From fbcaef3bf662b4a46ce7e131ae6bd04c3b735433 Mon Sep 17 00:00:00 2001
From: Gerald Carter <jerry@samba.org>
Date: Fri, 16 Sep 2005 14:47:21 +0000
Subject: r10264: reverse order of 'root free pass' checks in service and
 registry access_checks() (This used to be commit
 35b338a4fc95c14629579336dcf3bd240fda92d3)

---
 source3/rpc_server/srv_reg_nt.c    | 15 +++++++--------
 source3/rpc_server/srv_svcctl_nt.c | 14 +++++---------
 2 files changed, 12 insertions(+), 17 deletions(-)

diff --git a/source3/rpc_server/srv_reg_nt.c b/source3/rpc_server/srv_reg_nt.c
index 7a48b8dd22..9ffc77fce8 100644
--- a/source3/rpc_server/srv_reg_nt.c
+++ b/source3/rpc_server/srv_reg_nt.c
@@ -45,16 +45,15 @@ NTSTATUS registry_access_check( SEC_DESC *sec_desc, NT_USER_TOKEN *token,
 	NTSTATUS result;
 		
 	se_map_generic( &access_desired, &reg_generic_map );
-	se_access_check( sec_desc, token, access_desired, access_granted, &result );
 
-	if ( !NT_STATUS_IS_OK(result) ) {
-		if ( geteuid() == sec_initial_uid() ) {
-			DEBUG(5,("registry_access_check: access check bypassed for 'root'\n"));
-			*access_granted = access_desired;
-			return NT_STATUS_OK;
-		}
+	if ( geteuid() == sec_initial_uid() ) {
+		DEBUG(5,("registry_access_check: access check bypassed for 'root'\n"));
+		*access_granted = access_desired;
+		return NT_STATUS_OK;
 	}
-	
+
+	se_access_check( sec_desc, token, access_desired, access_granted, &result );
+
 	return result;
 }
 
diff --git a/source3/rpc_server/srv_svcctl_nt.c b/source3/rpc_server/srv_svcctl_nt.c
index 16c3259840..538b97a2b1 100644
--- a/source3/rpc_server/srv_svcctl_nt.c
+++ b/source3/rpc_server/srv_svcctl_nt.c
@@ -60,18 +60,14 @@ static NTSTATUS svcctl_access_check( SEC_DESC *sec_desc, NT_USER_TOKEN *token,
 {
 	NTSTATUS result;
 
-	/* maybe add privilege checks in here later */
+	if ( geteuid() == sec_initial_uid() ) {
+		DEBUG(5,("svcctl_access_check: access check bypassed for 'root'\n"));
+		*access_granted = access_desired;
+		return NT_STATUS_OK;
+	}
 	
 	se_access_check( sec_desc, token, access_desired, access_granted, &result );
 
-	if ( !NT_STATUS_IS_OK(result) ) {
-		if ( geteuid() == sec_initial_uid() ) {
-			DEBUG(5,("svcctl_access_check: access check bypassed for 'root'\n"));
-			*access_granted = access_desired;
-			return NT_STATUS_OK;
-		}
-	}
-	
 	return result;
 }
 
-- 
cgit