authorStefan Metzmacher <metze@samba.org>2008-10-28 17:10:51 +0100
committerStefan Metzmacher <metze@samba.org>2008-10-28 17:10:51 +0100
commit8160cd1595520719268d20f2a17fd25c72bed4c9 (patch)
treee612d24318e88c9ca4a7a6cd6cff1f99657007ff /source4/libcli/security
parent7a4d937fd9e80e27d58584bc1a4d3dddc88ba74d (diff)
s4: libcli/security: a NULL DACL allows access
This fixes bug 4284. metze
Diffstat (limited to 'source4/libcli/security')
-rw-r--r--source4/libcli/security/access_check.c13
1 files changed, 2 insertions, 11 deletions
diff --git a/source4/libcli/security/access_check.c b/source4/libcli/security/access_check.c
index d5a0a13445..af6a3d6fb3 100644
--- a/source4/libcli/security/access_check.c
+++ b/source4/libcli/security/access_check.c
@@ -99,21 +99,12 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd,
}
}
- /* dacl not present allows access */
- if (!(sd->type & SEC_DESC_DACL_PRESENT)) {
+ /* a NULL dacl allows access */
+ if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
*access_granted = access_desired;
return NT_STATUS_OK;
}
-#if 0
- /* tridge: previously we had empty dacl denying access, but
- that can lead to undeletable directories, where
- nobody can change the ACL on a directory */
- if (sd->dacl == NULL || sd->dacl->num_aces == 0) {
- return NT_STATUS_ACCESS_DENIED;
- }
-#endif
-
/* the owner always gets SEC_STD_WRITE_DAC, SEC_STD_READ_CONTROL and SEC_STD_DELETE */
if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE)) &&
security_token_has_sid(token, sd->owner_sid)) {
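Review bot: A descriptor with `SEC_DESC_DACL_PRESENT` clear no longer returns at the rewritten early-grant test; it now falls through to the owner check and whatever follows. The rest of `sec_access_check` is outside this hunk, so it is not visible whether the ACE walk tolerates `sd->dacl == NULL`. If it reads `sd->dacl->num_aces` unguarded, a flag-clear descriptor with no DACL becomes a NULL dereference in the authorization path, so a check such as `if (sd->dacl == NULL)` with an explicit outcome should sit before that loop. Because this branch fails open by design, the comment should spell out all three cases rather than just one, for example `/* DACL present but NULL: grant all requested access. DACL flag clear: fall through to owner/ACE checks. Empty DACL (num_aces == 0): only the owner's implicit rights apply. */`. A regression test for bug 4284 covering flag-clear, present-but-NULL and present-but-empty descriptors would pin this behaviour.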