Possibly incorrect handling of SeBackupPrivilege and SeRestorePrivilege

[Richard Sharpe]

Hi,

I believe that the actual Windows semantics around SeBackupPrivilege
and SeRestorePrivilege is that if the requester opens a file with the
BACKUP INTENT (FILE_OPEN_FOR_BACKUP_INTENT) flag in CreateOptions and
they have those privileges and they have the correct access mode
specified then they get to open the file if the ACL does not give them
access.

In looking at se_access_check we do not take into account
FILE_OPEN_FOR_BACKUP_INTENT when checking those two privilege bits,
which is wrong, I believe.

The good news is that Samba works. The bad news is that Samba will
give access in cases where Windows would not.

-- 
Regards,
Richard Sharpe
(何以解憂？唯有杜康。--曹操)