Possible bug in libcli/security/access_check.c:se_access_check in master with DENY entries

Richard Sharpe realrichardsharpe at gmail.com
Fri Nov 2 19:44:04 MDT 2012


Hi folks,

I think I introduced this bug, but in se_access_check, it says, when
walking the ACL:

                case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
                        explicitly_denied_bits |= (bits_remaining & ace->access_mask);

However, this means that any bits that were granted earlier in the
scan would not be denied by a DENY entry.

I guess that this is why MS insists that DENY entries should appear
first in the ACL, but shouldn't that be:

                case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
                        explicitly_denied_bits |= (access_desired & ace->access_mask);

-- 
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)
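Added example, not part of the original mail or of Samba's code: a simplified C model of the DACL walk that implements both forms of the DENY line discussed above, selectable by a flag, and runs them over a constructed two-entry ACL in non-canonical (ALLOW before DENY) and canonical (DENY first) order. The ace_t type, ACE_ALLOW/ACE_DENY, PERM_WRITE and model_access_check are hypothetical names introduced for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified model of a DACL walk, constructed for illustration; the names
 * are hypothetical and this is not Samba's se_access_check. */
enum { ACE_ALLOW = 0, ACE_DENY = 1 };

typedef struct {
    int type;
    uint32_t access_mask;
} ace_t;
#define PERM_WRITE 0x2u /* constructed permission bit for the demo */

/* deny_from_desired == false: a DENY masks bits_remaining (the line quoted
 * in the mail), so bits already granted by an earlier ALLOW stay granted
 * (first match wins). true: a DENY masks access_desired (the proposed
 * line), so a later DENY overrides an earlier ALLOW. Access is granted only
 * if every desired bit was allowed and no desired bit was denied. */
bool model_access_check(const ace_t *aces, size_t n, uint32_t access_desired,
                        bool deny_from_desired)
{
    uint32_t bits_remaining = access_desired;
    uint32_t explicitly_denied_bits = 0;

    for (size_t i = 0; i < n; i++) {
        const ace_t *ace = &aces[i];
        if (ace->type == ACE_ALLOW) {
            bits_remaining &= ~ace->access_mask; /* grant these bits */
        } else {
            uint32_t base = deny_from_desired ? access_desired : bits_remaining;
            explicitly_denied_bits |= (base & ace->access_mask);
        }
    }
    return bits_remaining == 0 && explicitly_denied_bits == 0;
}

/* Constructed ACL in non-canonical order: ALLOW WRITE, then DENY WRITE. */
bool check_allow_then_deny(bool deny_from_desired)
{
    const ace_t acl[] = { { ACE_ALLOW, PERM_WRITE }, { ACE_DENY, PERM_WRITE } };
    return model_access_check(acl, 2, PERM_WRITE, deny_from_desired);
}

/* Same two entries in canonical order: DENY first. Both forms agree here. */
bool check_deny_then_allow(bool deny_from_desired)
{
    const ace_t acl[] = { { ACE_DENY, PERM_WRITE }, { ACE_ALLOW, PERM_WRITE } };
    return model_access_check(acl, 2, PERM_WRITE, deny_from_desired);
}
```

In the non-canonical case the quoted form grants WRITE and the proposed form denies it; with DENY first both forms deny it, which is why the ACE ordering the mail mentions matters for the result.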

