Windows does canonicalization of inheritance bits. Do the same.

author Jeremy Allison <jra@samba.org>

Wed, 29 Aug 2012 20:40:29 +0000 (13:40 -0700)

committer Karolin Seeger <kseeger@samba.org>

Fri, 31 Aug 2012 06:46:18 +0000 (08:46 +0200)
author Jeremy Allison <jra@samba.org>
Wed, 29 Aug 2012 20:40:29 +0000 (13:40 -0700)
committer Karolin Seeger <kseeger@samba.org>
Fri, 31 Aug 2012 06:46:18 +0000 (08:46 +0200)
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c

index f66285d4a1cc2e1d10c2f837928668d30f9ceb6e..ea9d417e7438b355eca627dc12305b4708c43754 100644 (file)
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -826,6 +826,39 @@ static void do_nt_transact_create_pipe(connection_struct *conn,
         return;
  }
  
+/*********************************************************************
+ Windows seems to do canonicalization of inheritance bits. Do the
+ same.
+*********************************************************************/
+
+static void canonicalize_inheritance_bits(struct security_descriptor *psd)
+{
+       bool set_auto_inherited = false;
+
+       /*
+        * We need to filter out the
+        * SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ
+        * bits. If both are set we store SEC_DESC_DACL_AUTO_INHERITED
+        * as this alters whether SEC_ACE_FLAG_INHERITED_ACE is set
+        * when an ACE is inherited. Otherwise we zero these bits out.
+        * See:
+        *
+        * http://social.msdn.microsoft.com/Forums/eu/os_fileservices/thread/11f77b68-731e-407d-b1b3-064750716531
+        *
+        * for details.
+        */
+
+       if ((psd->type & (SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ))
+                       == (SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ)) {
+               set_auto_inherited = true;
+       }
+
+       psd->type &= ~(SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ);
+       if (set_auto_inherited) {
+               psd->type |= SEC_DESC_DACL_AUTO_INHERITED;
+       }
+}
+
  /****************************************************************************
   Internal fn to set security descriptors.
  ****************************************************************************/
@@ -894,6 +927,8 @@ NTSTATUS set_sd(files_struct *fsp, struct security_descriptor *psd,
                 }
         }
  
+       canonicalize_inheritance_bits(psd);
+
         if (DEBUGLEVEL >= 10) {
                 DEBUG(10,("set_sd for file %s\n", fsp_str_dbg(fsp)));
                 NDR_PRINT_DEBUG(security_descriptor, psd);
author	Jeremy Allison <jra@samba.org>
	Wed, 29 Aug 2012 20:40:29 +0000 (13:40 -0700)
committer	Karolin Seeger <kseeger@samba.org>
	Fri, 31 Aug 2012 06:46:18 +0000 (08:46 +0200)