From fed925079b988502674c48555e27e3ee9d214b4b Mon Sep 17 00:00:00 2001
From: Nadezhda Ivanova
Date: Tue, 18 Jan 2011 15:56:19 +0200
Subject: [PATCH] s4-security: Fixed incorrect inheritance of IO flagged ACES

They should be inherited without the IO flag unless they contain generic information.
---
 libcli/security/create_descriptor.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libcli/security/create_descriptor.c b/libcli/security/create_descriptor.c
index e5fa9b8cb52..643c98d3455 100644
--- a/libcli/security/create_descriptor.c
+++ b/libcli/security/create_descriptor.c
@@ -157,6 +157,11 @@ static struct security_acl *calculate_inherited_from_parent(TALLOC_CTX *mem_ctx,
 tmp_acl->aces[tmp_acl->num_aces] = *ace;
 tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERITED_ACE;
+ /* remove IO flag from the child's ace */
+ if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY &&
+ !desc_ace_has_generic(tmp_ctx, ace)) {
+ tmp_acl->aces[tmp_acl->num_aces].flags &= ~SEC_ACE_FLAG_INHERIT_ONLY;
+ }
 if (is_container && (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT))
 tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERIT_ONLY;
-- 
2.34.1
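Review bot: The added comment `/* remove IO flag from the child's ace */` says less than the block decides. Clearing SEC_ACE_FLAG_INHERIT_ONLY makes the inherited ACE effective on the child itself, the clear is skipped when desc_ace_has_generic() reports generic rights, and the unchanged `if (is_container && (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT))` right after it can set the flag again. Since this changes which ACEs grant access, I would state the rule and the ordering explicitly, e.g. `/* IO on the parent only excludes the parent: the inherited copy applies to the child unless it still holds generic rights; the OBJECT_INHERIT check below may re-add IO for containers */`. The new condition also mixes `&` and `&&` without parentheses, unlike the neighbouring line; `if ((ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) &&` would match it. The enclosing function starts and ends outside the hunk, so how the generic-rights case is handled later cannot be checked from here.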