summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>2009-10-16 23:02:58 +1100
committerAndrew Tridgell <tridge@samba.org>2009-10-17 13:01:03 +1100
commit9da4af062b333750d9cbdf5ef9a47c5ac3723a81 (patch)
tree94c4c1d1197b3f293488797a2fb8887be53735b8
parent7226ba73a0519f853b53adc3591d2358ff7429b2 (diff)
downloadsamba-9da4af062b333750d9cbdf5ef9a47c5ac3723a81.tar.gz
samba-9da4af062b333750d9cbdf5ef9a47c5ac3723a81.tar.bz2
samba-9da4af062b333750d9cbdf5ef9a47c5ac3723a81.zip
s4-security: honor more of the privilege access bits
-rw-r--r--source4/libcli/security/access_check.c16
1 files changed, 12 insertions, 4 deletions
diff --git a/source4/libcli/security/access_check.c b/source4/libcli/security/access_check.c
index 543b0f74c5..4bede15def 100644
--- a/source4/libcli/security/access_check.c
+++ b/source4/libcli/security/access_check.c
@@ -34,8 +34,12 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
if (security_token_has_sid(token, sd->owner_sid)) {
granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL | SEC_STD_DELETE;
- } else if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
- granted |= SEC_STD_DELETE;
+ }
+ if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
+ granted |= SEC_RIGHTS_PRIV_RESTORE;
+ }
+ if (security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
+ granted |= SEC_RIGHTS_PRIV_BACKUP;
}
if (sd->dacl == NULL) {
@@ -125,9 +129,13 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd,
security_token_has_sid(token, sd->owner_sid)) {
bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE);
}
- if ((bits_remaining & SEC_STD_DELETE) &&
+ if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) &&
security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
- bits_remaining &= ~SEC_STD_DELETE;
+ bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE);
+ }
+ if ((bits_remaining & SEC_RIGHTS_PRIV_BACKUP) &&
+ security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
+ bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP);
}
if (sd->dacl == NULL) {