Attachment 8800 Details for Bug 9821 – A possible fix for this problem

[patch] A possible fix for this problem

fix-obj-ace-inherit-3.5.x.patch (text/plain), 18.89 KB, created by Richard Sharpe on 2013-04-21 16:00:33 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Richard Sharpe

Created: 2013-04-21 16:00:33 UTC

Size: 18.89 KB

patch

obsolete

>diff --git a/libcli/security/secace.c b/libcli/security/secace.c
>index 7d87b1c..6329d68 100644
>--- a/libcli/security/secace.c
>+++ b/libcli/security/secace.c
>@@ -58,7 +58,8 @@ void sec_ace_copy(struct security_ace *ace_dest, struct security_ace *ace_src)
> ********************************************************************/
> 
> void init_sec_ace(struct security_ace *t, const struct dom_sid *sid, enum security_ace_type type,
>-		  uint32_t mask, uint8_t flag)
>+		  uint32_t mask, uint8_t flag, 
>+		  const union security_ace_object_ctr *obj_ctr)
> {
> 	t->type = type;
> 	t->flags = flag;
>@@ -66,6 +67,11 @@ void init_sec_ace(struct security_ace *t, const struct dom_sid *sid, enum securi
> 	t->access_mask = mask;
> 
> 	t->trustee = *sid;
>+
>+	if ((type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT ||
>+	    type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT) && obj_ctr) {
>+		t->object = *obj_ctr;
>+	}
> }
> 
> /*******************************************************************
>diff --git a/libcli/security/secace.h b/libcli/security/secace.h
>index 8b6625d..7827f48 100644
>--- a/libcli/security/secace.h
>+++ b/libcli/security/secace.h
>@@ -26,7 +26,8 @@
> bool sec_ace_object(uint8_t type);
> void sec_ace_copy(struct security_ace *ace_dest, struct security_ace *ace_src);
> void init_sec_ace(struct security_ace *t, const struct dom_sid *sid, enum security_ace_type type,
>-		  uint32_t mask, uint8_t flag);
>+		  uint32_t mask, uint8_t flag,
>+		  const union security_ace_object_ctr *obj_ctr);
> NTSTATUS sec_ace_add_sid(TALLOC_CTX *ctx, struct security_ace **pp_new, struct security_ace *old, unsigned *num, struct dom_sid *sid, uint32_t mask);
> NTSTATUS sec_ace_mod_sid(struct security_ace *ace, size_t num, struct dom_sid *sid, uint32_t mask);
> NTSTATUS sec_ace_del_sid(TALLOC_CTX *ctx, struct security_ace **pp_new, struct security_ace *old, uint32_t *num, struct dom_sid *sid);
>diff --git a/source3/lib/secdesc.c b/source3/lib/secdesc.c
>index d45be00..50800df 100644
>--- a/source3/lib/secdesc.c
>+++ b/source3/lib/secdesc.c
>@@ -571,7 +571,7 @@ NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx,
> 
> 			/* First add the regular ACE entry. */
> 			init_sec_ace(new_ace, ptrustee, ace->type,
>-			     	ace->access_mask, 0);
>+			     	ace->access_mask, 0, NULL);
> 
> 			DEBUG(5,("se_create_child_secdesc(): %s:%d/0x%02x/0x%08x"
> 				" inherited as %s:%d/0x%02x/0x%08x\n",
>@@ -594,7 +594,7 @@ NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx,
> 		}
> 
> 		init_sec_ace(new_ace, ptrustee, ace->type,
>-			     ace->access_mask, new_flags);
>+			     ace->access_mask, new_flags, &ace->object);
> 
> 		DEBUG(5, ("se_create_child_secdesc(): %s:%d/0x%02x/0x%08x "
> 			  " inherited as %s:%d/0x%02x/0x%08x\n",
>diff --git a/source3/lib/sharesec.c b/source3/lib/sharesec.c
>index 799d983..75defa5 100644
>--- a/source3/lib/sharesec.c
