diff options
-rw-r--r-- | source4/ntvfs/posix/pvfs_acl.c | 18 |
1 files changed, 11 insertions, 7 deletions
diff --git a/source4/ntvfs/posix/pvfs_acl.c b/source4/ntvfs/posix/pvfs_acl.c index 375e38effc..612b96a3ea 100644 --- a/source4/ntvfs/posix/pvfs_acl.c +++ b/source4/ntvfs/posix/pvfs_acl.c @@ -496,15 +496,10 @@ NTSTATUS pvfs_access_check_unix(struct pvfs_state *pvfs, return NT_STATUS_ACCESS_DENIED; } - if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) { - max_bits |= SEC_RIGHTS_PRIV_RESTORE; - } - if (security_token_has_privilege(token, SEC_PRIV_BACKUP)) { - max_bits |= SEC_RIGHTS_PRIV_BACKUP; - } - if (uid == name->st.st_uid) { max_bits |= SEC_STD_ALL; + } else if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) { + max_bits |= SEC_STD_DELETE; } if ((name->st.st_mode & S_IWOTH) || @@ -530,6 +525,15 @@ NTSTATUS pvfs_access_check_unix(struct pvfs_state *pvfs, security_token_has_privilege(token, SEC_PRIV_SECURITY)) { max_bits |= SEC_FLAG_SYSTEM_SECURITY; } + + if (((*access_mask & ~max_bits) & SEC_RIGHTS_PRIV_RESTORE) && + security_token_has_privilege(token, SEC_PRIV_RESTORE)) { + max_bits |= ~(SEC_RIGHTS_PRIV_RESTORE); + } + if (((*access_mask & ~max_bits) & SEC_RIGHTS_PRIV_BACKUP) && + security_token_has_privilege(token, SEC_PRIV_BACKUP)) { + max_bits |= ~(SEC_RIGHTS_PRIV_BACKUP); + } if (*access_mask & ~max_bits) { DEBUG(0,(__location__ " denied access to '%s' - wanted 0x%08x but got 0x%08x (missing 0x%08x)\n", |