author | Andrew Tridgell <tridge@samba.org> | 2004-12-04 12:42:40 +0000 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 2004-12-04 12:42:40 +0000 |
commit | 42ef6fc57669537d7a0a1d75cc5caf8bf8ce0c46 (patch) | |
tree | 2161aa1b0c4492fdb2c908c8f25a8c1a33798922 /source/libcli/security | |
parent | d1b9da8f6da6992ca3b667d3937d01c1261025e2 (diff) | |
r4062: the RAW-ACLS test now passes. The SEC_STD_DELETE bit is rather strange
though - I expect we'll need to tweak that some more.
Diffstat (limited to 'source/libcli/security')
-rw-r--r-- | source/libcli/security/access_check.c | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/source/libcli/security/access_check.c b/source/libcli/security/access_check.c index 7e70736d09e..425a5c2b6d1 100644 --- a/source/libcli/security/access_check.c +++ b/source/libcli/security/access_check.c @@ -49,8 +49,9 @@ static uint32_t access_check_max_allowed(struct security_descriptor *sd, unsigned i; if (sid_active_in_token(sd->owner_sid, token)) { - granted |= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL); + granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL; } + granted |= SEC_STD_DELETE; for (i = 0;i<sd->dacl->num_aces; i++) { struct security_ace *ace = &sd->dacl->aces[i]; @@ -84,15 +85,17 @@ NTSTATUS sec_access_check(struct security_descriptor *sd, int i; uint32_t bits_remaining; + *access_granted = access_desired; + bits_remaining = access_desired; + /* handle the maximum allowed flag */ if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) { access_desired |= access_check_max_allowed(sd, token); access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED; + *access_granted = access_desired; + bits_remaining = access_desired & ~SEC_STD_DELETE; } - *access_granted = access_desired; - bits_remaining = access_desired; - #if 0 /* this is where we should check for the "system security" privilege, once we move to the full security_token and not just the nt_user_token */ |
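Review bot: In access_check_max_allowed the new `granted |= SEC_STD_DELETE;` sits outside the owner test, so every token starts with DELETE in its maximum-allowed mask before any ACE is examined. Whether a deny ACE can take the bit back depends on the loop body, which lies outside this hunk. The commit message already calls this behaviour provisional, and the code should say so where the next reader will see it, for example `/* FIXME: DELETE is granted unconditionally to satisfy RAW-ACLS; it probably needs to depend on the parent directory's ACL - revisit */`. Until that is settled, callers that authorise an unlink or rename from the returned mask should not read this bit as a DACL decision.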
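Review bot: The two request paths in sec_access_check now disagree about SEC_STD_DELETE. An explicit request leaves the bit in `bits_remaining`, whereas a SEC_FLAG_MAXIMUM_ALLOWED request strips it with `bits_remaining = access_desired & ~SEC_STD_DELETE;` and still reports it in `*access_granted`. If the remainder of the function (outside this hunk) fails the call when bits remain unsatisfied, the same token can be refused DELETE when it names the bit and receive it when it asks for the maximum; a comment should state whether that asymmetry is intended. Separately, `*access_granted` is now written before any ACE is examined, so the contract deserves a line such as `/* *access_granted is only meaningful when NT_STATUS_OK is returned */`.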