s3-acl Merge source4-supported privileges into se_access_check

This will shortly be the common se_access_check function.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>

diff --git a/source3/lib/util_seaccess.c b/source3/lib/util_seaccess.c
index af7ba241948ee18c4ae0045d71e91b15e1d8392a..5fc450ec25446d9247ffc0acecb0637a3babf53d 100644 (file)
--- a/source3/lib/util_seaccess.c
+++ b/source3/lib/util_seaccess.c
@@ -178,17 +178,13 @@ NTSTATUS se_access_check(const struct security_descriptor *sd,
                        bits_remaining));
        }
 
-#if 0
-       /* We need to support SeSecurityPrivilege for this. */
-
        if (access_desired & SEC_FLAG_SYSTEM_SECURITY) {
-               if (user_has_privileges(token, &sec_security)) {
+               if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
                        bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
                } else {
                        return NT_STATUS_PRIVILEGE_NOT_HELD;
                }
        }
-#endif
 
        /* a NULL dacl allows access */
        if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
@@ -205,6 +201,14 @@ NTSTATUS se_access_check(const struct security_descriptor *sd,
            (security_token_has_privilege(token, SEC_PRIV_RESTORE))) {
                bits_remaining &= ~SEC_STD_DELETE;
        }
+       if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) &&
+           security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
+               bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE);
+       }
+       if ((bits_remaining & SEC_RIGHTS_PRIV_BACKUP) &&
+           security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
+               bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP);
+       }
 
        if (sd->dacl == NULL) {
                goto done;