Fix a subtle logic bug in the adaption of se_create_child_secdesc(), pass RAW-ACL...

Jeremy.

diff --git a/source/lib/secdesc.c b/source/lib/secdesc.c
index a49ee8d2244d764898fdf600a2b922416838cc3d..96806b3b167aed3d11ccb69e6a20215b1399c40d 100644 (file)
--- a/source/lib/secdesc.c
+++ b/source/lib/secdesc.c
@@ -546,6 +546,9 @@ NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx,
 
                        ptrustee = creator;
                        new_flags |= SEC_ACE_FLAG_INHERIT_ONLY;
+               } else if (container &&
+                               !(ace->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT)) {
+                       ptrustee = &ace->trustee;
                }
 
                init_sec_ace(new_ace, ptrustee, ace->type,

diff --git a/source/modules/vfs_acl_xattr.c b/source/modules/vfs_acl_xattr.c
index ee0c16e695e3ee886c8d22089039e1edd57b4ad4..6f1c1a397215ff9b6de41c3a19cb97985e0e6faa 100644 (file)
--- a/source/modules/vfs_acl_xattr.c
+++ b/source/modules/vfs_acl_xattr.c
@@ -363,10 +363,18 @@ static NTSTATUS inherit_new_acl(vfs_handle_struct *handle,
        status = get_nt_acl_xattr_internal(handle,
                                        NULL,
                                        parent_name,
-                                       DACL_SECURITY_INFORMATION,
+                                       (OWNER_SECURITY_INFORMATION |
+                                        GROUP_SECURITY_INFORMATION |
+                                        DACL_SECURITY_INFORMATION),
                                        &parent_desc);
         if (NT_STATUS_IS_OK(status)) {
                /* Create an inherited descriptor from the parent. */
+
+               if (DEBUGLEVEL >= 10) {
+                       DEBUG(10,("inherit_new_acl: parent acl is:\n"));
+                       NDR_PRINT_DEBUG(security_descriptor, parent_desc);
+               }
+
                status = se_create_child_secdesc(ctx,
                                &psd,
                                &size,
@@ -377,6 +385,12 @@ static NTSTATUS inherit_new_acl(vfs_handle_struct *handle,
                if (!NT_STATUS_IS_OK(status)) {
                        return status;
                }
+
+               if (DEBUGLEVEL >= 10) {
+                       DEBUG(10,("inherit_new_acl: child acl is:\n"));
+                       NDR_PRINT_DEBUG(security_descriptor, psd);
+               }
+
        } else {
                DEBUG(10,("inherit_new_acl: directory %s failed "
                        "to get acl %s\n",
@@ -401,6 +415,11 @@ static NTSTATUS inherit_new_acl(vfs_handle_struct *handle,
                if (!psd) {
                        return NT_STATUS_NO_MEMORY;
                }
+
+               if (DEBUGLEVEL >= 10) {
+                       DEBUG(10,("inherit_new_acl: default acl is:\n"));
+                       NDR_PRINT_DEBUG(security_descriptor, psd);
+               }
        }
 
        status = create_acl_blob(psd, &blob);