From faafade5dd948918a27284b82384340995d1bf55 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Mon, 16 Apr 2012 18:17:25 -0700
Subject: [PATCH] Bugfix for #8857 - Setting traverse rights fails to enable directory traversal when acl_xattr in use. We were incorrectly checking the parent directory ACL, instead of the ACL of the directory we're trying to open.
---
 source3/modules/vfs_acl_common.c | 35 +++++++++++++++++++++++++++++++++--
 1 file changed, 33 insertions(+), 2 deletions(-)
diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c
index 84aa18f9dd7..097fd20dc04 100644
--- a/source3/modules/vfs_acl_common.c
+++ b/source3/modules/vfs_acl_common.c
@@ -813,13 +813,44 @@ static NTSTATUS fset_nt_acl_common(vfs_handle_struct *handle, files_struct *fsp,
 static SMB_STRUCT_DIR *opendir_acl_common(vfs_handle_struct *handle, const char *fname, const char *mask, uint32 attr) {
- NTSTATUS status = check_parent_acl_common(handle, fname,
- SEC_DIR_LIST, NULL);
+ NTSTATUS status;
+ uint32_t access_granted = 0;
+ struct security_descriptor *sd = NULL;
+
+ status = get_nt_acl_internal(handle,
+ NULL,
+ fname,
+ (SECINFO_OWNER |
+ SECINFO_GROUP |
+ SECINFO_DACL |
+ SECINFO_SACL),
+ &sd);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10,("opendir_acl_common: "
+ "get_nt_acl_internal for dir %s "
+ "failed with error %s\n",
+ fname,
+ nt_errstr(status) ));
+ errno = map_errno_from_nt_status(status);
+ return NULL;
+ }
+ /* See if we can access it. */
+ status = smb1_file_se_access_check(handle->conn,
+ sd,
+ get_current_nttok(handle->conn),
+ SEC_DIR_LIST,
+ &access_granted);
 if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10,("opendir_acl_common: %s open "
+ "for access SEC_DIR_LIST "
+ "refused with error %s\n",
+ fname,
+ nt_errstr(status) ));
 errno = map_errno_from_nt_status(status);
 return NULL;
 }
+
 return SMB_VFS_NEXT_OPENDIR(handle, fname, mask, attr);
 }
-- 
2.11.4.GIT
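Review bot: `sd` filled in by `get_nt_acl_internal()` is never released in opendir_acl_common; both the refused path and the success path return after `smb1_file_se_access_check()` with the descriptor still allocated. The allocator is not visible in this hunk, so unless the descriptor lives on a per-request talloc frame, every directory open keeps one alive; a `TALLOC_FREE(sd);` directly after the access check, before `status` is tested, would cover both paths. The access decision is also made on the name `fname`, which `SMB_VFS_NEXT_OPENDIR()` then resolves a second time, so the ACL that was evaluated belongs to the directory actually opened only if the path cannot change in between; a comment stating that assumption would help the next reader. `access_granted` is written but never read, and `SECINFO_SACL` is requested although only a `SEC_DIR_LIST` check follows; presumably owner, group and DACL are sufficient here, which is worth confirming.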