s4-acl: SEC_FLAG_MAXIMUM_ALLOWED doesn't auto-apply privilege access masks

diff --git a/source4/libcli/security/access_check.c b/source4/libcli/security/access_check.c
index 4bede15def5302f3908b6b8ff3c81cbc06eaa2a8..954c54c38b86a4860f123cf50a5e0f06080e7155 100644 (file)
--- a/source4/libcli/security/access_check.c
+++ b/source4/libcli/security/access_check.c
@@ -34,12 +34,8 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
        
        if (security_token_has_sid(token, sd->owner_sid)) {
                granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL | SEC_STD_DELETE;
-       }
-       if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
-               granted |= SEC_RIGHTS_PRIV_RESTORE;
-       }
-       if (security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
-               granted |= SEC_RIGHTS_PRIV_BACKUP;
+       } else if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
+               granted |= SEC_STD_DELETE;
        }
 
        if (sd->dacl == NULL) {