summaryrefslogtreecommitdiff
path: root/source4/libcli
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>2004-12-04 12:42:40 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:06:21 -0500
commit4127edc1afd702ac3bcb77893ba864eb98729451 (patch)
tree60d1ecbe35dc7f2c7d596db3417baeb9195af5ed /source4/libcli
parent6a58011be5e00be57ce2280c08ed7e43ad44feb5 (diff)
downloadsamba-4127edc1afd702ac3bcb77893ba864eb98729451.tar.gz
samba-4127edc1afd702ac3bcb77893ba864eb98729451.tar.bz2
samba-4127edc1afd702ac3bcb77893ba864eb98729451.zip
r4062: the RAW-ACLS test now passes. The SEC_STD_DELETE bit is rather strange
though - I expect we'll need to tweak that some more. (This used to be commit e3500811b90b8423ee7694609340f394957d1160)
Diffstat (limited to 'source4/libcli')
-rw-r--r--source4/libcli/security/access_check.c11
1 files changed, 7 insertions, 4 deletions
diff --git a/source4/libcli/security/access_check.c b/source4/libcli/security/access_check.c
index 7e70736d09..425a5c2b6d 100644
--- a/source4/libcli/security/access_check.c
+++ b/source4/libcli/security/access_check.c
@@ -49,8 +49,9 @@ static uint32_t access_check_max_allowed(struct security_descriptor *sd,
unsigned i;
if (sid_active_in_token(sd->owner_sid, token)) {
- granted |= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL);
+ granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL;
}
+ granted |= SEC_STD_DELETE;
for (i = 0;i<sd->dacl->num_aces; i++) {
struct security_ace *ace = &sd->dacl->aces[i];
@@ -84,15 +85,17 @@ NTSTATUS sec_access_check(struct security_descriptor *sd,
int i;
uint32_t bits_remaining;
+ *access_granted = access_desired;
+ bits_remaining = access_desired;
+
/* handle the maximum allowed flag */
if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
access_desired |= access_check_max_allowed(sd, token);
access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
+ *access_granted = access_desired;
+ bits_remaining = access_desired & ~SEC_STD_DELETE;
}
- *access_granted = access_desired;
- bits_remaining = access_desired;
-
#if 0
/* this is where we should check for the "system security" privilege, once we
move to the full security_token and not just the nt_user_token */