2025-01-11 05:18:09 +03:00 · 2022-09-19 22:50:58 +02:00 · 2022-09-19 22:50:58 +02:00 · 1a9aac53e8
commit 1a9aac53e8
parent 7efe673fbd
1 changed files with 35 additions and 0 deletions
--- a/libcli/security/security_descriptor.c
+++ b/libcli/security/security_descriptor.c
@ -21,6 +21,7 @@

 #include "includes.h"
 #include "libcli/security/security.h"
+#include "librpc/ndr/libndr.h"

 /*
  return a blank security descriptor (no owners, dacl or sacl)
@ -485,6 +486,32 @@ NTSTATUS security_descriptor_sacl_del_ace(struct security_descriptor *sd,
 {
 	return security_descriptor_acl_del_ace(sd, true, ace);
 }
+
+static bool security_ace_object_equal(const struct security_ace_object *object1,
+				      const struct security_ace_object *object2)
+{
+	if (object1 == object2) {
+		return true;
+	}
+	if ((object1 == NULL) || (object2 == NULL)) {
+		return false;
+	}
+	if (object1->flags != object2->flags) {
+		return false;
+	}
+	if (object1->flags & SEC_ACE_OBJECT_TYPE_PRESENT
+			&& !GUID_equal(&object1->type.type, &object2->type.type)) {
+		return false;
+	}
+	if (object1->flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT
+	    && !GUID_equal(&object1->inherited_type.inherited_type,
+			   &object2->inherited_type.inherited_type)) {
+		return false;
+	}
+
+	return true;
+}
+
 /*
  compare two security ace structures
 */
@ -506,6 +533,14 @@ bool security_ace_equal(const struct security_ace *ace1,
 	if (ace1->access_mask != ace2->access_mask) {
 		return false;
 	}
+	if ((ace1->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT
+	     || ace1->type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT
+	     || ace1->type == SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT
+	     || ace1->type == SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT)
+	    && !security_ace_object_equal(&ace1->object.object,
+					  &ace2->object.object)) {
+		return false;
+	}
 	if (!dom_sid_equal(&ace1->trustee, &ace2->trustee)) {
 		return false;
 	}