r4404: check for SEC_ACE_FLAG_INHERIT_ONLY in the "maximum allowed" logic
[samba.git] / source / libcli / security / access_check.c
index 4c8bb1bd1fef8084ff99cd8099c99ece2dc4b65a..c8a546682a8c74fd7f18b4aaaa73e896938753d3 100644 (file)
@@ -59,6 +59,10 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
        for (i = 0;i<sd->dacl->num_aces; i++) {
                struct security_ace *ace = &sd->dacl->aces[i];
 
+               if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
+                       continue;
+               }
+
                if (!sid_active_in_token(&ace->trustee, token)) {
                        continue;
                }