Patches bug #10773 (SECINFO_PROTECTED_DACL is not ignored)

Jeremy Allison jra at
Thu Aug 21 17:34:22 MDT 2014

On Wed, Aug 20, 2014 at 04:35:47PM +0200, Stefan (metze) Metzmacher wrote:
> Hi,
> here're some patches for
> It seems we need to ignore flags like SECINFO_PROTECTED_DACL.
> Otherwise we get unexpected behaviours from the Windows
> MoveSecurityAttributes() function.
> Please review.
> Jeremy, do you think we should keep the SECINFO_PROTECTED_DACL
> logic in posix_get_nt_acl_common()?

Great catch - thanks ! Pushed. The interaction between
get_sd() and the code in smbd/posix_acls.c was really
toxic and hadn't been noticed at all :-(.

It was added in commit 9251afe35bc402bbab816d7c33673d4ef3fb0351
when I added the parameter "map acl inheritance" and I know I
*certainly* didn't understand the relationship between
SECINFO_PROTECTED_DACL flag sent in the incoming set_sd
request and the SEC_DESC_DACL_PROTECTED flags in the sd

So I think the following additional patch would certainly clean
up this code.

Review welcome !


-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s3-smbd-POSIX-ACLs.-Remove-incorrect-check-for-SECIN.patch
Type: text/x-diff
Size: 1188 bytes
Desc: not available
URL: <>

More information about the samba-technical mailing list