-21-[domain]-525}. *)
+
+ val key_admins : Stdint.Uint32.t -> t
+ (** [key_admins domain] constructs a SID {e S-1-5-21-[domain]-526}. *)
+
+ val enterprise_key_admins : Stdint.Uint32.t -> t
+ (** [enterprise_key_admins domain] constructs a SID {e S-1-5-21-[domain]-527}. *)
+
+ val ras_servers : Stdint.Uint32.t -> t
+ (** [ras_servers domain] constructs a SID {e S-1-5-21-[domain]-553}. *)
+
+ val allowed_rodc_password_replication_group : Stdint.Uint32.t -> t
+ (** [allowed_rodc_password_replication_group domain] constructs a SID
+ {e S-1-5-21-[domain]-571}. *)
+
+ val denied_rodc_password_replication_group : Stdint.Uint32.t -> t
+ (** [denied_rodc_password_replication_group domain] constructs a SID
+ {e S-1-5-21-[domain]-572}. *)
+
+ val builtin_administrators : t
+ (** The SID {e S-1-5-32-544}. *)
+
+ val builtin_users : t
+ (** The SID {e S-1-5-32-545}. *)
+
+ val builtin_guests : t
+ (** The SID {e S-1-5-32-546}. *)
+
+ val power_users : t
+ (** The SID {e S-1-5-32-547}. *)
+
+ val account_operators : t
+ (** The SID {e S-1-5-32-548}. *)
+
+ val server_operators : t
+ (** The SID {e S-1-5-32-549}. *)
+
+ val printer_operators : t
+ (** The SID {e S-1-5-32-550}. *)
+
+ val backup_operators : t
+ (** The SID {e S-1-5-32-551}. *)
+
+ val replicator : t
+ (** The SID {e S-1-5-32-552}. *)
+
+ val alias_prew2kcompacc : t
+ (** The SID {e S-1-5-32-554}. *)
+
+ val remote_desktop : t
+ (** The SID {e S-1-5-32-555}. *)
+
+ val network_configuration_ops : t
+ (** The SID {e S-1-5-32-556}. *)
+
+ val incoming_forest_trust_builders : t
+ (** The SID {e S-1-5-32-557}. *)
+
+ val perfmon_users : t
+ (** The SID {e S-1-5-32-558}. *)
+
+ val perflog_users : t
+ (** The SID {e S-1-5-32-559}. *)
+
+ val windows_authorization_access_group : t
+ (** The SID {e S-1-5-32-560}. *)
+
+ val terminal_server_license_servers : t
+ (** The SID {e S-1-5-32-561}. *)
+
+ val distributed_com_users : t
+ (** The SID {e S-1-5-32-562}. *)
+
+ val iis_iusrs : t
+ (** The SID {e S-1-5-32-568}. *)
+
+ val cryptographic_operators : t
+ (** The SID {e S-1-5-32-569}. *)
+
+ val event_log_readers : t
+ (** The SID {e S-1-5-32-573}. *)
+
+ val certificate_service_dcom_access : t
+ (** The SID {e S-1-5-32-574}. *)
+
+ val rds_remote_access_servers : t
+ (** The SID {e S-1-5-32-575}. *)
+
+ val rds_endpoint_servers : t
+ (** The SID {e S-1-5-32-576}. *)
+
+ val rds_management_servers : t
+ (** The SID {e S-1-5-32-577}. *)
+
+ val hyper_v_admins : t
+ (** The SID {e S-1-5-32-578}. *)
+
+ val access_control_assistance_ops : t
+ (** The SID {e S-1-5-32-579}. *)
+
+ val remote_management_users : t
+ (** The SID {e S-1-5-32-580}. *)
+
+ val write_restricted_code : t
+ (** The SID {e S-1-5-33}. *)
+
+ val ntlm_authentication : t
+ (** The SID {e S-1-5-64-10}. *)
+
+ val schannel_authentication : t
+ (** The SID {e S-1-5-64-14}. *)
+
+ val digest_authentication : t
+ (** The SID {e S-1-5-64-21}. *)
+
+ val this_organization_certificate : t
+ (** The SID {e S-1-5-65-1}. *)
+
+ val nt_service : t
+ (** The SID {e S-1-5-80}. *)
+
+ val user_mode_drivers : t
+ (** The SID {e S-1-5-84-0-0-0-0-0}. *)
+
+ val local_account : t
+ (** The SID {e S-1-5-113}. *)
+
+ val local_account_and_member_of_administrators_group : t
+ (** The SID {e S-1-5-114}. *)
+
+ val other_organization : t
+ (** The SID {e S-1-5-1000}. *)
+
+ val all_app_packages : t
+ (** The SID {e S-1-15-2-1}. *)
+
+ val ml_untrusted : t
+ (** The SID {e S-1-16-0}. *)
+
+ val ml_low : t
+ (** The SID {e S-1-16-4096}. *)
+
+ val ml_medium : t
+ (** The SID {e S-1-16-8192}. *)
+
+ val ml_medium_plus : t
+ (** The SID {e S-1-16-8448}. *)
+
+ val ml_high : t
+ (** The SID {e S-1-16-12288}. *)
+
+ val ml_system : t
+ (** The SID {e S-1-16-16384}. *)
+
+ val ml_protected_process : t
+ (** The SID {e S-1-16-20480}. *)
+
+ val ml_secure_process : t
+ (** The SID {e S-1-16-28672}. *)
+
+ val authentication_authority_asserted_identity : t
+ (** The SID {e S-1-18-1}. *)
+
+ val service_asserted_identity : t
+ (** The SID {e S-1-18-2}. *)
+
+ val fresh_public_key_identity : t
+ (** The SID {e S-1-18-3}. *)
+
+ val key_trust_identity : t
+ (** The SID {e S-1-18-4}. *)
+
+ val key_property_mfa : t
+ (** The SID {e S-1-18-5}. *)
+
+ val key_property_attestation : t
+ (** The SID {e S-1-18-6}. *)
+
 module Prefix : sig
- type toplevel_auth = ?sa:sub_auths -> unit -> t
+ val security_null_sid_authority : ?sa:sub_auths -> unit -> t
+ (** [security_null_sid_authority sub_auths ()] constructs a SID
+ {e S-1-0-[sub_auths]…}. *)
+
+ val security_world_sid_authority : ?sa:sub_auths -> unit -> t
+ (** [security_world_sid_authority sub_auths ()] constructs a SID
+ {e S-1-1-[sub_auths]…}. *)
+
+ val security_local_sid_authority : ?sa:sub_auths -> unit -> t
+ (** [security_local_sid_authority sub_auths ()] constructs a SID
+ {e S-1-2-[sub_auths]…}. *)
- val security_null_sid_authority : toplevel_auth
- val security_world_sid_authority : ?sa:sub_auths -> unit -> t
- val security_local_sid_authority : ?sa:sub_auths -> unit -> t
 val security_creator_sid_authority : ?sa:sub_auths -> unit -> t
- val security_nt_authority : ?sa:sub_auths -> unit -> t
- val security_app_package_authority : ?sa:sub_auths -> unit -> t
- val security_mandatory_label_authority : ?sa:sub_auths -> unit -> t
+ (** [security_creator_sid_authority sub_auths ()] constructs a SID
+ {e S-1-3-[sub_auths]…}. *)
+
+ val security_nt_authority : ?sa:sub_auths -> unit -> t
+ (** [security_nt_authority sub_auths ()] constructs a SID
+ {e S-1-5-[sub_auths]…}. *)
+
+ val security_app_package_authority : ?sa:sub_auths -> unit -> t
+ (** [security_app_package_authority sub_auths ()] constructs a SID
+ {e S-1-15-[sub_auths]…}. *)
+
+ val security_mandatory_label_authority : ?sa:sub_auths -> unit -> t
+ (** [security_mandatory_label_authority sub_auths ()] constructs a SID
+ {e S-1-16-[sub_auths]…}. *)
+
 val security_scoped_policy_id_authority : ?sa:sub_auths -> unit -> t
- val security_authentication_authority : ?sa:sub_auths -> unit -> t
+ (** [security_scoped_policy_id_authority sub_auths ()] constructs a SID
+ {e S-1-17-[sub_auths]…}. *)
+
+ val security_authentication_authority : ?sa:sub_auths -> unit -> t
+ (** [security_authentication_authority sub_auths ()] constructs a SID
+ {e S-1-18-[sub_auths]…}. *)
 end
 end
--
cgit v1.2.3
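Review bot: `val network_service : t` is missing from the signature: the sid.ml hunk defines `network_service` (S-1-5-20) directly after `local_service`, but here `val local_service : t` with `(** The SID {e S-1-5-19}. *)` is followed straight by `compounded_authentication`, so the new binding is hidden by the signature and unreachable from outside the module; add `val network_service : t` and `(** The SID {e S-1-5-20}. *)` after `local_service`. `val elite : t` is now the only entry in WellKnown without a doc comment, and its sid.ml definition (`cu [| U32.of_int 3 ; U32.of_int 3; U32.of_int 7 |] U64.one`, i.e. S-1-1-3-3-7) does not appear to be among the MS-DTYP 2.4.2.4 constants the commit cites, so a comment stating what it is and where it comes from would help readers tell it apart from the well-known values.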