r4404: check for SEC_ACE_FLAG_INHERIT_ONLY in the "maximum allowed" logic
authorAndrew Tridgell <tridge@samba.org>
Thu, 30 Dec 2004 02:27:16 +0000 (02:27 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 18:07:43 +0000 (13:07 -0500)
(This used to be commit e4ee8b776ba164a89afca43de20c166ccbfddb99)

source4/libcli/security/access_check.c

index 4c8bb1bd1fef8084ff99cd8099c99ece2dc4b65a..c8a546682a8c74fd7f18b4aaaa73e896938753d3 100644 (file)
@@ -59,6 +59,10 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
        for (i = 0;i<sd->dacl->num_aces; i++) {
                struct security_ace *ace = &sd->dacl->aces[i];
 
+               if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
+                       continue;
+               }
+
                if (!sid_active_in_token(&ace->trustee, token)) {
                        continue;
                }
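Review bot: The inherit-only skip added at the top of the ACE loop in access_check_max_allowed has no comment saying why such ACEs are ignored, and the reason is security-relevant: an inherit-only ACE is meant for child objects and should neither grant nor deny rights on the object being checked. I would add `/* inherit-only ACEs apply to child objects only; they never affect access to this object */` above the new `if`. The same filter is needed wherever else the DACL is walked for an explicitly requested access mask. That loop is not visible in this hunk, so it is worth confirming it also skips SEC_ACE_FLAG_INHERIT_ONLY; otherwise a "maximum allowed" request and an explicit request could evaluate the same descriptor differently. The function body starts and ends outside the hunk.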