diff options
Diffstat (limited to 'source4/libcli')
-rw-r--r-- | source4/libcli/security/access_check.c | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/source4/libcli/security/access_check.c b/source4/libcli/security/access_check.c index e8b8ee8771..5ae318be43 100644 --- a/source4/libcli/security/access_check.c +++ b/source4/libcli/security/access_check.c @@ -84,9 +84,11 @@ static const struct GUID *get_ace_object_type(struct security_ace *ace) } /* - the main entry point for access checking. + The main entry point for access checking. If returning ACCESS_DENIED + this function returns the denied bits in the uint32_t pointed + to by the access_granted pointer. */ -NTSTATUS sec_access_check(const struct security_descriptor *sd, +NTSTATUS se_access_check(const struct security_descriptor *sd, const struct security_token *token, uint32_t access_desired, uint32_t *access_granted) @@ -99,10 +101,17 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd, /* handle the maximum allowed flag */ if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) { + uint32_t orig_access_desired = access_desired; + access_desired |= access_check_max_allowed(sd, token); access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED; *access_granted = access_desired; bits_remaining = access_desired & ~SEC_STD_DELETE; + + DEBUG(10,("se_access_check: MAX desired = 0x%x, granted = 0x%x, remaining = 0x%x\n", + orig_access_desired, + *access_granted, + bits_remaining)); } if (access_desired & SEC_FLAG_SYSTEM_SECURITY) { @@ -124,6 +133,10 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd, security_token_has_sid(token, sd->owner_sid)) { bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE); } + if ((bits_remaining & SEC_STD_DELETE) && + (security_token_has_privilege(token, SEC_PRIV_RESTORE))) { + bits_remaining &= ~SEC_STD_DELETE; + } if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) && security_token_has_privilege(token, SEC_PRIV_RESTORE)) { bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE); @@ -166,6 +179,7 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd, done: if (bits_remaining != 0) { + *access_granted = bits_remaining; return NT_STATUS_ACCESS_DENIED; } |