diff options
| author | Andrew Tridgell <tridge@samba.org> | 2009-10-16 23:02:58 +1100 |
|---|---|---|
| committer | Andrew Tridgell <tridge@samba.org> | 2009-10-17 13:01:03 +1100 |
| commit | 9da4af062b333750d9cbdf5ef9a47c5ac3723a81 (patch) | |
| tree | 94c4c1d1197b3f293488797a2fb8887be53735b8 | |
| parent | 7226ba73a0519f853b53adc3591d2358ff7429b2 (diff) | |
| download | samba-9da4af062b333750d9cbdf5ef9a47c5ac3723a81.tar.gz samba-9da4af062b333750d9cbdf5ef9a47c5ac3723a81.tar.bz2 samba-9da4af062b333750d9cbdf5ef9a47c5ac3723a81.zip | |
s4-security: honor more of the privilege access bits
| -rw-r--r-- | source4/libcli/security/access_check.c | 16 |
1 files changed, 12 insertions, 4 deletions
diff --git a/source4/libcli/security/access_check.c b/source4/libcli/security/access_check.c index 543b0f74c5..4bede15def 100644 --- a/source4/libcli/security/access_check.c +++ b/source4/libcli/security/access_check.c @@ -34,8 +34,12 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd, if (security_token_has_sid(token, sd->owner_sid)) { granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL | SEC_STD_DELETE; - } else if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) { - granted |= SEC_STD_DELETE; + } + if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) { + granted |= SEC_RIGHTS_PRIV_RESTORE; + } + if (security_token_has_privilege(token, SEC_PRIV_BACKUP)) { + granted |= SEC_RIGHTS_PRIV_BACKUP; } if (sd->dacl == NULL) { @@ -125,9 +129,13 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd, security_token_has_sid(token, sd->owner_sid)) { bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE); } - if ((bits_remaining & SEC_STD_DELETE) && + if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) && security_token_has_privilege(token, SEC_PRIV_RESTORE)) { - bits_remaining &= ~SEC_STD_DELETE; + bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE); + } + if ((bits_remaining & SEC_RIGHTS_PRIV_BACKUP) && + security_token_has_privilege(token, SEC_PRIV_BACKUP)) { + bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP); } if (sd->dacl == NULL) { |