summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source4/lib/policy/gp_ldap.c2
-rw-r--r--source4/libcli/security/access_check.c18
-rw-r--r--source4/ntvfs/posix/pvfs_acl.c2
3 files changed, 18 insertions, 4 deletions
diff --git a/source4/lib/policy/gp_ldap.c b/source4/lib/policy/gp_ldap.c
index bbb2eec4e9..271188353c 100644
--- a/source4/lib/policy/gp_ldap.c
+++ b/source4/lib/policy/gp_ldap.c
@@ -540,7 +540,7 @@ NTSTATUS gp_list_gpos(struct gp_context *gp_ctx, struct security_token *token, c
/* If the account does not have read access, this GPO does not apply
* to this account */
- status = sec_access_check(gpo->security_descriptor,
+ status = se_access_check(gpo->security_descriptor,
token,
(SEC_STD_READ_CONTROL | SEC_ADS_LIST | SEC_ADS_READ_PROP),
&access_granted);
diff --git a/source4/libcli/security/access_check.c b/source4/libcli/security/access_check.c
index e8b8ee8771..5ae318be43 100644
--- a/source4/libcli/security/access_check.c
+++ b/source4/libcli/security/access_check.c
@@ -84,9 +84,11 @@ static const struct GUID *get_ace_object_type(struct security_ace *ace)
}
/*
- the main entry point for access checking.
+ The main entry point for access checking. If returning ACCESS_DENIED
+ this function returns the denied bits in the uint32_t pointed
+ to by the access_granted pointer.
*/
-NTSTATUS sec_access_check(const struct security_descriptor *sd,
+NTSTATUS se_access_check(const struct security_descriptor *sd,
const struct security_token *token,
uint32_t access_desired,
uint32_t *access_granted)
@@ -99,10 +101,17 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd,
/* handle the maximum allowed flag */
if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
+ uint32_t orig_access_desired = access_desired;
+
access_desired |= access_check_max_allowed(sd, token);
access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
*access_granted = access_desired;
bits_remaining = access_desired & ~SEC_STD_DELETE;
+
+ DEBUG(10,("se_access_check: MAX desired = 0x%x, granted = 0x%x, remaining = 0x%x\n",
+ orig_access_desired,
+ *access_granted,
+ bits_remaining));
}
if (access_desired & SEC_FLAG_SYSTEM_SECURITY) {
@@ -124,6 +133,10 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd,
security_token_has_sid(token, sd->owner_sid)) {
bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE);
}
+ if ((bits_remaining & SEC_STD_DELETE) &&
+ (security_token_has_privilege(token, SEC_PRIV_RESTORE))) {
+ bits_remaining &= ~SEC_STD_DELETE;
+ }
if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) &&
security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE);
@@ -166,6 +179,7 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd,
done:
if (bits_remaining != 0) {
+ *access_granted = bits_remaining;
return NT_STATUS_ACCESS_DENIED;
}
diff --git a/source4/ntvfs/posix/pvfs_acl.c b/source4/ntvfs/posix/pvfs_acl.c
index 97c5341007..9fb2cdf87b 100644
--- a/source4/ntvfs/posix/pvfs_acl.c
+++ b/source4/ntvfs/posix/pvfs_acl.c
@@ -632,7 +632,7 @@ NTSTATUS pvfs_access_check(struct pvfs_state *pvfs,
}
/* check the acl against the required access mask */
- status = sec_access_check(sd, token, *access_mask, access_mask);
+ status = se_access_check(sd, token, *access_mask, access_mask);
if (pvfs->ntvfs->ctx->protocol != PROTOCOL_SMB2) {
/* on SMB, this bit is always granted, even if not