authorJeremy Allison <jra@samba.org>2009-12-02 15:02:28 -0800
committerJeremy Allison <jra@samba.org>2009-12-02 15:02:28 -0800
commit365c6b4ce0bd84bfb1d9cec03bc835b92b1c5af7 (patch)
tree89510a69206825497e14a2af7eb1ae4787363dd9 /source3/lib
parent1d013fd03295433698f2b301dbf8324a3db528eb (diff)
Restructure the ACL code some more, get the internal semantics
right. The previous bugs were due to the fact that get_nt_acl_internal() could return an NTSTATUS error if there was no stored ACL blob, but otherwise would return the underlying ACL from the filesystem. Fix this so it always returns a valid ACL if it can, and if it does not, it's an error to be reported back to the client. This then changes the inherit ACL code. Previously we were trying to match Windows by setting a minimal ACL on a new file that didn't inherit anything from a parent directory. This is silly - the returned ACL wouldn't match the underlying UNIX permissions. The current code will correctly inherit from a parent if a parent has any inheritable ACE entries that apply to the new object, but will return a mapping from the underlying UNIX permissions if the parent has no inheritable entries. This makes much more sense for new files/directories. Jeremy.
Diffstat (limited to 'source3/lib')
-rw-r--r--source3/lib/secdesc.c20
1 files changed, 20 insertions, 0 deletions
diff --git a/source3/lib/secdesc.c b/source3/lib/secdesc.c
index 5e35181834..d45be00212 100644
--- a/source3/lib/secdesc.c
+++ b/source3/lib/secdesc.c
@@ -474,6 +474,26 @@ static bool is_inheritable_ace(const SEC_ACE *ace,
return false;
}
+/*
+ * Does a security descriptor have any inheritable components for
+ * the newly created type ?
+ */
+
+bool sd_has_inheritable_components(const SEC_DESC *parent_ctr, bool container)
+{
+ unsigned int i;
+ const SEC_ACL *the_acl = parent_ctr->dacl;
+
+ for (i = 0; i < the_acl->num_aces; i++) {
+ const SEC_ACE *ace = &the_acl->aces[i];
+
+ if (is_inheritable_ace(ace, container)) {
+ return true;
+ }
+ }
+ return false;
+}
+
/* Create a child security descriptor using another security descriptor as
the parent container. This child object can either be a container or
non-container object. */
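Review bot: The loop condition in sd_has_inheritable_components() reads `the_acl->num_aces` without first checking that `parent_ctr->dacl` is non-NULL. A security descriptor can legitimately carry no DACL, so if a parent descriptor in that state reaches this function, smbd would dereference a NULL pointer while handling a client's create request. Whether callers already filter that case is not visible in this hunk, so the function should defend itself with `if (the_acl == NULL) { return false; }` directly after the declarations. Returning false there fits the commit description, since a parent with nothing inheritable is meant to fall back to the mapping from the underlying UNIX permissions. The header comment could also state that only the DACL is examined and that `container` selects directory versus file inheritance.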