From 3e2584a86cc610c000f70105f39e7f3fa881aded Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Tue, 13 Nov 2012 16:45:03 +1100
Subject: [PATCH] ntvfs: Fill in sd->type based on the new ACL being added Previously we would not change the type field, and just relied on what was in the original ACL based on the default SD. This is required to ensure the SEC_DESC_DACL_PROTECTED is set which is in turn required for GPOs to be set correctly to match what windows does. Andrew Bartlett Reviewed by: Jeremy Allison
---
 source4/ntvfs/posix/pvfs_acl.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/source4/ntvfs/posix/pvfs_acl.c b/source4/ntvfs/posix/pvfs_acl.c
index 1519631769df..4e9c1ac6b5a0 100644
--- a/source4/ntvfs/posix/pvfs_acl.c
+++ b/source4/ntvfs/posix/pvfs_acl.c
@@ -330,6 +330,7 @@ NTSTATUS pvfs_acl_set(struct pvfs_state *pvfs,
 }
 sd->owner_sid = new_sd->owner_sid;
 }
+
 if (secinfo_flags & SECINFO_GROUP) {
 if (!(access_mask & SEC_STD_WRITE_OWNER)) {
 return NT_STATUS_ACCESS_DENIED;
@@ -349,19 +350,39 @@ NTSTATUS pvfs_acl_set(struct pvfs_state *pvfs,
 }
 sd->group_sid = new_sd->group_sid;
 }
+
 if (secinfo_flags & SECINFO_DACL) {
 if (!(access_mask & SEC_STD_WRITE_DAC)) {
 return NT_STATUS_ACCESS_DENIED;
 }
 sd->dacl = new_sd->dacl;
 pvfs_translate_generic_bits(sd->dacl);
+ sd->type |= SEC_DESC_DACL_PRESENT;
 }
+
 if (secinfo_flags & SECINFO_SACL) {
 if (!(access_mask & SEC_FLAG_SYSTEM_SECURITY)) {
 return NT_STATUS_ACCESS_DENIED;
 }
 sd->sacl = new_sd->sacl;
 pvfs_translate_generic_bits(sd->sacl);
+ sd->type |= SEC_DESC_SACL_PRESENT;
+ }
+
+ if (secinfo_flags & SECINFO_PROTECTED_DACL) {
+ if (new_sd->type & SEC_DESC_DACL_PROTECTED) {
+ sd->type |= SEC_DESC_DACL_PROTECTED;
+ } else {
+ sd->type &= ~SEC_DESC_DACL_PROTECTED;
+ }
+ }
+
+ if (secinfo_flags & SECINFO_PROTECTED_SACL) {
+ if (new_sd->type & SEC_DESC_SACL_PROTECTED) {
+ sd->type |= SEC_DESC_SACL_PROTECTED;
+ } else {
+ sd->type &= ~SEC_DESC_SACL_PROTECTED;
+ }
 }

 if (new_uid == old_uid) {
--
2.34.1
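Review bot: In the second hunk, the new `SECINFO_PROTECTED_DACL` and `SECINFO_PROTECTED_SACL` blocks modify `sd->type` without the access test that guards the branches beside them. The `SECINFO_DACL` branch returns `NT_STATUS_ACCESS_DENIED` unless `access_mask` carries `SEC_STD_WRITE_DAC`, and the `SECINFO_SACL` branch requires `SEC_FLAG_SYSTEM_SECURITY`, but a request that sets only a protected flag reaches the toggle with neither check in the visible code. Because the protected bit controls whether inherited ACEs apply, I would start the DACL block with `if (!(access_mask & SEC_STD_WRITE_DAC)) { return NT_STATUS_ACCESS_DENIED; }` and the SACL block with the `SEC_FLAG_SYSTEM_SECURITY` equivalent, unless the caller is known to enforce this already. Separately, `sd->type |= SEC_DESC_DACL_PRESENT;` runs even if `new_sd->dacl` is NULL, which would record a present-but-NULL DACL; if that is intended, a comment should say so, otherwise mirror the bit from `new_sd->type`. `pvfs_acl_set` begins and ends outside the hunk, so an earlier check may exist that is not visible here.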