diff options
| author | Gerald Carter <jerry@samba.org> | 2005-01-28 16:55:09 +0000 |
|---|---|---|
| committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 10:55:12 -0500 |
| commit | 962a5c95528932fde64c8c8b70b0a81c382c2905 (patch) | |
| tree | f55bbdd1d293dc0a3c86c3571f434520c021ad60 /source3/rpc_server/srv_samr_nt.c | |
| parent | 6441450e9306b1b09ca2a085d47992867acdd4ec (diff) | |
| download | samba-962a5c95528932fde64c8c8b70b0a81c382c2905.tar.gz samba-962a5c95528932fde64c8c8b70b0a81c382c2905.tar.bz2 samba-962a5c95528932fde64c8c8b70b0a81c382c2905.zip | |
r5056: * correct STANDARD_RIGHTS_WRITE_ACCESS bitmask define
* make sure to apply the rights_mask and not just the saved
bits from the mask in access_check_samr_object()
* allow root to grant/revoke privileges (in addition to Domain
Admins) as suggested by Volker.
Tested machine joins from XP, 2K, and NT4 with and without
pre-existing machine trust accounts. Also tested basic file
operations using cmd.exe and explorer.exe after changing the
STANDARD_RIGHTS_WRITE_ACCESS bitmask.
(This used to be commit c0e7f7ff60a4110809b8f500fdc68a1bf963da36)
Diffstat (limited to 'source3/rpc_server/srv_samr_nt.c')
| -rw-r--r-- | source3/rpc_server/srv_samr_nt.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 43abfdaafa..4d8e2b51cc 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -270,8 +270,8 @@ static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token, saved_mask = (des_access & rights_mask); des_access &= ~saved_mask; - DEBUG(4,("access_check_samr_object: user rights saved access mask [0x%x]\n", - saved_mask)); + DEBUG(4,("access_check_samr_object: user rights access mask [0x%x]\n", + rights_mask)); } @@ -296,9 +296,9 @@ static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token, done: /* add in any bits saved during the privilege check (only - matters is syayus is ok) */ + matters is status is ok) */ - *acc_granted |= saved_mask; + *acc_granted |= rights_mask; DEBUG(4,("%s: access %s (requested: 0x%08x, granted: 0x%08x)\n", debug, NT_STATUS_IS_OK(status) ? "GRANTED" : "DENIED", |