Commit 43957ab9 authored by Ralph Boehme, committed by Karolin Seeger

libcli/security: fix handling of deny type ACEs in access_check_max_allowed()

Deny ACEs must always be evaluated against explicitly granted rights
from previous ACEs.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13812

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 8d355dd9)

Autobuild-User(v4-9-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-9-test): Mon Mar 11 12:25:05 UTC 2019 on sn-devel-144
parent 4fe9eff4
......@@ -173,7 +173,7 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
break;
case SEC_ACE_TYPE_ACCESS_DENIED:
case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
denied |= ace->access_mask;
denied |= ~granted & ace->access_mask;
break;
default: /* Other ACE types not handled/supported */
break;
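Review bot: The deny case at `denied |= ~granted & ace->access_mask;` needs a comment, because the value of `denied` now depends on which bits `granted` already holds when the SEC_ACE_TYPE_ACCESS_DENIED or SEC_ACE_TYPE_ACCESS_DENIED_OBJECT ACE is reached, and nothing at that line says the ACE order matters. A one-line comment stating that a deny ACE only masks bits not granted by an earlier ACE would keep a later cleanup from simplifying it back to `denied |= ace->access_mask;`. Writing the expression as `denied |= (~granted & ace->access_mask);` would also make the intended precedence explicit to the reader.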
......
^samba3.smb2.acls.OWNER-RIGHTS-DENY1\(ad_dc\)
^samba3.smb2.acls.OWNER-RIGHTS-DENY1\(nt4_dc\)
^samba3.smb2.acls.DENY1\(ad_dc\)
^samba3.smb2.acls.DENY1\(nt4_dc\)