TODO breaks tests libcli/security: fix the CREATOR_OWNER order in calculate_inherited...

The inherited object/container specific CREATOR_OWNER ace should be inserted
before the generic CREATOR_OWNER ace.

This also matches the behavior of a Windows (2008R2) DC
for active directory SDs and also matches the logic for filesystem SDs,
see se_create_child_secdesc().

Signed-off-by: Stefan Metzmacher <metze@samba.org>

diff --git a/libcli/security/create_descriptor.c b/libcli/security/create_descriptor.c
index 03c0658485eb1356124a5fffc3d3e0f14ad3b9b4..037dd0a776ae703e84452d6f7b3a619d5582a5a2 100644 (file)
--- a/libcli/security/create_descriptor.c
+++ b/libcli/security/create_descriptor.c
@@ -215,10 +215,10 @@ static struct security_acl *calculate_inherited_from_parent(TALLOC_CTX *mem_ctx,
                                                    return NULL;
                                            }
                                            tmp_acl->aces[tmp_acl->num_aces] = *ace;
-                                           desc_expand_generic(&tmp_acl->aces[tmp_acl->num_aces],
+                                           desc_expand_generic(&tmp_acl->aces[tmp_acl->num_aces-1],
                                                                owner,
                                                                group);
-                                           tmp_acl->aces[tmp_acl->num_aces].flags = SEC_ACE_FLAG_INHERITED_ACE;
+                                           tmp_acl->aces[tmp_acl->num_aces-1].flags = SEC_ACE_FLAG_INHERITED_ACE;
                                            tmp_acl->num_aces++;
                                }
                        }