libcli/security/sddl: write RA octet strings the Windows way

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/libcli/security/sddl_conditional_ace.c b/libcli/security/sddl_conditional_ace.c
index b4b701383d9a221c3a82b770bfd26a49893e4806..cb18c05ec62a77803c70dc1c4ab38ef6b355de5d 100644 (file)
--- a/libcli/security/sddl_conditional_ace.c
+++ b/libcli/security/sddl_conditional_ace.c
@@ -876,6 +876,22 @@ static bool sddl_write_octet_string(struct sddl_write_context *ctx,
        return ok;
 }
 
+/*
+ * For octet strings, the Resource attribute ACE SDDL differs from conditional
+ * ACE SDDL, lacking the leading '#'.
+ */
+static bool sddl_write_ra_octet_string(struct sddl_write_context *ctx,
+                                      const struct ace_condition_token *tok)
+{
+       bool ok;
+       char *hex  = hex_encode_talloc(ctx->mem_ctx,
+                                      tok->data.bytes.data,
+                                      tok->data.bytes.length);
+       ok = sddl_write(ctx, hex);
+       talloc_free(hex);
+       return ok;
+}
+
 
 static bool sddl_write_sid(struct sddl_write_context *ctx,
                           struct ace_condition_token *tok)
@@ -3286,7 +3302,7 @@ static bool write_resource_attr_from_token(struct sddl_write_context *ctx,
                return sddl_write(ctx, sid);
 
        case CONDITIONAL_ACE_TOKEN_OCTET_STRING:
-               return sddl_write_octet_string(ctx, tok);
+               return sddl_write_ra_octet_string(ctx, tok);
 
        case CONDITIONAL_ACE_TOKEN_COMPOSITE:
                /*

diff --git a/selftest/knownfail.d/ra-escapes b/selftest/knownfail.d/ra-escapes
deleted file mode 100644 (file)
index baf0c27..0000000
--- a/selftest/knownfail.d/ra-escapes
+++ /dev/null
@@ -1 +0,0 @@
-samba.unittests.sddl_conditional_ace.test_full_sddl_ra_encode