ntvfs: Fill in sd->type based on the new ACL being added
authorAndrew Bartlett <abartlet@samba.org>
Tue, 13 Nov 2012 05:45:03 +0000 (16:45 +1100)
committerAndrew Bartlett <abartlet@samba.org>
Tue, 13 Nov 2012 21:48:19 +0000 (22:48 +0100)
Previously we would not change the type field, and just relied on what
was in the original ACL based on the default SD.

This is required to ensure that SEC_DESC_DACL_PROTECTED is set,
which in turn is required for GPOs to be set correctly,
matching what Windows does.

Andrew Bartlett

Reviewed by: Jeremy Allison <jra@samba.org>

source4/ntvfs/posix/pvfs_acl.c

index 1519631769dfd28e133465b434c12c6cd93b8461..4e9c1ac6b5a0cbd3c13226f923177915d082df7f 100644 (file)
@@ -330,6 +330,7 @@ NTSTATUS pvfs_acl_set(struct pvfs_state *pvfs,
                }
                sd->owner_sid = new_sd->owner_sid;
        }
+
        if (secinfo_flags & SECINFO_GROUP) {
                if (!(access_mask & SEC_STD_WRITE_OWNER)) {
                        return NT_STATUS_ACCESS_DENIED;
@@ -349,19 +350,39 @@ NTSTATUS pvfs_acl_set(struct pvfs_state *pvfs,
                }
                sd->group_sid = new_sd->group_sid;
        }
+
        if (secinfo_flags & SECINFO_DACL) {
                if (!(access_mask & SEC_STD_WRITE_DAC)) {
                        return NT_STATUS_ACCESS_DENIED;
                }
                sd->dacl = new_sd->dacl;
                pvfs_translate_generic_bits(sd->dacl);
+               sd->type |= SEC_DESC_DACL_PRESENT;
        }
+
        if (secinfo_flags & SECINFO_SACL) {
                if (!(access_mask & SEC_FLAG_SYSTEM_SECURITY)) {
                        return NT_STATUS_ACCESS_DENIED;
                }
                sd->sacl = new_sd->sacl;
                pvfs_translate_generic_bits(sd->sacl);
+               sd->type |= SEC_DESC_SACL_PRESENT;
+       }
+
+       if (secinfo_flags & SECINFO_PROTECTED_DACL) {
+               if (new_sd->type & SEC_DESC_DACL_PROTECTED) {
+                       sd->type |= SEC_DESC_DACL_PROTECTED;
+               } else {
+                       sd->type &= ~SEC_DESC_DACL_PROTECTED;
+               }
+       }
+
+       if (secinfo_flags & SECINFO_PROTECTED_SACL) {
+               if (new_sd->type & SEC_DESC_SACL_PROTECTED) {
+                       sd->type |= SEC_DESC_SACL_PROTECTED;
+               } else {
+                       sd->type &= ~SEC_DESC_SACL_PROTECTED;
+               }
        }
 
        if (new_uid == old_uid) {
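Review bot: The new `SECINFO_PROTECTED_DACL` and `SECINFO_PROTECTED_SACL` branches change `sd->type` without the `access_mask` check that the owner, group, DACL and SACL branches in this hunk all perform. As written, a request that carries only `SECINFO_PROTECTED_DACL` (without `SECINFO_DACL`) appears able to set or clear the inheritance-protection bit without `SEC_STD_WRITE_DAC` having been granted. I would open the DACL branch with `if (!(access_mask & SEC_STD_WRITE_DAC)) return NT_STATUS_ACCESS_DENIED;` and the SACL branch with the same guard on `SEC_FLAG_SYSTEM_SECURITY`. It would also help to add a short comment such as `/* the protected bit is part of the DACL, so require the same right as a DACL write */`. `pvfs_acl_set` begins and ends outside this hunk, so if the caller already enforces these rights before this point, a comment saying so would be enough.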