mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
libcli/security: fix handling of deny type ACEs in access_check_max_allowed()
Deny ACEs must always be evaluated against explicitly granted rights from previous ACEs. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13812 Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
This commit is contained in:
parent
b205d695d7
commit
8d355dd976
@ -173,7 +173,7 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
|
||||
break;
|
||||
case SEC_ACE_TYPE_ACCESS_DENIED:
|
||||
case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
|
||||
denied |= ace->access_mask;
|
||||
denied |= ~granted & ace->access_mask;
|
||||
break;
|
||||
default: /* Other ACE types not handled/supported */
|
||||
break;
|
||||
|
@ -1,4 +0,0 @@
|
||||
^samba3.smb2.acls.OWNER-RIGHTS-DENY1\(ad_dc\)
|
||||
^samba3.smb2.acls.OWNER-RIGHTS-DENY1\(nt4_dc\)
|
||||
^samba3.smb2.acls.DENY1\(ad_dc\)
|
||||
^samba3.smb2.acls.DENY1\(nt4_dc\)
|
Loading…
Reference in New Issue
Block a user