r25607: Allow to set security descriptor type flags at creation time with

security_descriptor_create().

Guenther
(This used to be commit 7dd0d28d254f78891b0807492baafa188b42df16)

6 files changed, 28 insertions, 21 deletions

diff --git a/source4/lib/registry/tests/registry.c b/source4/lib/registry/tests/registry.c
index 9b1c6ff249..d2838e363f 100644
--- a/source4/lib/registry/tests/registry.c
+++ b/source4/lib/registry/tests/registry.c
@@ -400,6 +400,7 @@ static bool test_security(struct torture_context *tctx, const void *_data)
 		return false;
 
 	osd = security_descriptor_create(tctx,
+					 0,
 					 NULL, NULL,
 					 SID_NT_AUTHENTICATED_USERS,
 					 SEC_ACE_TYPE_ACCESS_ALLOWED,
diff --git a/source4/libcli/security/security_descriptor.c b/source4/libcli/security/security_descriptor.c
index 1d8549a605..9723e8ccca 100644
--- a/source4/libcli/security/security_descriptor.c
+++ b/source4/libcli/security/security_descriptor.c
@@ -327,6 +327,7 @@ bool security_descriptor_mask_equal(const struct security_descriptor *sd1,
   a typical call would be:
 
     sd = security_descriptor_create(mem_ctx,
+                                    sd_type_flags,
                                     mysid,
 				    mygroup,
 				    SID_NT_AUTHENTICATED_USERS, 
@@ -379,6 +380,7 @@ struct security_descriptor *security_descriptor_append(struct security_descripto
 }
 
 struct security_descriptor *security_descriptor_create(TALLOC_CTX *mem_ctx,
+						       uint16_t sd_type,
 						       const char *owner_sid,
 						       const char *group_sid,
 						       ...)
@@ -390,6 +392,8 @@ struct security_descriptor *security_descriptor_create(TALLOC_CTX *mem_ctx,
 	sd = security_descriptor_initialise(mem_ctx);
 	if (sd == NULL) return NULL;
 
+	sd->type |= sd_type;
+
 	if (owner_sid) {
 		sd->owner_sid = dom_sid_parse_talloc(sd, owner_sid);
 		if (sd->owner_sid == NULL) {
diff --git a/source4/libnet/libnet_become_dc.c b/source4/libnet/libnet_become_dc.c
index cd782066db..a6ca3551ce 100644
--- a/source4/libnet/libnet_become_dc.c
+++ b/source4/libnet/libnet_become_dc.c
@@ -1737,6 +1737,7 @@ static void becomeDC_drsuapi1_add_entry_send(struct libnet_BecomeDC_state *s)
 		if (composite_nomem(domain_admins_sid_str, c)) return;
 
 		v = security_descriptor_create(vd,
+					       0,
 					       /* owner: domain admins */
 					       domain_admins_sid_str,
 					       /* owner group: domain admins */
diff --git a/source4/torture/raw/acls.c b/source4/torture/raw/acls.c
index 2c3f4a52c6..0136056bdf 100644
--- a/source4/torture/raw/acls.c
+++ b/source4/torture/raw/acls.c
@@ -298,7 +298,7 @@ static bool test_creator_sid(struct torture_context *tctx,
 
 	printf("set a sec desc allowing no write by CREATOR_OWNER\n");
 	sd = security_descriptor_create(tctx,
-					NULL, NULL,
+					0, NULL, NULL,
 					SID_CREATOR_OWNER,
 					SEC_ACE_TYPE_ACCESS_ALLOWED,
 					SEC_RIGHTS_FILE_READ | SEC_STD_ALL,
@@ -335,7 +335,7 @@ static bool test_creator_sid(struct torture_context *tctx,
 
 	printf("set a sec desc allowing no write by owner\n");
 	sd = security_descriptor_create(tctx,
-					owner_sid, NULL,
+					0, owner_sid, NULL,
 					owner_sid,
 					SEC_ACE_TYPE_ACCESS_ALLOWED,
 					SEC_RIGHTS_FILE_READ | SEC_STD_ALL,
@@ -390,7 +390,7 @@ static bool test_creator_sid(struct torture_context *tctx,
 
 	printf("set a sec desc allowing generic read by owner\n");
 	sd = security_descriptor_create(tctx,
-					NULL, NULL,
+					0, NULL, NULL,
 					owner_sid,
 					SEC_ACE_TYPE_ACCESS_ALLOWED,
 					SEC_GENERIC_READ | SEC_STD_ALL,
@@ -403,7 +403,7 @@ static bool test_creator_sid(struct torture_context *tctx,
 
