authorAndrew Bartlett <abartlet@samba.org>2010-09-18 10:29:02 +1000
committerAndrew Tridgell <tridge@samba.org>2010-10-14 02:35:04 +0000
commita040466d0d6866f2ede22261fbd90018773b03de (patch)
tree3634577f22278185b9abff6c6ab0636b0d71fcb8
parent7c6105ec27612adc712d3afcd3a794b6b7d32d8d (diff)
s3-acl Merge source4-supported privileges into se_access_check
This will shortly be the common se_access_check function. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
-rw-r--r--source3/lib/util_seaccess.c14
1 files changed, 9 insertions, 5 deletions
diff --git a/source3/lib/util_seaccess.c b/source3/lib/util_seaccess.c
index af7ba24194..5fc450ec25 100644
--- a/source3/lib/util_seaccess.c
+++ b/source3/lib/util_seaccess.c
@@ -178,17 +178,13 @@ NTSTATUS se_access_check(const struct security_descriptor *sd,
bits_remaining));
}
-#if 0
- /* We need to support SeSecurityPrivilege for this. */
-
if (access_desired & SEC_FLAG_SYSTEM_SECURITY) {
- if (user_has_privileges(token, &sec_security)) {
+ if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
} else {
return NT_STATUS_PRIVILEGE_NOT_HELD;
}
}
-#endif
/* a NULL dacl allows access */
if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
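Review bot: The re-enabled SEC_FLAG_SYSTEM_SECURITY branch has lost its only comment, so nothing now records that this bit is decided purely by privilege and never reaches the DACL walk. I would add above the `if`: `/* SACL access is granted only by SEC_PRIV_SECURITY, never by an ACE; checked before the NULL-DACL shortcut below so that shortcut cannot grant it */`. The branch also makes NT_STATUS_PRIVILEGE_NOT_HELD a live return value for this function, where callers presumably saw only the DACL-derived status for such requests while the code was under `#if 0`; it is worth confirming that callers map it sensibly. se_access_check starts and ends outside the hunk.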
@@ -205,6 +201,14 @@ NTSTATUS se_access_check(const struct security_descriptor *sd,
(security_token_has_privilege(token, SEC_PRIV_RESTORE))) {
bits_remaining &= ~SEC_STD_DELETE;
}
+ if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) &&
+ security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
+ bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE);
+ }
+ if ((bits_remaining & SEC_RIGHTS_PRIV_BACKUP) &&
+ security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
+ bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP);
+ }
if (sd->dacl == NULL) {
goto done;
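Review bot: The two added blocks let any token holding SEC_PRIV_RESTORE or SEC_PRIV_BACKUP clear all of SEC_RIGHTS_PRIV_RESTORE / SEC_RIGHTS_PRIV_BACKUP on every access check, and the function has no parameter by which a caller could limit this to opens made with backup or restore intent. Since the commit message says this will become the common se_access_check, the DACL override would apply to every caller; if that is intended, state it in a comment such as `/* Backup/restore privileges override the DACL for these rights unconditionally; callers that must honour backup intent have to filter the mask or token themselves */`. A DEBUG line when a privilege clears bits would also make privileged DACL bypasses visible in logs. The mask definitions and the rest of se_access_check are outside the hunk, so the exact rights covered cannot be confirmed from here.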