Possible bug in libcli/security/access_check.c:se_access_check in master with DENY entries
realrichardsharpe at gmail.com
Sat Nov 3 08:38:54 MDT 2012
On Fri, Nov 2, 2012 at 11:40 PM, Matthieu Patou <mat at samba.org> wrote:
> On 11/02/2012 06:44 PM, Richard Sharpe wrote:
>> Hi folks,
>> I think I introduced this bug,
That bit is wrong. I started out thinking the problem was with OWNER
RIGHTS, but there was no problem with OWNER RIGHTS that I could see.
>> but in se_access_check, it says, when
>> walking the ACL:
>> case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
>> explicitly_denied_bits |= (bits_remaining &
>> However, this means that any bits that were granted earlier in the
>> scan would not be denied by a DENY entry.
> Well, in my memory, if you store an SD with deny bits not first then it's
> also not working on Windows.
> Could you check it?
Well, I do know that the Windows ACL editor (called from explorer)
does not like it if DENY entries do not appear before ALLOW entries.
I will give it a try during next week.
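
The ordering effect discussed in this thread, as an added example that is not part of the original messages and is not Samba's code: a simplified ACL walk in which a DENY ACE is tested only against bits_remaining. The struct, the integer trustee ids and the READ/WRITE masks are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Simplified model of an order-dependent ACL walk; all names are hypothetical. */
enum ace_type { ACE_ALLOW, ACE_DENY };

struct ace {
    enum ace_type type;
    int trustee;        /* constructed stand-in for a SID */
    uint32_t mask;
};

/* Returns 0 if every bit in `desired` is granted, -1 if access is denied. */
static int walk_acl(const struct ace *acl, size_t n, int who, uint32_t desired)
{
    uint32_t bits_remaining = desired;

    for (size_t i = 0; i < n && bits_remaining != 0; i++) {
        if (acl[i].trustee != who)
            continue;
        if (acl[i].type == ACE_ALLOW) {
            bits_remaining &= ~acl[i].mask;  /* granted bits leave the set */
        } else if (bits_remaining & acl[i].mask) {
            return -1;  /* DENY only sees bits that are not yet granted */
        }
    }
    return bits_remaining == 0 ? 0 : -1;
}

#define READ  0x1u
#define WRITE 0x2u

/* Constructed ACLs: the same two entries in both orders. */
static const struct ace allow_first[] = {
    { ACE_ALLOW, 1000, READ | WRITE },
    { ACE_DENY,  1000, WRITE },
};
static const struct ace deny_first[] = {
    { ACE_DENY,  1000, WRITE },
    { ACE_ALLOW, 1000, READ | WRITE },
};

int main(void)
{
    printf("allow first: %d\n", walk_acl(allow_first, 2, 1000, READ | WRITE));
    printf("deny first:  %d\n", walk_acl(deny_first, 2, 1000, READ | WRITE));
    return 0;
}
```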