From daefca2a1aaa9f4e0ca2f17ef4c9a71412c081ea Mon Sep 17 00:00:00 2001
From: Nadezhda Ivanova
Date: Tue, 15 Oct 2013 02:06:38 +0300
Subject: s4-dsacl: Fixed incorrect handling of privileges in sec_access_check_ds
Restore and backup privileges are not relevant to ldap access checks, and the TakeOwnership privilege should grant write_owner right
Signed-off-by: Nadezhda Ivanova
Reviewed-by: Andrew Bartlett
---
 libcli/security/access_check.c | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)
(limited to 'libcli')
diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c
index 2425e8a5aa..2be5928934 100644
--- a/libcli/security/access_check.c
+++ b/libcli/security/access_check.c
@@ -436,14 +436,10 @@ NTSTATUS sec_access_check_ds(const struct security_descriptor *sd,
 bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL);
 }
- /* TODO: remove this, as it is file server specific */
- if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) &&
- security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
- bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE);
- }
- if ((bits_remaining & SEC_RIGHTS_PRIV_BACKUP) &&
- security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
- bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP);
+ /* SEC_PRIV_TAKE_OWNERSHIP grants SEC_STD_WRITE_OWNER */
+ if ((bits_remaining & (SEC_STD_WRITE_OWNER)) &&
+ security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) {
+ bits_remaining &= ~(SEC_STD_WRITE_OWNER);
 }
 /* a NULL dacl allows access */
-- cgit
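Review bot: The new `SEC_PRIV_TAKE_OWNERSHIP` branch clears `SEC_STD_WRITE_OWNER` from `bits_remaining` ahead of the DACL handling that follows it (the `/* a NULL dacl allows access */` context line), so a holder of the privilege appears to get write-owner even where an ACE would deny it, and the one-line comment does not say that this precedence is intended. I would spell it out, e.g. `/* SEC_PRIV_TAKE_OWNERSHIP grants SEC_STD_WRITE_OWNER regardless of the DACL; checked before the ACL walk on purpose */`. The diffstat shows only access_check.c changed, so a regression test for both halves (backup/restore privileges no longer satisfying the `SEC_RIGHTS_PRIV_*` bits here, take-ownership granting write-owner) would be worth adding alongside. The body of sec_access_check_ds starts and ends outside this hunk, so the ordering relative to the ACE evaluation is inferred from the visible context only.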