Second part of fix for bug #8673 - NT ACL issue.
authorJeremy Allison <jra@samba.org>
Tue, 10 Jan 2012 22:43:04 +0000 (14:43 -0800)
committerKarolin Seeger <kseeger@samba.org>
Sat, 21 Jan 2012 20:12:29 +0000 (21:12 +0100)
Ensure we process the entire ACE list instead of returning ACCESS_DENIED
and terminating the walk - ensure we only return the exact bits that cause
the access to be denied. Parts of the S3 fileserver need to know whether
we are denied only DELETE access before overriding that denial by looking
at the containing directory ACL.

source3/lib/util_seaccess.c

index 058bf3212014d70b3c3d3af10652055e2a7c1d37..9f8d3fad6a8424c5a03faef02413dc7cfd2eabb8 100644 (file)
@@ -158,6 +158,7 @@ NTSTATUS se_access_check(const struct security_descriptor *sd,
 {
        int i;
        uint32_t bits_remaining;
+       uint32_t explicitly_denied_bits = 0;
 
        *access_granted = access_desired;
        bits_remaining = access_desired;
@@ -223,15 +224,15 @@ NTSTATUS se_access_check(const struct security_descriptor *sd,
                        break;
                case SEC_ACE_TYPE_ACCESS_DENIED:
                case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
-                       if (bits_remaining & ace->access_mask) {
-                               return NT_STATUS_ACCESS_DENIED;
-                       }
+                       explicitly_denied_bits |= (bits_remaining & ace->access_mask);
                        break;
                default:        /* Other ACE types not handled/supported */
                        break;
                }
        }
 
+       bits_remaining |= explicitly_denied_bits;
+
 done:
        if (bits_remaining != 0) {
                *access_granted = bits_remaining;
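Review bot: The deferred denial only holds if every exit from the ACE loop falls through `bits_remaining |= explicitly_denied_bits;`, and because the `done:` label sits directly below that line, any `goto done` taken after a deny ACE has been recorded would skip the merge and let a later allow ACE win. No such jump is visible in this hunk, but the loop header and the earlier part of se_access_check are outside it, so this should be confirmed against the full function. I would add a comment above the merge, e.g. `/* Explicit denies are re-applied here; never jump to done: from inside the ACE loop. */`. It would also help to document at `*access_granted = bits_remaining;` that on failure the out-parameter carries the rejected bits rather than the granted ones. Per the commit message, callers use it to decide whether to override a DELETE-only denial, so they presumably need to compare the whole mask rather than test a single bit.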