summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source4/ntvfs/posix/pvfs_acl.c18
1 files changed, 11 insertions, 7 deletions
diff --git a/source4/ntvfs/posix/pvfs_acl.c b/source4/ntvfs/posix/pvfs_acl.c
index 375e38effc..612b96a3ea 100644
--- a/source4/ntvfs/posix/pvfs_acl.c
+++ b/source4/ntvfs/posix/pvfs_acl.c
@@ -496,15 +496,10 @@ NTSTATUS pvfs_access_check_unix(struct pvfs_state *pvfs,
return NT_STATUS_ACCESS_DENIED;
}
- if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
- max_bits |= SEC_RIGHTS_PRIV_RESTORE;
- }
- if (security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
- max_bits |= SEC_RIGHTS_PRIV_BACKUP;
- }
-
if (uid == name->st.st_uid) {
max_bits |= SEC_STD_ALL;
+ } else if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
+ max_bits |= SEC_STD_DELETE;
}
if ((name->st.st_mode & S_IWOTH) ||
@@ -530,6 +525,15 @@ NTSTATUS pvfs_access_check_unix(struct pvfs_state *pvfs,
security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
max_bits |= SEC_FLAG_SYSTEM_SECURITY;
}
+
+ if (((*access_mask & ~max_bits) & SEC_RIGHTS_PRIV_RESTORE) &&
+ security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
+ max_bits |= ~(SEC_RIGHTS_PRIV_RESTORE);
+ }
+ if (((*access_mask & ~max_bits) & SEC_RIGHTS_PRIV_BACKUP) &&
+ security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
+ max_bits |= ~(SEC_RIGHTS_PRIV_BACKUP);
+ }
if (*access_mask & ~max_bits) {
DEBUG(0,(__location__ " denied access to '%s' - wanted 0x%08x but got 0x%08x (missing 0x%08x)\n",