From dd67913a999323188f4d8c877ab761ce9d53883d Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Thu, 24 Jan 2008 17:50:07 -0800
Subject: Correctly set flags in ACE's inherited from parent. Still one bug left to find then I'll back-port to 3.0.28. Jeremy. (This used to be commit 3df2f7ca782e418703d82f7a1f3c035a365f9589)
---
 source3/smbd/posix_acls.c | 38 +++++++++++++++++++++++++++++++++++---
 1 file changed, 35 insertions(+), 3 deletions(-)
(limited to 'source3')
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 12e611f9cb..347064362d 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -3299,9 +3299,11 @@ static NTSTATUS append_parent_acl(files_struct *fsp,
 /* Doesn't apply to a directory - ignore. */
 DEBUG(10,("append_parent_acl: directory %s "
 "ignoring non container "
- "inherit flags %u from parent %s\n",
+ "inherit flags %u on ACE with sid %s "
+ "from parent %s\n",
 fsp->fsp_name,
 (unsigned int)se->flags,
+ sid_string_dbg(&se->trustee),
 parent_name));
 continue;
 }
@@ -3310,9 +3312,11 @@ static NTSTATUS append_parent_acl(files_struct *fsp,
 /* Doesn't apply to a file - ignore. */
 DEBUG(10,("append_parent_acl: file %s "
 "ignoring non object "
- "inherit flags %u from parent %s\n",
+ "inherit flags %u on ACE with sid %s "
+ "from parent %s\n",
 fsp->fsp_name,
 (unsigned int)se->flags,
+ sid_string_dbg(&se->trustee),
 parent_name));
 continue;
 }
@@ -3332,7 +3336,7 @@ static NTSTATUS append_parent_acl(files_struct *fsp,
 if (k < psd->dacl->num_aces) {
 /* SID matched. Ignore. */
 DEBUG(10,("append_parent_acl: path %s "
- "ignoring protected sid %s "
+ "ignoring ACE with protected sid %s "
 "from parent %s\n",
 fsp->fsp_name,
 sid_string_dbg(&se->trustee),
@@ -3346,7 +3350,35 @@ static NTSTATUS append_parent_acl(files_struct *fsp,
 new_ace[i].flags &= ~(SEC_ACE_FLAG_VALID_INHERIT);
 }
 new_ace[i].flags |= SEC_ACE_FLAG_INHERITED_ACE;
+
+ if (fsp->is_directory) {
+ /*
+ * Strip off any inherit only. It's applied.
+ */
+ new_ace[i].flags &= ~(SEC_ACE_FLAG_INHERIT_ONLY);
+ if (se->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) {
+ /* No further inheritance. */
+ new_ace[i].flags &=
+ ~(SEC_ACE_FLAG_CONTAINER_INHERIT|
+ SEC_ACE_FLAG_OBJECT_INHERIT);
+ }
+ } else {
+ /*
+ * Strip off any container or inherit
+ * flags, they can't apply to objects.
+ */
+ new_ace[i].flags &= ~(SEC_ACE_FLAG_CONTAINER_INHERIT|
+ SEC_ACE_FLAG_INHERIT_ONLY|
+ SEC_ACE_FLAG_NO_PROPAGATE_INHERIT);
+ }
 i++;
+
+ DEBUG(10,("append_parent_acl: path %s "
+ "inheriting ACE with sid %s "
+ "from parent %s\n",
+ fsp->fsp_name,
+ sid_string_dbg(&se->trustee),
+ parent_name));
 }
 parent_sd->dacl->aces = new_ace;
-- cgit
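Review bot: In the `else` (file) branch the mask clears SEC_ACE_FLAG_CONTAINER_INHERIT, SEC_ACE_FLAG_INHERIT_ONLY and SEC_ACE_FLAG_NO_PROPAGATE_INHERIT but not SEC_ACE_FLAG_OBJECT_INHERIT, so unless the conditional just above (its opening is outside this hunk) has already run, an ACE inherited onto a file keeps an inherit bit that the comment says cannot apply to objects. Clearing the whole set would match the comment: `new_ace[i].flags &= ~(SEC_ACE_FLAG_VALID_INHERIT);`, assuming that mask covers all four inherit flags, as its use a few lines earlier suggests. The directory branch has a similar gap: when the parent ACE carries SEC_ACE_FLAG_NO_PROPAGATE_INHERIT it drops the container and object inherit bits but leaves the no-propagate bit itself on the child ACE, and clearing it there too would keep stored ACLs consistent for anything that later compares or re-inherits them. append_parent_acl starts and ends outside the hunk, so how these flags are consumed afterwards is not visible here.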