From 6b1ab9cd478dc63c1c7f1fef42b2e1b896907bed Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Sat, 17 Oct 2009 09:09:42 +1100
Subject: s4-pvfs: don't auto-apply privilege bits in unix acl handling either
---
 source4/ntvfs/posix/pvfs_acl.c | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/source4/ntvfs/posix/pvfs_acl.c b/source4/ntvfs/posix/pvfs_acl.c
index 375e38effc..612b96a3ea 100644
--- a/source4/ntvfs/posix/pvfs_acl.c
+++ b/source4/ntvfs/posix/pvfs_acl.c
@@ -496,15 +496,10 @@ NTSTATUS pvfs_access_check_unix(struct pvfs_state *pvfs,
 return NT_STATUS_ACCESS_DENIED;
 }
- if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
- max_bits |= SEC_RIGHTS_PRIV_RESTORE;
- }
- if (security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
- max_bits |= SEC_RIGHTS_PRIV_BACKUP;
- }
-
 if (uid == name->st.st_uid) {
 max_bits |= SEC_STD_ALL;
+ } else if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
+ max_bits |= SEC_STD_DELETE;
 }
 if ((name->st.st_mode & S_IWOTH) ||
@@ -530,6 +525,15 @@ NTSTATUS pvfs_access_check_unix(struct pvfs_state *pvfs,
 security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
 max_bits |= SEC_FLAG_SYSTEM_SECURITY;
 }
+
+ if (((*access_mask & ~max_bits) & SEC_RIGHTS_PRIV_RESTORE) &&
+ security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
+ max_bits |= ~(SEC_RIGHTS_PRIV_RESTORE);
+ }
+ if (((*access_mask & ~max_bits) & SEC_RIGHTS_PRIV_BACKUP) &&
+ security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
+ max_bits |= ~(SEC_RIGHTS_PRIV_BACKUP);
+ }
 if (*access_mask & ~max_bits) {
 DEBUG(0,(__location__ " denied access to '%s' - wanted 0x%08x but got 0x%08x (missing 0x%08x)\n",
-- cgit
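Review bot: The new `else if` branch in the first hunk adds SEC_STD_DELETE to max_bits for every non-owner token that holds SEC_PRIV_RESTORE, whether or not delete was requested, so one privilege-derived bit is still applied automatically despite the commit subject. If that is deliberate, a comment on the branch should record it, for example `/* restore privilege: a non-owner may still be granted delete */`. Otherwise the grant could be gated on the requested mask, as the privilege checks added in the second hunk are. pvfs_access_check_unix starts and ends outside the hunk, so how max_bits is used for maximum-allowed requests is not visible here.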
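Review bot: Both privilege blocks added before the final `*access_mask & ~max_bits` check OR the complement of the privilege mask into max_bits, `max_bits |= ~(SEC_RIGHTS_PRIV_RESTORE);` and the same for BACKUP, which looks inverted. The requested restore or backup bits that triggered the branch are not set by that statement, while every bit outside the mask is added to the ceiling, so a privileged token is widened on unrelated rights instead of the ones its privilege covers. If the intent is to grant only the privilege's own rights when they are requested, the lines would read `max_bits |= SEC_RIGHTS_PRIV_RESTORE;` and `max_bits |= SEC_RIGHTS_PRIV_BACKUP;`. The macro definitions and the rest of pvfs_access_check_unix are outside the hunk, so this should be confirmed against them.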