diff options
| -rw-r--r-- | source4/lib/policy/gp_ldap.c | 2 | ||||
| -rw-r--r-- | source4/libcli/security/access_check.c | 18 | ||||
| -rw-r--r-- | source4/ntvfs/posix/pvfs_acl.c | 2 |
3 files changed, 18 insertions, 4 deletions
diff --git a/source4/lib/policy/gp_ldap.c b/source4/lib/policy/gp_ldap.c index bbb2eec4e9..271188353c 100644 --- a/source4/lib/policy/gp_ldap.c +++ b/source4/lib/policy/gp_ldap.c @@ -540,7 +540,7 @@ NTSTATUS gp_list_gpos(struct gp_context *gp_ctx, struct security_token *token, c /* If the account does not have read access, this GPO does not apply * to this account */ - status = sec_access_check(gpo->security_descriptor, + status = se_access_check(gpo->security_descriptor, token, (SEC_STD_READ_CONTROL | SEC_ADS_LIST | SEC_ADS_READ_PROP), &access_granted); diff --git a/source4/libcli/security/access_check.c b/source4/libcli/security/access_check.c index e8b8ee8771..5ae318be43 100644 --- a/source4/libcli/security/access_check.c +++ b/source4/libcli/security/access_check.c @@ -84,9 +84,11 @@ static const struct GUID *get_ace_object_type(struct security_ace *ace) } /* - the main entry point for access checking. + The main entry point for access checking. If returning ACCESS_DENIED + this function returns the denied bits in the uint32_t pointed + to by the access_granted pointer. */ -NTSTATUS sec_access_check(const struct security_descriptor *sd, +NTSTATUS se_access_check(const struct security_descriptor *sd, const struct security_token *token, uint32_t access_desired, uint32_t *access_granted) @@ -99,10 +101,17 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd, /* handle the maximum allowed flag */ if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) { + uint32_t orig_access_desired = access_desired; + access_desired |= access_check_max_allowed(sd, token); access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED; *access_granted = access_desired; bits_remaining = access_desired & ~SEC_STD_DELETE; + + DEBUG(10,("se_access_check: MAX desired = 0x%x, granted = 0x%x, remaining = 0x%x\n", + orig_access_desired, + *access_granted, + bits_remaining)); } if (access_desired & SEC_FLAG_SYSTEM_SECURITY) { @@ -124,6 +133,10 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd, security_token_has_sid(token, sd->owner_sid)) { bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE); } + if ((bits_remaining & SEC_STD_DELETE) && + (security_token_has_privilege(token, SEC_PRIV_RESTORE))) { + bits_remaining &= ~SEC_STD_DELETE; + } if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) && security_token_has_privilege(token, SEC_PRIV_RESTORE)) { bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE); @@ -166,6 +179,7 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd, done: if (bits_remaining != 0) { + *access_granted = bits_remaining; return NT_STATUS_ACCESS_DENIED; } diff --git a/source4/ntvfs/posix/pvfs_acl.c b/source4/ntvfs/posix/pvfs_acl.c index 97c5341007..9fb2cdf87b 100644 --- a/source4/ntvfs/posix/pvfs_acl.c +++ b/source4/ntvfs/posix/pvfs_acl.c @@ -632,7 +632,7 @@ NTSTATUS pvfs_access_check(struct pvfs_state *pvfs, } /* check the acl against the required access mask */ - status = sec_access_check(sd, token, *access_mask, access_mask); + status = se_access_check(sd, token, *access_mask, access_mask); if (pvfs->ntvfs->ctx->protocol != PROTOCOL_SMB2) { /* on SMB, this bit is always granted, even if not |