summaryrefslogtreecommitdiff
path: root/libcli
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2012-01-10 12:58:13 -0800
committerJeremy Allison <jra@samba.org>2012-01-11 19:24:53 +0100
commitf15cf9176df974c8a460db3ce74abf38d3f552ae (patch)
treed8016ca779733c7aaaa19ed443a95fdb6ec1b1df /libcli
parent6aafd8684b92eede3c83f1af49c23cef2deb7e03 (diff)
downloadsamba-f15cf9176df974c8a460db3ce74abf38d3f552ae.tar.gz
samba-f15cf9176df974c8a460db3ce74abf38d3f552ae.tar.bz2
samba-f15cf9176df974c8a460db3ce74abf38d3f552ae.zip
Second part of fix for bug #8673 - NT ACL issue.
Ensure we process the entire ACE list instead of returning ACCESS_DENIED and terminating the walk - ensure we only return the exact bits that cause the access to be denied. Some of the S3 fileserver needs to know if we are only denied DELETE access before overriding it by looking at the containing directory ACL. Autobuild-User: Jeremy Allison <jra@samba.org> Autobuild-Date: Wed Jan 11 19:24:53 CET 2012 on sn-devel-104
Diffstat (limited to 'libcli')
-rw-r--r--libcli/security/access_check.c7
1 files changed, 4 insertions, 3 deletions
diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c
index 6bb64aeabe..1b02a866b1 100644
--- a/libcli/security/access_check.c
+++ b/libcli/security/access_check.c
@@ -158,6 +158,7 @@ NTSTATUS se_access_check(const struct security_descriptor *sd,
{
uint32_t i;
uint32_t bits_remaining;
+ uint32_t explicitly_denied_bits = 0;
*access_granted = access_desired;
bits_remaining = access_desired;
@@ -232,15 +233,15 @@ NTSTATUS se_access_check(const struct security_descriptor *sd,
break;
case SEC_ACE_TYPE_ACCESS_DENIED:
case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
- if (bits_remaining & ace->access_mask) {
- return NT_STATUS_ACCESS_DENIED;
- }
+ explicitly_denied_bits |= (bits_remaining & ace->access_mask);
break;
default: /* Other ACE types not handled/supported */
break;
}
}
+ bits_remaining |= explicitly_denied_bits;
+
done:
if (bits_remaining != 0) {
*access_granted = bits_remaining;