diff options
author | Ralph Boehme <slow@samba.org> | 2019-03-01 18:57:23 +0100 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2019-03-04 18:11:16 +0000 |
commit | 8d355dd9769e8990ce998b4c9f28977669b43616 (patch) | |
tree | d719cd1d1d3b12fb1c300b7d67266fcb5c851387 /libcli | |
parent | b205d695d769e910a91bec87451dec189ec33740 (diff) | |
download | samba-8d355dd9769e8990ce998b4c9f28977669b43616.tar.gz |
libcli/security: fix handling of deny type ACEs in access_check_max_allowed()
Deny ACEs must always be evaluated against explicitly granted rights
from previous ACEs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13812
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Diffstat (limited to 'libcli')
-rw-r--r-- | libcli/security/access_check.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c index d1d57eecef2..322f4fdb0c6 100644 --- a/libcli/security/access_check.c +++ b/libcli/security/access_check.c @@ -173,7 +173,7 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd, break; case SEC_ACE_TYPE_ACCESS_DENIED: case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT: - denied |= ace->access_mask; + denied |= ~granted & ace->access_mask; break; default: /* Other ACE types not handled/supported */ break; |