diff options
author | Stefan Metzmacher <metze@samba.org> | 2008-10-28 17:10:51 +0100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2008-10-28 17:10:51 +0100 |
commit | 8160cd1595520719268d20f2a17fd25c72bed4c9 (patch) | |
tree | e612d24318e88c9ca4a7a6cd6cff1f99657007ff /source4/libcli/security | |
parent | 7a4d937fd9e80e27d58584bc1a4d3dddc88ba74d (diff) | |
download | samba-8160cd1595520719268d20f2a17fd25c72bed4c9.tar.gz samba-8160cd1595520719268d20f2a17fd25c72bed4c9.tar.bz2 samba-8160cd1595520719268d20f2a17fd25c72bed4c9.zip |
s4: libcli/security: a NULL DACL allows access
This fixes bug 4284.
metze
Diffstat (limited to 'source4/libcli/security')
-rw-r--r-- | source4/libcli/security/access_check.c | 13 |
1 files changed, 2 insertions, 11 deletions
diff --git a/source4/libcli/security/access_check.c b/source4/libcli/security/access_check.c index d5a0a13445..af6a3d6fb3 100644 --- a/source4/libcli/security/access_check.c +++ b/source4/libcli/security/access_check.c @@ -99,21 +99,12 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd, } } - /* dacl not present allows access */ - if (!(sd->type & SEC_DESC_DACL_PRESENT)) { + /* a NULL dacl allows access */ + if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) { *access_granted = access_desired; return NT_STATUS_OK; } -#if 0 - /* tridge: previously we had empty dacl denying access, but - that can lead to undeletable directories, where - nobody can change the ACL on a directory */ - if (sd->dacl == NULL || sd->dacl->num_aces == 0) { - return NT_STATUS_ACCESS_DENIED; - } -#endif - /* the owner always gets SEC_STD_WRITE_DAC, SEC_STD_READ_CONTROL and SEC_STD_DELETE */ if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE)) && security_token_has_sid(token, sd->owner_sid)) { |