fdescr.owner_sid = ref.owner_sid
fdescr.group_sid = ref.group_sid
fdescr.type = ref.type
- fdescr.type |= security.SEC_DESC_DACL_AUTO_INHERITED
fdescr.revision = ref.revision
aces = ref.dacl.aces
for i in range(0, len(aces)):
ace = aces[i]
- if ace.type == security.SEC_ACE_TYPE_ACCESS_ALLOWED:
- pass
- elif ace.type == security.SEC_ACE_TYPE_ACCESS_DENIED:
- pass
- else:
- continue
-
- if str(ace.trustee) == security.SID_BUILTIN_PREW2K:
- continue
-
- ace.flags |= security.SEC_ACE_FLAG_CONTAINER_INHERIT
- ace.flags |= security.SEC_ACE_FLAG_OBJECT_INHERIT
-
- ace.access_mask = ldapmask2filemask(ace.access_mask)
-
- fdescr.dacl_add(ace)
+ if not ace.type & security.SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT and str(ace.trustee) != security.SID_BUILTIN_PREW2K:
+ # if fdescr.type & security.SEC_DESC_DACL_AUTO_INHERITED:
+ ace.flags = ace.flags | security.SEC_ACE_FLAG_OBJECT_INHERIT | security.SEC_ACE_FLAG_CONTAINER_INHERIT
+ if str(ace.trustee) == security.SID_CREATOR_OWNER:
+ # For Creator/Owner the IO flag is set as this ACE has only a sense for child objects
+ ace.flags = ace.flags | security.SEC_ACE_FLAG_INHERIT_ONLY
+ ace.access_mask = ldapmask2filemask(ace.access_mask)
+ fdescr.dacl_add(ace)
if not as_sddl:
return fdescr
return fdescr.as_sddl(sid)
-
-def fsacl_child_sd(parent_sddl, domain_sid, owner_sid, group_sid, container=True, as_sddl=True):
- """
-
- This function takes an the SDDL representation of a filesystem
- ACL and return the SDDL representation of this ACL adapted
- for child files/directories. It's used for Policy object provision
- """
- parent_sd = security.descriptor.from_sddl(parent_sddl, domain_sid)
- fdescr = security.descriptor()
- fdescr.owner_sid = owner_sid
- fdescr.group_sid = group_sid
- fdescr.type = parent_sd.type
- fdescr.type |= security.SEC_DESC_DACL_AUTO_INHERITED
- fdescr.revision = parent_sd.revision
- aces = parent_sd.dacl.aces
- for i in range(0, len(aces)):
- ace = aces[i]
- ace2 = None
-
- if ace.type == security.SEC_ACE_TYPE_ACCESS_ALLOWED:
- pass
- elif ace.type == security.SEC_ACE_TYPE_ACCESS_DENIED:
- pass
- else:
- continue
-
- inherit_ace = False
- if not container:
- if ace.flags & security.SEC_ACE_FLAG_OBJECT_INHERIT:
- inherit_ace = True
- else:
- if ace.flags & security.SEC_ACE_FLAG_CONTAINER_INHERIT:
- inherit_ace = True
- if ((ace.flags & security.SEC_ACE_FLAG_OBJECT_INHERIT) and \
- not (ace.flags & security.SEC_ACE_FLAG_NO_PROPAGATE_INHERIT)):
- inherit_ace = True
-
- if not inherit_ace:
- continue
-
- if not container:
- ace.flags = 0;
- else:
- ace.flags &= ~security.SEC_ACE_FLAG_INHERIT_ONLY
- if not (ace.flags & security.SEC_ACE_FLAG_CONTAINER_INHERIT):
- ace.flags |= security.SEC_ACE_FLAG_INHERIT_ONLY
- ace.flags &= ~security.SEC_ACE_FLAG_INHERIT_ONLY
- if ace.flags & security.SEC_ACE_FLAG_NO_PROPAGATE_INHERIT:
- ace.flags = 0;
-
- ace.flags |= security.SEC_ACE_FLAG_INHERITED_ACE
-
- if str(ace.trustee) == security.SID_CREATOR_OWNER:
- ace2 = ace
-
- ace = security.ace()
- ace.type = ace.type
- ace.flags = ace.flags
- ace.access_mask = ace.access_mask
- ace.trustee = owner_sid
-
- ace2.flags |= security.SEC_ACE_FLAG_INHERIT_ONLY
-
- if str(ace.trustee) == security.SID_CREATOR_GROUP:
- ace2 = ace
-
- ace = security.ace()
- ace.type = ace.type
- ace.flags = ace.flags
- ace.access_mask = ace.access_mask
- ace.trustee = group_sid
-
- ace2.flags |= security.SEC_ACE_FLAG_INHERIT_ONLY
-
- fdescr.dacl_add(ace)
- if container and ace2 is not None:
- fdescr.dacl_add(ace2)
-
- if not as_sddl:
- return fdescr
-
- return fdescr.as_sddl(domain_sid)