s4-security: honor more of the privilege access bits
authorAndrew Tridgell <tridge@samba.org>
Fri, 16 Oct 2009 12:02:58 +0000 (23:02 +1100)
committerAndrew Tridgell <tridge@samba.org>
Sat, 17 Oct 2009 02:01:03 +0000 (13:01 +1100)
source4/libcli/security/access_check.c

index 543b0f74c5843f94dcee7ab3914ae1c7b1c6221d..4bede15def5302f3908b6b8ff3c81cbc06eaa2a8 100644 (file)
@@ -34,8 +34,12 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
        
        if (security_token_has_sid(token, sd->owner_sid)) {
                granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL | SEC_STD_DELETE;
-       } else if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
-               granted |= SEC_STD_DELETE;
+       }
+       if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
+               granted |= SEC_RIGHTS_PRIV_RESTORE;
+       }
+       if (security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
+               granted |= SEC_RIGHTS_PRIV_BACKUP;
        }
 
        if (sd->dacl == NULL) {
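Review bot: Both new grants in access_check_max_allowed depend only on the token holding the privilege, so a backup or restore operator now gets the full SEC_RIGHTS_PRIV_BACKUP / SEC_RIGHTS_PRIV_RESTORE mask in every maximum-allowed result, regardless of ownership or of why the object is being opened. Windows applies these privileges only to opens that request backup semantics. If the caller has such an intent flag it should gate these two `if`s; if not, a comment such as `/* privilege rights are granted for any open, not only backup-intent opens */` would make the widening explicit. The same applies to the two `bits_remaining` clears added in the sec_access_check hunk. The parameters after `sd` and the body below the `sd->dacl == NULL` test are outside the hunk, so whether an intent flag is reachable here is not visible.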
@@ -125,9 +129,13 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd,
            security_token_has_sid(token, sd->owner_sid)) {
                bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE);
        }
-       if ((bits_remaining & SEC_STD_DELETE) &&
+       if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) &&
            security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
-               bits_remaining &= ~SEC_STD_DELETE;
+               bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE);
+       }
+       if ((bits_remaining & SEC_RIGHTS_PRIV_BACKUP) &&
+           security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
+               bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP);
        }
 
        if (sd->dacl == NULL) {
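Review bot: The privilege bits are removed from `bits_remaining` before the `sd->dacl == NULL` test, so in sec_access_check no ACE, including an access-denied ACE, can withhold them. access_check_max_allowed ORs the same masks into `granted` ahead of its DACL handling, which is not shown and may subtract denied bits afterwards. If it does, the two paths would answer differently for the same token and descriptor, so it is worth confirming they agree and pinning that with a test that puts a deny ACE in front of a privilege holder. A short comment above the first new `if`, e.g. `/* rights implied by a held privilege are satisfied before the DACL is consulted */`, would record that the ordering is deliberate. The function continues past the end of the hunk.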