From 1c2e6978b89551828b66c348be361ce9a2b8ddb4 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <tridge@samba.org>
Date: Tue, 23 Sep 2008 11:17:43 -0700
Subject: fixed problem with ACLs with an empty DACL list

---
 source4/libcli/security/access_check.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/source4/libcli/security/access_check.c b/source4/libcli/security/access_check.c
index e2ede05545..d5a0a13445 100644
--- a/source4/libcli/security/access_check.c
+++ b/source4/libcli/security/access_check.c
@@ -38,6 +38,10 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
 		granted |= SEC_STD_DELETE;
 	}
 
+	if (sd->dacl == NULL) {
+		return granted & ~denied;
+	}
+	
 	for (i = 0;i<sd->dacl->num_aces; i++) {
 		struct security_ace *ace = &sd->dacl->aces[i];
 
@@ -101,10 +105,14 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd,
 		return NT_STATUS_OK;
 	}
 
-	/* empty dacl denies access */
+#if 0
+	/* tridge: previously we had empty dacl denying access, but
+	   that can lead to undeletable directories, where
+	   nobody can change the ACL on a directory */
 	if (sd->dacl == NULL || sd->dacl->num_aces == 0) {
 		return NT_STATUS_ACCESS_DENIED;
 	}
+#endif
 
 	/* the owner always gets SEC_STD_WRITE_DAC, SEC_STD_READ_CONTROL and SEC_STD_DELETE */
 	if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE)) &&
@@ -116,6 +124,10 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd,
 		bits_remaining &= ~SEC_STD_DELETE;
 	}
 
+	if (sd->dacl == NULL) {
+		goto done;
+	}
+
 	/* check each ace in turn. */
 	for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) {
 		struct security_ace *ace = &sd->dacl->aces[i];
@@ -143,6 +155,7 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd,
 		}
 	}
 
+done:
 	if (bits_remaining != 0) {
 		return NT_STATUS_ACCESS_DENIED;
 	}
-- 
cgit