granted |= SEC_STD_DELETE;
}
+ if (sd->dacl == NULL) {
+ return granted & ~denied;
+ }
+
for (i = 0;i<sd->dacl->num_aces; i++) {
struct security_ace *ace = &sd->dacl->aces[i];
return NT_STATUS_OK;
}
- /* empty dacl denies access */
+#if 0
+ /* tridge: previously we had empty dacl denying access, but
+ that can lead to undeletable directories, where
+ nobody can change the ACL on a directory */
if (sd->dacl == NULL || sd->dacl->num_aces == 0) {
return NT_STATUS_ACCESS_DENIED;
}
+#endif
/* the owner always gets SEC_STD_WRITE_DAC, SEC_STD_READ_CONTROL and SEC_STD_DELETE */
if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE)) &&
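Review bot: The old empty-DACL rejection is left in the file under `#if 0` rather than deleted, and the only statement of the new policy sits inside that disabled block. In an access-check routine this is a maintenance hazard: anyone who re-enables the block restores the deny-everyone behaviour, including for the owner, which the comment says led to undeletable directories. I would delete the dead `if` and keep a live comment in its place, for example `/* a NULL or empty DACL grants nothing by ACE; the owner still gets the implicit rights below so the ACL can be repaired */`. The owner-rights `if` that follows continues outside this hunk.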
bits_remaining &= ~SEC_STD_DELETE;
}
+ if (sd->dacl == NULL) {
+ goto done;
+ }
+
/* check each ace in turn. */
for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) {
struct security_ace *ace = &sd->dacl->aces[i];
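Review bot: The added `sd->dacl == NULL` branch treats an absent DACL exactly like an empty one, and nothing in the code says this is deliberate. It jumps to `done`, so any requested bit the owner rule did not clear ends in NT_STATUS_ACCESS_DENIED. Windows semantics distinguish the two cases (a NULL DACL imposes no restriction, an empty DACL grants nothing), so this is the fail-closed reading and should be recorded beside the check, e.g. `/* no DACL: nothing is granted by ACE, only owner-implied rights survive (stricter than Windows NULL-DACL semantics) */`. The same applies to the early `return granted & ~denied;` added before the ACE loop near the top of the diff. It is also worth confirming whether the descriptor's DACL-present flag should be consulted here; the visible lines do not show it, and the function body continues outside this hunk.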
}
}
+done:
if (bits_remaining != 0) {
return NT_STATUS_ACCESS_DENIED;
}