summaryrefslogtreecommitdiff
path: root/source4/libcli/security
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>2008-09-23 11:17:43 -0700
committerAndrew Tridgell <tridge@samba.org>2008-09-23 11:17:43 -0700
commit1c2e6978b89551828b66c348be361ce9a2b8ddb4 (patch)
tree51560139c054ae10debc67961c7595f5d0f2d504 /source4/libcli/security
parent66092ced5e1dc4d35923a3c90bcb3214a885b17d (diff)
downloadsamba-1c2e6978b89551828b66c348be361ce9a2b8ddb4.tar.gz
samba-1c2e6978b89551828b66c348be361ce9a2b8ddb4.tar.bz2
samba-1c2e6978b89551828b66c348be361ce9a2b8ddb4.zip
fixed problem with ACLs with an empty DACL list
Diffstat (limited to 'source4/libcli/security')
-rw-r--r--source4/libcli/security/access_check.c15
1 files changed, 14 insertions, 1 deletions
diff --git a/source4/libcli/security/access_check.c b/source4/libcli/security/access_check.c
index e2ede05545..d5a0a13445 100644
--- a/source4/libcli/security/access_check.c
+++ b/source4/libcli/security/access_check.c
@@ -38,6 +38,10 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
granted |= SEC_STD_DELETE;
}
+ if (sd->dacl == NULL) {
+ return granted & ~denied;
+ }
+
for (i = 0;i<sd->dacl->num_aces; i++) {
struct security_ace *ace = &sd->dacl->aces[i];
@@ -101,10 +105,14 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd,
return NT_STATUS_OK;
}
- /* empty dacl denies access */
+#if 0
+ /* tridge: previously we had empty dacl denying access, but
+ that can lead to undeletable directories, where
+ nobody can change the ACL on a directory */
if (sd->dacl == NULL || sd->dacl->num_aces == 0) {
return NT_STATUS_ACCESS_DENIED;
}
+#endif
/* the owner always gets SEC_STD_WRITE_DAC, SEC_STD_READ_CONTROL and SEC_STD_DELETE */
if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE)) &&
@@ -116,6 +124,10 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd,
bits_remaining &= ~SEC_STD_DELETE;
}
+ if (sd->dacl == NULL) {
+ goto done;
+ }
+
/* check each ace in turn. */
for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) {
struct security_ace *ace = &sd->dacl->aces[i];
@@ -143,6 +155,7 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd,
}
}
+done:
if (bits_remaining != 0) {
return NT_STATUS_ACCESS_DENIED;
}