authorJeremy Allison <jra@samba.org>2012-01-10 13:48:18 -0800
committerKarolin Seeger <kseeger@samba.org>2012-01-23 21:30:36 +0100
commit713e10664603c9f38dabe65c8b380e7acc90d294 (patch)
tree4e7ab9d8e8412d64062c497ab79075c1e8c03963
parentcf5011595c1307bc96b475207b70300598c449a4 (diff)
downloadsamba-713e10664603c9f38dabe65c8b380e7acc90d294.tar.gz
Second part of fix for bug #8673 - NT ACL issue.
Ensure we process the entire ACE list instead of returning ACCESS_DENIED and terminating the walk, and ensure we return only the exact bits that cause the access to be denied. Parts of the S3 fileserver need to know whether only DELETE access was denied before overriding it by looking at the containing directory ACL. (cherry picked from commit 28834ee4fcfc204fa9a88459700fed212a1e9fce)
-rw-r--r--libcli/security/access_check.c7
1 files changed, 4 insertions, 3 deletions
diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c
index 6bb64aeabe5..1b02a866b1d 100644
--- a/libcli/security/access_check.c
+++ b/libcli/security/access_check.c
@@ -158,6 +158,7 @@ NTSTATUS se_access_check(const struct security_descriptor *sd,
{
uint32_t i;
uint32_t bits_remaining;
+ uint32_t explicitly_denied_bits = 0;
*access_granted = access_desired;
bits_remaining = access_desired;
@@ -232,15 +233,15 @@ NTSTATUS se_access_check(const struct security_descriptor *sd,
break;
case SEC_ACE_TYPE_ACCESS_DENIED:
case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
- if (bits_remaining & ace->access_mask) {
- return NT_STATUS_ACCESS_DENIED;
- }
+ explicitly_denied_bits |= (bits_remaining & ace->access_mask);
break;
default: /* Other ACE types not handled/supported */
break;
}
}
+ bits_remaining |= explicitly_denied_bits;
+
done:
if (bits_remaining != 0) {
*access_granted = bits_remaining;
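Review bot: The merge `bits_remaining |= explicitly_denied_bits;` sits above the `done:` label, so any `goto done` taken after a deny ACE has been recorded would skip it and lose the denial. The jumps to `done` are outside this hunk, as is the rest of `se_access_check`; if they all happen before the ACE walk the code is correct, but that invariant is worth stating next to the merge, e.g. `/* Must stay above done: - no path may jump to done once the ACE walk has started. */`. The value written to `*access_granted` on failure now mixes explicitly denied bits with bits no ACE granted. The commit message says the fileserver may override a DELETE-only denial, so the function's header comment should state that on NT_STATUS_ACCESS_DENIED the out-parameter carries the full set of refused bits. It should also say that a caller must compare this mask exactly, not test a single bit, before applying an override.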