r12139: - fixed up the ace object flags checking

- allow for arbitrary access masks in sddl_encode_ace()
(This used to be commit 5e2b1bd6afafe2eb96e98c4636e0a62235693183)

1 files changed, 8 insertions, 3 deletions

diff --git a/source4/libcli/security/sddl.c b/source4/libcli/security/sddl.c
index a1b8346969..643cb7a82c 100644
--- a/source4/libcli/security/sddl.c
+++ b/source4/libcli/security/sddl.c
@@ -221,6 +221,7 @@ static BOOL sddl_decode_ace(TALLOC_CTX *mem_ctx, struct security_ace *ace, char
 		if (!NT_STATUS_IS_OK(status)) {
 			return False;
 		}
+		ace->object.object.flags |= SEC_ACE_OBJECT_TYPE_PRESENT;
 	}
 
 	/* inherit object */
@@ -230,6 +231,7 @@ static BOOL sddl_decode_ace(TALLOC_CTX *mem_ctx, struct security_ace *ace, char
 		if (!NT_STATUS_IS_OK(status)) {
 			return False;
 		}
+		ace->object.object.flags |= SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT;
 	}
 
 	/* trustee */
@@ -460,18 +462,21 @@ static char *sddl_encode_ace(TALLOC_CTX *mem_ctx, const struct security_ace *ace
 	if (s_flags == NULL) goto failed;
 
 	s_mask = sddl_flags_to_string(tmp_ctx, ace_access_mask, ace->access_mask, True);
-	if (s_mask == NULL) goto failed;
+	if (s_mask == NULL) {
+		s_mask = talloc_asprintf(tmp_ctx, "0x%08x", ace->access_mask);
+		if (s_mask == NULL) goto failed;
+	}
 
 	if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT ||
 	    ace->type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT ||
 	    ace->type == SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT ||
 	    ace->type == SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT) {
-		if (!GUID_all_zero(&ace->object.object.type.type)) {
+		if (ace->object.object.flags & SEC_ACE_OBJECT_TYPE_PRESENT) {
 			s_object = GUID_string(tmp_ctx, &ace->object.object.type.type);
 			if (s_object == NULL) goto failed;
 		}
 
-		if (!GUID_all_zero(&ace->object.object.inherited_type.inherited_type)) {
+		if (ace->object.object.flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) {
 			s_iobject = GUID_string(tmp_ctx, &ace->object.object.inherited_type.inherited_type);
 			if (s_iobject == NULL) goto failed;
 		}