From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Wed, 2 Mar 2022 04:14:42 +0000 (+1300)
Subject: s4:policy: Fix ACE type comparison
X-Git-Tag: tevent-0.12.0~420
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=52afaa0ceb5f2a372c075f64c5ae445621263b36;p=thirdparty%2Fsamba.git

s4:policy: Fix ACE type comparison

SEC_ACE_TYPE_ values are not flags, so this comparison does not behave
as intended. Modify the check to more closely match the comment.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---

diff --git a/source4/lib/policy/gp_manage.c b/source4/lib/policy/gp_manage.c
index 80336edf700..769e6c02d2f 100644
--- a/source4/lib/policy/gp_manage.c
+++ b/source4/lib/policy/gp_manage.c
@@ -100,7 +100,8 @@ NTSTATUS gp_create_gpt_security_descriptor (TALLOC_CTX *mem_ctx, struct security
 		struct security_ace *ace;
 
 		/* Don't add the allow for SID_BUILTIN_PREW2K */
-		if (!(ds_sd->dacl->aces[i].type & SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) &&
+		if ((ds_sd->dacl->aces[i].type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT ||
+		     ds_sd->dacl->aces[i].type == SEC_ACE_TYPE_ACCESS_ALLOWED) &&
 				strcmp(trustee, SID_BUILTIN_PREW2K) == 0) {
 			talloc_free(trustee);
 			continue;