s4-security: Fixed incorrect inheritance of IO flagged ACES
authorNadezhda Ivanova <nivanova@samba.org>
Tue, 18 Jan 2011 13:56:19 +0000 (15:56 +0200)
committerNadezhda Ivanova <nivanova@samba.org>
Tue, 18 Jan 2011 14:08:17 +0000 (15:08 +0100)
They should be inherited without the IO flag unless they contain generic information.

libcli/security/create_descriptor.c

index e5fa9b8cb523807f78f36ac84e9b446cd1f1992a..643c98d34554b9773f93884c2ec0e463b0732e92 100644 (file)
@@ -157,6 +157,11 @@ static struct security_acl *calculate_inherited_from_parent(TALLOC_CTX *mem_ctx,
 
                        tmp_acl->aces[tmp_acl->num_aces] = *ace;
                        tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERITED_ACE;
+                       /* remove IO flag from the child's ace */
+                       if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY &&
+                           !desc_ace_has_generic(tmp_ctx, ace)) {
+                               tmp_acl->aces[tmp_acl->num_aces].flags &= ~SEC_ACE_FLAG_INHERIT_ONLY;
+                       }
 
                        if (is_container && (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT))
                            tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERIT_ONLY;
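Review bot: The new test mixes a bitwise `&` with `&&` without parentheses, which is correct under C precedence but inconsistent with the bracketed form `(ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT)` used two lines below; write it as `if ((ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) && !desc_ace_has_generic(tmp_ctx, ace)) {` so the flag test reads the same throughout this loop. The added comment states what the line does but not why; since this is a security-relevant inheritance decision, it would help to say `/* An inherit-only ACE becomes an effective ACE on the child; it keeps INHERIT_ONLY only while it still carries generic rights (presumably mapped elsewhere before use) */`, with the mapping part hedged because that code is not in this hunk. Note that for a container with OBJECT_INHERIT the flag is set again right after being cleared, which appears intentional but is worth a one-line remark so the clear/re-set sequence is not "fixed" by a later reader. The enclosing function calculate_inherited_from_parent starts and ends outside this hunk, and tmp_ctx is not visible here.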