The branch, master has been updated
       via  b5a2f95 s4-tests: Some tests that prove behavior for INHERITED 
user-provided ACEs is different if the P flag is set.
       via  c3f6cc9 security: Fixed some handling of ACEs with INHERITED flag 
provided by the user
      from  14edbf7 s4-build: need EXPAND_VARIABLES() for terminal in make test

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit b5a2f956c6f9ac8d37a77e0f20e9d3c87ab50f9d
Author: Nadezhda Ivanova <[email protected]>
Date:   Thu Feb 10 12:43:35 2011 +0200

    s4-tests: Some tests that prove behavior for INHERITED user-provided ACEs 
is different if the P flag is set.
    
    Autobuild-User: Nadezhda Ivanova <[email protected]>
    Autobuild-Date: Thu Feb 10 12:31:34 CET 2011 on sn-devel-104

commit c3f6cc9993f7fd45cff63c6a5fefde084a6cc173
Author: Nadezhda Ivanova <[email protected]>
Date:   Thu Feb 10 12:39:22 2011 +0200

    security: Fixed some handling of ACEs with INHERITED flag provided by the 
user
    
    Some tests showed that these ACEs are not removed if the DACL_PROTECTED 
flag is provided at the same time.
    This is not documented but tests prove it and it has been observed in
deployment.

-----------------------------------------------------------------------

Summary of changes:
 libcli/security/create_descriptor.c         |   21 ++++++++++++----
 source4/dsdb/tests/python/sec_descriptor.py |   34 +++++++++++++++++++++++++++
 2 files changed, 50 insertions(+), 5 deletions(-)


Changeset truncated at 500 lines:

diff --git a/libcli/security/create_descriptor.c 
b/libcli/security/create_descriptor.c
index 643c98d..9e348a7 100644
--- a/libcli/security/create_descriptor.c
+++ b/libcli/security/create_descriptor.c
@@ -210,7 +210,8 @@ static struct security_acl *process_user_acl(TALLOC_CTX 
*mem_ctx,
                                             bool is_container,
                                             struct dom_sid *owner,
                                             struct dom_sid *group,
-                                            struct GUID *object_list)
+                                            struct GUID *object_list,
+                                            bool is_protected)
 {
        uint32_t i;
        TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
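Review bot: The new `is_protected` parameter of `process_user_acl` is undocumented, and since it decides whether a user-supplied ACE carrying SEC_ACE_FLAG_INHERITED_ACE is discarded or kept, the rule is worth stating at the declaration. A comment such as `/* is_protected: true when the creator descriptor sets the PROTECTED flag for this ACL; user-supplied ACEs marked INHERITED are then kept with that flag cleared instead of being dropped */` would cover it. The function's body continues past this hunk.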
@@ -232,8 +233,16 @@ static struct security_acl *process_user_acl(TALLOC_CTX 
*mem_ctx,
 
        for (i=0; i < acl->num_aces; i++){
                struct security_ace *ace = &acl->aces[i];
-               if (ace->flags & SEC_ACE_FLAG_INHERITED_ACE)
-                       continue;
+               /* Remove ID flags from user-provided ACEs
+                * if we break inheritance, ignore them otherwise */
+               if (ace->flags & SEC_ACE_FLAG_INHERITED_ACE) {
+                       if (is_protected) {
+                               ace->flags &= ~SEC_ACE_FLAG_INHERITED_ACE;
+                       } else {
+                               continue;
+                       }
+               }
+
                if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY &&
                    !(ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT ||
                      ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT))
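Review bot: The flag is cleared in place on `ace`, which points into `acl->aces[i]`, i.e. into the ACL the caller passed in rather than into the ACL this function is building, so the caller's descriptor is modified as a side effect. Judging by the third hunk that argument appears to be `creator_sd->dacl` / `creator_sd->sacl`, and `cr_descr_log_descriptor(creator_sd, ...)` runs afterwards, so the debug log would then show the user-supplied ACE without the ID flag it actually arrived with, losing the original input from the trace. Consider applying the mask to the copy that is appended to the result (for example a local `uint32_t flags = ace->flags & ~SEC_ACE_FLAG_INHERITED_ACE;` used where the ACE is copied) and leaving the caller's ACL untouched; the copy step is outside this hunk, so the exact place depends on that code. process_user_acl's body continues outside the hunk.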
@@ -358,13 +367,15 @@ static bool compute_acl(struct security_descriptor 
*parent_sd,
                                             is_container,
                                             new_sd->owner_sid,
                                             new_sd->group_sid,
-                                            object_list);
+                                            object_list,
+                                            creator_sd->type & 
SEC_DESC_DACL_PROTECTED);
                user_sacl = process_user_acl(new_sd,
                                             creator_sd->sacl,
                                             is_container,
                                             new_sd->owner_sid,
                                             new_sd->group_sid,
-                                            object_list);
+                                            object_list,
+                                            creator_sd->type & 
SEC_DESC_SACL_PROTECTED);
        }
        cr_descr_log_descriptor(parent_sd, __location__"parent_sd", level);
        cr_descr_log_descriptor(creator_sd,__location__ "creator_sd", level);
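Review bot: Both new arguments pass a raw bitmask (`creator_sd->type & SEC_DESC_DACL_PROTECTED`, `creator_sd->type & SEC_DESC_SACL_PROTECTED`) to a `bool` parameter and rely on the implicit non-zero-to-true conversion; it works, but an explicit test reads more clearly and stays correct if the parameter type is ever widened to an integer flag: `(creator_sd->type & SEC_DESC_DACL_PROTECTED) != 0` and `(creator_sd->type & SEC_DESC_SACL_PROTECTED) != 0`. Note also that the DACL and SACL are gated by their own PROTECTED bits, which is the right split but deserves a one-line comment above the two calls since the two flags are easy to confuse. compute_acl starts and ends outside this hunk.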
diff --git a/source4/dsdb/tests/python/sec_descriptor.py 
b/source4/dsdb/tests/python/sec_descriptor.py
index 2db33ae..705bf89 100755
--- a/source4/dsdb/tests/python/sec_descriptor.py
+++ b/source4/dsdb/tests/python/sec_descriptor.py
@@ -1655,6 +1655,40 @@ class DaclDescriptorTests(DescriptorTests):
         self.assertTrue("(A;CIID;WP;;;DU)" in desc_sddl)
         self.assertFalse("(A;CIIOID;WP;;;DU)" in desc_sddl)
 
+    def test_216(self):
+        """ Make sure ID ACES provided by user are ignored
+        """
+        ou_dn = "OU=test_inherit_ou," + self.base_dn
+        group_dn = "CN=test_inherit_group," + ou_dn
+        mod = "D:P(A;;WPRPLCCCDCWDRC;;;DA)"
+        tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
+        self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
+        # Add some custom  ACE
+        mod = "D:(D;ID;WP;;;AU)"
+        tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
+        self.ldb_admin.newgroup("test_inherit_group", 
groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
+        # Make sure created group object does not contain the ID ace
+        desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+        self.assertFalse("(A;ID;WP;;;AU)" in desc_sddl)
+        self.assertFalse("(A;;WP;;;AU)" in desc_sddl)
+
+    def test_217(self):
+        """ Make sure ID ACES provided by user are not ignored if P flag is set
+        """
+        ou_dn = "OU=test_inherit_ou," + self.base_dn
+        group_dn = "CN=test_inherit_group," + ou_dn
+        mod = "D:P(A;;WPRPLCCCDCWDRC;;;DA)"
+        tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
+        self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
+        # Add some custom  ACE
+        mod = "D:P(A;ID;WP;;;AU)"
+        tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
+        self.ldb_admin.newgroup("test_inherit_group", 
groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
+        # Make sure created group object does not contain the ID ace
+        desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+        self.assertFalse("(A;ID;WP;;;AU)" in desc_sddl)
+        self.assertTrue("(A;;WP;;;AU)" in desc_sddl)
+
     
########################################################################################
 
 
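Review bot: test_216's negative assertions never exercise the behaviour they describe: the ACE added with `mod = "D:(D;ID;WP;;;AU)"` is a deny ACE, yet both checks look for an allow ACE (`(A;ID;WP;;;AU)` and `(A;;WP;;;AU)`), so they pass whether or not the inherited-flagged ACE was dropped. Either assert on the ACE actually supplied, `self.assertFalse("(D;ID;WP;;;AU)" in desc_sddl)` and `self.assertFalse("(D;;WP;;;AU)" in desc_sddl)`, or use `D:(A;ID;WP;;;AU)` as test_217 does so the two tests differ only in the P flag. The comment `# Make sure created group object does not contain the ID ace` in test_217 is also misleading now that the test expects the ACE to survive with the flag stripped; `# The ACE must be kept, but with its ID flag cleared` matches the assertions. The enclosing class DaclDescriptorTests continues outside the hunk.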


-- 
Samba Shared Repository
