s4:dsdb/descriptor: NULL out user_descriptor elements depending on the sd_flags

A client can send a full security_descriptor while just passing sd_flags of SECINFO_DACL. We need to NULL out elements which will be ignored depending on the sd_flags and may set the old owner/group sids. Otherwise the calculation of the DACL/SACL can replace CREATOR_OWNER with the wrong sid. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
author: Stefan Metzmacher <metze@samba.org> 2012-12-01 15:10:38 +0100
committer: Michael Adam <obnox@samba.org> 2012-12-02 18:30:47 +0100
commit: 8ababf4367eb4faaeeda6cf66191aaf66a3a69da (patch)
tree: 8a835f38425a46f7b3d5fc594b682a56394b3992 /source4/dsdb/samdb/ldb_modules/descriptor.c
parent: 057c56ac2443abffbe169b06a72a93f41096fb67 (diff)
download: samba-8ababf4367eb4faaeeda6cf66191aaf66a3a69da.tar.gz
samba-8ababf4367eb4faaeeda6cf66191aaf66a3a69da.tar.bz2
samba-8ababf4367eb4faaeeda6cf66191aaf66a3a69da.zip
1 files changed, 44 insertions, 0 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c
index 18caa38103..95204b3c5c 100644
--- a/source4/dsdb/samdb/ldb_modules/descriptor.c
+++ b/source4/dsdb/samdb/ldb_modules/descriptor.c
@@ -323,6 +323,50 @@ static DATA_BLOB *get_new_descriptor(struct ldb_module *module,
 			SEC_DESC_SERVER_SECURITY);
 	}
 
+
+	if (!(sd_flags & SECINFO_OWNER) && user_descriptor) {
+		user_descriptor->owner_sid = NULL;
+
+		/*
+		 * We need the correct owner sid
+		 * when calculating the DACL or SACL
+		 */
+		if (old_descriptor) {
+			user_descriptor->owner_sid = old_descriptor->owner_sid;
+		}
+	}
+	if (!(sd_flags & SECINFO_GROUP) && user_descriptor) {
+		user_descriptor->group_sid = NULL;
+
+		/*
+		 * We need the correct group sid
+		 * when calculating the DACL or SACL
+		 */
+		if (old_descriptor) {
+			user_descriptor->group_sid = old_descriptor->group_sid;
+		}
+	}
+	if (!(sd_flags & SECINFO_DACL) && user_descriptor) {
+		user_descriptor->dacl = NULL;
+
+		/*
+		 * We add SEC_DESC_DACL_PROTECTED so that
+		 * create_security_descriptor() skips
+		 * the unused inheritance calculation
+		 */
+		user_descriptor->type |= SEC_DESC_DACL_PROTECTED;
+	}
+	if (!(sd_flags & SECINFO_SACL) && user_descriptor) {
+		user_descriptor->sacl = NULL;
+
+		/*
+		 * We add SEC_DESC_SACL_PROTECTED so that
+		 * create_security_descriptor() skips
+		 * the unused inheritance calculation
+		 */
+		user_descriptor->type |= SEC_DESC_SACL_PROTECTED;
+	}
+
 	default_owner = get_default_ag(mem_ctx, dn,
 				       session_info->security_token, ldb);
 	default_group = get_default_group(mem_ctx, ldb, default_owner);
author	Stefan Metzmacher <metze@samba.org>	2012-12-01 15:10:38 +0100
committer	Michael Adam <obnox@samba.org>	2012-12-02 18:30:47 +0100
commit	8ababf4367eb4faaeeda6cf66191aaf66a3a69da (patch)
tree	8a835f38425a46f7b3d5fc594b682a56394b3992 /source4/dsdb/samdb/ldb_modules/descriptor.c
parent	057c56ac2443abffbe169b06a72a93f41096fb67 (diff)
download	samba-8ababf4367eb4faaeeda6cf66191aaf66a3a69da.tar.gz samba-8ababf4367eb4faaeeda6cf66191aaf66a3a69da.tar.bz2 samba-8ababf4367eb4faaeeda6cf66191aaf66a3a69da.zip