diff options
-rw-r--r-- | source3/include/proto.h | 3 | ||||
-rw-r--r-- | source3/lib/secdesc.c | 43 | ||||
-rw-r--r-- | source3/printing/nt_printing.c | 2 | ||||
-rw-r--r-- | source3/rpc_server/srv_spoolss_nt.c | 2 |
4 files changed, 46 insertions, 4 deletions
diff --git a/source3/include/proto.h b/source3/include/proto.h index dabfa15257..2c5b7105a1 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -693,7 +693,8 @@ ssize_t drain_socket(int sockfd, size_t count); /* The following definitions come from lib/secdesc.c */ uint32_t get_sec_info(const SEC_DESC *sd); -SEC_DESC_BUF *sec_desc_merge(TALLOC_CTX *ctx, SEC_DESC_BUF *new_sdb, SEC_DESC_BUF *old_sdb); +SEC_DESC *sec_desc_merge(TALLOC_CTX *ctx, SEC_DESC *new_sdb, SEC_DESC *old_sdb); +SEC_DESC_BUF *sec_desc_merge_buf(TALLOC_CTX *ctx, SEC_DESC_BUF *new_sdb, SEC_DESC_BUF *old_sdb); SEC_DESC *make_sec_desc(TALLOC_CTX *ctx, enum security_descriptor_revision revision, uint16 type, diff --git a/source3/lib/secdesc.c b/source3/lib/secdesc.c index d45be00212..f5a0039ec7 100644 --- a/source3/lib/secdesc.c +++ b/source3/lib/secdesc.c @@ -63,7 +63,7 @@ uint32_t get_sec_info(const SEC_DESC *sd) security descriptor new_sec. ********************************************************************/ -SEC_DESC_BUF *sec_desc_merge(TALLOC_CTX *ctx, SEC_DESC_BUF *new_sdb, SEC_DESC_BUF *old_sdb) +SEC_DESC_BUF *sec_desc_merge_buf(TALLOC_CTX *ctx, SEC_DESC_BUF *new_sdb, SEC_DESC_BUF *old_sdb) { DOM_SID *owner_sid, *group_sid; SEC_DESC_BUF *return_sdb; @@ -108,6 +108,47 @@ SEC_DESC_BUF *sec_desc_merge(TALLOC_CTX *ctx, SEC_DESC_BUF *new_sdb, SEC_DESC_BU return(return_sdb); } +SEC_DESC *sec_desc_merge(TALLOC_CTX *ctx, SEC_DESC *new_sdb, SEC_DESC *old_sdb) +{ + DOM_SID *owner_sid, *group_sid; + SEC_ACL *dacl, *sacl; + SEC_DESC *psd = NULL; + uint16 secdesc_type; + size_t secdesc_size; + + /* Copy over owner and group sids. There seems to be no flag for + this so just check the pointer values. */ + + owner_sid = new_sdb->owner_sid ? new_sdb->owner_sid : + old_sdb->owner_sid; + + group_sid = new_sdb->group_sid ? new_sdb->group_sid : + old_sdb->group_sid; + + secdesc_type = new_sdb->type; + + /* Ignore changes to the system ACL. This has the effect of making + changes through the security tab audit button not sticking. + Perhaps in future Samba could implement these settings somehow. */ + + sacl = NULL; + secdesc_type &= ~SEC_DESC_SACL_PRESENT; + + /* Copy across discretionary ACL */ + + if (secdesc_type & SEC_DESC_DACL_PRESENT) { + dacl = new_sdb->dacl; + } else { + dacl = old_sdb->dacl; + } + + /* Create new security descriptor from bits */ + psd = make_sec_desc(ctx, new_sdb->revision, secdesc_type, + owner_sid, group_sid, sacl, dacl, &secdesc_size); + + return psd; +} + /******************************************************************* Creates a SEC_DESC structure ********************************************************************/ diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c index ba667c3251..9ac74d63fd 100644 --- a/source3/printing/nt_printing.c +++ b/source3/printing/nt_printing.c @@ -402,7 +402,7 @@ static int sec_desc_upg_fn( TDB_CONTEXT *the_tdb, TDB_DATA key, return 0; } - if ( !(sd_store = sec_desc_merge( ctx, sd_new, sd_orig )) ) { + if ( !(sd_store = sec_desc_merge_buf( ctx, sd_new, sd_orig )) ) { DEBUG(0,("sec_desc_upg_fn: Failed to update sec_desc for %s\n", key.dptr )); return 0; } diff --git a/source3/rpc_server/srv_spoolss_nt.c b/source3/rpc_server/srv_spoolss_nt.c index db6a6d784a..f96a147a27 100644 --- a/source3/rpc_server/srv_spoolss_nt.c +++ b/source3/rpc_server/srv_spoolss_nt.c @@ -5465,7 +5465,7 @@ static WERROR update_printer_sec(struct policy_handle *handle, } } - new_secdesc_ctr = sec_desc_merge(p->mem_ctx, secdesc_ctr, old_secdesc_ctr); + new_secdesc_ctr = sec_desc_merge_buf(p->mem_ctx, secdesc_ctr, old_secdesc_ctr); if (!new_secdesc_ctr) { result = WERR_NOMEM; goto done; |