Commit 5cf0764b authored by Ralph Boehme's avatar Ralph Boehme Committed by David Disseldorp

libcli/security: add "Owner Rights" calculation to access_check_max_allowed()

This was missing in 44590c1b.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13812
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>

Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Thu Feb 28 19:18:16 UTC 2019 on sn-devel-144
parent 3ca38d2c
......@@ -110,13 +110,15 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
{
uint32_t denied = 0, granted = 0;
unsigned i;
if (security_token_has_sid(token, sd->owner_sid)) {
granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL;
}
uint32_t owner_rights_allowed = 0;
uint32_t owner_rights_denied = 0;
bool owner_rights_default = true;
if (sd->dacl == NULL) {
return granted & ~denied;
if (security_token_has_sid(token, sd->owner_sid)) {
granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL;
}
return granted;
}
for (i = 0;i<sd->dacl->num_aces; i++) {
......@@ -126,6 +128,18 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
continue;
}
if (dom_sid_equal(&ace->trustee, &global_sid_Owner_Rights)) {
if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED) {
owner_rights_allowed |= ace->access_mask;
owner_rights_default = false;
} else if (ace->type == SEC_ACE_TYPE_ACCESS_DENIED) {
owner_rights_denied |= (owner_rights_allowed &
ace->access_mask);
owner_rights_default = false;
}
continue;
}
if (!security_token_has_sid(token, &ace->trustee)) {
continue;
}
......@@ -143,6 +157,15 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
}
}
if (security_token_has_sid(token, sd->owner_sid)) {
if (owner_rights_default) {
granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL;
} else {
granted |= owner_rights_allowed;
granted &= ~owner_rights_denied;
}
}
return granted & ~denied;
}
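Review bot: In the Owner Rights branch, `owner_rights_denied |= (owner_rights_allowed & ace->access_mask);` only records a deny for bits that an earlier Owner Rights allow ACE has already granted, so a deny ACE that precedes the allow ACE — the canonical deny-before-allow order — contributes nothing and the later allow still lands in `granted`, overstating the maximum-allowed mask for an owner that matches `sd->owner_sid`. First-match-wins evaluation would instead record the bits not yet allowed, i.e. `owner_rights_denied |= (~owner_rights_allowed & ace->access_mask);`, which presumably mirrors how the ordinary `denied` accumulation for token SIDs behaves (that line sits between the hunks and is not shown). The final owner block would also benefit from a one-line comment, `/* An explicit Owner Rights ACE replaces the implicit WRITE_DAC|READ_CONTROL grant */`, since the `owner_rights_default` flag is the only hint of that rule. The function's signature lies above the first hunk.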
......
^samba3.smb2.acls.OWNER-RIGHTS\(ad_dc\)
^samba3.smb2.acls.OWNER-RIGHTS\(nt4_dc\)