s3:net rpc registry: make getsd succeed when key sd only gives access to SD not key...
author Michael Adam <obnox@samba.org>
Mon, 21 Jun 2010 10:32:14 +0000 (12:32 +0200)
committer Michael Adam <obnox@samba.org>
Wed, 23 Jun 2010 10:40:42 +0000 (12:40 +0200)
You don't need the REG_KEY_READ permissions to access the SD of a key.
And for instance, the key HKLM\security usually has no specific bits
set for builtin\administrators, but the READ_CONTROL_ACCESS.
I.e. builtin\administrators can get the sd but not enumerate the key.

source3/utils/net_rpc_registry.c

index 168a654ac3dd04347eef27f6ff592de2313f9696..87063a18bf4e1c99b11a760648afa242a87b04b2 100644 (file)
@@ -1146,10 +1146,10 @@ static NTSTATUS rpc_registry_getsd_internal(struct net_context *c,
        uint32_t sec_info;
        DATA_BLOB blob;
        struct security_descriptor sec_desc;
-       uint32_t access_mask = REG_KEY_READ |
-                              SEC_FLAG_MAXIMUM_ALLOWED |
+       uint32_t access_mask = SEC_FLAG_MAXIMUM_ALLOWED |
                               SEC_FLAG_SYSTEM_SECURITY;
 
+
        if (argc <1 || argc > 2 || c->display_usage) {
                d_printf("Usage:    net rpc registry getsd <path> <secinfo>\n");
                d_printf("Example:  net rpc registry getsd 'HKLM\\Software\\Samba'\n");
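
Review bot: In the new access_mask initializer, the read-control right that the commit message names as sufficient (READ_CONTROL_ACCESS) is never requested explicitly; the open now depends entirely on SEC_FLAG_MAXIMUM_ALLOWED resolving to it. Consider adding the read-control bit to the mask so the intent is visible in the code and does not hinge on how the server evaluates maximum-allowed. SEC_FLAG_SYSTEM_SECURITY is also still requested unconditionally even though the usage text shows <secinfo> is caller-supplied; requesting it only when the SACL is asked for would keep the open at the least access the call needs. A short comment above the initializer explaining why REG_KEY_READ was dropped (the HKLM\security case from the commit message) would help the next reader. Minor: the added empty line after the initializer leaves two consecutive blank lines before the argc check and can be dropped.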