s4-security: Fixed incorrect inheritance of IO flagged ACES

They should be inherited without the IO flag unless they contain generic information.
author: Nadezhda Ivanova <nivanova@samba.org> 2011-01-18 15:56:19 +0200
committer: Nadezhda Ivanova <nivanova@samba.org> 2011-01-18 15:08:17 +0100
commit: fed925079b988502674c48555e27e3ee9d214b4b (patch)
tree: 0f0e387e7c3ec46b5b187c4a9369b59c1e57b1a4 /libcli/security
parent: 757cfc296a6dcf2810a1a2e554ebd586125a91d3 (diff)
download: samba-fed925079b988502674c48555e27e3ee9d214b4b.tar.gz
samba-fed925079b988502674c48555e27e3ee9d214b4b.tar.bz2
samba-fed925079b988502674c48555e27e3ee9d214b4b.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/libcli/security/create_descriptor.c b/libcli/security/create_descriptor.c
index e5fa9b8cb5..643c98d345 100644
--- a/libcli/security/create_descriptor.c
+++ b/libcli/security/create_descriptor.c
@@ -157,6 +157,11 @@ static struct security_acl *calculate_inherited_from_parent(TALLOC_CTX *mem_ctx,
 
 			tmp_acl->aces[tmp_acl->num_aces] = *ace;
 			tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERITED_ACE;
+			/* remove IO flag from the child's ace */
+			if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY &&
+			    !desc_ace_has_generic(tmp_ctx, ace)) {
+				tmp_acl->aces[tmp_acl->num_aces].flags &= ~SEC_ACE_FLAG_INHERIT_ONLY;
+			}
 
 			if (is_container && (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT))
 			    tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERIT_ONLY;
author	Nadezhda Ivanova <nivanova@samba.org>	2011-01-18 15:56:19 +0200
committer	Nadezhda Ivanova <nivanova@samba.org>	2011-01-18 15:08:17 +0100
commit	fed925079b988502674c48555e27e3ee9d214b4b (patch)
tree	0f0e387e7c3ec46b5b187c4a9369b59c1e57b1a4 /libcli/security
parent	757cfc296a6dcf2810a1a2e554ebd586125a91d3 (diff)
download	samba-fed925079b988502674c48555e27e3ee9d214b4b.tar.gz samba-fed925079b988502674c48555e27e3ee9d214b4b.tar.bz2 samba-fed925079b988502674c48555e27e3ee9d214b4b.zip