>+++ b/source3/lib/sharesec.c
>@@ -133,7 +133,7 @@ SEC_DESC *get_share_security_default( TALLOC_CTX *ctx, size_t *psize, uint32 def
> 	se_map_generic(&spec_access, &file_generic_mapping);
> 
> 	sa = (def_access | spec_access );
>-	init_sec_ace(&ace, &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, sa, 0);
>+	init_sec_ace(&ace, &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, sa, 0, NULL);
> 
> 	if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 1, &ace)) != NULL) {
> 		psd = make_sec_desc(ctx, SECURITY_DESCRIPTOR_REVISION_1,
>@@ -384,7 +384,7 @@ bool parse_usershare_acl(TALLOC_CTX *ctx, const char *acl_str, SEC_DESC **ppsd)
> 
> 		se_map_generic(&s_access, &file_generic_mapping);
> 		sa = (g_access | s_access);
>-		init_sec_ace(&ace_list[i], &sid, type, sa, 0);
>+		init_sec_ace(&ace_list[i], &sid, type, sa, 0, NULL);
> 	}
> 
> 	if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, num_aces, ace_list)) != NULL) {
>diff --git a/source3/lib/util_seaccess.c b/source3/lib/util_seaccess.c
>index 058bf32..06e2fbe 100644
>--- a/source3/lib/util_seaccess.c
>+++ b/source3/lib/util_seaccess.c
>@@ -262,13 +262,15 @@ NTSTATUS samr_make_sam_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size)
> 
> 	/*basic access for every one*/
> 	init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
>-		GENERIC_RIGHTS_SAM_EXECUTE | GENERIC_RIGHTS_SAM_READ, 0);
>+		GENERIC_RIGHTS_SAM_EXECUTE | GENERIC_RIGHTS_SAM_READ, 0, NULL);
> 
> 	/*full access for builtin aliases Administrators and Account Operators*/
> 	init_sec_ace(&ace[1], &adm_sid,
>-		SEC_ACE_TYPE_ACCESS_ALLOWED, GENERIC_RIGHTS_SAM_ALL_ACCESS, 0);
>+		SEC_ACE_TYPE_ACCESS_ALLOWED, GENERIC_RIGHTS_SAM_ALL_ACCESS, 0,
>+		NULL);
> 	init_sec_ace(&ace[2], &act_sid,
>-		SEC_ACE_TYPE_ACCESS_ALLOWED, GENERIC_RIGHTS_SAM_ALL_ACCESS, 0);
>+		SEC_ACE_TYPE_ACCESS_ALLOWED, GENERIC_RIGHTS_SAM_ALL_ACCESS, 0,
>+		NULL);
> 
> 	if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 3, ace)) == NULL)
> 		return NT_STATUS_NO_MEMORY;
>diff --git a/source3/libgpo/gpo_reg.c b/source3/libgpo/gpo_reg.c
>index 9367bca..4bd6edb 100644
>--- a/source3/libgpo/gpo_reg.c
>+++ b/source3/libgpo/gpo_reg.c
>@@ -699,19 +699,19 @@ static WERROR gp_reg_generate_sd(TALLOC_CTX *mem_ctx,
> 	init_sec_ace(&ace[0],
> 		     &global_sid_System,
> 		     SEC_ACE_TYPE_ACCESS_ALLOWED,
>-		     mask, 0);
>+		     mask, 0, NULL);
> 
> 	mask = REG_KEY_ALL;
> 	init_sec_ace(&ace[1],
> 		     &global_sid_Builtin_Administrators,
> 		     SEC_ACE_TYPE_ACCESS_ALLOWED,
>-		     mask, 0);
>+		     mask, 0, NULL);
> 
> 	mask = REG_KEY_READ;
> 	init_sec_ace(&ace[2],
> 		     sid ? sid : &global_sid_Authenticated_Users,
> 		     SEC_ACE_TYPE_ACCESS_ALLOWED,
>-		     mask, 0);
>+		     mask, 0, NULL);
> 
> 	inherit_flags = SEC_ACE_FLAG_OBJECT_INHERIT |
> 			SEC_ACE_FLAG_CONTAINER_INHERIT |
>@@ -721,19 +721,19 @@ static WERROR gp_reg_generate_sd(TALLOC_CTX *mem_ctx,
> 	init_sec_ace(&ace[3],
> 		     &global_sid_System,
> 		     SEC_ACE_TYPE_ACCESS_ALLOWED,
>-		     mask, inherit_flags);
>+		     mask, inherit_flags, NULL);
> 
> 	mask = REG_KEY_ALL;
> 	init_sec_ace(&ace[4],
> 		     &global_sid_Builtin_Administrators,
> 		     SEC_ACE_TYPE_ACCESS_ALLOWED,
>-		     mask, inherit_flags);
>+		     mask, inherit_flags, NULL);
