r4062: the RAW-ACLS test now passes. The SEC_STD_DELETE bit is rather strange

though - I expect we'll need to tweak that some more.
(This used to be commit e3500811b90b8423ee7694609340f394957d1160)

1 files changed, 7 insertions, 4 deletions

diff --git a/source4/libcli/security/access_check.c b/source4/libcli/security/access_check.c
index 7e70736d09..425a5c2b6d 100644
--- a/source4/libcli/security/access_check.c
+++ b/source4/libcli/security/access_check.c
@@ -49,8 +49,9 @@ static uint32_t access_check_max_allowed(struct security_descriptor *sd,
 	unsigned i;
 	
 	if (sid_active_in_token(sd->owner_sid, token)) {
-		granted |= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL);
+		granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL;
 	}
+	granted |= SEC_STD_DELETE;
 
 	for (i = 0;i<sd->dacl->num_aces; i++) {
 		struct security_ace *ace = &sd->dacl->aces[i];
@@ -84,15 +85,17 @@ NTSTATUS sec_access_check(struct security_descriptor *sd,
 	int i;
 	uint32_t bits_remaining;
 
+	*access_granted = access_desired;
+	bits_remaining = access_desired;
+
 	/* handle the maximum allowed flag */
 	if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
 		access_desired |= access_check_max_allowed(sd, token);
 		access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
+		*access_granted = access_desired;
+		bits_remaining = access_desired & ~SEC_STD_DELETE;
 	}
 
-	*access_granted = access_desired;
-	bits_remaining = access_desired;
-
 #if 0
 	/* this is where we should check for the "system security" privilege, once we 
 	   move to the full security_token and not just the nt_user_token */