From 3d34406c7bd70576b1705e98b4b3901ac75537c9 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Wed, 29 Aug 2012 13:40:29 -0700
Subject: Windows does canonicalization of inheritance bits. Do the same. We need to filter out the SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ bits. If both are set we store SEC_DESC_DACL_AUTO_INHERITED as this alters whether SEC_ACE_FLAG_INHERITED_ACE is set when an ACE is inherited. Otherwise we zero these bits out. See: http://social.msdn.microsoft.com/Forums/eu/os_fileservices/thread/11f77b68-731e-407d-b1b3-064750716531 for details.
---
 source3/smbd/nttrans.c | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
(limited to 'source3')
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 1e28482fc9..997f72161a 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -830,6 +830,39 @@ static void do_nt_transact_create_pipe(connection_struct *conn,
 return;
 }
 
+/*********************************************************************
+ Windows seems to do canonicalization of inheritance bits. Do the
+ same.
+*********************************************************************/
+
+static void canonicalize_inheritance_bits(struct security_descriptor *psd)
+{
+ bool set_auto_inherited = false;
+
+ /*
+ * We need to filter out the
+ * SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ
+ * bits. If both are set we store SEC_DESC_DACL_AUTO_INHERITED
+ * as this alters whether SEC_ACE_FLAG_INHERITED_ACE is set
+ * when an ACE is inherited. Otherwise we zero these bits out.
+ * See:
+ *
+ * http://social.msdn.microsoft.com/Forums/eu/os_fileservices/thread/11f77b68-731e-407d-b1b3-064750716531
+ *
+ * for details.
+ */
+
+ if ((psd->type & (SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ))
+ == (SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ)) {
+ set_auto_inherited = true;
+ }
+
+ psd->type &= ~(SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ);
+ if (set_auto_inherited) {
+ psd->type |= SEC_DESC_DACL_AUTO_INHERITED;
+ }
+}
+
 /****************************************************************************
 Internal fn to set security descriptors.
 ****************************************************************************/
@@ -898,6 +931,8 @@ NTSTATUS set_sd(files_struct *fsp, struct security_descriptor *psd,
 }
 }
 
+ canonicalize_inheritance_bits(psd);
+
 if (DEBUGLEVEL >= 10) {
 DEBUG(10,("set_sd for file %s\n", fsp_str_dbg(fsp)));
 NDR_PRINT_DEBUG(security_descriptor, psd);
-- cgit
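Review bot: canonicalize_inheritance_bits() filters only the DACL pair of client-supplied control bits; the SACL counterparts SEC_DESC_SACL_AUTO_INHERITED and SEC_DESC_SACL_AUTO_INHERIT_REQ pass through `psd->type` untouched, and the block comment does not say whether that is intended. If Windows leaves those alone (the page does not show this), a comment line such as `* The SACL auto-inherit bits are deliberately left as sent.` would stop a later reader from treating it as an oversight. Separately, the mask `SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ` is spelled out three times; a single local constant used for both the test and the clear would keep them from drifting apart.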
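Review bot: The call sits before the level-10 dump, so `NDR_PRINT_DEBUG(security_descriptor, psd)` only ever shows the rewritten descriptor, and the control bits the client actually sent are lost to anyone reading the log. Logging the original value first, e.g. `DEBUG(10,("set_sd: sd type 0x%x before canonicalization\n", (unsigned int)psd->type));` ahead of `canonicalize_inheritance_bits(psd);`, keeps that evidence. The call is also unconditional as far as the hunk shows, and it modifies the caller's descriptor in place. set_sd() starts and ends outside the hunk, so whether the call should be limited to requests that carry a DACL cannot be judged from here.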