If unpack_canon_ace() fails and returns false, file_ace_list and dir_ace_list
will be left at their initial NULL values, so we exit out at
if (!file_ace_list && !dir_ace_list) {
return NT_STATUS_OK;
}
instead of at the subsequent error checking code for acl_perms.
This subtle change was introduced by commit
81533e2d39cae11b7ea06f289a7c398ed3c51da9 and causes attempts to set an
non-canonical ACL by clients to return NT_STATUS_OK, instead of failing with
NT_STATUS_ACCESS_DENIED.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16097
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Jun 26 12:50:29 UTC 2026 on atb-devel-224
+++ /dev/null
-^samba3.smb2.acls.NON-CANONICAL-ORDER\(.*\)
acl_perms = unpack_canon_ace(fsp, &fsp->fsp_name->st, &file_owner_sid,
&file_grp_sid, &file_ace_list,
&dir_ace_list, security_info_sent, psd);
-
- /* Ignore W2K traverse DACL set. */
- if (!file_ace_list && !dir_ace_list) {
- return NT_STATUS_OK;
- }
-
if (!acl_perms) {
DEBUG(3,("set_nt_acl: cannot set permissions\n"));
free_canon_ace_list(file_ace_list);
return NT_STATUS_ACCESS_DENIED;
}
+ /* Ignore W2K traverse DACL set. */
+ if (!file_ace_list && !dir_ace_list) {
+ return NT_STATUS_OK;
+ }
+
/*
* Only change security if we got a DACL.
*/