I believe I have found the reason for "The permissions on blah are incorrectly ordered ..."

Andreas Schneider asn at samba.org
Tue Apr 2 03:23:12 MDT 2013


On Wednesday 27 March 2013 14:50:15 Jeremy Allison wrote:
> On Wed, Mar 27, 2013 at 02:35:42PM -0700, Richard Sharpe wrote:
> > This appears to be the fix:
> > 
> > --- samba-3.6.12/source3/lib/secdesc.c.orig       2013-01-29
> > 00:49:31.000000000 -0800
> > +++ samba-3.6.12/source3/lib/secdesc.c  2013-03-27 21:25:35.978421867
> > -0700
> > @@ -592,7 +592,7 @@ NTSTATUS se_create_child_secdesc(TALLOC_
> > 
> >                 struct security_ace *new_ace =
> >                 &new_ace_list[new_ace_list_ndx];
> >                 const struct dom_sid *ptrustee = &ace->trustee;
> >                 const struct dom_sid *creator = NULL;
> > 
> > -               uint8 new_flags = ace->flags;
> > +               uint8 new_flags = ace->flags &
> > ~SEC_ACE_FLAG_INHERITED_ACE;
> > 
> >                 if (!is_inheritable_ace(ace, container)) {
> >                 
> >                         continue;
> > 
> > We are trying to OR in the INHERITED flag depending on the flag in the
> > type/control field on the parent SD, but are forgetting that it might
> > already be in the flags on the ACE we are dealing with. So, we have to
> > get rid of it first.
> 
> Actually I think this is the more correct place to do it (see attached).
> It's in the place we're already modifying new_flags anyway.

If we have a mail thread about a bit, maybe it makes sense to also add a 
comment to the code why we remove it? :)


	-- andreas

-- 
Andreas Schneider                   GPG-ID: F33E3FC6
Samba Team                             asn at samba.org
www.samba.org



More information about the samba-technical mailing list