authorNadezhda Ivanova <nivanova@samba.org>2011-02-10 12:39:22 +0200
committerNadezhda Ivanova <nivanova@samba.org>2011-02-10 12:43:58 +0200
commitc3f6cc9993f7fd45cff63c6a5fefde084a6cc173 (patch)
tree2a56387858fc66e87d63857e7dec27cc0bb05788
parent14edbf71593f2d713050e77ee1d6daf8d8d2b37e (diff)
security: Fixed some handling of ACEs with INHERITED flag provided by the user
Some tests showed that these ACEs are not removed if the DACL_PROTECTED flag is provided at the same time. This is not documented, but tests prove it and it has been observed in deployment.
-rw-r--r--libcli/security/create_descriptor.c21
1 files changed, 16 insertions, 5 deletions
diff --git a/libcli/security/create_descriptor.c b/libcli/security/create_descriptor.c
index 643c98d345..9e348a790e 100644
--- a/libcli/security/create_descriptor.c
+++ b/libcli/security/create_descriptor.c
@@ -210,7 +210,8 @@ static struct security_acl *process_user_acl(TALLOC_CTX *mem_ctx,
bool is_container,
struct dom_sid *owner,
struct dom_sid *group,
- struct GUID *object_list)
+ struct GUID *object_list,
+ bool is_protected)
{
uint32_t i;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
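Review bot: The new `is_protected` parameter is undocumented, and with it set process_user_acl now writes to the caller's ACEs (the flag-clearing further down), which the old read-only loop did not; the function's header comment, which is outside this hunk, should state both. Suggested wording for the parameter: `/* is_protected: the *_PROTECTED bit of the creator SD for this ACL; when set, user ACEs carrying INHERITED_ACE are kept with that flag cleared in place instead of being dropped */`. The function body continues past the hunk.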
@@ -232,8 +233,16 @@ static struct security_acl *process_user_acl(TALLOC_CTX *mem_ctx,
for (i=0; i < acl->num_aces; i++){
struct security_ace *ace = &acl->aces[i];
- if (ace->flags & SEC_ACE_FLAG_INHERITED_ACE)
- continue;
+ /* Remove ID flags from user-provided ACEs
+ * if we break inheritance, ignore them otherwise */
+ if (ace->flags & SEC_ACE_FLAG_INHERITED_ACE) {
+ if (is_protected) {
+ ace->flags &= ~SEC_ACE_FLAG_INHERITED_ACE;
+ } else {
+ continue;
+ }
+ }
+
if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY &&
!(ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT ||
ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT))
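Review bot: `ace->flags &= ~SEC_ACE_FLAG_INHERITED_ACE;` writes through `ace`, which is `&acl->aces[i]`, i.e. the creator-supplied ACL that compute_acl hands in, so building the new descriptor now modifies `creator_sd` as a side effect; whether anything reads `creator_sd` afterwards is not visible here, but the code this replaces only read from `ace`. If the mutation is not intended, work on a local copy, `struct security_ace ace_buf = acl->aces[i];` followed by `struct security_ace *ace = &ace_buf;`, and leave the rest of the loop unchanged (assuming it only copies `*ace` into the result ACL, which lies outside the hunk). The new comment would also carry more of the commit message if it read `/* User ACEs carrying INHERITED_ACE are dropped unless inheritance is broken (DACL/SACL_PROTECTED); then they are kept as explicit ACEs with the flag cleared — undocumented Windows behaviour, observed in deployment */`. The loop body continues outside the hunk.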
@@ -358,13 +367,15 @@ static bool compute_acl(struct security_descriptor *parent_sd,
is_container,
new_sd->owner_sid,
new_sd->group_sid,
- object_list);
+ object_list,
+ creator_sd->type & SEC_DESC_DACL_PROTECTED);
user_sacl = process_user_acl(new_sd,
creator_sd->sacl,
is_container,
new_sd->owner_sid,
new_sd->group_sid,
- object_list);
+ object_list,
+ creator_sd->type & SEC_DESC_SACL_PROTECTED);
}
cr_descr_log_descriptor(parent_sd, __location__"parent_sd", level);
cr_descr_log_descriptor(creator_sd,__location__ "creator_sd", level);
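Review bot: `creator_sd->type & SEC_DESC_DACL_PROTECTED` hands a masked bit-field to a `bool` parameter; any non-zero value converts to true, so the result is correct, but the intent reads more clearly as `(creator_sd->type & SEC_DESC_DACL_PROTECTED) != 0`, and likewise `(creator_sd->type & SEC_DESC_SACL_PROTECTED) != 0` for the SACL call. compute_acl starts and ends outside the hunk, so whether `creator_sd` is guaranteed non-NULL at these two calls cannot be confirmed from here.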