Permissions incorrectly ordered on Windows after disabling inheritance

[Richard Sharpe]

On Mon, Aug 27, 2012 at 4:29 PM, Walkes, Dan <dwalkes at tandbergdata.com> wrote:
> Awesome!  Thanks!

Looks like the problem is in lib/secdesc.c:se_create_child_secdesc. It
needs to make an ordering pass over the ACL in the SD to ensure that
the ACEs  are ordered correctly. At least that is the case in the
Samba 3.5.x code, and I don't think there has been much change there
in 3.6.x.

> -----Original Message-----
> From: Richard Sharpe [mailto:realrichardsharpe at gmail.com]
> Sent: Monday, August 27, 2012 5:24 PM
> To: Walkes, Dan
> Subject: Re: Permissions incorrectly ordered on Windows after disabling inheritance
>
> On Mon, Aug 27, 2012 at 4:09 PM, Richard Sharpe <realrichardsharpe at gmail.com> wrote:
>> On Mon, Aug 27, 2012 at 3:48 PM, Walkes, Dan <dwalkes at tandbergdata.com> wrote:
>>> Richard and Andrew, thanks very much for your responses.  I've
>>> responded inline below
>>
>> Thanks for the captures.
>>
>> OK, in looking at Step4UnCheck... we see the Inherited bits added in
>> frame 1840 as you say. Just before that in frame 1833 we see the
>> existing SD queried. Those Creator Owner and Creator Group entries
>> were already there and they are inheritable, but I expect that.
>>
>> Now I will look at the next capture.
>
> OK, I  can see the problem. It is in frame 522 of Step 6. The ACE for the owner, which was added as a result of the Creator Owner entry and the Group Owner Sid, which was created as a result of the Creator Group entry are in the wrong place. I will have to check, but I believe that inherited entries should come last, so the ACL has been incorrectly sorted.
>
> It should be easy to fix in the code. I will look at it over the next day or so.



-- 
Regards,
Richard Sharpe
(何以解憂？唯有杜康。--曹操)