libcli/security: fix handling of deny type ACEs in access_check_max_allowed()
authorRalph Boehme <slow@samba.org>
Fri, 1 Mar 2019 17:57:23 +0000 (18:57 +0100)
committerJeremy Allison <jra@samba.org>
Mon, 4 Mar 2019 18:11:16 +0000 (18:11 +0000)
Deny ACEs must always be evaluated against explicitly granted rights
from previous ACEs.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13812

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
libcli/security/access_check.c
selftest/knownfail.d/smb2.acls [deleted file]

index d1d57ee..322f4fd 100644 (file)
@@ -173,7 +173,7 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
                        break;
                case SEC_ACE_TYPE_ACCESS_DENIED:
                case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
-                       denied |= ace->access_mask;
+                       denied |= ~granted & ace->access_mask;
                        break;
                default:        /* Other ACE types not handled/supported */
                        break;
diff --git a/selftest/knownfail.d/smb2.acls b/selftest/knownfail.d/smb2.acls
deleted file mode 100644 (file)
index b76a3c7..0000000
+++ /dev/null
@@ -1,4 +0,0 @@
-^samba3.smb2.acls.OWNER-RIGHTS-DENY1\(ad_dc\)
-^samba3.smb2.acls.OWNER-RIGHTS-DENY1\(nt4_dc\)
-^samba3.smb2.acls.DENY1\(ad_dc\)
-^samba3.smb2.acls.DENY1\(nt4_dc\)