summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source3/include/proto.h3
-rw-r--r--source3/lib/secdesc.c43
-rw-r--r--source3/printing/nt_printing.c2
-rw-r--r--source3/rpc_server/srv_spoolss_nt.c2
4 files changed, 46 insertions, 4 deletions
diff --git a/source3/include/proto.h b/source3/include/proto.h
index dabfa15257..2c5b7105a1 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -693,7 +693,8 @@ ssize_t drain_socket(int sockfd, size_t count);
/* The following definitions come from lib/secdesc.c */
uint32_t get_sec_info(const SEC_DESC *sd);
-SEC_DESC_BUF *sec_desc_merge(TALLOC_CTX *ctx, SEC_DESC_BUF *new_sdb, SEC_DESC_BUF *old_sdb);
+SEC_DESC *sec_desc_merge(TALLOC_CTX *ctx, SEC_DESC *new_sdb, SEC_DESC *old_sdb);
+SEC_DESC_BUF *sec_desc_merge_buf(TALLOC_CTX *ctx, SEC_DESC_BUF *new_sdb, SEC_DESC_BUF *old_sdb);
SEC_DESC *make_sec_desc(TALLOC_CTX *ctx,
enum security_descriptor_revision revision,
uint16 type,
diff --git a/source3/lib/secdesc.c b/source3/lib/secdesc.c
index d45be00212..f5a0039ec7 100644
--- a/source3/lib/secdesc.c
+++ b/source3/lib/secdesc.c
@@ -63,7 +63,7 @@ uint32_t get_sec_info(const SEC_DESC *sd)
security descriptor new_sec.
********************************************************************/
-SEC_DESC_BUF *sec_desc_merge(TALLOC_CTX *ctx, SEC_DESC_BUF *new_sdb, SEC_DESC_BUF *old_sdb)
+SEC_DESC_BUF *sec_desc_merge_buf(TALLOC_CTX *ctx, SEC_DESC_BUF *new_sdb, SEC_DESC_BUF *old_sdb)
{
DOM_SID *owner_sid, *group_sid;
SEC_DESC_BUF *return_sdb;
@@ -108,6 +108,47 @@ SEC_DESC_BUF *sec_desc_merge(TALLOC_CTX *ctx, SEC_DESC_BUF *new_sdb, SEC_DESC_BU
return(return_sdb);
}
+SEC_DESC *sec_desc_merge(TALLOC_CTX *ctx, SEC_DESC *new_sdb, SEC_DESC *old_sdb)
+{
+ DOM_SID *owner_sid, *group_sid;
+ SEC_ACL *dacl, *sacl;
+ SEC_DESC *psd = NULL;
+ uint16 secdesc_type;
+ size_t secdesc_size;
+
+ /* Copy over owner and group sids. There seems to be no flag for
+ this so just check the pointer values. */
+
+ owner_sid = new_sdb->owner_sid ? new_sdb->owner_sid :
+ old_sdb->owner_sid;
+
+ group_sid = new_sdb->group_sid ? new_sdb->group_sid :
+ old_sdb->group_sid;
+
+ secdesc_type = new_sdb->type;
+
+ /* Ignore changes to the system ACL. This has the effect of making
+ changes through the security tab audit button not sticking.
+ Perhaps in future Samba could implement these settings somehow. */
+
+ sacl = NULL;
+ secdesc_type &= ~SEC_DESC_SACL_PRESENT;
+
+ /* Copy across discretionary ACL */
+
+ if (secdesc_type & SEC_DESC_DACL_PRESENT) {
+ dacl = new_sdb->dacl;
+ } else {
+ dacl = old_sdb->dacl;
+ }
+
+ /* Create new security descriptor from bits */
+ psd = make_sec_desc(ctx, new_sdb->revision, secdesc_type,
+ owner_sid, group_sid, sacl, dacl, &secdesc_size);
+
+ return psd;
+}
+
/*******************************************************************
Creates a SEC_DESC structure
********************************************************************/
diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c
index ba667c3251..9ac74d63fd 100644
--- a/source3/printing/nt_printing.c
+++ b/source3/printing/nt_printing.c
@@ -402,7 +402,7 @@ static int sec_desc_upg_fn( TDB_CONTEXT *the_tdb, TDB_DATA key,
return 0;
}
- if ( !(sd_store = sec_desc_merge( ctx, sd_new, sd_orig )) ) {
+ if ( !(sd_store = sec_desc_merge_buf( ctx, sd_new, sd_orig )) ) {
DEBUG(0,("sec_desc_upg_fn: Failed to update sec_desc for %s\n", key.dptr ));
return 0;
}
diff --git a/source3/rpc_server/srv_spoolss_nt.c b/source3/rpc_server/srv_spoolss_nt.c
index db6a6d784a..f96a147a27 100644
--- a/source3/rpc_server/srv_spoolss_nt.c
+++ b/source3/rpc_server/srv_spoolss_nt.c
@@ -5465,7 +5465,7 @@ static WERROR update_printer_sec(struct policy_handle *handle,
}
}
- new_secdesc_ctr = sec_desc_merge(p->mem_ctx, secdesc_ctr, old_secdesc_ctr);
+ new_secdesc_ctr = sec_desc_merge_buf(p->mem_ctx, secdesc_ctr, old_secdesc_ctr);
if (!new_secdesc_ctr) {
result = WERR_NOMEM;
goto done;