2025-01-11 05:18:09 +03:00 · 2012-08-29 13:40:29 -07:00 · 2012-08-29 13:40:29 -07:00 · 3d34406c7b
commit 3d34406c7b
parent 795920cf4a
1 changed files with 35 additions and 0 deletions
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@ -830,6 +830,39 @@ static void do_nt_transact_create_pipe(connection_struct *conn,
 	return;
 }

+/*********************************************************************
+ Windows seems to do canonicalization of inheritance bits. Do the
+ same.
+*********************************************************************/
+
+static void canonicalize_inheritance_bits(struct security_descriptor *psd)
+{
+	bool set_auto_inherited = false;
+
+	/*
+	 * We need to filter out the
+	 * SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ
+	 * bits. If both are set we store SEC_DESC_DACL_AUTO_INHERITED
+	 * as this alters whether SEC_ACE_FLAG_INHERITED_ACE is set
+	 * when an ACE is inherited. Otherwise we zero these bits out.
+	 * See:
+	 *
+	 * http://social.msdn.microsoft.com/Forums/eu/os_fileservices/thread/11f77b68-731e-407d-b1b3-064750716531
+	 *
+	 * for details.
+	 */
+
+	if ((psd->type & (SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ))
+			== (SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ)) {
+		set_auto_inherited = true;
+	}
+
+	psd->type &= ~(SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ);
+	if (set_auto_inherited) {
+		psd->type |= SEC_DESC_DACL_AUTO_INHERITED;
+	}
+}
+
 /****************************************************************************
 Internal fn to set security descriptors.
 ****************************************************************************/
@ -898,6 +931,8 @@ NTSTATUS set_sd(files_struct *fsp, struct security_descriptor *psd,
 		}
 	}

+	canonicalize_inheritance_bits(psd);
+
 	if (DEBUGLEVEL >= 10) {
 		DEBUG(10,("set_sd for file %s\n", fsp_str_dbg(fsp)));
 		NDR_PRINT_DEBUG(security_descriptor, psd);