[PATCH] Follow-up patch for bug in dealing with "Owner Rights" ACEs when calculating maximum access

Jeremy Allison jra at samba.org
Fri Mar 1 16:41:16 UTC 2019


On Fri, Mar 01, 2019 at 01:02:16PM +0100, David Disseldorp via samba-technical wrote:
> On Thu, 28 Feb 2019 15:42:44 -0800, Jeremy Allison via samba-technical wrote:
> 
> > > Wouldn't this now mean that an owner_rights_allowed ACE now takes
> > > precedence over an owner_rights_denied ACE if the former comes first?
> > > I'll need to take a closer look at the spec tomorrow for this.  
> > 
> > Yes, that's exactly the case. That's what the test shows.
> 
> The reason why I'm struggling to get my head around this is that the
> behaviour is inconsistent with how regular ACEs are handled - we
> just do a simple (granted & ~denied), instead of giving special
> precedence to allow ACEs.

I know, but tests don't lie :-). It actually is consistent if
you think about it. A leading allow removes the bits from the
requested mask, a trailing deny for the same bits doesn't add
them back, they're already gone.
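
The ordering behaviour discussed above, as an added example that is not part of the original email and is not Samba's code: a simplified C model contrasting an ordered check of a requested mask with the order-blind `(granted & ~denied)` maximum, plus an order-aware maximum that agrees with the ordered check. It assumes every ACE applies to the caller; the struct, function names and right bits are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

enum ace_type { ACE_ALLOW, ACE_DENY };
struct ace { enum ace_type type; uint32_t mask; }; /* trustee matching omitted */
#define RIGHT_READ  0x1u /* constructed sample bits */
#define RIGHT_WRITE 0x2u

/* Ordered check of one request: returns 1 if granted, 0 if denied. */
int check_requested(const struct ace *acl, size_t n, uint32_t requested)
{
    uint32_t remaining = requested;
    for (size_t i = 0; i < n && remaining != 0; i++) {
        if (acl[i].type == ACE_ALLOW)
            remaining &= ~acl[i].mask;  /* satisfied bits are gone for good */
        else if (acl[i].mask & remaining)
            return 0;                   /* deny hits a bit still wanted */
    }
    return remaining == 0;
}

/* Order-blind maximum: the "simple (granted & ~denied)" from the thread. */
uint32_t max_simple(const struct ace *acl, size_t n)
{
    uint32_t granted = 0, denied = 0;
    for (size_t i = 0; i < n; i++) {
        if (acl[i].type == ACE_ALLOW) granted |= acl[i].mask;
        else                          denied  |= acl[i].mask;
    }
    return granted & ~denied;
}

/* Order-aware maximum: the first ACE to mention a bit decides it. */
uint32_t max_ordered(const struct ace *acl, size_t n)
{
    uint32_t granted = 0, denied = 0;
    for (size_t i = 0; i < n; i++) {
        if (acl[i].type == ACE_ALLOW) granted |= acl[i].mask & ~denied;
        else                          denied  |= acl[i].mask & ~granted;
    }
    return granted;
}

/* Constructed sample ACLs: same two ACEs, opposite order. */
const struct ace allow_first[] = { {ACE_ALLOW, RIGHT_READ | RIGHT_WRITE}, {ACE_DENY, RIGHT_WRITE} };
const struct ace deny_first[]  = { {ACE_DENY, RIGHT_WRITE}, {ACE_ALLOW, RIGHT_READ | RIGHT_WRITE} };

int main(void) {
    printf("allow-first: write=%d simple=0x%x ordered=0x%x\n", check_requested(allow_first, 2, RIGHT_WRITE),
           (unsigned)max_simple(allow_first, 2), (unsigned)max_ordered(allow_first, 2));
    return 0;
}
```

With the allow ACE first, an explicit request for the write bit succeeds while the order-blind maximum omits it; the order-aware maximum reports the same answer as the ordered check in both orderings.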


