According to the documentation, as well as other code paths that check
for -restricted, the -restricted option does not affect members of
system:administrators. Currently, though, AccessOK only bypasses the
-restricted check if the caller is SYSADMINID itself (i.e. localauth).
Fix AccessOK to only do the -restricted checks if the caller is not in
system:administrators, to match the documentation as well as other
ptserver operations.

Change-Id: I3074d4537845f1f4deb7f4b72cdb819391b617e3
Reviewed-on: https://gerrit.openafs.org/13373
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
return 1;
if (cid == SYSADMINID)
return 1; /* special case fileserver */
- if (restricted) {
+ if (restricted && !IsAMemberOf(ut, cid, SYSADMINID)) {
if (mem == PRP_ADD_MEM || mem == PRP_REMOVE_MEM) {
/* operation is for adding/removing members from a group */
return 0;
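Review bot: The new condition `if (restricted && !IsAMemberOf(ut, cid, SYSADMINID))` carries no comment, unlike the `cid == SYSADMINID` special case directly above it. Add a short comment saying that members of system:administrators are exempt from the -restricted checks, so the intent is clear without the commit message. Also note that IsAMemberOf is now evaluated for every caller other than SYSADMINID whenever restricted is set, before any of the `mem` tests inside the block. If only some operations are denied under -restricted, moving the membership test next to the `return 0` paths would avoid the lookup for operations that are allowed anyway. A test that runs PRP_ADD_MEM and PRP_REMOVE_MEM under -restricted, as a system:administrators member that is not SYSADMINID, would pin the behaviour described in the commit message.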