s4:dsdb/acl_read: specify the correct access_mask for nTSecurityDescriptor
authorStefan Metzmacher <metze@samba.org>
Wed, 21 Nov 2012 13:04:09 +0000 (14:04 +0100)
committerStefan Metzmacher <metze@samba.org>
Sat, 24 Nov 2012 10:32:17 +0000 (11:32 +0100)
We need to base the access mask on the given SD Flags.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
source4/dsdb/samdb/ldb_modules/acl_read.c

index bc75d3221bf02c0945b86a2deabd26e7d3acdd41..60b0d87d9523e299b6f066c3fce6b311c5735ab2 100644 (file)
@@ -44,6 +44,7 @@ struct aclread_context {
        struct ldb_request *req;
        const char * const *attrs;
        const struct dsdb_schema *schema;
+       uint32_t sd_flags;
        bool sd;
        bool instance_type;
        bool object_sid;
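Review bot: The new `sd_flags` member is added without a comment saying what it holds or where it is populated, and the access-mask computation in aclread_callback (outside this hunk) depends on it. A one-line comment on the field would make the coupling visible: `uint32_t sd_flags; /* SECINFO_* bits from the SD flags control; set once in aclread_search() */`. The struct definition starts before this hunk.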
@@ -149,7 +150,17 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
                        }
                        /* nTSecurityDescriptor is a special case */
                        if (is_sd) {
-                               access_mask = SEC_FLAG_SYSTEM_SECURITY|SEC_STD_READ_CONTROL;
+                               access_mask = 0;
+
+                               if (ac->sd_flags & (SECINFO_OWNER|SECINFO_GROUP)) {
+                                       access_mask |= SEC_STD_READ_CONTROL;
+                               }
+                               if (ac->sd_flags & SECINFO_DACL) {
+                                       access_mask |= SEC_STD_READ_CONTROL;
+                               }
+                               if (ac->sd_flags & SECINFO_SACL) {
+                                       access_mask |= SEC_FLAG_SYSTEM_SECURITY;
+                               }
                        } else {
                                access_mask = SEC_ADS_READ_PROP;
                        }
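Review bot: The `SECINFO_OWNER|SECINFO_GROUP` and `SECINFO_DACL` branches both OR in the same `SEC_STD_READ_CONTROL`, so they can be one test, `if (ac->sd_flags & (SECINFO_OWNER|SECINFO_GROUP|SECINFO_DACL)) { access_mask |= SEC_STD_READ_CONTROL; }`, which also makes the SACL case stand out as the only one needing `SEC_FLAG_SYSTEM_SECURITY`. Worth stating in a comment is that the mask is the union of what every requested part needs, so a caller asking for DACL and SACL while holding only READ_CONTROL is presumably denied the whole attribute rather than given the parts it may read — if acl_check_access_on_attribute() requires all bits at once, that is a behaviour the comment should record (`/* union of the rights needed for the requested parts; partial SDs are not returned */`). aclread_callback's body continues on both sides of this hunk.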
@@ -158,6 +169,11 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
                                access_mask |= SEC_ADS_CONTROL_ACCESS;
                        }
 
+                       if (access_mask == 0) {
+                               aclread_mark_inaccesslible(&msg->elements[i]);
+                               continue;
+                       }
+
                        ret = acl_check_access_on_attribute(ac->module,
                                                            tmp_ctx,
                                                            sd,
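Review bot: The new `access_mask == 0` early-out has no comment explaining when it can happen; from the preceding hunk the zero mask can only arise from the nTSecurityDescriptor branch, since the non-SD path always sets `SEC_ADS_READ_PROP`, and the reader has to reconstruct that. Suggested comment above the check: `/* only reachable for nTSecurityDescriptor: none of the requested SECINFO_* parts implied a right, so hide the attribute instead of checking an empty mask */`. It is also worth confirming that `dsdb_request_sd_flags()` never yields 0 for a request carrying no SD flags control, because this path would then hide the SD from every plain reader. The enclosing loop and function continue outside the hunk.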
@@ -332,6 +348,8 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req)
         * expensive so we'd better had the ntsecuritydescriptor to the list of
         * searched attribute and then remove it !
         */
+       ac->sd_flags = dsdb_request_sd_flags(ac->req, NULL);
+
        ac->sd = !(ldb_attr_in_list(req->op.search.attrs, "nTSecurityDescriptor"));
        if (req->op.search.attrs && !ldb_attr_in_list(req->op.search.attrs, "*")) {
                if (!ldb_attr_in_list(req->op.search.attrs, "instanceType")) {
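Review bot: The new `ac->sd_flags = dsdb_request_sd_flags(ac->req, NULL);` is inserted between the existing comment block and the `ac->sd = ...` statement that the comment describes, so the comment now appears to explain the wrong line. Either move the assignment above the comment or give it its own, e.g. `/* which SD parts the caller asked for decides the rights checked in aclread_callback(); no control is assumed to mean all parts (TODO confirm in dsdb_request_sd_flags) */`. Passing `NULL` for the second argument discards whether the control was explicit; that is fine here but a word in the comment would save the next reader a lookup. aclread_search's body continues after this hunk.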