authorJeremy Allison <jra@samba.org>2010-10-20 16:31:18 -0700
committerJeremy Allison <jra@samba.org>2010-10-21 00:15:57 +0000
commite00c2b3cdf6faa03b6ffcf87dc677fdbdd381fe3 (patch)
tree4a4995eb0b7398bac357927efb5b84a9c0869c72 /source3/smbd/open.c
parentc0b9526aaf29442f85f62232e22aecfb484b1576 (diff)
Add code to implement SeSecurityPrivilege in net rpc rights, and in the
open and get/set NT security descriptor code. Jeremy. Autobuild-User: Jeremy Allison <jra@samba.org> Autobuild-Date: Thu Oct 21 00:15:57 UTC 2010 on sn-devel-104
Diffstat (limited to 'source3/smbd/open.c')
-rw-r--r--source3/smbd/open.c29
1 files changed, 8 insertions, 21 deletions
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 01f0cd699a..f5de607713 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -2506,8 +2506,9 @@ static NTSTATUS open_directory(connection_struct *conn,
return status;
}
- /* We need to support SeSecurityPrivilege for this. */
- if (access_mask & SEC_FLAG_SYSTEM_SECURITY) {
+ if ((access_mask & SEC_FLAG_SYSTEM_SECURITY) &
+ !security_token_has_privilege(get_current_nttok(conn),
+ SEC_PRIV_SECURITY)) {
DEBUG(10, ("open_directory: open on %s "
"failed - SEC_FLAG_SYSTEM_SECURITY denied.\n",
smb_fname_str_dbg(smb_dname)));
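Review bot: The new condition in open_directory joins its two tests with bitwise `&` instead of logical `&&`, so `(access_mask & SEC_FLAG_SYSTEM_SECURITY)` is ANDed with the 0-or-1 result of `!security_token_has_privilege(...)`. Unless SEC_FLAG_SYSTEM_SECURITY happens to be bit 0, that expression is always zero and the denial branch never runs, so a caller without SeSecurityPrivilege that requests system-security access on a directory is no longer refused at this point. The first line should read `if ((access_mask & SEC_FLAG_SYSTEM_SECURITY) &&`, matching the create_file_unixpath hunk later in this diff. A regression test that opens a directory with that bit set from a token lacking the privilege would catch this; the rest of open_directory lies outside the hunk.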
@@ -3029,29 +3030,15 @@ static NTSTATUS create_file_unixpath(connection_struct *conn,
goto fail;
}
-#if 0
- /* We need to support SeSecurityPrivilege for this. */
if ((access_mask & SEC_FLAG_SYSTEM_SECURITY) &&
- !user_has_privileges(current_user.nt_user_token,
- &se_security)) {
- status = NT_STATUS_PRIVILEGE_NOT_HELD;
- goto fail;
- }
-#else
- /* We need to support SeSecurityPrivilege for this. */
- if (access_mask & SEC_FLAG_SYSTEM_SECURITY) {
- status = NT_STATUS_PRIVILEGE_NOT_HELD;
- goto fail;
- }
- /* Don't allow a SACL set from an NTtrans create until we
- * support SeSecurityPrivilege. */
- if (!VALID_STAT(smb_fname->st) &&
- lp_nt_acl_support(SNUM(conn)) &&
- sd && (sd->sacl != NULL)) {
+ !security_token_has_privilege(get_current_nttok(conn),
+ SEC_PRIV_SECURITY)) {
+ DEBUG(10, ("create_file_unixpath: open on %s "
+ "failed - SEC_FLAG_SYSTEM_SECURITY denied.\n",
+ smb_fname_str_dbg(smb_fname)));
status = NT_STATUS_PRIVILEGE_NOT_HELD;
goto fail;
}
-#endif
if ((conn->fs_capabilities & FILE_NAMED_STREAMS)
&& is_ntfs_stream_smb_fname(smb_fname)
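Review bot: The removed `#else` branch also refused a create whose supplied descriptor carried a SACL (`sd && (sd->sacl != NULL)` on a file that does not yet exist), and the new code drops that test entirely instead of gating it on the privilege. As written, only `access_mask` is checked here, so a create that passes a SACL in `sd` without requesting SEC_FLAG_SYSTEM_SECURITY is not rejected by this block. Whether the set-security-descriptor path mentioned in the commit message covers that case is not visible from this hunk. If it does not, keep the check and add the privilege test to it, with a condition such as `sd && (sd->sacl != NULL) && !security_token_has_privilege(get_current_nttok(conn), SEC_PRIV_SECURITY)`. create_file_unixpath starts and ends outside the hunk.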