s3-lib: Create a sec_desc_merge and sec_desc_merge_buf function.
authorAndreas Schneider <asn@samba.org>
Mon, 26 Apr 2010 15:38:56 +0000 (17:38 +0200)
committerGünther Deschner <gd@samba.org>
Tue, 4 May 2010 17:37:39 +0000 (19:37 +0200)
Signed-off-by: Günther Deschner <gd@samba.org>
source3/include/proto.h
source3/lib/secdesc.c
source3/printing/nt_printing.c
source3/rpc_server/srv_spoolss_nt.c

index dabfa152579603e1232276ea249d87cc1e8d1fed..2c5b7105a11d0c15da7583c514dbfc759972cdd3 100644 (file)
@@ -693,7 +693,8 @@ ssize_t drain_socket(int sockfd, size_t count);
 /* The following definitions come from lib/secdesc.c  */
 
 uint32_t get_sec_info(const SEC_DESC *sd);
-SEC_DESC_BUF *sec_desc_merge(TALLOC_CTX *ctx, SEC_DESC_BUF *new_sdb, SEC_DESC_BUF *old_sdb);
+SEC_DESC *sec_desc_merge(TALLOC_CTX *ctx, SEC_DESC *new_sdb, SEC_DESC *old_sdb);
+SEC_DESC_BUF *sec_desc_merge_buf(TALLOC_CTX *ctx, SEC_DESC_BUF *new_sdb, SEC_DESC_BUF *old_sdb);
 SEC_DESC *make_sec_desc(TALLOC_CTX *ctx,
                        enum security_descriptor_revision revision,
                        uint16 type,
index d45be00212444fb94a8287365f0378d8518ee7a1..f5a0039ec7cb8f80345292bdff32d7ca883189b1 100644 (file)
@@ -63,7 +63,7 @@ uint32_t get_sec_info(const SEC_DESC *sd)
  security descriptor new_sec.
 ********************************************************************/
 
-SEC_DESC_BUF *sec_desc_merge(TALLOC_CTX *ctx, SEC_DESC_BUF *new_sdb, SEC_DESC_BUF *old_sdb)
+SEC_DESC_BUF *sec_desc_merge_buf(TALLOC_CTX *ctx, SEC_DESC_BUF *new_sdb, SEC_DESC_BUF *old_sdb)
 {
        DOM_SID *owner_sid, *group_sid;
        SEC_DESC_BUF *return_sdb;
@@ -108,6 +108,47 @@ SEC_DESC_BUF *sec_desc_merge(TALLOC_CTX *ctx, SEC_DESC_BUF *new_sdb, SEC_DESC_BU
        return(return_sdb);
 }
 
+SEC_DESC *sec_desc_merge(TALLOC_CTX *ctx, SEC_DESC *new_sdb, SEC_DESC *old_sdb)
+{
+       DOM_SID *owner_sid, *group_sid;
+       SEC_ACL *dacl, *sacl;
+       SEC_DESC *psd = NULL;
+       uint16 secdesc_type;
+       size_t secdesc_size;
+
+       /* Copy over owner and group sids.  There seems to be no flag for
+          this so just check the pointer values. */
+
+       owner_sid = new_sdb->owner_sid ? new_sdb->owner_sid :
+               old_sdb->owner_sid;
+
+       group_sid = new_sdb->group_sid ? new_sdb->group_sid :
+               old_sdb->group_sid;
+
+       secdesc_type = new_sdb->type;
+
+       /* Ignore changes to the system ACL.  This has the effect of making
+          changes through the security tab audit button not sticking.
+          Perhaps in future Samba could implement these settings somehow. */
+
+       sacl = NULL;
+       secdesc_type &= ~SEC_DESC_SACL_PRESENT;
+
+       /* Copy across discretionary ACL */
+
+       if (secdesc_type & SEC_DESC_DACL_PRESENT) {
+               dacl = new_sdb->dacl;
+       } else {
+               dacl = old_sdb->dacl;
+       }
+
+       /* Create new security descriptor from bits */
+       psd = make_sec_desc(ctx, new_sdb->revision, secdesc_type,
+                           owner_sid, group_sid, sacl, dacl, &secdesc_size);
+
+       return psd;
+}
+
 /*******************************************************************
  Creates a SEC_DESC structure
 ********************************************************************/
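Review bot: In the `else` branch at `dacl = old_sdb->dacl;` the old DACL pointer is carried over, but `secdesc_type` is still taken from `new_sdb->type`, whose SEC_DESC_DACL_PRESENT bit is clear on exactly this path, so the merged descriptor ends up with a DACL attached and a type word that says none is present — the opposite of how the SACL is handled a few lines earlier, where the pointer and the flag are cleared together. Unless make_sec_desc (outside the hunk) derives the flag from the pointer, a consumer that trusts the type bits will read the result as "no DACL", which under the usual NT access-check rule grants unrestricted access instead of preserving the old ACL. Suggest `dacl = old_sdb->dacl; secdesc_type |= (old_sdb->type & SEC_DESC_DACL_PRESENT);`. Separately, `secdesc_size` is written by make_sec_desc and never read, and neither `new_sdb` nor `old_sdb` is checked before being dereferenced, so the function should either guard them or state in its header comment that both arguments must be non-NULL; it also has no header comment at all, unlike the `_buf` variant above it.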
index ba667c32515de99b2410dd0927048cb7d0a321f3..9ac74d63fddaa5ebb6fce4639f7a9c9d83f7b260 100644 (file)
@@ -402,7 +402,7 @@ static int sec_desc_upg_fn( TDB_CONTEXT *the_tdb, TDB_DATA key,
                return 0;
        }
 
-       if ( !(sd_store = sec_desc_merge( ctx, sd_new, sd_orig )) ) {
+       if ( !(sd_store = sec_desc_merge_buf( ctx, sd_new, sd_orig )) ) {
                DEBUG(0,("sec_desc_upg_fn: Failed to update sec_desc for %s\n", key.dptr ));
                return 0;
        }
index db6a6d784ad6a43b1264d95069abf3cd520d7258..f96a147a27dd507f4f36217908c1926d46cfe35b 100644 (file)
@@ -5465,7 +5465,7 @@ static WERROR update_printer_sec(struct policy_handle *handle,
                }
        }
 
-       new_secdesc_ctr = sec_desc_merge(p->mem_ctx, secdesc_ctr, old_secdesc_ctr);
+       new_secdesc_ctr = sec_desc_merge_buf(p->mem_ctx, secdesc_ctr, old_secdesc_ctr);
        if (!new_secdesc_ctr) {
                result = WERR_NOMEM;
                goto done;