From 2fd618413dbf3cb47391518b3bee180a2b76aada Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Wed, 27 Feb 2019 18:07:03 +0100
Subject: libcli/security: add "Owner Rights" calculation to
 access_check_max_allowed()

This was missing in 44590c1b70c0a24f853c02d5fcdb3c609401e2ca.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13812

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>

Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Thu Feb 28 19:18:16 UTC 2019 on sn-devel-144

(cherry picked from commit 5cf0764bc4b65dbc59d8626760dbe946a2234833)
---
 libcli/security/access_check.c | 33 ++++++++++++++++++++++++++++-----
 1 file changed, 28 insertions(+), 5 deletions(-)

(limited to 'libcli')

diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c
index 03a7dca4adf..5d49b718f0c 100644
--- a/libcli/security/access_check.c
+++ b/libcli/security/access_check.c
@@ -110,13 +110,15 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
 {
 	uint32_t denied = 0, granted = 0;
 	unsigned i;
-
-	if (security_token_has_sid(token, sd->owner_sid)) {
-		granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL;
-	}
+	uint32_t owner_rights_allowed = 0;
+	uint32_t owner_rights_denied = 0;
+	bool owner_rights_default = true;
 
 	if (sd->dacl == NULL) {
-		return granted & ~denied;
+		if (security_token_has_sid(token, sd->owner_sid)) {
+			granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL;
+		}
+		return granted;
 	}
 
 	for (i = 0;i<sd->dacl->num_aces; i++) {
@@ -126,6 +128,18 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
 			continue;
 		}
 
+		if (dom_sid_equal(&ace->trustee, &global_sid_Owner_Rights)) {
+			if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED) {
+				owner_rights_allowed |= ace->access_mask;
+				owner_rights_default = false;
+			} else if (ace->type == SEC_ACE_TYPE_ACCESS_DENIED) {
+				owner_rights_denied |= (owner_rights_allowed &
+							ace->access_mask);
+				owner_rights_default = false;
+			}
+			continue;
+		}
+
 		if (!security_token_has_sid(token, &ace->trustee)) {
 			continue;
 		}
@@ -143,6 +157,15 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
 		}
 	}
 
+	if (security_token_has_sid(token, sd->owner_sid)) {
+		if (owner_rights_default) {
+			granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL;
+		} else {
+			granted |= owner_rights_allowed;
+			granted &= ~owner_rights_denied;
+		}
+	}
+
 	return granted & ~denied;
 }
 
-- 
cgit v1.2.1