s3 onefs: Canonicalize the ACL in the correct order
authortprouty <tprouty@b72e2a10-2d34-0410-9a71-d3beadf02b57>
Wed, 26 Aug 2009 01:38:17 +0000 (01:38 +0000)
committerTim Prouty <tprouty@samba.org>
Wed, 26 Aug 2009 17:41:55 +0000 (10:41 -0700)
source3/modules/onefs_acl.c

index df4efd58dfa91e4c6b1aa3c980364235e8134d5b..2593012805462063b9657a45fc24602c6a2f2587 100644 (file)
@@ -417,23 +417,27 @@ onefs_canon_acl(files_struct *fsp, struct ifs_security_descriptor *sd)
         * By walking down the list 3 separate times, we can avoid the need
         * to create multiple temp buffers and extra copies.
         */
-       for (cur = 0; cur < sd->dacl->num_aces; cur++)  {
-               if (sd->dacl->aces[cur].flags & IFS_ACE_FLAG_INHERITED_ACE)
-                       new_aces[new_aces_count++] = sd->dacl->aces[cur];
-       }
 
+       /* Explict deny aces first */
        for (cur = 0; cur < sd->dacl->num_aces; cur++)  {
                if (!(sd->dacl->aces[cur].flags & IFS_ACE_FLAG_INHERITED_ACE) &&
                    (sd->dacl->aces[cur].type == IFS_ACE_TYPE_ACCESS_DENIED))
                        new_aces[new_aces_count++] = sd->dacl->aces[cur];
        }
 
+       /* Explict allow aces second */
        for (cur = 0; cur < sd->dacl->num_aces; cur++)  {
                if (!(sd->dacl->aces[cur].flags & IFS_ACE_FLAG_INHERITED_ACE) &&
                    !(sd->dacl->aces[cur].type == IFS_ACE_TYPE_ACCESS_DENIED))
                        new_aces[new_aces_count++] = sd->dacl->aces[cur];
        }
 
+       /* Inherited deny/allow aces third */
+       for (cur = 0; cur < sd->dacl->num_aces; cur++)  {
+               if ((sd->dacl->aces[cur].flags & IFS_ACE_FLAG_INHERITED_ACE))
+                       new_aces[new_aces_count++] = sd->dacl->aces[cur];
+       }
+
        SMB_ASSERT(new_aces_count == sd->dacl->num_aces);
        DEBUG(10, ("Performed canonicalization of ACLs for file %s\n",
                   fsp_str_dbg(fsp)));
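Review bot: The third loop copies inherited ACEs in whatever order the source DACL already had them, so a deny ACE can still land after an allow ACE inside the inherited group whenever the input was not already canonical, and the comment above it does not say whether preserving that order is intended; since an access check stops at the first matching ACE, ordering within the inherited group is as security-relevant as the explicit/inherited split this commit fixes. If the intent is to trust the parent's ordering (which may also encode inheritance depth, so a flat deny-then-allow sort of inherited entries might not be the right fix either), the comment should state that assumption, e.g. `/* Inherited aces third, in the order the parent supplied them */`. Both new comments also misspell the word: `/* Explicit deny aces first */` and `/* Explicit allow aces second */`. onefs_canon_acl begins and ends outside this hunk, so the sizing of new_aces that the trailing SMB_ASSERT relies on is not visible here.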