Possible bug in libcli/security/access_check.c:se_access_check in master with DENY entries
Richard Sharpe
realrichardsharpe at gmail.com
Fri Nov 2 19:44:04 MDT 2012
Hi folks,
I think I introduced this bug, but in se_access_check, it says, when
walking the ACL:
    case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
            explicitly_denied_bits |= (bits_remaining & ace->access_mask);
However, this means that any bits that were granted earlier in the
scan would not be denied by a DENY entry.
I guess that this is why MS insists that DENY entries should appear
first in the ACL, but shouldn't that be:
    case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
            explicitly_denied_bits |= (access_desired & ace->access_mask);
--
Regards,
Richard Sharpe
(What can dispel sorrow? Only Du Kang. --Cao Cao)
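The two masks discussed in the message above, compared on an ACL where an ALLOW entry precedes a DENY entry. This is an added example, not code from the original post or from Samba: `struct ace`, `walk_acl`, the bit values and the sample ACLs are a simplified, constructed model (one trustee, no SIDs, no object ACEs).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model, not Samba's structures. */
enum ace_type { ACE_ALLOW, ACE_DENY };
struct ace { enum ace_type type; uint32_t access_mask; };

#define READ_BIT  0x1u   /* constructed bit values */
#define WRITE_BIT 0x2u

/* Walk the ACL in order. deny_uses_desired selects the mask the DENY branch
 * tests: 0 = bits_remaining (first snippet), 1 = access_desired (second).
 * Returns 1 if every requested bit was allowed and none was denied. */
static int walk_acl(const struct ace *acl, size_t n, uint32_t access_desired,
                    int deny_uses_desired)
{
    uint32_t bits_remaining = access_desired;
    uint32_t explicitly_denied_bits = 0;

    for (size_t i = 0; i < n; i++) {
        switch (acl[i].type) {
        case ACE_ALLOW:
            /* bits granted here are no longer "remaining" */
            bits_remaining &= ~acl[i].access_mask;
            break;
        case ACE_DENY:
            explicitly_denied_bits |=
                (deny_uses_desired ? access_desired : bits_remaining)
                & acl[i].access_mask;
            break;
        }
    }
    return bits_remaining == 0 && explicitly_denied_bits == 0;
}

/* Constructed sample ACLs: same two entries, opposite order. */
static const struct ace allow_then_deny[] = {
    { ACE_ALLOW, READ_BIT | WRITE_BIT }, { ACE_DENY, WRITE_BIT } };
static const struct ace deny_then_allow[] = {
    { ACE_DENY, WRITE_BIT }, { ACE_ALLOW, READ_BIT | WRITE_BIT } };

int main(void)
{
    printf("allow,deny  bits_remaining: %d\n", walk_acl(allow_then_deny, 2, WRITE_BIT, 0));
    printf("allow,deny  access_desired: %d\n", walk_acl(allow_then_deny, 2, WRITE_BIT, 1));
    printf("deny,allow  bits_remaining: %d\n", walk_acl(deny_then_allow, 2, WRITE_BIT, 0));
    printf("deny,allow  access_desired: %d\n", walk_acl(deny_then_allow, 2, WRITE_BIT, 1));
    return 0;
}
```

With `bits_remaining` the result depends on ACE order; with `access_desired` both orderings give the same answer for the same request.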