s3-acl Merge source4-supported privileges into se_access_check

This will shortly be the common se_access_check function.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>

1 files changed, 9 insertions, 5 deletions

diff --git a/source3/lib/util_seaccess.c b/source3/lib/util_seaccess.c
index af7ba24194..5fc450ec25 100644
--- a/source3/lib/util_seaccess.c
+++ b/source3/lib/util_seaccess.c
@@ -178,17 +178,13 @@ NTSTATUS se_access_check(const struct security_descriptor *sd,
 			bits_remaining));
 	}
 
-#if 0
-	/* We need to support SeSecurityPrivilege for this. */
-
 	if (access_desired & SEC_FLAG_SYSTEM_SECURITY) {
-		if (user_has_privileges(token, &sec_security)) {
+		if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
 			bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
 		} else {
 			return NT_STATUS_PRIVILEGE_NOT_HELD;
 		}
 	}
-#endif
 
 	/* a NULL dacl allows access */
 	if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
@@ -205,6 +201,14 @@ NTSTATUS se_access_check(const struct security_descriptor *sd,
 	    (security_token_has_privilege(token, SEC_PRIV_RESTORE))) {
 		bits_remaining &= ~SEC_STD_DELETE;
 	}
+	if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) &&
+	    security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
+		bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE);
+	}
+	if ((bits_remaining & SEC_RIGHTS_PRIV_BACKUP) &&
+	    security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
+		bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP);
+	}
 
 	if (sd->dacl == NULL) {
 		goto done;