From 9da4af062b333750d9cbdf5ef9a47c5ac3723a81 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <tridge@samba.org>
Date: Fri, 16 Oct 2009 23:02:58 +1100
Subject: s4-security: honor more of the privilege access bits

---
 source4/libcli/security/access_check.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

(limited to 'source4/libcli/security')

diff --git a/source4/libcli/security/access_check.c b/source4/libcli/security/access_check.c
index 543b0f74c5..4bede15def 100644
--- a/source4/libcli/security/access_check.c
+++ b/source4/libcli/security/access_check.c
@@ -34,8 +34,12 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
 	
 	if (security_token_has_sid(token, sd->owner_sid)) {
 		granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL | SEC_STD_DELETE;
-	} else if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
-		granted |= SEC_STD_DELETE;
+	}
+	if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
+		granted |= SEC_RIGHTS_PRIV_RESTORE;
+	}
+	if (security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
+		granted |= SEC_RIGHTS_PRIV_BACKUP;
 	}
 
 	if (sd->dacl == NULL) {
@@ -125,9 +129,13 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd,
 	    security_token_has_sid(token, sd->owner_sid)) {
 		bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE);
 	}
-	if ((bits_remaining & SEC_STD_DELETE) &&
+	if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) &&
 	    security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
-		bits_remaining &= ~SEC_STD_DELETE;
+		bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE);
+	}
+	if ((bits_remaining & SEC_RIGHTS_PRIV_BACKUP) &&
+	    security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
+		bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP);
 	}
 
 	if (sd->dacl == NULL) {
-- 
cgit