authorNadezhda Ivanova <nivanova@samba.org>2011-01-18 15:56:19 +0200
committerNadezhda Ivanova <nivanova@samba.org>2011-01-18 15:08:17 +0100
commitfed925079b988502674c48555e27e3ee9d214b4b (patch)
tree0f0e387e7c3ec46b5b187c4a9369b59c1e57b1a4 /libcli/security
parent757cfc296a6dcf2810a1a2e554ebd586125a91d3 (diff)
s4-security: Fixed incorrect inheritance of IO flagged ACES
They should be inherited without the IO flag unless they contain generic information.
Diffstat (limited to 'libcli/security')
-rw-r--r--libcli/security/create_descriptor.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/libcli/security/create_descriptor.c b/libcli/security/create_descriptor.c
index e5fa9b8cb5..643c98d345 100644
--- a/libcli/security/create_descriptor.c
+++ b/libcli/security/create_descriptor.c
@@ -157,6 +157,11 @@ static struct security_acl *calculate_inherited_from_parent(TALLOC_CTX *mem_ctx,
tmp_acl->aces[tmp_acl->num_aces] = *ace;
tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERITED_ACE;
+ /* remove IO flag from the child's ace */
+ if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY &&
+ !desc_ace_has_generic(tmp_ctx, ace)) {
+ tmp_acl->aces[tmp_acl->num_aces].flags &= ~SEC_ACE_FLAG_INHERIT_ONLY;
+ }
if (is_container && (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT))
tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERIT_ONLY;
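Review bot: The INHERIT_ONLY bit cleared by the added block is set again by the very next statement whenever `is_container` is true and the parent ACE carries SEC_ACE_FLAG_OBJECT_INHERIT, so for an ACE flagged CI|OI|IO on a container child the new code appears to have no effect and the ACE stays out of access evaluation on that child. If that is intended, the comment should say so, e.g. `/* IO applies to the parent only: clear it on the child unless the ACE still holds generic rights; the OI check below may set it again for containers */`. If it is not intended, the check below probably needs to skip ACEs that also carry SEC_ACE_FLAG_CONTAINER_INHERIT, which matters most for deny ACEs that would otherwise not be enforced on the child. As a style point, the condition is easier to audit as `if ((ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) &&`, matching the parenthesised flag test on the following line. The enclosing loop of calculate_inherited_from_parent starts and ends outside the hunk.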