Permissions incorrectly ordered on Windows after disabling inheritance

Jeremy Allison jra at samba.org
Mon Aug 27 21:47:31 MDT 2012


On Mon, Aug 27, 2012 at 08:16:40PM -0700, Jeremy Allison wrote:
> On Mon, Aug 27, 2012 at 08:05:06PM -0700, Richard Sharpe wrote:
> > On Mon, Aug 27, 2012 at 6:49 PM, Jeremy Allison <jra at samba.org> wrote:
> > > On Mon, Aug 27, 2012 at 04:59:34PM -0700, Richard Sharpe wrote:
> > >> On Mon, Aug 27, 2012 at 4:29 PM, Walkes, Dan <dwalkes at tandbergdata.com> wrote:
> > >> > Awesome!  Thanks!
> > >>
> > >> Looks like the problem is in lib/secdesc.c:se_create_child_secdesc. It
> > >> needs to make an ordering pass over the ACL in the SD to ensure that
> > >> the ACEs are ordered correctly. At least that is the case in the
> > >> Samba 3.5.x code, and I don't think there has been much change there
> > >> in 3.6.x.
> > >
> > > Actually, looking more closely at this I think it's a pretty
> > > simple bug in that I just forgot to set the SEC_ACE_FLAG_INHERITED_ACE
> > > on inherited ACEs when I create them :-).
> > >
> > > Should have a patch to test tomorrow (home now..).
> > 
> > Well, I guess that depends on the semantics of Creator Owner with the
> > inherited bit set, doesn't it? Does Windows mark the new ACE created
> > as a result of a Creator Owner ACE that has the inherited bit set as
> > inherited as well?
> 
> Yep (been testing against Win7). Windows marks *all*
> ACEs it creates as part of the inheritance code path
> with the SEC_ACE_FLAG_INHERITED_ACE bit.
> 
> It doesn't matter what the original inherited bit was.

And here's a COMPLETELY UNTESTED :-) patch.

Compiles, but that's all I can say right now..

I'll test when I get into work on my test environment
tomorrow.

Cheers,

	Jeremy.
-------------- next part --------------
diff --git a/source3/lib/secdesc.c b/source3/lib/secdesc.c
index 007e097..8f71b18 100644
--- a/source3/lib/secdesc.c
+++ b/source3/lib/secdesc.c
@@ -625,7 +625,7 @@ NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx,
 
 			/* First add the regular ACE entry. */
 			init_sec_ace(new_ace, ptrustee, ace->type,
-			     	ace->access_mask, 0);
+			     	ace->access_mask, SEC_ACE_FLAG_INHERITED_ACE);
 
 			DEBUG(5,("se_create_child_secdesc(): %s:%d/0x%02x/0x%08x"
 				" inherited as %s:%d/0x%02x/0x%08x\n",
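
Review bot: the DEBUG(5, ...) directly after the changed init_sec_ace() call for the regular ACE is left untouched, and its argument list is outside the visible context. Please confirm it prints the flags actually stored in new_ace rather than a literal 0, otherwise the "inherited as" log line will not show the SEC_ACE_FLAG_INHERITED_ACE bit this call now sets. The changed continuation line also keeps its mixed space-then-tab indentation, which could be normalised while the line is being touched.
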
@@ -648,7 +648,7 @@ NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx,
 		}
 
 		init_sec_ace(new_ace, ptrustee, ace->type,
-			     ace->access_mask, new_flags);
+			     ace->access_mask, new_flags | SEC_ACE_FLAG_INHERITED_ACE);
 
 		DEBUG(5, ("se_create_child_secdesc(): %s:%d/0x%02x/0x%08x "
 			  " inherited as %s:%d/0x%02x/0x%08x\n",
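
Review bot: in the second init_sec_ace() call the bit is OR'd in only at the call site (new_flags | SEC_ACE_FLAG_INHERITED_ACE), so new_flags itself never carries it. If the DEBUG(5, ...) below, or any later code, reads new_flags, it will disagree with what was stored in the ACE. Doing new_flags |= SEC_ACE_FLAG_INHERITED_ACE before the call would keep the variable, the ACE and the log consistent. Given the thread's statement that Windows marks every ACE created on the inheritance path, a regression test asserting the bit on each child ACE from se_create_child_secdesc() would be worth adding alongside this, since the patch is posted as untested.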

