From fc0508922417e9ef9a4450067d29d15121b52902 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Thu, 24 Jan 2008 18:17:59 -0800
Subject: [PATCH] Back port : Correctly set flags in ACE's inherited from parent. Jeremy.
---
 source/smbd/posix_acls.c | 40 +++++++++++++++++++++++++++++++++++++---
 1 file changed, 37 insertions(+), 3 deletions(-)
diff --git a/source/smbd/posix_acls.c b/source/smbd/posix_acls.c
index ee7b05c3f00..21ad4222a15 100644
--- a/source/smbd/posix_acls.c
+++ b/source/smbd/posix_acls.c
@@ -3202,9 +3202,11 @@ static NTSTATUS append_parent_acl(files_struct *fsp,
 /* Doesn't apply to a directory - ignore. */
 DEBUG(10,("append_parent_acl: directory %s "
 "ignoring non container "
- "inherit flags %u from parent %s\n",
+ "inherit flags %u on ACE with sid %s "
+ "from parent %s\n",
 fsp->fsp_name,
 (unsigned int)se->flags,
+ sid_string_static(&se->trustee),
 parent_name));
 continue;
 }
@@ -3213,9 +3215,11 @@ static NTSTATUS append_parent_acl(files_struct *fsp,
 /* Doesn't apply to a file - ignore. */
 DEBUG(10,("append_parent_acl: file %s "
 "ignoring non object "
- "inherit flags %u from parent %s\n",
+ "inherit flags %u on ACE with sid %s "
+ "from parent %s\n",
 fsp->fsp_name,
 (unsigned int)se->flags,
+ sid_string_static(&se->trustee),
 parent_name));
 continue;
 }
@@ -3235,7 +3239,7 @@ static NTSTATUS append_parent_acl(files_struct *fsp,
 if (k < psd->dacl->num_aces) {
 /* SID matched. Ignore. */
 DEBUG(10,("append_parent_acl: path %s "
- "ignoring protected sid %s "
+ "ignoring ACE with protected sid %s "
 "from parent %s\n",
 fsp->fsp_name,
 sid_string_static(&se->trustee),
@@ -3249,7 +3253,37 @@ static NTSTATUS append_parent_acl(files_struct *fsp,
 new_ace[i].flags &= ~(SEC_ACE_FLAG_VALID_INHERIT);
 }
 new_ace[i].flags |= SEC_ACE_FLAG_INHERITED_ACE;
+
+ if (fsp->is_directory) {
+ /*
+ * Strip off any inherit only. It's applied.
+ */
+ new_ace[i].flags &= ~(SEC_ACE_FLAG_INHERIT_ONLY);
+ if (se->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) {
+ /* No further inheritance. */
+ new_ace[i].flags &=
+ ~(SEC_ACE_FLAG_CONTAINER_INHERIT|
+ SEC_ACE_FLAG_OBJECT_INHERIT);
+ }
+ } else {
+ /*
+ * Strip off any container or inherit
+ * flags, they can't apply to objects.
+ */
+ new_ace[i].flags &= ~(SEC_ACE_FLAG_CONTAINER_INHERIT|
+ SEC_ACE_FLAG_INHERIT_ONLY|
+ SEC_ACE_FLAG_NO_PROPAGATE_INHERIT);
+ }
+
 i++;
+
+ DEBUG(10,("append_parent_acl: path %s "
+ "inheriting ACE with sid %s "
+ "from parent %s\n",
+ fsp->fsp_name,
+ sid_string_static(&se->trustee),
+ parent_name));
+
 }
 parent_sd->dacl->aces = new_ace;
-- 
2.34.1
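Review bot: The `else` (file) branch leaves `SEC_ACE_FLAG_OBJECT_INHERIT` set on the new ACE, since its mask names only CONTAINER_INHERIT, INHERIT_ONLY and NO_PROPAGATE_INHERIT, while the comment above it says inherit flags cannot apply to objects. If a file's ACE is meant to carry no inheritance bits, the mask already used in the context line at the top of the hunk would say so directly: `new_ace[i].flags &= ~(SEC_ACE_FLAG_VALID_INHERIT);`. In the directory branch INHERIT_ONLY is cleared unconditionally, which appears to rely on the earlier "ignoring non container inherit flags" skip; I would add a comment such as `/* Only container-inherit ACEs reach here, so the ACE applies to this directory. */` so that a later change to that filter does not turn an object-inherit-only ACE into one that is effective on the subdirectory itself. That branch also keeps NO_PROPAGATE_INHERIT after removing both inherit bits. The loop body starts outside this hunk, so the condition guarding the earlier VALID_INHERIT strip is not visible here.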