Second part of fix for bug #8673 - NT ACL issue.
[ira/wip.git] / libcli / security / access_check.c
index 6bb64aeabe5311ab8e10b4d31cc48a08d5f4b65c..1b02a866b1df5fab5e208294bcebf3ab71f4fc09 100644 (file)
@@ -158,6 +158,7 @@ NTSTATUS se_access_check(const struct security_descriptor *sd,
 {
        uint32_t i;
        uint32_t bits_remaining;
+       uint32_t explicitly_denied_bits = 0;
 
        *access_granted = access_desired;
        bits_remaining = access_desired;
@@ -232,15 +233,15 @@ NTSTATUS se_access_check(const struct security_descriptor *sd,
                        break;
                case SEC_ACE_TYPE_ACCESS_DENIED:
                case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
-                       if (bits_remaining & ace->access_mask) {
-                               return NT_STATUS_ACCESS_DENIED;
-                       }
+                       explicitly_denied_bits |= (bits_remaining & ace->access_mask);
                        break;
                default:        /* Other ACE types not handled/supported */
                        break;
                }
        }
 
+       bits_remaining |= explicitly_denied_bits;
+
 done:
        if (bits_remaining != 0) {
                *access_granted = bits_remaining;
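Review bot: The deferred deny only takes effect if control reaches `bits_remaining |= explicitly_denied_bits;`, which sits above the `done:` label, so any path that jumps to `done` after a deny ACE was recorded would silently drop the denial; no such jump is visible in this hunk, but the loop body and the rest of se_access_check lie outside it. Placing the merge directly under the label (`done:` followed by `bits_remaining |= explicitly_denied_bits;`) makes the check fail closed on every exit, and it is a no-op for exits taken before the loop because the variable is initialised to 0. The deny case would also benefit from a comment such as `/* Record denied bits but keep walking the DACL; they are merged back into bits_remaining after the loop so a later allow ACE cannot clear them. */`. On failure `*access_granted` now carries explicit denials and bits that merely had no matching allow ACE in a single mask, so a caller that relaxes particular rejected bits cannot tell the two apart; that should be confirmed against the callers, which are not shown here.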