s4-lsasrv: make sure only admins can alter privileges

diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index 0a5fc54d684e151514d68fa50dbcdc9c8d5576a9..0e6a55ec2f5df42d6c948179e58c1161a0ad0d5b 100644 (file)
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -1939,6 +1939,12 @@ static NTSTATUS dcesrv_lsa_AddRemoveAccountRights(struct dcesrv_call_state *dce_
        struct lsa_EnumAccountRights r2;
        char *dnstr;
 
+       if (security_session_user_level(dce_call->conn->auth_state.session_info) < 
+           SECURITY_ADMINISTRATOR) {
+               DEBUG(0,("lsa_AddRemoveAccount refused for supplied security token\n"));
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
        msg = ldb_msg_new(mem_ctx);
        if (msg == NULL) {
                return NT_STATUS_NO_MEMORY;