> 
> 	mask = REG_KEY_READ;
> 	init_sec_ace(&ace[5],
> 		     sid ? sid : &global_sid_Authenticated_Users,
> 		     SEC_ACE_TYPE_ACCESS_ALLOWED,
>-		     mask, inherit_flags);
>+		     mask, inherit_flags, NULL);
> 
> 	theacl = make_sec_acl(mem_ctx, NT4_ACL_REVISION, 6, ace);
> 	W_ERROR_HAVE_NO_MEMORY(theacl);
>diff --git a/source3/libsmb/libsmb_xattr.c b/source3/libsmb/libsmb_xattr.c
>index 0e2ffda..a530264 100644
>--- a/source3/libsmb/libsmb_xattr.c
>+++ b/source3/libsmb/libsmb_xattr.c
>@@ -385,7 +385,7 @@ parse_ace(struct cli_state *ipc_cli,
>         
> done:
> 	mask = amask;
>-	init_sec_ace(ace, &sid, atype, mask, aflags);
>+	init_sec_ace(ace, &sid, atype, mask, aflags, NULL);
> 	TALLOC_FREE(frame);
> 	return true;
> }
>diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c
>index ecc889a..ba1a606 100644
>--- a/source3/modules/vfs_acl_common.c
>+++ b/source3/modules/vfs_acl_common.c
>@@ -212,7 +212,8 @@ static void add_directory_inheritable_components(vfs_handle_struct *handle,
> 			access_mask,
> 			SEC_ACE_FLAG_CONTAINER_INHERIT|
> 				SEC_ACE_FLAG_OBJECT_INHERIT|
>-				SEC_ACE_FLAG_INHERIT_ONLY);
>+				SEC_ACE_FLAG_INHERIT_ONLY,
>+			NULL);
> 	access_mask = map_canon_ace_perms(SNUM(conn), &acltype,
> 				(mode << 3) & 0700, false);
> 	init_sec_ace(&new_ace_list[num_aces+1],
>@@ -221,7 +222,8 @@ static void add_directory_inheritable_components(vfs_handle_struct *handle,
> 			access_mask,
> 			SEC_ACE_FLAG_CONTAINER_INHERIT|
> 				SEC_ACE_FLAG_OBJECT_INHERIT|
>-				SEC_ACE_FLAG_INHERIT_ONLY);
>+				SEC_ACE_FLAG_INHERIT_ONLY,
>+			NULL);
> 	access_mask = map_canon_ace_perms(SNUM(conn), &acltype,
> 				(mode << 6) & 0700, false);
> 	init_sec_ace(&new_ace_list[num_aces+2],
>@@ -230,7 +232,8 @@ static void add_directory_inheritable_components(vfs_handle_struct *handle,
> 			access_mask,
> 			SEC_ACE_FLAG_CONTAINER_INHERIT|
> 				SEC_ACE_FLAG_OBJECT_INHERIT|
>-				SEC_ACE_FLAG_INHERIT_ONLY);
>+				SEC_ACE_FLAG_INHERIT_ONLY,
>+			NULL);
> 	psd->dacl->aces = new_ace_list;
> 	psd->dacl->num_aces += 3;
> }
>diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c
>index beaa9e5..7723654 100644
>--- a/source3/printing/nt_printing.c
>+++ b/source3/printing/nt_printing.c
>@@ -5403,7 +5403,7 @@ static SEC_DESC_BUF *construct_default_printer_sdb(TALLOC_CTX *ctx)
> 
> 	sa = PRINTER_ACE_PRINT;
> 	init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
>-		     sa, SEC_ACE_FLAG_CONTAINER_INHERIT);
>+		     sa, SEC_ACE_FLAG_CONTAINER_INHERIT, NULL);
> 
> 	/* Add the domain admins group if we are a DC */
> 
>@@ -5416,9 +5416,11 @@ static SEC_DESC_BUF *construct_default_printer_sdb(TALLOC_CTX *ctx)
> 		sa = PRINTER_ACE_FULL_CONTROL;
> 		init_sec_ace(&ace[i++], &domadmins_sid,
> 			SEC_ACE_TYPE_ACCESS_ALLOWED, sa,
>-			SEC_ACE_FLAG_OBJECT_INHERIT | SEC_ACE_FLAG_INHERIT_ONLY);
>+			SEC_ACE_FLAG_OBJECT_INHERIT | SEC_ACE_FLAG_INHERIT_ONLY,
>+			NULL);
> 		init_sec_ace(&ace[i++], &domadmins_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
>-			sa, SEC_ACE_FLAG_CONTAINER_INHERIT);
>+			sa, SEC_ACE_FLAG_CONTAINER_INHERIT,
>+			NULL);
> 	}
> 	else if (secrets_fetch_domain_sid(lp_workgroup(), &adm_sid)) {
> 		sid_append_rid(&adm_sid, DOMAIN_USER_RID_ADMIN);
