s4-pvfs: don't auto-apply privilege bits in unix acl handling either

diff --git a/source4/ntvfs/posix/pvfs_acl.c b/source4/ntvfs/posix/pvfs_acl.c
index 375e38effc12821cf98750e073686f6e83dc49a7..612b96a3eaeae44e1beaa09bacfb1eca5aa9fb01 100644 (file)
--- a/source4/ntvfs/posix/pvfs_acl.c
+++ b/source4/ntvfs/posix/pvfs_acl.c
@@ -496,15 +496,10 @@ NTSTATUS pvfs_access_check_unix(struct pvfs_state *pvfs,
                return NT_STATUS_ACCESS_DENIED;
        }
 
-       if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
-               max_bits |= SEC_RIGHTS_PRIV_RESTORE;
-       }
-       if (security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
-               max_bits |= SEC_RIGHTS_PRIV_BACKUP;
-       }
-
        if (uid == name->st.st_uid) {
                max_bits |= SEC_STD_ALL;
+       } else if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
+               max_bits |= SEC_STD_DELETE;
        }
 
        if ((name->st.st_mode & S_IWOTH) ||
@@ -530,6 +525,15 @@ NTSTATUS pvfs_access_check_unix(struct pvfs_state *pvfs,
            security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
                max_bits |= SEC_FLAG_SYSTEM_SECURITY;
        }
+       
+       if (((*access_mask & ~max_bits) & SEC_RIGHTS_PRIV_RESTORE) &&
+           security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
+               max_bits |= ~(SEC_RIGHTS_PRIV_RESTORE);
+       }
+       if (((*access_mask & ~max_bits) & SEC_RIGHTS_PRIV_BACKUP) &&
+           security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
+               max_bits |= ~(SEC_RIGHTS_PRIV_BACKUP);
+       }
 
        if (*access_mask & ~max_bits) {
                DEBUG(0,(__location__ " denied access to '%s' - wanted 0x%08x but got 0x%08x (missing 0x%08x)\n",