fsrvp: add permissions checking for operations
authorDavid Disseldorp <ddiss@samba.org>
Thu, 30 Aug 2012 14:38:17 +0000 (16:38 +0200)
committerDavid Disseldorp <ddiss@samba.org>
Wed, 19 Sep 2012 03:59:05 +0000 (05:59 +0200)
Only grant fsrvp operation processing to users with:
- Built-in Administrators group membership, or
- Built-in Backup Operators group membership, or
- Backup Operator privileges

source3/rpc_server/fss/srv_fss_agent.c

index 22f454f9dc2a0f1d9b063ca0cb46d347c474f7ed..6328743ace8a13319ba6340cca9d96e4dc0af2c3 100644 (file)
@@ -258,10 +258,33 @@ void srv_fssa_start(void)
         */
 }
 
+/*
+ * Determine whether to process an FSRVP operation from connected user @p.
+ * Windows checks for Administrators or Backup Operators group membership. We
+ * also allow for the SEC_PRIV_BACKUP privilege.
+ */
 static bool fss_permitted(struct pipes_struct *p)
 {
-       /* Windows checks for Administrators or Backup Operators membership */
-       return true;
+       if (nt_token_check_sid(&global_sid_Builtin_Administrators,
+                              p->session_info->security_token)) {
+               DEBUG(6, ("Granting FSRVP op, administrators group member\n"));
+               return true;
+       }
+       if (nt_token_check_sid(&global_sid_Builtin_Backup_Operators,
+                              p->session_info->security_token)) {
+               DEBUG(6, ("Granting FSRVP op, backup operators group member\n"));
+               return true;
+       }
+       if (security_token_has_privilege(p->session_info->security_token,
+                                        SEC_PRIV_BACKUP)) {
+               DEBUG(6, ("Granting FSRVP op, backup privilege present\n"));
+               return true;
+       }
+
+       DEBUG(2, ("FSRVP operation blocked due to lack of backup privilege "
+                 "or Administrators/Backup Operators group membership\n"));
+
+       return false;
 }
 
 uint32_t _fss_GetSupportedVersion(struct pipes_struct *p,
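Review bot: The denial path in `fss_permitted()` logs at level 2 without saying who was refused, so a blocked FSRVP request cannot be tied to an account when reviewing logs. I would include the requester in the message, e.g. `DEBUG(2, ("FSRVP operation blocked for user %s: no backup privilege or Administrators/Backup Operators membership\n", p->session_info->unix_info->unix_name));`, assuming `unix_info` is populated for this pipe. The three grant messages at level 6 would benefit from the same identifier. The function also dereferences `p->session_info` unconditionally; if a pipe can reach this point without session info, an early `if (p->session_info == NULL) return false;` keeps the check fail-closed. The call sites are outside this hunk, so it is worth confirming that every `_fss_*` handler that changes state checks `fss_permitted()` before doing any work.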