Only ask for specific permissions required when setting an ACL.
authorJeremy Allison <jra@samba.org>
Fri, 3 Feb 2012 00:28:39 +0000 (16:28 -0800)
committerJeremy Allison <jra@samba.org>
Fri, 3 Feb 2012 02:07:32 +0000 (03:07 +0100)
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Fri Feb  3 03:07:33 CET 2012 on sn-devel-104

source3/utils/smbcacls.c

index de68963750f80b0c92aae023fc029e2eedbc4f1d..714f47b6f9c3814a932706128b7adb83e0807060 100644 (file)
@@ -868,12 +868,21 @@ static bool set_secdesc(struct cli_state *cli, const char *filename,
        uint16_t fnum = (uint16_t)-1;
         bool result=true;
        NTSTATUS status;
+       uint32_t desired_access = 0;
 
-       /* The desired access below is the only one I could find that works
-          with NT4, W2KP and Samba */
+       /* Make the desired_access more specific. */
+       if (sd->dacl) {
+               desired_access |= WRITE_DAC_ACCESS;
+       }
+       if (sd->sacl) {
+               desired_access |= SEC_FLAG_SYSTEM_SECURITY;
+       }
+       if (sd->owner_sid || sd->group_sid) {
+               desired_access |= WRITE_OWNER_ACCESS;
+       }
 
        status = cli_ntcreate(cli, filename, 0,
-                             WRITE_DAC_ACCESS|WRITE_OWNER_ACCESS,
+                             desired_access,
                              0, FILE_SHARE_READ|FILE_SHARE_WRITE,
                              FILE_OPEN, 0x0, 0x0, &fnum);
        if (!NT_STATUS_IS_OK(status)) {
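Review bot: If `sd` carries no DACL, SACL, owner or group, `desired_access` stays 0 and `cli_ntcreate` is called with an empty access mask, and nothing in the hunk rejects that case. Whether a caller can pass such a descriptor is not visible here, so a guard before the open, e.g. `if (desired_access == 0) { return false; }` with a short message, would make the outcome explicit instead of server-dependent. The replacement comment also loses the reason for the mask; I would write `/* Request only the rights needed for the parts of sd being set (least privilege). */` and note there that `SEC_FLAG_SYSTEM_SECURITY` normally requires the security privilege on a Windows server, so SACL updates can now fail at open time. The body of set_secdesc continues outside the hunk, so the later set and close calls were not reviewed.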