[SCM] Samba Shared Repository - branch master updated

Nadezhda Ivanova nivanova at samba.org
Tue Jan 18 07:54:01 MST 2011


The branch, master has been updated
       via  f6077f2 s4-tests: Added a test for correct inheritance of IO flagged ACEs.
       via  fed9250 s4-security: Fixed incorrect inheritance of IO flagged ACES
      from  757cfc2 release-scripts: add build-htmlman-nogit

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit f6077f23b773d521938539fe142cd2675c3978b3
Author: Nadezhda Ivanova <nivanova at samba.org>
Date:   Tue Jan 18 15:58:18 2011 +0200

    s4-tests: Added a test for correct inheritance of IO flagged ACEs.
    
    Autobuild-User: Nadezhda Ivanova <nivanova at samba.org>
    Autobuild-Date: Tue Jan 18 15:53:46 CET 2011 on sn-devel-104

commit fed925079b988502674c48555e27e3ee9d214b4b
Author: Nadezhda Ivanova <nivanova at samba.org>
Date:   Tue Jan 18 15:56:19 2011 +0200

    s4-security: Fixed incorrect inheritance of IO flagged ACES
    
    They should be inherited without the IO flag unless they contain generic information.

-----------------------------------------------------------------------

Summary of changes:
 libcli/security/create_descriptor.c         |    5 +++++
 source4/dsdb/tests/python/sec_descriptor.py |   18 ++++++++++++++++++
 2 files changed, 23 insertions(+), 0 deletions(-)


Changeset truncated at 500 lines:

diff --git a/libcli/security/create_descriptor.c b/libcli/security/create_descriptor.c
index e5fa9b8..643c98d 100644
--- a/libcli/security/create_descriptor.c
+++ b/libcli/security/create_descriptor.c
@@ -157,6 +157,11 @@ static struct security_acl *calculate_inherited_from_parent(TALLOC_CTX *mem_ctx,
 
 			tmp_acl->aces[tmp_acl->num_aces] = *ace;
 			tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERITED_ACE;
+			/* remove IO flag from the child's ace */
+			if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY &&
+			    !desc_ace_has_generic(tmp_ctx, ace)) {
+				tmp_acl->aces[tmp_acl->num_aces].flags &= ~SEC_ACE_FLAG_INHERIT_ONLY;
+			}
 
 			if (is_container && (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT))
 			    tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERIT_ONLY;
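Review bot: The IO flag cleared by the new block can be set again two lines later, because the unchanged statement `if (is_container && (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT))` re-adds SEC_ACE_FLAG_INHERIT_ONLY without testing SEC_ACE_FLAG_CONTAINER_INHERIT. For a parent ACE carrying CI, OI and IO together, the new code therefore appears to have no lasting effect on a container child. Clearing IO makes the inherited copy grant access on the child itself, so it is worth confirming which outcome is intended for that combination and recording it in the comment, e.g. `/* IO restricts the ACE on the parent only; drop it from the inherited copy unless the ACE still contains generic information. The OI check below may set it again for containers. */`. Writing the mask test as `(ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) &&` would also match the parenthesised style of the following condition. calculate_inherited_from_parent begins and ends outside this hunk, so the enclosing conditions are not visible here.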
diff --git a/source4/dsdb/tests/python/sec_descriptor.py b/source4/dsdb/tests/python/sec_descriptor.py
index bab0476..de71dae 100755
--- a/source4/dsdb/tests/python/sec_descriptor.py
+++ b/source4/dsdb/tests/python/sec_descriptor.py
@@ -1637,6 +1637,24 @@ class DaclDescriptorTests(DescriptorTests):
         self.assertTrue("(A;ID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
         self.assertTrue("(A;CIIOID;GA;;;DU)" in desc_sddl)
 
+    def test_215(self):
+        """ Make sure IO flag is removed in child objects
+        """
+        ou_dn = "OU=test_inherit_ou_p," + self.base_dn
+        ou_dn1 = "OU=test_inherit_ou1," + ou_dn
+        ou_dn5 = "OU=test_inherit_ou5," + ou_dn1
+        # Create inheritable-free OU
+        mod = "D:P(A;CI;WPRPLCCCDCWDRC;;;DA)"
+        tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
+        self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
+        mod = "D:(A;CIIO;WP;;;DU)"
+        tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
+        self.ldb_admin.create_ou(ou_dn1, sd=tmp_desc)
+        self.ldb_admin.create_ou(ou_dn5)
+        desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn5)
+        self.assertTrue("(A;CIID;WP;;;DU)" in desc_sddl)
+        self.assertFalse("(A;CIIOID;WP;;;DU)" in desc_sddl)
+
     ########################################################################################
 
 
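Review bot: test_215 only exercises a `CIIO` ACE inherited by a container child, so it does not cover the flag combinations where the C change interacts with the OBJECT_INHERIT handling. A second case with a parent ACE such as `D:(A;OICIIO;WP;;;DU)`, and one with a non-container child object, would pin down whether IO is expected to survive there. The comment `# Create inheritable-free OU` sits above a descriptor that does carry an inheritable `CI` ACE; something like `# Protected parent OU: blocks ACEs inherited from above` would describe the `D:P` descriptor more accurately, and the second `create_ou` deserves its own comment naming the `CIIO` ACE under test. Removal of the three OUs is not visible in this hunk; presumably the class setUp/tearDown deletes them, which should be confirmed for the new `test_inherit_ou5` name.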


-- 
Samba Shared Repository

