summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source4/libcli/security/access_check.c15
1 files changed, 14 insertions, 1 deletions
diff --git a/source4/libcli/security/access_check.c b/source4/libcli/security/access_check.c
index e2ede05545..d5a0a13445 100644
--- a/source4/libcli/security/access_check.c
+++ b/source4/libcli/security/access_check.c
@@ -38,6 +38,10 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
granted |= SEC_STD_DELETE;
}
+ if (sd->dacl == NULL) {
+ return granted & ~denied;
+ }
+
for (i = 0;i<sd->dacl->num_aces; i++) {
struct security_ace *ace = &sd->dacl->aces[i];
@@ -101,10 +105,14 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd,
return NT_STATUS_OK;
}
- /* empty dacl denies access */
+#if 0
+ /* tridge: previously we had empty dacl denying access, but
+ that can lead to undeletable directories, where
+ nobody can change the ACL on a directory */
if (sd->dacl == NULL || sd->dacl->num_aces == 0) {
return NT_STATUS_ACCESS_DENIED;
}
+#endif
/* the owner always gets SEC_STD_WRITE_DAC, SEC_STD_READ_CONTROL and SEC_STD_DELETE */
if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE)) &&
@@ -116,6 +124,10 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd,
bits_remaining &= ~SEC_STD_DELETE;
}
+ if (sd->dacl == NULL) {
+ goto done;
+ }
+
/* check each ace in turn. */
for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) {
struct security_ace *ace = &sd->dacl->aces[i];
@@ -143,6 +155,7 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd,
}
}
+done:
if (bits_remaining != 0) {
return NT_STATUS_ACCESS_DENIED;
}