Permissions incorrectly ordered on Windows after disabling inheritance
Jeremy Allison
jra at samba.org
Mon Aug 27 21:47:31 MDT 2012
On Mon, Aug 27, 2012 at 08:16:40PM -0700, Jeremy Allison wrote:
> On Mon, Aug 27, 2012 at 08:05:06PM -0700, Richard Sharpe wrote:
> > On Mon, Aug 27, 2012 at 6:49 PM, Jeremy Allison <jra at samba.org> wrote:
> > > On Mon, Aug 27, 2012 at 04:59:34PM -0700, Richard Sharpe wrote:
> > >> On Mon, Aug 27, 2012 at 4:29 PM, Walkes, Dan <dwalkes at tandbergdata.com> wrote:
> > >> > Awesome! Thanks!
> > >>
> > >> Looks like the problem is in lib/secdesc.c:se_create_child_secdesc. It
> > >> needs to make an ordering pass over the ACL in the SD to ensure that
> > >> the ACEs are ordered correctly. At least that is the case in the
> > >> Samba 3.5.x code, and I don't think there has been much change there
> > >> in 3.6.x.
> > >
> > > Actually, looking more closely at this I think it's a pretty
> > > simple bug in that I just forgot to set the SEC_ACE_FLAG_INHERITED_ACE
> > > on inherited ACE's when I create them :-).
> > >
> > > Should have a patch to test tomorrow (home now..).
> >
> > Well, I guess that depends on the semantics of Creator Owner with the
> > inherited bit set, doesn't it? Does Windows mark the new ACE created
> > as a result of a Creator Owner ace that has the inherited bit set as
> > inherited as well?
>
> Yep (been testing against Win7). Windows marks *all*
> ACE's it creates as part of the inheritance code path
> with the SEC_ACE_FLAG_INHERITED_ACE bit.
>
> It doesn't matter what the original inherited bit was.
And here's a COMPLETELY UNTESTED :-) patch.
Compiles, but that's all I can say right now..
I'll test when I get into work on my test environment
tomorrow.
Cheers,
Jeremy.
-------------- next part --------------
diff --git a/source3/lib/secdesc.c b/source3/lib/secdesc.c
index 007e097..8f71b18 100644
--- a/source3/lib/secdesc.c
+++ b/source3/lib/secdesc.c
@@ -625,7 +625,7 @@ NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx,
/* First add the regular ACE entry. */
init_sec_ace(new_ace, ptrustee, ace->type,
- ace->access_mask, 0);
+ ace->access_mask, SEC_ACE_FLAG_INHERITED_ACE);
DEBUG(5,("se_create_child_secdesc(): %s:%d/0x%02x/0x%08x"
" inherited as %s:%d/0x%02x/0x%08x\n",
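Review bot: The comment above the first init_sec_ace() call still reads only "First add the regular ACE entry", so nothing explains why an entry that used to get flags of 0 now carries SEC_ACE_FLAG_INHERITED_ACE. A short comment there stating that every ACE created on the inheritance path is marked inherited, whatever the parent ACE's own inherited bit was, would stop a later reader from "fixing" it back to 0. The message also says the patch only compiles so far, so this path needs a test against a Windows client before it is merged.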
@@ -648,7 +648,7 @@ NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx,
}
init_sec_ace(new_ace, ptrustee, ace->type,
- ace->access_mask, new_flags);
+ ace->access_mask, new_flags | SEC_ACE_FLAG_INHERITED_ACE);
DEBUG(5, ("se_create_child_secdesc(): %s:%d/0x%02x/0x%08x "
" inherited as %s:%d/0x%02x/0x%08x\n",
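Review bot: In the second init_sec_ace() call the bit is ORed in at the call site (new_flags | SEC_ACE_FLAG_INHERITED_ACE), so new_flags itself never contains it. If the DEBUG(5, ...) call that follows prints new_flags, the log will show flags that differ from what was stored in the ACE. Setting it once before the call, with new_flags |= SEC_ACE_FLAG_INHERITED_ACE;, keeps the stored value and any later use of new_flags in agreement, and leaves a single place to change if the rule ever needs an exception.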
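Why the missing bit shows up as an ordering problem, as an added example that is not code from this thread or from Samba: it assumes the Windows canonical DACL order (explicit deny, explicit allow, inherited deny, inherited allow) and uses a simplified, hypothetical `demo_ace` struct with a constructed three-entry child DACL.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* ACE type and flag values as defined for Windows ACE headers. */
#define SEC_ACE_TYPE_ACCESS_ALLOWED 0
#define SEC_ACE_TYPE_ACCESS_DENIED  1
#define SEC_ACE_FLAG_INHERITED_ACE  0x10

/* Simplified ACE for this sketch (hypothetical, not Samba's struct security_ace). */
struct demo_ace { uint8_t type; uint8_t flags; };

/* Position in the canonical order: explicit deny (0), explicit allow (1),
 * inherited deny (2), inherited allow (3). */
static int demo_rank(const struct demo_ace *a)
{
	int inherited = (a->flags & SEC_ACE_FLAG_INHERITED_ACE) ? 2 : 0;
	int allow = (a->type == SEC_ACE_TYPE_ACCESS_ALLOWED) ? 1 : 0;
	return inherited + allow;
}

/* Returns 1 when the rank never decreases from one ACE to the next. */
int demo_dacl_is_canonical(const struct demo_ace *aces, size_t n)
{
	for (size_t i = 1; i < n; i++)
		if (demo_rank(&aces[i]) < demo_rank(&aces[i - 1]))
			return 0;
	return 1;
}

/* Constructed child DACL: one explicit allow, then a deny and an allow
 * produced by inheritance, both carrying derived_flags. */
int demo_child_is_canonical(uint8_t derived_flags)
{
	struct demo_ace child[3] = {
		{ SEC_ACE_TYPE_ACCESS_ALLOWED, 0 },
		{ SEC_ACE_TYPE_ACCESS_DENIED, derived_flags },
		{ SEC_ACE_TYPE_ACCESS_ALLOWED, derived_flags },
	};
	return demo_dacl_is_canonical(child, 3);
}

int main(void)
{
	printf("flags 0x00: %d, flags 0x10: %d\n", demo_child_is_canonical(0),
	       demo_child_is_canonical(SEC_ACE_FLAG_INHERITED_ACE));
	return 0;
}
```

With the flag left at 0 the derived deny ACE is indistinguishable from an explicit deny that follows an explicit allow, so the list fails the check; with the bit set the same list passes without any reordering.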