Ensure we process the entire ACE list instead of returning ACCESS_DENIED
and terminating the walk - ensure we only return the exact bits that cause
the access to be denied. Some of the S3 fileserver needs to know if we
are only denied DELETE access before overriding it by looking at the
containing directory ACL.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Wed Jan 11 19:24:53 CET 2012 on sn-devel-104
{
uint32_t i;
uint32_t bits_remaining;
+ uint32_t explicitly_denied_bits = 0;
*access_granted = access_desired;
bits_remaining = access_desired;
break;
case SEC_ACE_TYPE_ACCESS_DENIED:
case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
- if (bits_remaining & ace->access_mask) {
- return NT_STATUS_ACCESS_DENIED;
- }
+ explicitly_denied_bits |= (bits_remaining & ace->access_mask);
break;
default: /* Other ACE types not handled/supported */
break;
}
}
+ bits_remaining |= explicitly_denied_bits;
+
done:
if (bits_remaining != 0) {
*access_granted = bits_remaining;