summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--libcli/security/access_check.c20
1 files changed, 12 insertions, 8 deletions
diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c
index 0a8d0a4052..3be322ef21 100644
--- a/libcli/security/access_check.c
+++ b/libcli/security/access_check.c
@@ -450,21 +450,22 @@ NTSTATUS sec_access_check_ds(const struct security_descriptor *sd,
if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
continue;
}
+
if (dom_sid_equal(&ace->trustee, ps_sid) && replace_sid) {
trustee = replace_sid;
- }
- else
- {
+ } else {
trustee = &ace->trustee;
}
+
if (!security_token_has_sid(token, trustee)) {
continue;
}
switch (ace->type) {
case SEC_ACE_TYPE_ACCESS_ALLOWED:
- if (tree)
+ if (tree) {
object_tree_modify_access(tree, ace->access_mask);
+ }
bits_remaining &= ~ace->access_mask;
break;
@@ -483,14 +484,17 @@ NTSTATUS sec_access_check_ds(const struct security_descriptor *sd,
*/
type = get_ace_object_type(ace);
- if (!tree)
+ if (!tree) {
continue;
+ }
- if (!type)
+ if (!type) {
node = tree;
- else
- if (!(node = get_object_tree_by_GUID(tree, type)))
+ } else {
+ if (!(node = get_object_tree_by_GUID(tree, type))) {
continue;
+ }
+ }
if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) {
object_tree_modify_access(node, ace->access_mask);