Test: Create a file. Add an ACE for DOMAIN Users: Deny ALL.
Try to open the file for read: Denied. This is correct and the same as what W2K08 does.
Try to open the file with READ CONTROL: Denied. This is not correct. W2K08 allows the owner READ CONTROL in the presence of DENY entries for the same.

The problem is that in libcli/security/access_check.c we have this:

    /* the owner always gets owner rights as defined above */
    if (security_token_has_sid(token, sd->owner_sid)) {
        if (owner_rights_default)
            /*
             * Just remove them, no need to check if they are
             * there.
             */
            bits_remaining &= ~(SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL);
        else {
            bits_remaining &= ~owner_rights_allowed;
            bits_remaining |= (owner_rights_denied & access_desired);
        }
    }

    /* Explicitly denied bits always override */
    bits_remaining |= (explicitly_denied_bits & access_desired);

However, the manipulation of explicitly denied bits should happen before we do the OWNER RIGHTS check.
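As an added illustration (not Samba's code), here is a simplified C model of the check quoted in the report, using constructed SIDs and masks and modelling only the owner_rights_default branch: it shows that the order of the two steps decides whether the owner's READ_CONTROL request survives a "Deny ALL" ACE on a group the owner belongs to, while a plain read stays denied either way.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Standard-rights bits; values match the Windows/Samba SEC_STD_* constants. */
#define SEC_STD_READ_CONTROL 0x00020000u
#define SEC_STD_WRITE_DAC    0x00040000u
#define SEC_FILE_READ_DATA   0x00000001u
#define DENY_ALL_MASK        0x001F01FFu /* constructed mask for the "Deny ALL" ACE */

/* Constructed SIDs: the file owner, and the DOMAIN Users group the owner belongs to. */
enum { SID_OWNER = 1, SID_DOMAIN_USERS = 2 };
struct ace { bool deny; uint32_t mask; int trustee; };

static bool token_has_sid(const int *sids, size_t n, int sid)
{
    for (size_t i = 0; i < n; i++) if (sids[i] == sid) return true;
    return false;
}

/* Returns the desired bits that were NOT granted (0 == access granted).
 * deny_before_owner=false reproduces the ordering the report calls wrong;
 * true applies the explicit denies before the owner-rights step. Only the
 * owner_rights_default branch of the quoted Samba snippet is modelled. */
static uint32_t check_access(const struct ace *aces, size_t n_aces,
                             const int *sids, size_t n_sids, int owner_sid,
                             uint32_t access_desired, bool deny_before_owner)
{
    uint32_t bits_remaining = access_desired, explicitly_denied_bits = 0;
    /* ACL walk: matching deny ACEs accumulate, matching allow ACEs clear bits. */
    for (size_t i = 0; i < n_aces; i++) {
        if (!token_has_sid(sids, n_sids, aces[i].trustee)) continue;
        if (aces[i].deny) explicitly_denied_bits |= aces[i].mask;
        else bits_remaining &= ~aces[i].mask;
    }
    if (deny_before_owner) bits_remaining |= explicitly_denied_bits & access_desired;
    /* the owner always gets READ_CONTROL and WRITE_DAC */
    if (token_has_sid(sids, n_sids, owner_sid))
        bits_remaining &= ~(SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL);
    if (!deny_before_owner) bits_remaining |= explicitly_denied_bits & access_desired;
    return bits_remaining;
}

/* The report's test: a single ACE "DOMAIN Users: Deny ALL", file opened by the owner. */
static uint32_t report_scenario(uint32_t access_desired, bool deny_before_owner)
{
    const struct ace acl[] = { { true, DENY_ALL_MASK, SID_DOMAIN_USERS } };
    const int token[] = { SID_OWNER, SID_DOMAIN_USERS };
    return check_access(acl, 1, token, 2, SID_OWNER, access_desired, deny_before_owner);
}
```

A non-zero return from report_scenario() is the "Denied" outcome from the test steps; only the deny-before-owner ordering lets the owner's READ_CONTROL open succeed as W2K08 does.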
Created attachment 8579 [details] Proposed patch (for master). Richard, can you confirm this is the patch you need? Cheers, Jeremy.
Comment on attachment 8579 [details] Proposed patch (for master). Yes, this is exactly what I tested today.
From master: git cherry-pick 3e5acc155bb7be5c531a4a35b16e040f71f628ac applies cleanly to 4.0.x. Jeremy.
I don't think this applies to 3.6.x, only 4.0.x. In that case, re-assigning to Karolin for inclusion in 4.0.next. Jeremy.
Pushed to autobuild-v4-0-test.
Pushed to v4-0-test. Closing out bug report. Thanks!