From 8ababf4367eb4faaeeda6cf66191aaf66a3a69da Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Sat, 1 Dec 2012 15:10:38 +0100 Subject: s4:dsdb/descriptor: NULL out user_descriptor elements depending on the sd_flags A client can send a full security_descriptor while just passing sd_flags of SECINFO_DACL. We need to NULL out elements which will be ignored depending on the sd_flags and may set the old owner/group sids. Otherwise the calculation of the DACL/SACL can replace CREATOR_OWNER with the wrong sid. Signed-off-by: Stefan Metzmacher Reviewed-by: Michael Adam --- source4/dsdb/samdb/ldb_modules/descriptor.c | 44 +++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c index 18caa38103..95204b3c5c 100644 --- a/source4/dsdb/samdb/ldb_modules/descriptor.c +++ b/source4/dsdb/samdb/ldb_modules/descriptor.c @@ -323,6 +323,50 @@ static DATA_BLOB *get_new_descriptor(struct ldb_module *module, SEC_DESC_SERVER_SECURITY); } + + if (!(sd_flags & SECINFO_OWNER) && user_descriptor) { + user_descriptor->owner_sid = NULL; + + /* + * We need the correct owner sid + * when calculating the DACL or SACL + */ + if (old_descriptor) { + user_descriptor->owner_sid = old_descriptor->owner_sid; + } + } + if (!(sd_flags & SECINFO_GROUP) && user_descriptor) { + user_descriptor->group_sid = NULL; + + /* + * We need the correct group sid + * when calculating the DACL or SACL + */ + if (old_descriptor) { + user_descriptor->group_sid = old_descriptor->group_sid; + } + } + if (!(sd_flags & SECINFO_DACL) && user_descriptor) { + user_descriptor->dacl = NULL; + + /* + * We add SEC_DESC_DACL_PROTECTED so that + * create_security_descriptor() skips + * the unused inheritance calculation + */ + user_descriptor->type |= SEC_DESC_DACL_PROTECTED; + } + if (!(sd_flags & SECINFO_SACL) && user_descriptor) { + user_descriptor->sacl = NULL; + + /* + * We add SEC_DESC_SACL_PROTECTED so that + * create_security_descriptor() skips + * the unused inheritance calculation + */ + user_descriptor->type |= SEC_DESC_SACL_PROTECTED; + } + default_owner = get_default_ag(mem_ctx, dn, session_info->security_token, ldb); default_group = get_default_group(mem_ctx, ldb, default_owner); -- cgit