Fix problem reported by Tom Lee <tlee2951@gmail.com> - when calculating
authorJeremy Allison <jra@samba.org>
Tue, 28 Feb 2012 17:47:50 +0000 (09:47 -0800)
committerJeremy Allison <jra@samba.org>
Tue, 28 Feb 2012 19:21:26 +0000 (20:21 +0100)
the share security mask, take privileges into account for the connecting
user.

Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Tue Feb 28 20:21:26 CET 2012 on sn-devel-104

source3/smbd/service.c

index b08811bab2a4c01ab16515b26636b68cea51e640..8436fbee91f9e4dd1d35768fa3298c09d5ec96b1 100644 (file)
@@ -522,6 +522,33 @@ NTSTATUS set_conn_force_user_group(connection_struct *conn, int snum)
        return NT_STATUS_OK;
 }
 
+/****************************************************************************
+  Setup the share access mask for a connection.
+****************************************************************************/
+
+static void create_share_access_mask(connection_struct *conn, int snum)
+{
+       const struct security_token *token = conn->session_info->security_token;
+
+       share_access_check(token,
+                       lp_servicename(snum),
+                       MAXIMUM_ALLOWED_ACCESS,
+                       &conn->share_access);
+
+       if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
+               conn->share_access |= SEC_FLAG_SYSTEM_SECURITY;
+       }
+       if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
+               conn->share_access |= (SEC_RIGHTS_PRIV_RESTORE);
+       }
+       if (security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
+               conn->share_access |= (SEC_RIGHTS_PRIV_BACKUP);
+       }
+       if (security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) {
+               conn->share_access |= (SEC_STD_WRITE_OWNER);
+       }
+}
+
 /****************************************************************************
   Make a connection, given the snum to connect to, and the vuser of the
   connecting user if appropriate.
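Review bot: In create_share_access_mask() the privilege bits are ORed into conn->share_access unconditionally, after a share_access_check() call whose result is discarded. A token holding SEC_PRIV_BACKUP or SEC_PRIV_RESTORE therefore keeps those rights even when the share's security descriptor granted it nothing. If SEC_RIGHTS_PRIV_BACKUP and SEC_RIGHTS_PRIV_RESTORE include the file read/write data bits (their definitions are not visible here), the FILE_WRITE_DATA / FILE_READ_DATA test in make_connection_snum() in the second hunk would pass for a user the share ACL denies. If that override is intended, the header comment should say so, for example `Privileges held by the token are added on top of the share ACL result and can grant access the ACL alone would not.` It is also worth confirming what share_access_check() leaves in conn->share_access on failure, since the ORs build on that value.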
@@ -636,9 +663,7 @@ static NTSTATUS make_connection_snum(struct smbd_server_connection *sconn,
         *
         */
 
-       share_access_check(conn->session_info->security_token,
-                          lp_servicename(snum), MAXIMUM_ALLOWED_ACCESS,
-                          &conn->share_access);
+       create_share_access_mask(conn, snum);
 
        if ((conn->share_access & FILE_WRITE_DATA) == 0) {
                if ((conn->share_access & FILE_READ_DATA) == 0) {