Better empty DACL approach

Matt Zinkevicius mattzink at
Tue Jun 26 11:01:03 GMT 2001

> > This is not the correct way to handle this. You don't have to waste
> > you should just check that the security descriptor's type contains the
> Well it isn't really wasted as it's only one byte, and the talloc
> pool is destroyed immediately after the access check takes place.

Hah. You're right about 1 byte. I thought it said talloc(sizeof(SEC_ACE) *
(ace_cnt+1)) which wastes several bytes.

> OK this looks like a better way to do it.  There may be some
> checks in some other code that check the value of the dacl
> pointer instead of checking for the DACL_PRESENT bit.

Yeah there is :-) I had to fix all those places as well.

Also somewhat related: Don't forget that the SEC_DESC->dacl pointer itself
should be NULL if DACL_PRESENT isn't present. Exceptions being the weird
interactions with the DACL_DEFAULTED bit (for details see:
/winbase/acctrlow_0fxo.asp?frame=true )


More information about the samba-technical mailing list