r5056: * correct STANDARD_RIGHTS_WRITE_ACCESS bitmask define

* make sure to apply the rights_mask and not just the saved
  bits from the mask in access_check_samr_object()
* allow root to grant/revoke privileges (in addition to Domain
  Admins) as suggested by Volker.

Tested machine joins from XP, 2K, and NT4 with and without
pre-existing machine trust accounts.  Also tested basic file
operations using cmd.exe and explorer.exe after changing the
STANDARD_RIGHTS_WRITE_ACCESS bitmask.
(This used to be commit c0e7f7ff60a4110809b8f500fdc68a1bf963da36)

2 files changed, 20 insertions, 10 deletions

diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c
index 13053d9877..da00d2d6c4 100644
--- a/source3/rpc_server/srv_lsa_nt.c
+++ b/source3/rpc_server/srv_lsa_nt.c
@@ -1134,16 +1134,21 @@ NTSTATUS _lsa_addprivs(pipes_struct *p, LSA_Q_ADDPRIVS *q_u, LSA_R_ADDPRIVS *r_u
 	struct lsa_info *info = NULL;
 	SE_PRIV mask;
 	PRIVILEGE_SET *set = NULL;
+	struct current_user user;
 
 	/* find the connection policy handle. */
 	if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
 		return NT_STATUS_INVALID_HANDLE;
 		
-	/* check to see if the pipe_user is a Domain Admin since 
+	/* check to see if the pipe_user is root or a Domain Admin since 
 	   account_pol.tdb was already opened as root, this is all we have */
-	   
-	if ( !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
+
+	get_current_user( &user, p );
+	if ( user.uid != sec_initial_uid() 
+		&& !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
+	{
 		return NT_STATUS_ACCESS_DENIED;
+	}
 
 	set = &q_u->set;
 
@@ -1170,16 +1175,21 @@ NTSTATUS _lsa_removeprivs(pipes_struct *p, LSA_Q_REMOVEPRIVS *q_u, LSA_R_REMOVEP
 	struct lsa_info *info = NULL;
 	SE_PRIV mask;
 	PRIVILEGE_SET *set = NULL;
+	struct current_user user;
 
 	/* find the connection policy handle. */
 	if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
 		return NT_STATUS_INVALID_HANDLE;
 
-	/* check to see if the pipe_user is a Domain Admin since 
+	/* check to see if the pipe_user is root or a Domain Admin since 
 	   account_pol.tdb was already opened as root, this is all we have */
-	   
-	if ( !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
+
+	get_current_user( &user, p );
+	if ( user.uid != sec_initial_uid()
+		&& !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) ) 
+	{
 		return NT_STATUS_ACCESS_DENIED;
+	}
 
 	set = &q_u->set;
 
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index 43abfdaafa..4d8e2b51cc 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -270,8 +270,8 @@ static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token,
 		saved_mask = (des_access & rights_mask);
 		des_access &= ~saved_mask;
 		
-		DEBUG(4,("access_check_samr_object: user rights saved access mask [0x%x]\n",
-			saved_mask));
+		DEBUG(4,("access_check_samr_object: user rights access mask [0x%x]\n",
+			rights_mask));
 	}
 		
 	
@@ -296,9 +296,9 @@ static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token,
 	
 done:
 	/* add in any bits saved during the privilege check (only 
-	   matters is syayus is ok) */
+	   matters is status is ok) */
 	
-	*acc_granted |= saved_mask;
+	*acc_granted |= rights_mask;
 
 	DEBUG(4,("%s: access %s (requested: 0x%08x, granted: 0x%08x)\n", 
 		debug, NT_STATUS_IS_OK(status) ? "GRANTED" : "DENIED",