author | Nadezhda Ivanova <nivanova@samba.org> | 2011-02-10 12:39:22 +0200 |
---|---|---|
committer | Nadezhda Ivanova <nivanova@samba.org> | 2011-02-10 12:43:58 +0200 |
commit | c3f6cc9993f7fd45cff63c6a5fefde084a6cc173 (patch) | |
tree | 2a56387858fc66e87d63857e7dec27cc0bb05788 | |
parent | 14edbf71593f2d713050e77ee1d6daf8d8d2b37e (diff) | |
security: Fixed some handling of ACEs with INHERITED flag provided by the user
Some tests showed that these ACEs are not removed if the DACL_PROTECTED flag is provided at the same time.
This is not documented, but tests prove it and it has been observed in deployment.
-rw-r--r-- | libcli/security/create_descriptor.c | 21 |
1 files changed, 16 insertions, 5 deletions
diff --git a/libcli/security/create_descriptor.c b/libcli/security/create_descriptor.c
index 643c98d345..9e348a790e 100644
--- a/libcli/security/create_descriptor.c
+++ b/libcli/security/create_descriptor.c
@@ -210,7 +210,8 @@ static struct security_acl *process_user_acl(TALLOC_CTX *mem_ctx,
 bool is_container,
 struct dom_sid *owner,
 struct dom_sid *group,
- struct GUID *object_list)
+ struct GUID *object_list,
+ bool is_protected)
 {
 uint32_t i;
 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
@@ -232,8 +233,16 @@ static struct security_acl *process_user_acl(TALLOC_CTX *mem_ctx,
 for (i=0; i < acl->num_aces; i++){
 struct security_ace *ace = &acl->aces[i];
- if (ace->flags & SEC_ACE_FLAG_INHERITED_ACE)
- continue;
+ /* Remove ID flags from user-provided ACEs
+ * if we break inheritance, ignore them otherwise */
+ if (ace->flags & SEC_ACE_FLAG_INHERITED_ACE) {
+ if (is_protected) {
+ ace->flags &= ~SEC_ACE_FLAG_INHERITED_ACE;
+ } else {
+ continue;
+ }
+ }
+
 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY &&
 !(ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT ||
 ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT))
@@ -358,13 +367,15 @@ static bool compute_acl(struct security_descriptor *parent_sd,
 is_container,
 new_sd->owner_sid,
 new_sd->group_sid,
- object_list);
+ object_list,
+ creator_sd->type & SEC_DESC_DACL_PROTECTED);
 user_sacl = process_user_acl(new_sd,
 creator_sd->sacl,
 is_container,
 new_sd->owner_sid,
 new_sd->group_sid,
- object_list);
+ object_list,
+ creator_sd->type & SEC_DESC_SACL_PROTECTED);
 }
 cr_descr_log_descriptor(parent_sd, __location__"parent_sd", level);
 cr_descr_log_descriptor(creator_sd,__location__ "creator_sd", level); |
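Review bot: The new `is_protected` parameter added to the process_user_acl signature is undocumented, and its meaning can only be recovered by reading the second hunk. A one-line comment at the parameter would save the next caller that trip, e.g. `/* is_protected: the *_PROTECTED bit of the creator descriptor is set for this ACL, so user-supplied ACEs carrying SEC_ACE_FLAG_INHERITED_ACE are kept with the flag cleared instead of being dropped */`. The function's opening line is above this hunk, so the comment would sit on the declaration outside this view.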
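Review bot: The added `ace->flags &= ~SEC_ACE_FLAG_INHERITED_ACE;` modifies the caller's ACL in place, because `ace` points into `acl->aces` of the creator descriptor rather than into a copy; whether the ACE is duplicated into the result afterwards is outside this hunk. That side effect is not mentioned in the new comment, and it is visible in the third hunk, where `cr_descr_log_descriptor(creator_sd, ...)` runs after the call and therefore logs a descriptor that no longer matches what the caller actually supplied. If the input descriptor is meant to be read-only, clear the flag on a local copy of the ACE before it is appended, otherwise extend the comment to say that process_user_acl normalises the user-provided ACL in place. The loop body continues past the end of the hunk.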