Possible bug in libcli/security/access_check.c:se_access_check in master with DENY entries

Matthieu Patou mat at samba.org
Sat Nov 3 00:40:11 MDT 2012

On 11/02/2012 06:44 PM, Richard Sharpe wrote:
> Hi folks,
> I think I introduced this bug, but in se_access_check, it says, when
> walking the ACL:
>                 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
>                         explicitly_denied_bits |= (bits_remaining &
> ace->access_mask);
> However, this means that any bits that were granted earlier in the
> scan would not be denied by a DENY entry.
Well in my memory if you store a SD with deny bits not first then it's
also not working on Windows.

Could you check it ?

Matthieu Patou
Samba Team

More information about the samba-technical mailing list