Possible bug in libcli/security/access_check.c:se_access_check in master with DENY entries

Richard Sharpe realrichardsharpe at gmail.com
Sat Nov 3 08:38:54 MDT 2012

On Fri, Nov 2, 2012 at 11:40 PM, Matthieu Patou <mat at samba.org> wrote:
> On 11/02/2012 06:44 PM, Richard Sharpe wrote:
>> Hi folks,
>> I think I introduced this bug,

That bit is wrong. I started out thinking the problem was with OWNER
RIGHTS, but there was no problem with OWNER RIGHTS that I could see.

>> but in se_access_check, it says, when
>> walking the ACL:
>>                 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
>>                         explicitly_denied_bits |= (bits_remaining & ace->access_mask);
>> However, this means that any bits that were granted earlier in the
>> scan would not be denied by a DENY entry.
> Well in my memory if you store an SD with deny bits not first then it's
> also not working on Windows.
> Could you check it?

Well, I do know that the Windows ACL editor (called from explorer)
does not like it if DENY entries do not appear before ALLOW entries.

I will give it a try during next week.

Richard Sharpe
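
The order dependence discussed in this thread, as an added example that is not part of the original message and is not Samba's code: a simplified single-trustee model of an ACL walk that uses the quoted `explicitly_denied_bits |= (bits_remaining & ace->access_mask)` expression. The struct, function name, right bits and sample ACLs are assumptions made for illustration, as is the final step that folds the denied bits back into `bits_remaining`.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model (assumption): one trustee, no SID matching, no object ACEs. */
enum ace_type { ACE_ALLOW, ACE_DENY };
struct ace { enum ace_type type; uint32_t access_mask; };

#define RIGHT_READ  0x1u   /* constructed right bits */
#define RIGHT_WRITE 0x2u

/* Walks the ACL in stored order; returns 1 if every desired bit is granted. */
static int model_access_check(const struct ace *acl, size_t n, uint32_t desired)
{
	uint32_t bits_remaining = desired;
	uint32_t explicitly_denied_bits = 0;

	for (size_t i = 0; i < n; i++) {
		switch (acl[i].type) {
		case ACE_ALLOW:
			/* Granted bits no longer need to be satisfied. */
			bits_remaining &= ~acl[i].access_mask;
			break;
		case ACE_DENY:
			/* Expression quoted in the thread: only bits that are
			 * still outstanding can be recorded as denied. */
			explicitly_denied_bits |= (bits_remaining & acl[i].access_mask);
			break;
		}
	}
	/* Assumed final step: denied bits count as not granted. */
	bits_remaining |= explicitly_denied_bits;
	return bits_remaining == 0;
}

/* Constructed ACLs: the same two ACEs stored in different order. */
static const struct ace allow_first[] = {
	{ ACE_ALLOW, RIGHT_READ | RIGHT_WRITE }, { ACE_DENY, RIGHT_WRITE } };
static const struct ace deny_first[] = {
	{ ACE_DENY, RIGHT_WRITE }, { ACE_ALLOW, RIGHT_READ | RIGHT_WRITE } };

int main(void)
{
	printf("allow first, WRITE: %d\n", model_access_check(allow_first, 2, RIGHT_WRITE));
	printf("deny first,  WRITE: %d\n", model_access_check(deny_first, 2, RIGHT_WRITE));
	return 0;
}
```

With the DENY entry stored first the WRITE request is refused; with the ALLOW entry stored first the later DENY has no outstanding bits to act on and the request is granted.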
