libcli/security: add "Owner Rights" calculation to access_check_max_allowed()

This was missing in 44590c1b70c0a24f853c02d5fcdb3c609401e2ca.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13812

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Thu Feb 28 19:18:16 UTC 2019 on sn-devel-144

diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c
index 03a7dca4adf899d9e72c1d0c52645db32aa17989..5d49b718f0c8fce9bfe9e3cc6d7856c4b7b19c1b 100644 (file)
--- a/libcli/security/access_check.c
+++ b/libcli/security/access_check.c
@@ -110,13 +110,15 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
 {
        uint32_t denied = 0, granted = 0;
        unsigned i;
-
-       if (security_token_has_sid(token, sd->owner_sid)) {
-               granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL;
-       }
+       uint32_t owner_rights_allowed = 0;
+       uint32_t owner_rights_denied = 0;
+       bool owner_rights_default = true;
 
        if (sd->dacl == NULL) {
-               return granted & ~denied;
+               if (security_token_has_sid(token, sd->owner_sid)) {
+                       granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL;
+               }
+               return granted;
        }
 
        for (i = 0;i<sd->dacl->num_aces; i++) {
@@ -126,6 +128,18 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
                        continue;
                }
 
+               if (dom_sid_equal(&ace->trustee, &global_sid_Owner_Rights)) {
+                       if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED) {
+                               owner_rights_allowed |= ace->access_mask;
+                               owner_rights_default = false;
+                       } else if (ace->type == SEC_ACE_TYPE_ACCESS_DENIED) {
+                               owner_rights_denied |= (owner_rights_allowed &
+                                                       ace->access_mask);
+                               owner_rights_default = false;
+                       }
+                       continue;
+               }
+
                if (!security_token_has_sid(token, &ace->trustee)) {
                        continue;
                }
@@ -143,6 +157,15 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
                }
        }
 
+       if (security_token_has_sid(token, sd->owner_sid)) {
+               if (owner_rights_default) {
+                       granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL;
+               } else {
+                       granted |= owner_rights_allowed;
+                       granted &= ~owner_rights_denied;
+               }
+       }
+
        return granted & ~denied;
 }
 

diff --git a/selftest/knownfail.d/smb2.acls b/selftest/knownfail.d/smb2.acls
deleted file mode 100644 (file)
index 733a793..0000000
--- a/selftest/knownfail.d/smb2.acls
+++ /dev/null
@@ -1,2 +0,0 @@
-^samba3.smb2.acls.OWNER-RIGHTS\(ad_dc\)
-^samba3.smb2.acls.OWNER-RIGHTS\(nt4_dc\)