Second part of fix for bug #8673 - NT ACL issue.

Ensure we process the entire ACE list instead of returning ACCESS_DENIED
and terminating the walk - ensure we only return the exact bits that cause
the access to be denied. Some of the S3 fileserver needs to know if we
are only denied DELETE access before overriding it by looking at the
containing directory ACL.

Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Wed Jan 11 19:24:53 CET 2012 on sn-devel-104

1 files changed, 4 insertions, 3 deletions

diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c
index 6bb64aeabe..1b02a866b1 100644
--- a/libcli/security/access_check.c
+++ b/libcli/security/access_check.c
@@ -158,6 +158,7 @@ NTSTATUS se_access_check(const struct security_descriptor *sd,
 {
 	uint32_t i;
 	uint32_t bits_remaining;
+	uint32_t explicitly_denied_bits = 0;
 
 	*access_granted = access_desired;
 	bits_remaining = access_desired;
@@ -232,15 +233,15 @@ NTSTATUS se_access_check(const struct security_descriptor *sd,
 			break;
 		case SEC_ACE_TYPE_ACCESS_DENIED:
 		case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
-			if (bits_remaining & ace->access_mask) {
-				return NT_STATUS_ACCESS_DENIED;
-			}
+			explicitly_denied_bits |= (bits_remaining & ace->access_mask);
 			break;
 		default:	/* Other ACE types not handled/supported */
 			break;
 		}
 	}
 
+	bits_remaining |= explicitly_denied_bits;
+
 done:
 	if (bits_remaining != 0) {
 		*access_granted = bits_remaining;