[SCM] Samba Shared Repository - branch master updated
Nadezhda Ivanova
nivanova at samba.org
Tue Jan 18 07:54:01 MST 2011
The branch, master has been updated
via f6077f2 s4-tests: Added a test for correct inheritance of IO flagged ACEs.
via fed9250 s4-security: Fixed incorrect inheritance of IO flagged ACES
from 757cfc2 release-scripts: add build-htmlman-nogit
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit f6077f23b773d521938539fe142cd2675c3978b3
Author: Nadezhda Ivanova <nivanova at samba.org>
Date: Tue Jan 18 15:58:18 2011 +0200
s4-tests: Added a test for correct inheritance of IO flagged ACEs.
Autobuild-User: Nadezhda Ivanova <nivanova at samba.org>
Autobuild-Date: Tue Jan 18 15:53:46 CET 2011 on sn-devel-104
commit fed925079b988502674c48555e27e3ee9d214b4b
Author: Nadezhda Ivanova <nivanova at samba.org>
Date: Tue Jan 18 15:56:19 2011 +0200
s4-security: Fixed incorrect inheritance of IO flagged ACES
They should be inherited without the IO flag unless they contain generic information.
-----------------------------------------------------------------------
Summary of changes:
libcli/security/create_descriptor.c | 5 +++++
source4/dsdb/tests/python/sec_descriptor.py | 18 ++++++++++++++++++
2 files changed, 23 insertions(+), 0 deletions(-)
Changeset truncated at 500 lines:
diff --git a/libcli/security/create_descriptor.c b/libcli/security/create_descriptor.c
index e5fa9b8..643c98d 100644
--- a/libcli/security/create_descriptor.c
+++ b/libcli/security/create_descriptor.c
@@ -157,6 +157,11 @@ static struct security_acl *calculate_inherited_from_parent(TALLOC_CTX *mem_ctx,
tmp_acl->aces[tmp_acl->num_aces] = *ace;
tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERITED_ACE;
+ /* remove IO flag from the child's ace */
+ if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY &&
+ !desc_ace_has_generic(tmp_ctx, ace)) {
+ tmp_acl->aces[tmp_acl->num_aces].flags &= ~SEC_ACE_FLAG_INHERIT_ONLY;
+ }
if (is_container && (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT))
tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERIT_ONLY;
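Review bot: The new comment `/* remove IO flag from the child's ace */` restates the statement but not the rule behind it, and this step affects access: clearing SEC_ACE_FLAG_INHERIT_ONLY makes an ACE that was only a template on the parent take effect on the child. I would write it as `/* An inherit-only ACE takes effect on the child, so drop IO unless desc_ace_has_generic() is true for it */`. The comment should also say that the OBJECT_INHERIT check in the context lines right after may set IO again for containers, so the order of the two statements matters. The condition mixes `&` and `&&` without grouping, unlike the parenthesised test two lines below; `if ((ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) &&` reads unambiguously. calculate_inherited_from_parent starts and ends outside the hunk, so how ACEs with generic rights are handled afterwards is not visible here.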
diff --git a/source4/dsdb/tests/python/sec_descriptor.py b/source4/dsdb/tests/python/sec_descriptor.py
index bab0476..de71dae 100755
--- a/source4/dsdb/tests/python/sec_descriptor.py
+++ b/source4/dsdb/tests/python/sec_descriptor.py
@@ -1637,6 +1637,24 @@ class DaclDescriptorTests(DescriptorTests):
self.assertTrue("(A;ID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
self.assertTrue("(A;CIIOID;GA;;;DU)" in desc_sddl)
+ def test_215(self):
+ """ Make sure IO flag is removed in child objects
+ """
+ ou_dn = "OU=test_inherit_ou_p," + self.base_dn
+ ou_dn1 = "OU=test_inherit_ou1," + ou_dn
+ ou_dn5 = "OU=test_inherit_ou5," + ou_dn1
+ # Create inheritable-free OU
+ mod = "D:P(A;CI;WPRPLCCCDCWDRC;;;DA)"
+ tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
+ self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
+ mod = "D:(A;CIIO;WP;;;DU)"
+ tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
+ self.ldb_admin.create_ou(ou_dn1, sd=tmp_desc)
+ self.ldb_admin.create_ou(ou_dn5)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn5)
+ self.assertTrue("(A;CIID;WP;;;DU)" in desc_sddl)
+ self.assertFalse("(A;CIIOID;WP;;;DU)" in desc_sddl)
+
########################################################################################
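Review bot: test_215 covers only the CI-only case (`D:(A;CIIO;WP;;;DU)` on test_inherit_ou1), so a parent ACE carrying OI together with IO is never exercised. The C change it accompanies sits directly before a check that sets IO again on containers when the ACE has OBJECT_INHERIT, and a regression in how those two steps combine would pass this test. A second case with an OI-flagged ACE, asserting whichever flags the child OU is meant to end up with, would close that gap. The comment `# Create inheritable-free OU` describes only the first create_ou call; a line such as `# OU1 carries an inherit-only ACE that its child OU5 must receive without IO` above the second `mod =` would say what the test actually sets up. DaclDescriptorTests starts outside the hunk, so setup and cleanup of these OUs are not visible here.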
--
Samba Shared Repository