 	printf("check that generic read has been mapped correctly\n");
 	sd2 = security_descriptor_create(tctx,
-					 owner_sid, NULL,
+					 0, owner_sid, NULL,
 					 owner_sid,
 					 SEC_ACE_TYPE_ACCESS_ALLOWED,
 					 SEC_RIGHTS_FILE_READ | SEC_STD_ALL,
@@ -568,7 +568,7 @@ static bool test_generic_bits(struct torture_context *tctx,
 		printf("testing generic bits 0x%08x\n", 
 		       file_mappings[i].gen_bits);
 		sd = security_descriptor_create(tctx,
-						owner_sid, NULL,
+						0, owner_sid, NULL,
 						owner_sid,
 						SEC_ACE_TYPE_ACCESS_ALLOWED,
 						file_mappings[i].gen_bits,
@@ -584,7 +584,7 @@ static bool test_generic_bits(struct torture_context *tctx,
 		CHECK_STATUS(status, NT_STATUS_OK);
 
 		sd2 = security_descriptor_create(tctx,
-						 owner_sid, NULL,
+						 0, owner_sid, NULL,
 						 owner_sid,
 						 SEC_ACE_TYPE_ACCESS_ALLOWED,
 						 file_mappings[i].specific_bits,
@@ -616,7 +616,7 @@ static bool test_generic_bits(struct torture_context *tctx,
 		printf("testing generic bits 0x%08x (anonymous)\n", 
 		       file_mappings[i].gen_bits);
 		sd = security_descriptor_create(tctx,
-						SID_NT_ANONYMOUS, NULL,
+						0, SID_NT_ANONYMOUS, NULL,
 						owner_sid,
 						SEC_ACE_TYPE_ACCESS_ALLOWED,
 						file_mappings[i].gen_bits,
@@ -632,7 +632,7 @@ static bool test_generic_bits(struct torture_context *tctx,
 		CHECK_STATUS(status, NT_STATUS_OK);
 
 		sd2 = security_descriptor_create(tctx,
-						 SID_NT_ANONYMOUS, NULL,
+						 0, SID_NT_ANONYMOUS, NULL,
 						 owner_sid,
 						 SEC_ACE_TYPE_ACCESS_ALLOWED,
 						 file_mappings[i].specific_bits,
@@ -733,7 +733,7 @@ static bool test_generic_bits(struct torture_context *tctx,
 		printf("testing generic bits 0x%08x\n", 
 		       file_mappings[i].gen_bits);
 		sd = security_descriptor_create(tctx,
-						owner_sid, NULL,
+						0, owner_sid, NULL,
 						owner_sid,
 						SEC_ACE_TYPE_ACCESS_ALLOWED,
 						dir_mappings[i].gen_bits,
@@ -749,7 +749,7 @@ static bool test_generic_bits(struct torture_context *tctx,
 		CHECK_STATUS(status, NT_STATUS_OK);
 
 		sd2 = security_descriptor_create(tctx,
-						 owner_sid, NULL,
+						 0, owner_sid, NULL,
 						 owner_sid,
 						 SEC_ACE_TYPE_ACCESS_ALLOWED,
 						 dir_mappings[i].specific_bits,
@@ -781,7 +781,7 @@ static bool test_generic_bits(struct torture_context *tctx,
 		printf("testing generic bits 0x%08x (anonymous)\n", 
 		       file_mappings[i].gen_bits);
 		sd = security_descriptor_create(tctx,
-						SID_NT_ANONYMOUS, NULL,
+						0, SID_NT_ANONYMOUS, NULL,
 						owner_sid,
 						SEC_ACE_TYPE_ACCESS_ALLOWED,
 						file_mappings[i].gen_bits,
@@ -797,7 +797,7 @@ static bool test_generic_bits(struct torture_context *tctx,
 		CHECK_STATUS(status, NT_STATUS_OK);
 
 		sd2 = security_descriptor_create(tctx,
-						 SID_NT_ANONYMOUS, NULL,
+						 0, SID_NT_ANONYMOUS, NULL,
 						 owner_sid,
 						 SEC_ACE_TYPE_ACCESS_ALLOWED,
 						 file_mappings[i].specific_bits,
@@ -908,7 +908,7 @@ static bool test_owner_bits(struct torture_context *tctx,
 	printf("SEC_PRIV_TAKE_OWNERSHIP - %s\n", has_take_ownership_privilege?"Yes":"No");
 
 	sd = security_descriptor_create(tctx,
-					NULL, NULL,
+					0, NULL, NULL,
 					owner_sid,
 					SEC_ACE_TYPE_ACCESS_ALLOWED,
 					SEC_FILE_WRITE_DATA,
@@ -1115,7 +1115,7 @@ static bool test_inheritance(struct torture_context *tctx,
 	printf("owner_sid is %s\n", owner_sid);
 
