authorNadezhda Ivanova <nivanova@symas.com>2013-10-15 02:06:38 +0300
committerKarolin Seeger <kseeger@samba.org>2014-07-15 12:46:12 +0200
commit8bf3d4e21dbe4e81121399fcaba06ce115dd2987 (patch)
tree8a6f105f81ddff6eadb5341f753da4576e2cebbf /libcli
parentee2cf1d4d7353644a3e551f7b12390c1568e5df3 (diff)
s4-dsacl: Fixed incorrect handling of privileges in sec_access_check_ds
Restore and backup privileges are not relevant to LDAP access checks, and the TakeOwnership privilege should grant the write_owner right.

Signed-off-by: Nadezhda Ivanova <nivanova@symas.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit daefca2a1aaa9f4e0ca2f17ef4c9a71412c081ea)
Diffstat (limited to 'libcli')
-rw-r--r--libcli/security/access_check.c12
1 files changed, 4 insertions, 8 deletions
diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c
index 2425e8a5aa..2be5928934 100644
--- a/libcli/security/access_check.c
+++ b/libcli/security/access_check.c
@@ -436,14 +436,10 @@ NTSTATUS sec_access_check_ds(const struct security_descriptor *sd,
bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL);
}
- /* TODO: remove this, as it is file server specific */
- if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) &&
- security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
- bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE);
- }
- if ((bits_remaining & SEC_RIGHTS_PRIV_BACKUP) &&
- security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
- bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP);
+ /* SEC_PRIV_TAKE_OWNERSHIP grants SEC_STD_WRITE_OWNER */
+ if ((bits_remaining & (SEC_STD_WRITE_OWNER)) &&
+ security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) {
+ bits_remaining &= ~(SEC_STD_WRITE_OWNER);
}
/* a NULL dacl allows access */
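Review bot: The new `SEC_PRIV_TAKE_OWNERSHIP` branch clears `SEC_STD_WRITE_OWNER` from `bits_remaining` before the DACL handling that begins at the following context line, so as far as this hunk shows, a deny ACE for write-owner cannot refuse a token that holds the privilege. That is consistent with a privilege overriding the descriptor, but the one-line comment only restates the code; I would expand it to something like `/* SEC_PRIV_TAKE_OWNERSHIP grants SEC_STD_WRITE_OWNER regardless of the DACL; backup/restore privileges are deliberately not honoured for directory access checks */` so the removed branches are not re-added later. The extra parentheses in `(bits_remaining & (SEC_STD_WRITE_OWNER))` can be dropped. The diffstat is limited to libcli, so I cannot see whether a test covers a token holding only the backup or restore privilege now being refused; if none exists, one is worth adding. sec_access_check_ds starts and ends outside the hunk.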