Add a comment about why we are removing the INHERITED bit so people understand.
author Richard Sharpe <realrichardsharpe@gmail.com>
Tue, 2 Apr 2013 13:48:03 +0000 (06:48 -0700)
committer Andreas Schneider <asn@cryptomilk.org>
Tue, 2 Apr 2013 18:05:13 +0000 (20:05 +0200)
Signed-off-by: Richard Sharpe <realrichardsharpe@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Apr  2 20:05:13 CEST 2013 on sn-devel-104

libcli/security/secdesc.c

index a7e99005ebec6ca1ac1cf004834c0aed97792e05..8570334f36c2a5f06508cc0a797231b06085d3a3 100644 (file)
@@ -614,6 +614,15 @@ NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx,
                if (!container) {
                        new_flags = 0;
                } else {
+                       /*
+                        * We need to remove SEC_ACE_FLAG_INHERITED_ACE here
+                        * if present because it should only be set if the
+                        * parent has the AUTO_INHERITED bit set in the
+                        * type/control field. If we don't it will slip through
+                        * and create DACLs with incorrectly ordered ACEs
+                        * when there are CREATOR_OWNER or CREATOR_GROUP
+                        * ACEs.
+                        */
                        new_flags &= ~(SEC_ACE_FLAG_INHERIT_ONLY
                                        | SEC_ACE_FLAG_INHERITED_ACE);
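
Review bot: The new comment in the else branch says SEC_ACE_FLAG_INHERITED_ACE should only be set when the parent has the AUTO_INHERITED bit in its type/control field, but the mask right below it clears the flag unconditionally whenever container is true, and no test of the parent's control field is visible in this hunk. It would help if the comment said where the flag is put back when the parent does carry that bit (or that it is not), so a reader does not assume the condition is checked here. The comment also leaves SEC_ACE_FLAG_INHERIT_ONLY, the other bit cleared by the same statement, unexplained, and "If we don't it will slip through" would read more clearly as "If we don't, the flag will slip through".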