From 29984beafc91ef6f45884adc3a0bd4617acbc0a0 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Fri, 1 Mar 2019 18:57:23 +0100 Subject: libcli/security: fix handling of deny type ACEs in access_check_max_allowed() Deny ACEs must always be evaluated against explicitly granted rights from previous ACEs. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13812 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison (cherry picked from commit 8d355dd9769e8990ce998b4c9f28977669b43616) Autobuild-User(v4-8-test): Karolin Seeger Autobuild-Date(v4-8-test): Mon Mar 11 13:04:13 UTC 2019 on sn-devel-144 --- libcli/security/access_check.c | 2 +- selftest/knownfail.d/smb2.acls | 4 ---- 2 files changed, 1 insertion(+), 5 deletions(-) delete mode 100644 selftest/knownfail.d/smb2.acls diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c index d1d57eecef2..322f4fdb0c6 100644 --- a/libcli/security/access_check.c +++ b/libcli/security/access_check.c @@ -173,7 +173,7 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd, break; case SEC_ACE_TYPE_ACCESS_DENIED: case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT: - denied |= ace->access_mask; + denied |= ~granted & ace->access_mask; break; default: /* Other ACE types not handled/supported */ break; diff --git a/selftest/knownfail.d/smb2.acls b/selftest/knownfail.d/smb2.acls deleted file mode 100644 index b76a3c719ce..00000000000 --- a/selftest/knownfail.d/smb2.acls +++ /dev/null @@ -1,4 +0,0 @@ -^samba3.smb2.acls.OWNER-RIGHTS-DENY1\(ad_dc\) -^samba3.smb2.acls.OWNER-RIGHTS-DENY1\(nt4_dc\) -^samba3.smb2.acls.DENY1\(ad_dc\) -^samba3.smb2.acls.DENY1\(nt4_dc\) -- cgit v1.2.1