vfs_fake_acls: deny give-ownership

Windows doesn't allow giving ownership away unless the user has
SEC_PRIV_RESTORE privilege.

This follows from MS-FSA 2.1.5.1, so it's a property of the filesystem
layer, not the SMB layer. By implementing this restriction here, we can
now have test for this restriction.

Other filesystems may want to deliberately allow this behaviour --
although I'm not aware of any that does -- therefor I'm putting in this
restriction in the implementation of the chmod VFS function and not into
the caller.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=7933

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

selftest/knownfail.d/samba3.blackbox.give_owner

@@ -1 +0,0 @@
-samba3.blackbox.give_owner.give owner without SeRestorePrivilege\(fileserver\)

source3/modules/vfs_fake_acls.c

@@ -413,6 +413,12 @@ static int fake_acls_chown(vfs_handle_struct *handle,
 	int ret;
 	uint8_t id_buf[4];
 	if (uid != -1) {
+		uid_t current_uid = get_current_uid(handle->conn);
+
+		if (current_uid != 0 && current_uid != uid) {
+			return EACCES;
+		}
+
 		SIVAL(id_buf, 0, uid);
 		ret = SMB_VFS_NEXT_SETXATTR(handle,
 				smb_fname,
@@ -447,6 +453,12 @@ static int fake_acls_lchown(vfs_handle_struct *handle,
 	int ret;
 	uint8_t id_buf[4];
 	if (uid != -1) {
+		uid_t current_uid = get_current_uid(handle->conn);
+
+		if (current_uid != 0 && current_uid != uid) {
+			return EACCES;
+		}
+
 		/* This isn't quite right (calling setxattr not
 		 * lsetxattr), but for the test purposes of this
 		 * module (fake NT ACLs from windows clients), it is
@@ -486,6 +498,12 @@ static int fake_acls_fchown(vfs_handle_struct *handle, files_struct *fsp, uid_t
 	int ret;
 	uint8_t id_buf[4];
 	if (uid != -1) {
+		uid_t current_uid = get_current_uid(handle->conn);
+
+		if (current_uid != 0 && current_uid != uid) {
+			return EACCES;
+		}
+
 		SIVAL(id_buf, 0, uid);
 		ret = SMB_VFS_NEXT_FSETXATTR(handle, fsp, FAKE_UID, id_buf, sizeof(id_buf), 0);
 		if (ret != 0) {