>@@ -5426,9 +5428,10 @@ static SEC_DESC_BUF *construct_default_printer_sdb(TALLOC_CTX *ctx)
> 		sa = PRINTER_ACE_FULL_CONTROL;
> 		init_sec_ace(&ace[i++], &adm_sid,
> 			SEC_ACE_TYPE_ACCESS_ALLOWED, sa,
>-			SEC_ACE_FLAG_OBJECT_INHERIT | SEC_ACE_FLAG_INHERIT_ONLY);
>+			SEC_ACE_FLAG_OBJECT_INHERIT | SEC_ACE_FLAG_INHERIT_ONLY,
>+			NULL);
> 		init_sec_ace(&ace[i++], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
>-			sa, SEC_ACE_FLAG_CONTAINER_INHERIT);
>+			sa, SEC_ACE_FLAG_CONTAINER_INHERIT, NULL);
> 	}
> 
> 	/* add BUILTIN\Administrators as FULL CONTROL */
>@@ -5436,10 +5439,10 @@ static SEC_DESC_BUF *construct_default_printer_sdb(TALLOC_CTX *ctx)
> 	sa = PRINTER_ACE_FULL_CONTROL;
> 	init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
> 		SEC_ACE_TYPE_ACCESS_ALLOWED, sa,
>-		SEC_ACE_FLAG_OBJECT_INHERIT | SEC_ACE_FLAG_INHERIT_ONLY);
>+		SEC_ACE_FLAG_OBJECT_INHERIT | SEC_ACE_FLAG_INHERIT_ONLY, NULL);
> 	init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
> 		SEC_ACE_TYPE_ACCESS_ALLOWED,
>-		sa, SEC_ACE_FLAG_CONTAINER_INHERIT);
>+		sa, SEC_ACE_FLAG_CONTAINER_INHERIT, NULL);
> 
> 	/* Make the security descriptor owned by the BUILTIN\Administrators */
> 
>diff --git a/source3/registry/reg_dispatcher.c b/source3/registry/reg_dispatcher.c
>index cc6d95f..b4f311b 100644
>--- a/source3/registry/reg_dispatcher.c
>+++ b/source3/registry/reg_dispatcher.c
>@@ -45,17 +45,17 @@ static WERROR construct_registry_sd(TALLOC_CTX *ctx, SEC_DESC **psd)
> 	/* basic access for Everyone */
> 
> 	init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
>-		     REG_KEY_READ, 0);
>+		     REG_KEY_READ, 0, NULL);
> 
> 	/* Full Access 'BUILTIN\Administrators' */
> 
> 	init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
>-		     SEC_ACE_TYPE_ACCESS_ALLOWED, REG_KEY_ALL, 0);
>+		     SEC_ACE_TYPE_ACCESS_ALLOWED, REG_KEY_ALL, 0, NULL);
> 
> 	/* Full Access 'NT Authority\System' */
> 
> 	init_sec_ace(&ace[i++], &global_sid_System, SEC_ACE_TYPE_ACCESS_ALLOWED,
>-		     REG_KEY_ALL, 0);
>+		     REG_KEY_ALL, 0, NULL);
> 
> 	/* create the security descriptor */
> 
>diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c
>index e903f0e..f5e5fb5 100644
>--- a/source3/rpc_server/srv_lsa_nt.c
>+++ b/source3/rpc_server/srv_lsa_nt.c
>@@ -325,26 +325,26 @@ static NTSTATUS make_lsa_object_sd(TALLOC_CTX *mem_ctx, SEC_DESC **sd, size_t *s
> 	/* READ|EXECUTE access for Everyone */
> 
> 	init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
>-			map->generic_execute | map->generic_read, 0);
>+			map->generic_execute | map->generic_read, 0, NULL);
> 
> 	/* Add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
> 
> 	init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
>-			SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
>+			SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0, NULL);
> 	init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators,
>-			SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
>+			SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0, NULL);
> 
> 	/* Add Full Access for Domain Admins */
> 	sid_copy(&adm_sid, get_global_sam_sid());
> 	sid_append_rid(&adm_sid, DOMAIN_GROUP_RID_ADMINS);
> 	init_sec_ace(&ace[i++], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
>-			map->generic_all, 0);
