authorStefan Metzmacher <metze@samba.org>2006-05-21 12:56:49 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 14:08:17 -0500
commit0f2c93016d870adc4eb4e7072c05a8ef8273cb0c (patch)
tree55fd6c188c7f7774c9e989ee39b149dffa5e04ea
parent2e415d4e98530f4b95114a2d49850702ee214a6f (diff)
r15774: take care of the SYSTEM_SECURITY flag
metze (This used to be commit 98f58d710a4fe1cd3581b1fb25c4f0c0236b5092)
-rw-r--r--source4/ntvfs/posix/pvfs_acl.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/source4/ntvfs/posix/pvfs_acl.c b/source4/ntvfs/posix/pvfs_acl.c
index 3826b2f157..3d276431dc 100644
--- a/source4/ntvfs/posix/pvfs_acl.c
+++ b/source4/ntvfs/posix/pvfs_acl.c
@@ -350,7 +350,9 @@ NTSTATUS pvfs_access_check_unix(struct pvfs_state *pvfs,
uint32_t max_bits = SEC_RIGHTS_FILE_READ | SEC_FILE_ALL;
/* owner and root get extra permissions */
- if (uid == 0 || uid == name->st.st_uid) {
+ if (uid == 0) {
+ max_bits |= SEC_STD_ALL | SEC_FLAG_SYSTEM_SECURITY;
+ } else if (uid == name->st.st_uid) {
max_bits |= SEC_STD_ALL;
}
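Review bot: The comment above the new `if (uid == 0)` branch still reads "owner and root get extra permissions" and does not say that only root now receives `SEC_FLAG_SYSTEM_SECURITY`, the bit that gates access to the SACL (audit entries). I would reword it to `/* owner gets SEC_STD_ALL; only root (uid 0) additionally gets SEC_FLAG_SYSTEM_SECURITY */` so the privilege boundary is explicit to the next reader. The grant is keyed on the Unix uid alone, and whether a token-level privilege check happens elsewhere is not visible here, so the comment should also state that uid 0 is the intended stand-in for that privilege. pvfs_access_check_unix starts and ends outside the hunk.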
@@ -359,6 +361,10 @@ NTSTATUS pvfs_access_check_unix(struct pvfs_state *pvfs,
return NT_STATUS_OK;
}
+ if (uid != 0 && (*access_mask & SEC_FLAG_SYSTEM_SECURITY)) {
+ return NT_STATUS_PRIVILEGE_NOT_HELD;
+ }
+
if (*access_mask & ~max_bits) {
return NT_STATUS_ACCESS_DENIED;
}
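Review bot: The new `SEC_FLAG_SYSTEM_SECURITY` rejection sits after the early `return NT_STATUS_OK;` at the top of this hunk, so a request that takes that earlier path never reaches it. The condition of that return is outside the hunk; if it is the maximum-allowed path that hands back `max_bits`, a non-root caller asking for SYSTEM_SECURITY together with it gets success with the bit silently dropped instead of `NT_STATUS_PRIVILEGE_NOT_HELD`, and root is granted the bit without having asked for it. Consider moving the `if (uid != 0 && (*access_mask & SEC_FLAG_SYSTEM_SECURITY))` test ahead of that early return, and masking `SEC_FLAG_SYSTEM_SECURITY` out of the value returned there unless it was explicitly requested.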