Second part of fix for bug #8673 - NT ACL issue.
author: Jeremy Allison <jra@samba.org>
Tue, 10 Jan 2012 20:58:13 +0000 (12:58 -0800)
committer: Jeremy Allison <jra@samba.org>
Wed, 11 Jan 2012 18:24:53 +0000 (19:24 +0100)
Ensure we process the entire ACE list instead of returning ACCESS_DENIED
and terminating the walk - ensure we only return the exact bits that cause
the access to be denied. Some of the S3 fileserver needs to know if we
are only denied DELETE access before overriding it by looking at the
containing directory ACL.

Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Wed Jan 11 19:24:53 CET 2012 on sn-devel-104

libcli/security/access_check.c

index 6bb64aeabe5311ab8e10b4d31cc48a08d5f4b65c..1b02a866b1df5fab5e208294bcebf3ab71f4fc09 100644 (file)
@@ -158,6 +158,7 @@ NTSTATUS se_access_check(const struct security_descriptor *sd,
 {
        uint32_t i;
        uint32_t bits_remaining;
+       uint32_t explicitly_denied_bits = 0;
 
        *access_granted = access_desired;
        bits_remaining = access_desired;
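Review bot: the new `explicitly_denied_bits` declaration would benefit from a one-line comment stating that it accumulates the desired bits hit by DENY ACEs during the walk and is merged back into `bits_remaining` only after the loop; without that, a reader seeing the deny case no longer return immediately may assume the deny is dropped. Suggest `uint32_t explicitly_denied_bits = 0; /* desired bits matched by DENY ACEs, merged after the walk */`.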
@@ -232,15 +233,15 @@ NTSTATUS se_access_check(const struct security_descriptor *sd,
                        break;
                case SEC_ACE_TYPE_ACCESS_DENIED:
                case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
-                       if (bits_remaining & ace->access_mask) {
-                               return NT_STATUS_ACCESS_DENIED;
-                       }
+                       explicitly_denied_bits |= (bits_remaining & ace->access_mask);
                        break;
                default:        /* Other ACE types not handled/supported */
                        break;
                }
        }
 
+       bits_remaining |= explicitly_denied_bits;
+
 done:
        if (bits_remaining != 0) {
                *access_granted = bits_remaining;
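Review bot: the merge `bits_remaining |= explicitly_denied_bits;` sits before the `done:` label, so any `goto done` taken from inside the ACE loop (or anywhere between the loop and the label) would discard the accumulated deny bits and could report access granted despite a matching DENY ACE; please confirm the loop can only be left by falling through, or place the merge after `done:` so every exit path applies it. The change itself looks right for the stated goal: a DENY ACE no longer short-circuits the walk, an ALLOW ACE that later clears the same bits from `bits_remaining` is overridden by the OR at the end, and the caller receives in `*access_granted` exactly the denied bits (so a DELETE-only denial is distinguishable), which the old immediate `return NT_STATUS_ACCESS_DENIED;` could not convey. Since the deny case now calls no `return`, the `break;` after `explicitly_denied_bits |= ...` is required and should stay.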