>+			map->generic_all, 0, NULL);
> 
> 	/* If we have a sid, give it some special access */
> 
> 	if (sid) {
> 		init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
>-			sid_access, 0);
>+			sid_access, 0, NULL);
> 	}
> 
> 	if((psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION, i, ace)) == NULL)
>diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
>index 487fb3d..870a9ab 100644
>--- a/source3/rpc_server/srv_samr_nt.c
>+++ b/source3/rpc_server/srv_samr_nt.c
>@@ -133,14 +133,14 @@ static NTSTATUS make_samr_object_sd( TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd
> 	/* basic access for Everyone */
> 
> 	init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
>-			map->generic_execute | map->generic_read, 0);
>+			map->generic_execute | map->generic_read, 0, NULL);
> 
> 	/* add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
> 
> 	init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
>-			SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
>+			SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0, NULL);
> 	init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators,
>-			SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
>+			SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0, NULL);
> 
> 	/* Add Full Access for Domain Admins if we are a DC */
> 
>@@ -148,13 +148,13 @@ static NTSTATUS make_samr_object_sd( TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd
> 		sid_copy( &domadmin_sid, get_global_sam_sid() );
> 		sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS );
> 		init_sec_ace(&ace[i++], &domadmin_sid,
>-			SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
>+			SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0, NULL);
> 	}
> 
> 	/* if we have a sid, give it some special access */
> 
> 	if ( sid ) {
>-		init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED, sid_access, 0);
>+		init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED, sid_access, 0, NULL);
> 	}
> 
> 	/* create the security descriptor */
>diff --git a/source3/rpc_server/srv_svcctl_nt.c b/source3/rpc_server/srv_svcctl_nt.c
>index 26dc09e..5f66483 100644
>--- a/source3/rpc_server/srv_svcctl_nt.c
>+++ b/source3/rpc_server/srv_svcctl_nt.c
>@@ -144,12 +144,12 @@ static SEC_DESC* construct_scm_sd( TALLOC_CTX *ctx )
> 	/* basic access for Everyone */
> 
> 	init_sec_ace(&ace[i++], &global_sid_World,
>-		SEC_ACE_TYPE_ACCESS_ALLOWED, SC_MANAGER_READ_ACCESS, 0);
>+		SEC_ACE_TYPE_ACCESS_ALLOWED, SC_MANAGER_READ_ACCESS, 0, NULL);
> 
> 	/* Full Access 'BUILTIN\Administrators' */
> 
> 	init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
>-		SEC_ACE_TYPE_ACCESS_ALLOWED, SC_MANAGER_ALL_ACCESS, 0);
>+		SEC_ACE_TYPE_ACCESS_ALLOWED, SC_MANAGER_ALL_ACCESS, 0, NULL);
> 
> 
> 	/* create the security descriptor */
>diff --git a/source3/services/services_db.c b/source3/services/services_db.c
>index b610c92..967ba6f 100644
>--- a/source3/services/services_db.c
>+++ b/source3/services/services_db.c
>@@ -97,15 +97,16 @@ static SEC_DESC* construct_service_sd( TALLOC_CTX *ctx )
> 	/* basic access for Everyone */
> 
> 	init_sec_ace(&ace[i++], &global_sid_World,
>-		SEC_ACE_TYPE_ACCESS_ALLOWED, SERVICE_READ_ACCESS, 0);
>+		SEC_ACE_TYPE_ACCESS_ALLOWED, SERVICE_READ_ACCESS, 0, NULL);
> 
