diff options
-rw-r--r-- | source4/libcli/security/access_check.c | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/source4/libcli/security/access_check.c b/source4/libcli/security/access_check.c index e2ede05545..d5a0a13445 100644 --- a/source4/libcli/security/access_check.c +++ b/source4/libcli/security/access_check.c @@ -38,6 +38,10 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd, granted |= SEC_STD_DELETE; } + if (sd->dacl == NULL) { + return granted & ~denied; + } + for (i = 0;i<sd->dacl->num_aces; i++) { struct security_ace *ace = &sd->dacl->aces[i]; @@ -101,10 +105,14 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd, return NT_STATUS_OK; } - /* empty dacl denies access */ +#if 0 + /* tridge: previously we had empty dacl denying access, but + that can lead to undeletable directories, where + nobody can change the ACL on a directory */ if (sd->dacl == NULL || sd->dacl->num_aces == 0) { return NT_STATUS_ACCESS_DENIED; } +#endif /* the owner always gets SEC_STD_WRITE_DAC, SEC_STD_READ_CONTROL and SEC_STD_DELETE */ if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE)) && @@ -116,6 +124,10 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd, bits_remaining &= ~SEC_STD_DELETE; } + if (sd->dacl == NULL) { + goto done; + } + /* check each ace in turn. */ for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) { struct security_ace *ace = &sd->dacl->aces[i]; @@ -143,6 +155,7 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd, } } +done: if (bits_remaining != 0) { return NT_STATUS_ACCESS_DENIED; } |