r4150: - add fns for manipulating the privilege_mask in a security_token
authorAndrew Tridgell <tridge@samba.org>
Sat, 11 Dec 2004 12:01:20 +0000 (12:01 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 18:07:19 +0000 (13:07 -0500)
- add the hooks in access_check that check the privilege bitmasks for
  SEC_STD_DELETE and SEC_FLAG_SYSTEM_SECURITY
(This used to be commit 0fa3764edcabffe8f7d5e40f0097f97d0c4519c4)

source4/libcli/security/access_check.c
source4/libcli/security/privilege.c

index c646ee693babfa1d4a1620685698fb32b4057a84..4c8bb1bd1fef8084ff99cd8099c99ece2dc4b65a 100644 (file)
@@ -50,7 +50,10 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
        unsigned i;
        
        if (sid_active_in_token(sd->owner_sid, token)) {
-               granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL | SEC_STD_DELETE;
+               granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL;
+       }
+       if (sec_privilege_check(token, SEC_PRIV_RESTORE)) {
+               granted |= SEC_STD_DELETE;
        }
 
        for (i = 0;i<sd->dacl->num_aces; i++) {
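Review bot: The new `SEC_PRIV_RESTORE` check grants `SEC_STD_DELETE` with no comment explaining why a privilege overrides the descriptor, both here and in the `@@ -124` hunk of `sec_access_check`. In that second hunk the bit is cleared from `bits_remaining` before the ACE loop runs, so it appears a deny ACE for delete would never be consulted for such a token. A line such as `/* holders of the restore privilege may delete regardless of the DACL */` at both sites would make the rule auditable. The grant is also unconditional: nothing visible ties it to the caller having asked for backup/restore semantics, so confirm that every access check for such a token is meant to yield delete access. `access_check_max_allowed` starts and ends outside the hunk.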
@@ -96,17 +99,13 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd,
                bits_remaining = access_desired & ~SEC_STD_DELETE;
        }
 
-#if 0
-       /* this is where we should check for the "system security" privilege, once we 
-          move to the full security_token and not just the nt_user_token */
        if (access_desired & SEC_FLAG_SYSTEM_SECURITY) {
-               if (privilege_in_token(SE_PRIVILEGE_SYSTEM_SECURITY, token)) {
+               if (sec_privilege_check(token, SEC_PRIV_SECURITY)) {
                        bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
                } else {
                        return NT_STATUS_ACCESS_DENIED;
                }
        }
-#endif
 
        /* dacl not present allows access */
        if (!(sd->type & SEC_DESC_DACL_PRESENT)) {
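Review bot: The newly enabled `SEC_FLAG_SYSTEM_SECURITY` branch returns `NT_STATUS_ACCESS_DENIED` when the privilege is missing, so callers and logs cannot tell a missing privilege from a DACL denial. `return NT_STATUS_PRIVILEGE_NOT_HELD;` would be the more specific status, if the clients of this check expect it. The explanatory comment was removed along with the `#if 0`, and a short replacement such as `/* SEC_FLAG_SYSTEM_SECURITY is decided by privilege alone, never by the DACL */` would keep the intent visible. `sec_access_check` starts and ends outside the hunk.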
@@ -124,6 +123,10 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd,
            sid_active_in_token(sd->owner_sid, token)) {
                bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL);
        }
+       if ((bits_remaining & SEC_STD_DELETE) &&
+           sec_privilege_check(token, SEC_PRIV_RESTORE)) {
+               bits_remaining &= ~SEC_STD_DELETE;
+       }
 
        /* check each ace in turn. */
        for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) {
index 1962aaa374c7a6cd74bf17b2d10dc7783c8f32e1..10a51c8b4294877173950a05638291fdbbda1de9 100644 (file)
@@ -82,3 +82,27 @@ int sec_privilege_id(const char *name)
        }
        return -1;
 }
+
+
+/*
+  return True if a security_token has a particular privilege bit set
+*/
+BOOL sec_privilege_check(const struct security_token *token, unsigned int privilege)
+{
+       uint64_t mask = 1;
+       mask <<= (privilege-1);
+       if (token->privilege_mask & mask) {
+               return True;
+       }
+       return False;
+}
+
+/*
+  set a bit in the privilege mask
+*/
+void sec_privilege_set(struct security_token *token, unsigned int privilege)
+{
+       uint64_t mask = 1;
+       mask <<= (privilege-1);
+       token->privilege_mask |= mask;
+}
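Review bot: Both new helpers compute `mask <<= (privilege-1)` without range-checking `privilege`, so a value of 0 or above 64 is an out-of-range shift on a `uint64_t`, which is undefined behaviour. The context lines above show `sec_privilege_id` returning -1 for an unknown name. If that result ever reaches these functions it converts to a huge unsigned value, and the shift count may wrap on common hardware so that an unrelated privilege bit is tested or set. Because the result feeds access decisions, fail closed: add `if (privilege < 1 || privilege > 64) return False;` at the top of `sec_privilege_check` and `if (privilege < 1 || privilege > 64) return;` at the top of `sec_privilege_set`. The header comments could also state that privilege ids are 1-based.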