libcli/security: fix handling of deny type ACEs in access_check_max_allowed()

Deny ACEs must always be evaluated against explicitly granted rights from previous ACEs. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13812 Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> (cherry picked from commit 8d355dd9769e8990ce998b4c9f28977669b43616)
author: Ralph Boehme <slow@samba.org> 2019-03-01 18:57:23 +0100
committer: Karolin Seeger <kseeger@samba.org> 2019-03-11 07:55:38 +0000
commit: 5d0e2bf81901013f4052094bca180717a5213f16 (patch)
tree: 4ab0515da4078e0f77aa850fee9a7a0f220ab991 /libcli
parent: cc7629a20e93408f79a8522f2c482c7258afc18c (diff)
download: samba-5d0e2bf81901013f4052094bca180717a5213f16.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c
index d1d57eecef2..322f4fdb0c6 100644
--- a/libcli/security/access_check.c
+++ b/libcli/security/access_check.c
@@ -173,7 +173,7 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
 			break;
 		case SEC_ACE_TYPE_ACCESS_DENIED:
 		case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
-			denied |= ace->access_mask;
+			denied |= ~granted & ace->access_mask;
 			break;
 		default:	/* Other ACE types not handled/supported */
 			break;
author	Ralph Boehme <slow@samba.org>	2019-03-01 18:57:23 +0100
committer	Karolin Seeger <kseeger@samba.org>	2019-03-11 07:55:38 +0000
commit	5d0e2bf81901013f4052094bca180717a5213f16 (patch)
tree	4ab0515da4078e0f77aa850fee9a7a0f220ab991 /libcli
parent	cc7629a20e93408f79a8522f2c482c7258afc18c (diff)
download	samba-5d0e2bf81901013f4052094bca180717a5213f16.tar.gz