From 813bf8b4f463199b7c2d3cddab7056b8a68a0b70 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Sat, 8 Nov 2008 22:57:57 -0800
Subject: Fix a subtle logic bug in the adaption of se_create_child_secdesc(),
 pass RAW-ACL inheritance tests. Only access masks for SD get/set left to fix.
 Jeremy.

---
 source3/lib/secdesc.c           |  3 +++
 source3/modules/vfs_acl_xattr.c | 21 ++++++++++++++++++++-
 source4/torture/raw/acls.c      | 23 ++++++++++++++++++-----
 3 files changed, 41 insertions(+), 6 deletions(-)

diff --git a/source3/lib/secdesc.c b/source3/lib/secdesc.c
index de547d815f..df85336603 100644
--- a/source3/lib/secdesc.c
+++ b/source3/lib/secdesc.c
@@ -546,6 +546,9 @@ NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx,
 
 			ptrustee = creator;
 			new_flags |= SEC_ACE_FLAG_INHERIT_ONLY;
+		} else if (container &&
+				!(ace->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT)) {
+			ptrustee = &ace->trustee;
 		}
 
 		init_sec_ace(new_ace, ptrustee, ace->type,
diff --git a/source3/modules/vfs_acl_xattr.c b/source3/modules/vfs_acl_xattr.c
index 209209d287..a5d93950f6 100644
--- a/source3/modules/vfs_acl_xattr.c
+++ b/source3/modules/vfs_acl_xattr.c
@@ -363,10 +363,18 @@ static NTSTATUS inherit_new_acl(vfs_handle_struct *handle,
 	status = get_nt_acl_xattr_internal(handle,
 					NULL,
 					parent_name,
-					DACL_SECURITY_INFORMATION,
+					(OWNER_SECURITY_INFORMATION |
+					 GROUP_SECURITY_INFORMATION |
+					 DACL_SECURITY_INFORMATION),
 					&parent_desc);
         if (NT_STATUS_IS_OK(status)) {
 		/* Create an inherited descriptor from the parent. */
+
+		if (DEBUGLEVEL >= 10) {
+			DEBUG(10,("inherit_new_acl: parent acl is:\n"));
+			NDR_PRINT_DEBUG(security_descriptor, parent_desc);
+		}
+
 		status = se_create_child_secdesc(ctx,
 				&psd,
 				&size,
@@ -377,6 +385,12 @@ static NTSTATUS inherit_new_acl(vfs_handle_struct *handle,
 		if (!NT_STATUS_IS_OK(status)) {
 			return status;
 		}
+
+		if (DEBUGLEVEL >= 10) {
+			DEBUG(10,("inherit_new_acl: child acl is:\n"));
+			NDR_PRINT_DEBUG(security_descriptor, psd);
+		}
+
 	} else {
 		DEBUG(10,("inherit_new_acl: directory %s failed "
 			"to get acl %s\n",
@@ -401,6 +415,11 @@ static NTSTATUS inherit_new_acl(vfs_handle_struct *handle,
 		if (!psd) {
 			return NT_STATUS_NO_MEMORY;
 		}
+
+		if (DEBUGLEVEL >= 10) {
+			DEBUG(10,("inherit_new_acl: default acl is:\n"));
+			NDR_PRINT_DEBUG(security_descriptor, psd);
+		}
 	}
 
 	status = create_acl_blob(psd, &blob);
diff --git a/source4/torture/raw/acls.c b/source4/torture/raw/acls.c
index d76454d1ff..f6c690bb56 100644
--- a/source4/torture/raw/acls.c
+++ b/source4/torture/raw/acls.c
@@ -1457,7 +1457,9 @@ static bool test_inheritance(struct torture_context *tctx,
 		    (!(test_flags[i].parent_flags & SEC_ACE_FLAG_OBJECT_INHERIT) ||
 		     (test_flags[i].parent_flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT))) {
 			if (!security_descriptor_equal(q.query_secdesc.out.sd, sd_def)) {
-				printf("Expected default sd for dir at %d - got:\n", i);
+				printf("Expected default sd for dir at %d:\n", i);
+				NDR_PRINT_DEBUG(security_descriptor, sd_def);
+				printf("got:\n");
 				NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
 			}
 			continue;
@@ -1471,7 +1473,7 @@ static bool test_inheritance(struct torture_context *tctx,
 			    !dom_sid_equal(&q.query_secdesc.out.sd->dacl->aces[0].trustee,
 					   sd_orig->owner_sid) ||
 			    q.query_secdesc.out.sd->dacl->aces[0].flags != test_flags[i].dir_flags) {
-				printf("Bad sd in child dir at %d (parent 0x%x)\n", 
+				printf("(CI & NP) Bad sd in child dir at %d (parent 0x%x)\n", 
 				       i, test_flags[i].parent_flags);
 				NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
 				ret = false;
@@ -1489,7 +1491,7 @@ static bool test_inheritance(struct torture_context *tctx,
 			    q.query_secdesc.out.sd->dacl->aces[0].flags != 0 ||
 			    q.query_secdesc.out.sd->dacl->aces[1].flags != 
 			    (test_flags[i].dir_flags | SEC_ACE_FLAG_INHERIT_ONLY)) {
-				printf("Bad sd in child dir at %d (parent 0x%x)\n", 
+				printf("(CI) Bad sd in child dir at %d (parent 0x%x)\n", 
 				       i, test_flags[i].parent_flags);
 				NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
 				ret = false;
@@ -1502,8 +1504,19 @@ static bool test_inheritance(struct torture_context *tctx,
 			    !dom_sid_equal(&q.query_secdesc.out.sd->dacl->aces[0].trustee,
 					   creator_owner) ||
 			    q.query_secdesc.out.sd->dacl->aces[0].flags != test_flags[i].dir_flags) {
-				printf("Bad sd in child dir at %d (parent 0x%x)\n", 
-				       i, test_flags[i].parent_flags);
+				printf("FAIL. t1 = %d, t2 = %d, t3 = %d, t4 = %d, t5 = %d\n",
+					q.query_secdesc.out.sd->dacl == NULL,
+					q.query_secdesc.out.sd->dacl->num_aces != 1,
+					q.query_secdesc.out.sd->dacl->aces[0].access_mask != SEC_FILE_WRITE_DATA,
+					!dom_sid_equal(&q.query_secdesc.out.sd->dacl->aces[0].trustee,
+						creator_owner),
+					q.query_secdesc.out.sd->dacl->aces[0].flags != test_flags[i].dir_flags);
+
+				printf("(0) Bad sd in child dir at %d (parent 0x%x) flags = 0x%x dir_flags=0x%x\n", 
+					i,
+					test_flags[i].parent_flags,
+					q.query_secdesc.out.sd->dacl->aces[0].flags,
+					test_flags[i].dir_flags);
 				NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
 				ret = false;
 				continue;
-- 
cgit