author | Andrew Bartlett <abartlet@samba.org> | 2012-11-13 16:45:03 +1100 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2012-11-13 22:48:19 +0100 |
commit | 3e2584a86cc610c000f70105f39e7f3fa881aded (patch) | |
tree | a7cd7e9daa1ea5ac3131fbe7e0da457a91cf82db | |
parent | d6c7e9b1ed6f7befbb2239350bba4547ef781e58 (diff) | |
ntvfs: Fill in sd->type based on the new ACL being added
Previously we would not change the type field, and just relied on what
was in the original ACL based on the default SD.
This is required to ensure that SEC_DESC_DACL_PROTECTED is set,
which is in turn required for GPOs to be set correctly,
to match what Windows does.
Andrew Bartlett
Reviewed by: Jeremy Allison <jra@samba.org>
-rw-r--r-- | source4/ntvfs/posix/pvfs_acl.c | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/source4/ntvfs/posix/pvfs_acl.c b/source4/ntvfs/posix/pvfs_acl.c
index 1519631769..4e9c1ac6b5 100644
--- a/source4/ntvfs/posix/pvfs_acl.c
+++ b/source4/ntvfs/posix/pvfs_acl.c
@@ -330,6 +330,7 @@ NTSTATUS pvfs_acl_set(struct pvfs_state *pvfs,
 }
 sd->owner_sid = new_sd->owner_sid;
 }
+
 if (secinfo_flags & SECINFO_GROUP) {
 if (!(access_mask & SEC_STD_WRITE_OWNER)) {
 return NT_STATUS_ACCESS_DENIED;
@@ -349,19 +350,39 @@ NTSTATUS pvfs_acl_set(struct pvfs_state *pvfs,
 }
 sd->group_sid = new_sd->group_sid;
 }
+
 if (secinfo_flags & SECINFO_DACL) {
 if (!(access_mask & SEC_STD_WRITE_DAC)) {
 return NT_STATUS_ACCESS_DENIED;
 }
 sd->dacl = new_sd->dacl;
 pvfs_translate_generic_bits(sd->dacl);
+ sd->type |= SEC_DESC_DACL_PRESENT;
 }
+
 if (secinfo_flags & SECINFO_SACL) {
 if (!(access_mask & SEC_FLAG_SYSTEM_SECURITY)) {
 return NT_STATUS_ACCESS_DENIED;
 }
 sd->sacl = new_sd->sacl;
 pvfs_translate_generic_bits(sd->sacl);
+ sd->type |= SEC_DESC_SACL_PRESENT;
+ }
+
+ if (secinfo_flags & SECINFO_PROTECTED_DACL) {
+ if (new_sd->type & SEC_DESC_DACL_PROTECTED) {
+ sd->type |= SEC_DESC_DACL_PROTECTED;
+ } else {
+ sd->type &= ~SEC_DESC_DACL_PROTECTED;
+ }
+ }
+
+ if (secinfo_flags & SECINFO_PROTECTED_SACL) {
+ if (new_sd->type & SEC_DESC_SACL_PROTECTED) {
+ sd->type |= SEC_DESC_SACL_PROTECTED;
+ } else {
+ sd->type &= ~SEC_DESC_SACL_PROTECTED;
+ }
 }
 
 if (new_uid == old_uid) { |
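Review bot: The two new `SECINFO_PROTECTED_DACL` and `SECINFO_PROTECTED_SACL` branches in the second hunk change `sd->type` without any `access_mask` test, unlike the `SECINFO_DACL` and `SECINFO_SACL` branches just above them, which return `NT_STATUS_ACCESS_DENIED` unless `SEC_STD_WRITE_DAC` or `SEC_FLAG_SYSTEM_SECURITY` was granted. As far as this hunk shows, a request that carries only the protected flag could set or clear the inheritance-protection bit on a handle opened without write-DAC access; pvfs_acl_set starts and ends outside the hunk, so an earlier check may already cover this, but none is visible here. I would open each branch with the matching guard, `if (!(access_mask & SEC_STD_WRITE_DAC)) { return NT_STATUS_ACCESS_DENIED; }` for the DACL case and the same test with `SEC_FLAG_SYSTEM_SECURITY` for the SACL case. Separately, `sd->type |= SEC_DESC_DACL_PRESENT;` is applied unconditionally, so if `new_sd->dacl` can be NULL the descriptor ends up with a present-but-NULL DACL; a short comment saying whether that is intended, or a test on `new_sd->type`, would make the access semantics explicit.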