s4:dsdb/descriptor: NULL out user_descriptor elements depending on the sd_flags
A client can send a full security_descriptor while just passing sd_flags of SECINFO_DACL. We need to NULL out elements which will be ignored depending on the sd_flags and may set the old owner/group sids. Otherwise the calculation of the DACL/SACL can replace CREATOR_OWNER with the wrong sid. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
This commit is contained in:
parent
057c56ac24
commit
8ababf4367
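--- a/PLACEHOLDER_PATH
+++ b/PLACEHOLDER_PATH
@@ -323,6 +323,50 @@ static DATA_BLOB *get_new_descriptor(struct ldb_module *module,
 SEC_DESC_SERVER_SECURITY);
 }
 
+
+if (!(sd_flags & SECINFO_OWNER) && user_descriptor) {
+user_descriptor->owner_sid = NULL;
+
+/*
+* We need the correct owner sid
+* when calculating the DACL or SACL
+*/
+if (old_descriptor) {
+user_descriptor->owner_sid = old_descriptor->owner_sid;
+}
+}
+if (!(sd_flags & SECINFO_GROUP) && user_descriptor) {
+user_descriptor->group_sid = NULL;
+
+/*
+* We need the correct group sid
+* when calculating the DACL or SACL
+*/
+if (old_descriptor) {
+user_descriptor->group_sid = old_descriptor->group_sid;
+}
+}
+if (!(sd_flags & SECINFO_DACL) && user_descriptor) {
+user_descriptor->dacl = NULL;
+
+/*
+* We add SEC_DESC_DACL_PROTECTED so that
+* create_security_descriptor() skips
+* the unused inheritance calculation
+*/
+user_descriptor->type |= SEC_DESC_DACL_PROTECTED;
+}
+if (!(sd_flags & SECINFO_SACL) && user_descriptor) {
+user_descriptor->sacl = NULL;
+
+/*
+* We add SEC_DESC_SACL_PROTECTED so that
+* create_security_descriptor() skips
+* the unused inheritance calculation
+*/
+user_descriptor->type |= SEC_DESC_SACL_PROTECTED;
+}
+
 default_owner = get_default_ag(mem_ctx, dn,
 session_info->security_token, ldb);
 default_group = get_default_group(mem_ctx, ldb, default_owner);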
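Review bot: The assignment `user_descriptor->owner_sid = old_descriptor->owner_sid;` (and its group_sid counterpart a few lines below) copies the pointer rather than the dom_sid, so user_descriptor now aliases memory owned by old_descriptor; if the two descriptors live on different allocation contexts and user_descriptor outlives old_descriptor, later reads of owner_sid/group_sid become dangling — whether that can happen is not visible here, since get_new_descriptor begins before the hunk and continues after it. A one-line comment at that point would make the assumption explicit: `/* shallow copy: aliases old_descriptor's sid, which must outlive user_descriptor */`. As a point of style, each NULL-then-reassign pair can collapse to `user_descriptor->owner_sid = old_descriptor ? old_descriptor->owner_sid : NULL;`, and the four repeated `&& user_descriptor` checks could be hoisted into a single enclosing `if (user_descriptor)` so the per-SECINFO conditions read only as flag tests.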