authorStefan Metzmacher <metze@samba.org>2013-01-22 15:38:07 +0100
committerAndrew Bartlett <abartlet@samba.org>2013-01-27 20:14:20 +1100
commit2413962d53c7923a453fc7579b24b90bc23173df (patch)
tree3b2404782040d09e6adc6b528c85d819dae02d34
parentb9f1c8887ed1c8c29259021d4f2b9a549caa4061 (diff)
libcli/security: calculate INHERIT_ONLY correcty for AUDIT and ALARM aces (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r--libcli/security/create_descriptor.c20
1 files changed, 16 insertions, 4 deletions
diff --git a/libcli/security/create_descriptor.c b/libcli/security/create_descriptor.c
index 42ca1a7ecc..23e7e9ba60 100644
--- a/libcli/security/create_descriptor.c
+++ b/libcli/security/create_descriptor.c
@@ -165,6 +165,8 @@ static struct security_acl *calculate_inherited_from_parent(TALLOC_CTX *mem_ctx,
struct security_ace *ace = &acl->aces[i];
if ((ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT) ||
(ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT)) {
+ struct GUID inherited_object = GUID_zero();
+
tmp_acl->aces = talloc_realloc(tmp_acl, tmp_acl->aces,
struct security_ace,
tmp_acl->num_aces+1);
@@ -184,10 +186,18 @@ static struct security_acl *calculate_inherited_from_parent(TALLOC_CTX *mem_ctx,
if (is_container && (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT))
tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERIT_ONLY;
- if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT ||
- ace->type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT) {
- struct GUID inherited_object = GUID_zero();
-
+ switch (ace->type) {
+ case SEC_ACE_TYPE_ACCESS_ALLOWED:
+ case SEC_ACE_TYPE_ACCESS_DENIED:
+ case SEC_ACE_TYPE_SYSTEM_AUDIT:
+ case SEC_ACE_TYPE_SYSTEM_ALARM:
+ case SEC_ACE_TYPE_ALLOWED_COMPOUND:
+ break;
+
+ case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
+ case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
+ case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
+ case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
if (ace->object.object.flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) {
inherited_object = ace->object.object.inherited_type.inherited_type;
}
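Review bot: The new `switch (ace->type)` has no `default:` arm, so an ACE whose type is not one of the nine listed falls out of the switch exactly like a simple ACE and never reaches the inherited-object-type check that sets `SEC_ACE_FLAG_INHERIT_ONLY`. If leaving the default out is deliberate, so that the compiler flags any ACE type added to the enum later, say so above the switch, e.g. `/* no default: every ACE type is listed so a newly added type is flagged at compile time */`. Otherwise, since the type presumably comes from a parsed descriptor, an explicit `default:` that decides how an unrecognised type is inherited would be safer than a silent pass-through. The first case group would also read better with `/* no inherited object type to compare */` before its `break;`. The switch is closed in the next hunk, and the enclosing loop of calculate_inherited_from_parent starts outside this one.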
@@ -196,7 +206,9 @@ static struct security_acl *calculate_inherited_from_parent(TALLOC_CTX *mem_ctx,
tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERIT_ONLY;
}
+ break;
}
+
tmp_acl->num_aces++;
if (is_container) {
if (!(ace->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) &&