authorStefan Metzmacher <metze@samba.org>2012-11-22 15:53:14 +0100
committerMichael Adam <obnox@samba.org>2012-11-30 17:17:20 +0100
commit7a3e4d04c7e06379eddacb4f025a3c48a0a754a4 (patch)
tree4eaaa457354caf4680878c74dc3b224199641cf1 /source4/dsdb/samdb/ldb_modules
parentc2c715f9c9e0d465857ad118d632493131a5f9c5 (diff)
s4:dsdb/descriptor: if the caller specifies no DACL/SACL the object gets a default one
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
Diffstat (limited to 'source4/dsdb/samdb/ldb_modules')
-rw-r--r--source4/dsdb/samdb/ldb_modules/descriptor.c29
1 files changed, 28 insertions, 1 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c
index fd08d49cdf..73acc2f7a7 100644
--- a/source4/dsdb/samdb/ldb_modules/descriptor.c
+++ b/source4/dsdb/samdb/ldb_modules/descriptor.c
@@ -236,6 +236,11 @@ static DATA_BLOB *get_new_descriptor(struct ldb_module *module,
char *sddl_sd;
struct dom_sid *default_owner;
struct dom_sid *default_group;
+ struct security_descriptor *default_descriptor = NULL;
+
+ if (objectclass != NULL) {
+ default_descriptor = get_sd_unpacked(module, mem_ctx, objectclass);
+ }
if (object) {
user_descriptor = talloc(mem_ctx, struct security_descriptor);
@@ -251,7 +256,7 @@ static DATA_BLOB *get_new_descriptor(struct ldb_module *module,
return NULL;
}
} else {
- user_descriptor = get_sd_unpacked(module, mem_ctx, objectclass);
+ user_descriptor = default_descriptor;
}
if (old_sd) {
@@ -284,6 +289,28 @@ static DATA_BLOB *get_new_descriptor(struct ldb_module *module,
}
}
+ if (user_descriptor && default_descriptor &&
+ (user_descriptor->dacl == NULL))
+ {
+ user_descriptor->dacl = default_descriptor->dacl;
+ user_descriptor->type |= default_descriptor->type & (
+ SEC_DESC_DACL_PRESENT |
+ SEC_DESC_DACL_DEFAULTED|SEC_DESC_DACL_AUTO_INHERIT_REQ |
+ SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_PROTECTED |
+ SEC_DESC_DACL_TRUSTED);
+ }
+
+ if (user_descriptor && default_descriptor &&
+ (user_descriptor->sacl == NULL))
+ {
+ user_descriptor->sacl = default_descriptor->sacl;
+ user_descriptor->type |= default_descriptor->type & (
+ SEC_DESC_SACL_PRESENT |
+ SEC_DESC_SACL_DEFAULTED|SEC_DESC_SACL_AUTO_INHERIT_REQ |
+ SEC_DESC_SACL_AUTO_INHERITED|SEC_DESC_SACL_PROTECTED |
+ SEC_DESC_SERVER_SECURITY);
+ }
+
default_owner = get_default_ag(mem_ctx, dn,
session_info->security_token, ldb);
default_group = get_default_group(mem_ctx, ldb, default_owner);
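Review bot: The two new blocks share the ACL objects rather than copying them: after `user_descriptor->dacl = default_descriptor->dacl;` (and the SACL counterpart) the caller-supplied descriptor and the schema default point at the same `struct security_acl`, so any in-place edit of that ACL later in get_new_descriptor would also alter the default, and the merged descriptor is only valid while mem_ctx (the talloc parent of both) is alive. If that coupling is not intended, `user_descriptor->dacl = security_acl_dup(user_descriptor, default_descriptor->dacl);` with a NULL check would decouple them; if it is intended, a one-line comment such as `/* share the default ACL; both live on mem_ctx */` above the first block would spare the next reader the question. Both blocks repeat the same `user_descriptor && default_descriptor` guard and could be nested under a single `if`, with the `type` masks explained by a comment stating that only the DACL- (resp. SACL-) specific control bits are taken from the default. The body of get_new_descriptor continues outside this hunk, so the lifetime claim is inferred, not verified here.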