Better empty DACL approach
Matt Zinkevicius
mattzink at qwest.net
Tue Jun 26 11:01:03 GMT 2001
> > This is not the correct way to handle this. You don't have to waste
memory,
> > you should just check that the security descriptor's type contains the
>
> Well it isn't really wasted as it's only one byte, and the talloc
> pool is destroyed immediately after the access check takes place.
Hah. You're right about 1 byte. I thought it said talloc(sizeof(SEC_ACE) *
(ace_cnt+1)) which wastes several bytes.
> OK this looks like a better way to do it. There may be some
> checks in some other code that check the value of the dacl
> pointer instead of checking for the DACL_PRESENT bit.
Yeah there is :-) I had to fix all those places as well.
Also somewhat related: Don't forget that the SEC_DESC->dacl pointer itself
should be NULL if DACL_PRESENT isn't present. Exceptions being the weird
interactions with the DACL_DEFAULTED bit (for details see:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/hh
/winbase/acctrlow_0fxo.asp?frame=true )
--Matt
More information about the samba-technical
mailing list