diff options
Diffstat (limited to 'libcli/security')
| -rw-r--r-- | libcli/security/secdesc.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/libcli/security/secdesc.c b/libcli/security/secdesc.c index a7e99005eb..8570334f36 100644 --- a/libcli/security/secdesc.c +++ b/libcli/security/secdesc.c @@ -614,6 +614,15 @@ NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx, if (!container) { new_flags = 0; } else { + /* + * We need to remove SEC_ACE_FLAG_INHERITED_ACE here + * if present because it should only be set if the + * parent has the AUTO_INHERITED bit set in the + * type/control field. If we don't it will slip through + * and create DACLs with incorrectly ordered ACEs + * when there are CREATOR_OWNER or CREATOR_GROUP + * ACEs. + */ new_flags &= ~(SEC_ACE_FLAG_INHERIT_ONLY | SEC_ACE_FLAG_INHERITED_ACE); |