 	sd_def = security_descriptor_create(tctx,
-					    owner_sid, NULL,
+					    0, owner_sid, NULL,
 					    owner_sid,
 					    SEC_ACE_TYPE_ACCESS_ALLOWED,
 					    SEC_RIGHTS_FILE_ALL,
@@ -1130,7 +1130,7 @@ static bool test_inheritance(struct torture_context *tctx,
 
 	for (i=0;i<ARRAY_SIZE(test_flags);i++) {
 		sd = security_descriptor_create(tctx,
-						NULL, NULL,
+						0, NULL, NULL,
 						SID_CREATOR_OWNER,
 						SEC_ACE_TYPE_ACCESS_ALLOWED,
 						SEC_FILE_WRITE_DATA,
@@ -1263,7 +1263,7 @@ static bool test_inheritance(struct torture_context *tctx,
 
 	printf("testing access checks on inherited create with %s\n", fname1);
 	sd = security_descriptor_create(tctx,
-					NULL, NULL,
+					0, NULL, NULL,
 					owner_sid,
 					SEC_ACE_TYPE_ACCESS_ALLOWED,
 					SEC_FILE_WRITE_DATA | SEC_STD_WRITE_DAC,
@@ -1296,7 +1296,7 @@ static bool test_inheritance(struct torture_context *tctx,
 	smbcli_close(cli->tree, fnum2);
 
 	sd2 = security_descriptor_create(tctx,
-					 owner_sid, NULL,
+					 0, owner_sid, NULL,
 					 owner_sid,
 					 SEC_ACE_TYPE_ACCESS_ALLOWED,
 					 SEC_FILE_WRITE_DATA | SEC_STD_WRITE_DAC,
@@ -1432,7 +1432,7 @@ static bool test_inheritance_dynamic(struct torture_context *tctx,
 	printf("owner_sid is %s\n", owner_sid);
 
 	sd = security_descriptor_create(tctx,
-					NULL, NULL,
+					0, NULL, NULL,
 					owner_sid,
 					SEC_ACE_TYPE_ACCESS_ALLOWED,
 					SEC_FILE_WRITE_DATA | SEC_STD_DELETE | SEC_FILE_READ_ATTRIBUTE,
@@ -1472,7 +1472,7 @@ static bool test_inheritance_dynamic(struct torture_context *tctx,
 
 	printf("update parent sd\n");
 	sd = security_descriptor_create(tctx,
-					NULL, NULL,
+					0, NULL, NULL,
 					owner_sid,
 					SEC_ACE_TYPE_ACCESS_ALLOWED,
 					SEC_FILE_WRITE_DATA | SEC_STD_DELETE | SEC_FILE_READ_ATTRIBUTE | SEC_FILE_EXECUTE,
@@ -1587,7 +1587,7 @@ static bool test_sd_get_set(struct torture_context *tctx,
 
 	/* first create a file with full access for everyone */
 	sd = security_descriptor_create(tctx,
-					SID_NT_ANONYMOUS, SID_BUILTIN_USERS,
+					0, SID_NT_ANONYMOUS, SID_BUILTIN_USERS,
 					SID_WORLD,
 					SEC_ACE_TYPE_ACCESS_ALLOWED,
 					SEC_GENERIC_ALL,
diff --git a/source4/torture/rpc/samba3rpc.c b/source4/torture/rpc/samba3rpc.c
index 8c52199e66..fe75fabad6 100644
--- a/source4/torture/rpc/samba3rpc.c
+++ b/source4/torture/rpc/samba3rpc.c
@@ -2004,7 +2004,7 @@ bool try_tcon(TALLOC_CTX *mem_ctx,
 	}
 
 	sd = security_descriptor_create(
-		tmp_ctx, "S-1-5-32-544",
+		tmp_ctx, 0, "S-1-5-32-544",
 		dom_sid_string(mem_ctx, dom_sid_add_rid(mem_ctx, domain_sid,
 							DOMAIN_RID_USERS)),
 		dom_sid_string(mem_ctx, user_sid),
diff --git a/source4/torture/rpc/winreg.c b/source4/torture/rpc/winreg.c
index 44df6dab74..8086986917 100644
--- a/source4/torture/rpc/winreg.c
+++ b/source4/torture/rpc/winreg.c
@@ -138,6 +138,7 @@ static bool test_CreateKey_sd(struct dcerpc_pipe *p,
 	struct winreg_SecBuf secbuf;
 
 	sd = security_descriptor_create(tctx,
+					0,
 					NULL, NULL,
 					SID_NT_AUTHENTICATED_USERS,
 					SEC_ACE_TYPE_ACCESS_ALLOWED,