From: Volker Lendecke <vl@samba.org>
Date: Fri, 29 Nov 2024 12:06:03 +0000 (+0100)
Subject: libcli: Make handling implicit_owner_rights bit easier to read
X-Git-Tag: tdb-1.4.13~319
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ddc88fa8b6e8c7facfc4b972d8316989b11eeade;p=thirdparty%2Fsamba.git

libcli: Make handling implicit_owner_rights bit easier to read

The first time I came across this I missed the "FALL_THROUGH" and had
to look closely at what happens. I had expected
IMPLICIT_OWNER_READ_CONTROL_AND_WRITE_DAC_RIGHTS to grant two rights,
which to me is now more obvious. It was correct before, but to me this
is now more obvious. YMMV.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
---

diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c
index 3dc982332da..56050ca84c7 100644
--- a/libcli/security/access_check.c
+++ b/libcli/security/access_check.c
@@ -245,8 +245,9 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
 		if (security_token_has_sid(token, sd->owner_sid)) {
 			switch (implicit_owner_rights) {
 			case IMPLICIT_OWNER_READ_CONTROL_AND_WRITE_DAC_RIGHTS:
-				granted |= SEC_STD_WRITE_DAC;
-				FALL_THROUGH;
+				granted |= (SEC_STD_READ_CONTROL |
+					    SEC_STD_WRITE_DAC);
+				break;
 			case IMPLICIT_OWNER_READ_CONTROL_RIGHTS:
 				granted |= SEC_STD_READ_CONTROL;
 				break;
@@ -282,8 +283,8 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
 	if (am_owner && !have_owner_rights_ace) {
 		switch (implicit_owner_rights) {
 		case IMPLICIT_OWNER_READ_CONTROL_AND_WRITE_DAC_RIGHTS:
-			granted |= SEC_STD_WRITE_DAC;
-			FALL_THROUGH;
+			granted |= (SEC_STD_READ_CONTROL | SEC_STD_WRITE_DAC);
+			break;
 		case IMPLICIT_OWNER_READ_CONTROL_RIGHTS:
 			granted |= SEC_STD_READ_CONTROL;
 			break;
@@ -436,8 +437,9 @@ static NTSTATUS se_access_check_implicit_owner(const struct security_descriptor
 	if (am_owner && !have_owner_rights_ace) {
 		switch (implicit_owner_rights) {
 		case IMPLICIT_OWNER_READ_CONTROL_AND_WRITE_DAC_RIGHTS:
-			bits_remaining &= ~SEC_STD_WRITE_DAC;
-			FALL_THROUGH;
+			bits_remaining &= ~(SEC_STD_WRITE_DAC |
+					    SEC_STD_READ_CONTROL);
+			break;
 		case IMPLICIT_OWNER_READ_CONTROL_RIGHTS:
 			bits_remaining &= ~SEC_STD_READ_CONTROL;
 			break;
@@ -751,8 +753,9 @@ NTSTATUS sec_access_check_ds_implicit_owner(const struct security_descriptor *sd
 	    security_token_has_sid(token, sd->owner_sid)) {
 		switch (implicit_owner_rights) {
 		case IMPLICIT_OWNER_READ_CONTROL_AND_WRITE_DAC_RIGHTS:
-			bits_remaining &= ~SEC_STD_WRITE_DAC;
-			FALL_THROUGH;
+			bits_remaining &= ~(SEC_STD_WRITE_DAC |
+					    SEC_STD_READ_CONTROL);
+			break;
 		case IMPLICIT_OWNER_READ_CONTROL_RIGHTS:
 			bits_remaining &= ~SEC_STD_READ_CONTROL;
 			break;