From c3f6cc9993f7fd45cff63c6a5fefde084a6cc173 Mon Sep 17 00:00:00 2001
From: Nadezhda Ivanova
Date: Thu, 10 Feb 2011 12:39:22 +0200
Subject: security: Fixed some handling of ACEs with INHERITED flag provided by the user

Some tests showed that these ACEs are not removed if the DACL_PROTECTED flag is provided at the same time. This is not documented but tests prove it and it has been observerd in deployment.
---
 libcli/security/create_descriptor.c | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

(limited to 'libcli')

diff --git a/libcli/security/create_descriptor.c b/libcli/security/create_descriptor.c
index 643c98d345..9e348a790e 100644
--- a/libcli/security/create_descriptor.c
+++ b/libcli/security/create_descriptor.c
@@ -210,7 +210,8 @@ static struct security_acl *process_user_acl(TALLOC_CTX *mem_ctx,
 bool is_container,
 struct dom_sid *owner,
 struct dom_sid *group,
-struct GUID *object_list)
+struct GUID *object_list,
+bool is_protected)
 {
 uint32_t i;
 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
@@ -232,8 +233,16 @@ static struct security_acl *process_user_acl(TALLOC_CTX *mem_ctx,
 for (i=0; i < acl->num_aces; i++){
 struct security_ace *ace = &acl->aces[i];
-if (ace->flags & SEC_ACE_FLAG_INHERITED_ACE)
-continue;
+/* Remove ID flags from user-provided ACEs * if we break inheritance, ignore them otherwise */
+if (ace->flags & SEC_ACE_FLAG_INHERITED_ACE) {
+if (is_protected) {
+ace->flags &= ~SEC_ACE_FLAG_INHERITED_ACE;
+} else {
+continue;
+}
+}
+
 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY &&
 !(ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT ||
 ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT))
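Review bot: The new `is_protected` parameter is undocumented, and its effect (whether an INHERITED-flagged ACE supplied by the creator is dropped or kept with the flag cleared) is not obvious from the name alone. A comment above the prototype along the lines of `/* is_protected: true when the caller's descriptor breaks inheritance (SEC_DESC_DACL_PROTECTED / SEC_DESC_SACL_PROTECTED); user ACEs carrying SEC_ACE_FLAG_INHERITED_ACE are then kept with that flag cleared instead of being discarded */` would record the behaviour the commit message says was established by testing rather than by documentation. The body of process_user_acl continues outside this hunk.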
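Review bot: `ace->flags &= ~SEC_ACE_FLAG_INHERITED_ACE;` writes through `ace`, which is `&acl->aces[i]`, so in the protected case the flag is cleared on the caller-supplied ACL (the call sites in the third hunk pass `creator_sd->dacl` and `creator_sd->sacl`) rather than only on the ACL being built, and the `cr_descr_log_descriptor(creator_sd, ...)` call right after those call sites would then log the modified flags. If the remainder of the loop copies `*ace` by value into the result ACL, taking a local copy first avoids mutating the input: `struct security_ace ace_copy = acl->aces[i];` followed by `struct security_ace *ace = &ace_copy;`; if the loop stores the pointer instead, the copy would need to live in tmp_ctx. I cannot see the rest of the loop from here, so this is worth confirming before changing. The `for` loop this hunk edits continues past the end of the hunk.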
@@ -358,13 +367,15 @@ static bool compute_acl(struct security_descriptor *parent_sd,
 is_container,
 new_sd->owner_sid,
 new_sd->group_sid,
-object_list);
+object_list,
+creator_sd->type & SEC_DESC_DACL_PROTECTED);
 user_sacl = process_user_acl(new_sd, creator_sd->sacl,
 is_container,
 new_sd->owner_sid,
 new_sd->group_sid,
-object_list);
+object_list,
+creator_sd->type & SEC_DESC_SACL_PROTECTED);
 }
 cr_descr_log_descriptor(parent_sd, __location__"parent_sd", level);
 cr_descr_log_descriptor(creator_sd,__location__ "creator_sd", level);
-- cgit
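Review bot: Passing the masked expression `creator_sd->type & SEC_DESC_DACL_PROTECTED` (and the SACL counterpart) straight into a `bool` parameter relies on the implicit non-zero-to-true conversion, which is well defined but easy to misread as passing a bit value; `(creator_sd->type & SEC_DESC_DACL_PROTECTED) != 0` makes the intent explicit at both call sites. The pairing is correct as written: the DACL call tests the DACL_PROTECTED bit and the SACL call tests the SACL_PROTECTED bit. The enclosing `if` block of compute_acl starts before this hunk, so whether these calls run when creator_sd is NULL is not visible here.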