From 1c2e6978b89551828b66c348be361ce9a2b8ddb4 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 23 Sep 2008 11:17:43 -0700 Subject: [PATCH] fixed problem with ACLs with an empty DACL list --- source4/libcli/security/access_check.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/source4/libcli/security/access_check.c b/source4/libcli/security/access_check.c index e2ede05545d..d5a0a134453 100644 --- a/source4/libcli/security/access_check.c +++ b/source4/libcli/security/access_check.c @@ -38,6 +38,10 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd, granted |= SEC_STD_DELETE; } + if (sd->dacl == NULL) { + return granted & ~denied; + } + for (i = 0;idacl->num_aces; i++) { struct security_ace *ace = &sd->dacl->aces[i]; @@ -101,10 +105,14 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd, return NT_STATUS_OK; } - /* empty dacl denies access */ +#if 0 + /* tridge: previously we had empty dacl denying access, but + that can lead to undeletable directories, where + nobody can change the ACL on a directory */ if (sd->dacl == NULL || sd->dacl->num_aces == 0) { return NT_STATUS_ACCESS_DENIED; } +#endif /* the owner always gets SEC_STD_WRITE_DAC, SEC_STD_READ_CONTROL and SEC_STD_DELETE */ if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE)) && @@ -116,6 +124,10 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd, bits_remaining &= ~SEC_STD_DELETE; } + if (sd->dacl == NULL) { + goto done; + } + /* check each ace in turn. */ for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) { struct security_ace *ace = &sd->dacl->aces[i]; @@ -143,6 +155,7 @@ NTSTATUS sec_access_check(const struct security_descriptor *sd, } } +done: if (bits_remaining != 0) { return NT_STATUS_ACCESS_DENIED; } -- 2.11.4.GIT