TODO breaks tests libcli/security: fix the CREATOR_OWNER order in calculate_inherited...

The inherited object/container specific CREATOR_OWNER ace should be inserted
before the generic CREATOR_OWNER ace.

This also matches the behavior of a Windows (2008R2) DC
for active directory SDs and also matches the logic for filesystem SDs,
see se_create_child_secdesc().

Signed-off-by: Stefan Metzmacher <metze@samba.org>

diff --git a/libcli/security/create_descriptor.c b/libcli/security/create_descriptor.c
index 23e7e9ba60b03917259e23eb18937941e6a57fd9..aab8fc5fcb92cdda982c89bf20fca6c16296440c 100644 (file)
--- a/libcli/security/create_descriptor.c
+++ b/libcli/security/create_descriptor.c
@@ -223,10 +223,10 @@ static struct security_acl *calculate_inherited_from_parent(TALLOC_CTX *mem_ctx,
                                            }
                                            tmp_acl->aces[tmp_acl->num_aces] = *ace;
                                            desc_expand_generic(tmp_ctx,
-                                                               &tmp_acl->aces[tmp_acl->num_aces],
+                                                               &tmp_acl->aces[tmp_acl->num_aces-1],
                                                                owner,
                                                                group);
-                                           tmp_acl->aces[tmp_acl->num_aces].flags = SEC_ACE_FLAG_INHERITED_ACE;
+                                           tmp_acl->aces[tmp_acl->num_aces-1].flags = SEC_ACE_FLAG_INHERITED_ACE;
                                            tmp_acl->num_aces++;
                                }
                        }