s4:dsdb/descriptor: NULL out user_descriptor elements depending on the sd_flags
authorStefan Metzmacher <metze@samba.org>
Sat, 1 Dec 2012 14:10:38 +0000 (15:10 +0100)
committerMichael Adam <obnox@samba.org>
Sun, 2 Dec 2012 17:30:47 +0000 (18:30 +0100)
A client can send a full security_descriptor while just passing
sd_flags of SECINFO_DACL.

We need to NULL out the elements that will be ignored depending on
the sd_flags, and may need to set the old owner/group sids instead.
Otherwise the calculation of the DACL/SACL can replace CREATOR_OWNER
with the wrong sid.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
source4/dsdb/samdb/ldb_modules/descriptor.c

index 18caa381038b475f6444b6046f910b5976a826c8..95204b3c5c40409ea6cb095b6073a44ebb11bec3 100644 (file)
@@ -323,6 +323,50 @@ static DATA_BLOB *get_new_descriptor(struct ldb_module *module,
                        SEC_DESC_SERVER_SECURITY);
        }
 
+
+       if (!(sd_flags & SECINFO_OWNER) && user_descriptor) {
+               user_descriptor->owner_sid = NULL;
+
+               /*
+                * We need the correct owner sid
+                * when calculating the DACL or SACL
+                */
+               if (old_descriptor) {
+                       user_descriptor->owner_sid = old_descriptor->owner_sid;
+               }
+       }
+       if (!(sd_flags & SECINFO_GROUP) && user_descriptor) {
+               user_descriptor->group_sid = NULL;
+
+               /*
+                * We need the correct group sid
+                * when calculating the DACL or SACL
+                */
+               if (old_descriptor) {
+                       user_descriptor->group_sid = old_descriptor->group_sid;
+               }
+       }
+       if (!(sd_flags & SECINFO_DACL) && user_descriptor) {
+               user_descriptor->dacl = NULL;
+
+               /*
+                * We add SEC_DESC_DACL_PROTECTED so that
+                * create_security_descriptor() skips
+                * the unused inheritance calculation
+                */
+               user_descriptor->type |= SEC_DESC_DACL_PROTECTED;
+       }
+       if (!(sd_flags & SECINFO_SACL) && user_descriptor) {
+               user_descriptor->sacl = NULL;
+
+               /*
+                * We add SEC_DESC_SACL_PROTECTED so that
+                * create_security_descriptor() skips
+                * the unused inheritance calculation
+                */
+               user_descriptor->type |= SEC_DESC_SACL_PROTECTED;
+       }
+
        default_owner = get_default_ag(mem_ctx, dn,
                                       session_info->security_token, ldb);
        default_group = get_default_group(mem_ctx, ldb, default_owner);
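Review bot: The four added `!(sd_flags & SECINFO_*)` tests assume sd_flags has already been normalized; if a value of 0 can reach get_new_descriptor() (control absent, or a client sending 0), every branch fires and the client's owner, group, DACL and SACL are all discarded. The hunk does not show where sd_flags is derived, so this needs confirming, and if callers do guarantee it, a comment above the first test such as `/* sd_flags is never 0 here: 0 has already been mapped to all four SECINFO_* bits */` would record the precondition. Separately, SEC_DESC_DACL_PROTECTED and SEC_DESC_SACL_PROTECTED are OR-ed into `user_descriptor->type` only as a hint to skip the inheritance calculation; it is worth verifying that the code after this hunk takes the unselected parts, including their control bits, from old_descriptor, so the hint cannot end up in the stored descriptor and block inheritance. The function body starts and ends outside the hunk.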