1 files changed, 12 insertions, 14 deletions

diff --git a/source4/ntvfs/posix/pvfs_open.c b/source4/ntvfs/posix/pvfs_open.c
index 4b8de284882..17740f76366 100644
--- a/source4/ntvfs/posix/pvfs_open.c
+++ b/source4/ntvfs/posix/pvfs_open.c
@@ -862,14 +862,6 @@ NTSTATUS pvfs_open(struct ntvfs_module_context *ntvfs,
 	share_access   = io->generic.in.share_access;
 	access_mask    = io->generic.in.access_mask;
 
-	if (access_mask & SEC_FLAG_MAXIMUM_ALLOWED) {
-		if (name->exists && (name->dos.attrib & FILE_ATTRIBUTE_READONLY)) {
-			access_mask = SEC_RIGHTS_FILE_READ;
-		} else {
-			access_mask = SEC_RIGHTS_FILE_READ | SEC_RIGHTS_FILE_WRITE;
-		}
-	}
-
 	/* certain create options are not allowed */
 	if ((create_options & NTCREATEX_OPTIONS_DELETE_ON_CLOSE) &&
 	    !(access_mask & SEC_STD_DELETE)) {
@@ -914,12 +906,6 @@ NTSTATUS pvfs_open(struct ntvfs_module_context *ntvfs,
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 
-	if (access_mask & (SEC_FILE_WRITE_DATA | SEC_FILE_APPEND_DATA)) {
-		flags |= O_RDWR;
-	} else {
-		flags |= O_RDONLY;
-	}
-
 	if (io->generic.in.file_attr & FILE_ATTRIBUTE_DIRECTORY) {
 		return NT_STATUS_INVALID_PARAMETER;
 	}
@@ -949,6 +935,12 @@ NTSTATUS pvfs_open(struct ntvfs_module_context *ntvfs,
 		return NT_STATUS_CANNOT_DELETE;
 	}
 
+	/* check the security descriptor */
+	status = pvfs_access_check(pvfs, req, name, &access_mask);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+
 	f = talloc_p(req, struct pvfs_file);
 	if (f == NULL) {
 		return NT_STATUS_NO_MEMORY;
@@ -1036,6 +1028,12 @@ NTSTATUS pvfs_open(struct ntvfs_module_context *ntvfs,
 
 	f->handle->have_opendb_entry = True;
 
+	if (access_mask & (SEC_FILE_WRITE_DATA | SEC_FILE_APPEND_DATA)) {
+		flags |= O_RDWR;
+	} else {
+		flags |= O_RDONLY;
+	}
+
 	/* do the actual open */
 	fd = open(f->handle->name->full_name, flags);
 	if (fd == -1) {