From 53b100bb59dadbc7cfb727a4ad1566302ff6c831 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 21 Nov 2012 14:10:43 +0100
Subject: s4:dsdb/acl: calculate the correct access_mask when modifying
 nTSecurityDescriptor

The access_mask depends on the SD Flags.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
---
 source4/dsdb/samdb/ldb_modules/acl.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

(limited to 'source4')

diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index ca99c91d1e..50af3b2ed4 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -1024,8 +1024,21 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
 							 req->op.mod.message->elements[i].name);
 
 		if (ldb_attr_cmp("nTSecurityDescriptor", req->op.mod.message->elements[i].name) == 0) {
+			uint32_t sd_flags = dsdb_request_sd_flags(req, NULL);
+			uint32_t access_mask = 0;
+
+			if (sd_flags & (SECINFO_OWNER|SECINFO_GROUP)) {
+				access_mask |= SEC_STD_WRITE_OWNER;
+			}
+			if (sd_flags & SECINFO_DACL) {
+				access_mask |= SEC_STD_WRITE_DAC;
+			}
+			if (sd_flags & SECINFO_SACL) {
+				access_mask |= SEC_FLAG_SYSTEM_SECURITY;
+			}
+
 			status = sec_access_check_ds(sd, acl_user_token(module),
-					     SEC_STD_WRITE_DAC,
+					     access_mask,
 					     &access_granted,
 					     NULL,
 					     sid);
-- 
cgit