From daefca2a1aaa9f4e0ca2f17ef4c9a71412c081ea Mon Sep 17 00:00:00 2001
From: Nadezhda Ivanova <nivanova@symas.com>
Date: Tue, 15 Oct 2013 02:06:38 +0300
Subject: s4-dsacl: Fixed incorrect handling of privileges in
 sec_access_check_ds

Restore and backup privileges are not relevant to ldap
access checks, and the TakeOwnership privilege should
grant write_owner right

Signed-off-by: Nadezhda Ivanova <nivanova@symas.com>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
 libcli/security/access_check.c | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

(limited to 'libcli')

diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c
index 2425e8a5aa..2be5928934 100644
--- a/libcli/security/access_check.c
+++ b/libcli/security/access_check.c
@@ -436,14 +436,10 @@ NTSTATUS sec_access_check_ds(const struct security_descriptor *sd,
 		bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL);
 	}
 
-	/* TODO: remove this, as it is file server specific */
-	if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) &&
-	    security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
-		bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE);
-	}
-	if ((bits_remaining & SEC_RIGHTS_PRIV_BACKUP) &&
-	    security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
-		bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP);
+	/* SEC_PRIV_TAKE_OWNERSHIP grants SEC_STD_WRITE_OWNER */
+	if ((bits_remaining & (SEC_STD_WRITE_OWNER)) &&
+	    security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) {
+		bits_remaining &= ~(SEC_STD_WRITE_OWNER);
 	}
 
 	/* a NULL dacl allows access */
-- 
cgit