*/
}
+/*
+ * Determine whether to process an FSRVP operation from connected user @p.
+ * Windows checks for Administrators or Backup Operators group membership. We
+ * also allow for the SEC_PRIV_BACKUP privilege.
+ */
static bool fss_permitted(struct pipes_struct *p)
{
- /* Windows checks for Administrators or Backup Operators membership */
- return true;
+ if (nt_token_check_sid(&global_sid_Builtin_Administrators,
+ p->session_info->security_token)) {
+ DEBUG(6, ("Granting FSRVP op, administrators group member\n"));
+ return true;
+ }
+ if (nt_token_check_sid(&global_sid_Builtin_Backup_Operators,
+ p->session_info->security_token)) {
+ DEBUG(6, ("Granting FSRVP op, backup operators group member\n"));
+ return true;
+ }
+ if (security_token_has_privilege(p->session_info->security_token,
+ SEC_PRIV_BACKUP)) {
+ DEBUG(6, ("Granting FSRVP op, backup privilege present\n"));
+ return true;
+ }
+
+ DEBUG(2, ("FSRVP operation blocked due to lack of backup privilege "
+ "or Administrators/Backup Operators group membership\n"));
+
+ return false;
}
uint32_t _fss_GetSupportedVersion(struct pipes_struct *p,