> 	init_sec_ace(&ace[i++], &global_sid_Builtin_Power_Users,
>-			SEC_ACE_TYPE_ACCESS_ALLOWED, SERVICE_EXECUTE_ACCESS, 0);
>+			SEC_ACE_TYPE_ACCESS_ALLOWED, SERVICE_EXECUTE_ACCESS, 0,
>+			NULL);
> 
> 	init_sec_ace(&ace[i++], &global_sid_Builtin_Server_Operators,
>-		SEC_ACE_TYPE_ACCESS_ALLOWED, SERVICE_ALL_ACCESS, 0);
>+		SEC_ACE_TYPE_ACCESS_ALLOWED, SERVICE_ALL_ACCESS, 0, NULL);
> 	init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
>-		SEC_ACE_TYPE_ACCESS_ALLOWED, SERVICE_ALL_ACCESS, 0);
>+		SEC_ACE_TYPE_ACCESS_ALLOWED, SERVICE_ALL_ACCESS, 0, NULL);
> 
> 	/* create the security descriptor */
> 
>diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
>index 555f9c0..0f28ff7 100644
>--- a/source3/smbd/posix_acls.c
>+++ b/source3/smbd/posix_acls.c
>@@ -3072,7 +3072,7 @@ static void add_or_replace_ace(SEC_ACE *nt_ace_list, size_t *num_aces,
> 	}
> 
> 	/* not found, append it */
>-	init_sec_ace(&nt_ace_list[(*num_aces)++], sid, type, mask, flags);
>+	init_sec_ace(&nt_ace_list[(*num_aces)++], sid, type, mask, flags, NULL);
> }
> 
> 
>@@ -3233,7 +3233,8 @@ static NTSTATUS posix_get_nt_acl_common(struct connection_struct *conn,
> 					&ace->trustee,
> 					nt_acl_type,
> 					acc,
>-					ace->ace_flags);
>+					ace->ace_flags,
>+					NULL);
> 			}
> 
> 			/* The User must have access to a profile share - even
>@@ -3257,7 +3258,8 @@ static NTSTATUS posix_get_nt_acl_common(struct connection_struct *conn,
> 					ace->ace_flags |
> 					SEC_ACE_FLAG_OBJECT_INHERIT|
> 					SEC_ACE_FLAG_CONTAINER_INHERIT|
>-					SEC_ACE_FLAG_INHERIT_ONLY);
>+					SEC_ACE_FLAG_INHERIT_ONLY,
>+					NULL);
> 			}
> 
> 			/* The User must have access to a profile share - even
>@@ -3862,17 +3864,20 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const SEC_DESC
> 				&file_owner_sid,
> 				SEC_ACE_TYPE_ACCESS_ALLOWED,
> 				GENERIC_ALL_ACCESS,
>-				0);
>+				0,
>+				NULL);
> 		init_sec_ace(&ace[1],
> 				&file_grp_sid,
> 				SEC_ACE_TYPE_ACCESS_ALLOWED,
> 				GENERIC_ALL_ACCESS,
>-				0);
>+				0,
>+				NULL);
> 		init_sec_ace(&ace[2],
> 				&global_sid_World,
> 				SEC_ACE_TYPE_ACCESS_ALLOWED,
> 				GENERIC_ALL_ACCESS,
>-				0);
>+				0,
>+				NULL);
> 		psd->dacl = make_sec_acl(talloc_tos(),
> 					NT4_ACL_REVISION,
> 					3,
>@@ -4772,7 +4777,8 @@ NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx,
> 			&owner_sid,
> 			SEC_ACE_TYPE_ACCESS_ALLOWED,
> 			access_mask,
>-			0);
>+			0,
>+			NULL);
> 	idx++;
> 
> 	access_mask = 0;
>@@ -4788,7 +4794,8 @@ NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx,
> 			&group_sid,
> 			SEC_ACE_TYPE_ACCESS_ALLOWED,
> 			access_mask,
>-			0);
>+			0,
>+			NULL);
> 		idx++;
> 	}
> 
>@@ -4804,7 +4811,8 @@ NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx,
> 			&global_sid_World,
> 			SEC_ACE_TYPE_ACCESS_ALLOWED,
> 			access_mask,
>-			0);
>+			0,
>+			NULL);
> 		idx++;
> 	}
> 
>@@ -4812,7 +4820,8 @@ NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx,
> 			&global_sid_System,
> 			SEC_ACE_TYPE_ACCESS_ALLOWED,
> 			SEC_RIGHTS_FILE_ALL,
>-			0);
>+			0,
>+			NULL);
> 	idx++;
> 
> 	new_dacl = make_sec_acl(ctx,
>diff --git a/source3/utils/sharesec.c b/source3/utils/sharesec.c
>index 4be77ec..756ab28 100644
>--- a/source3/utils/sharesec.c
>+++ b/source3/utils/sharesec.c
>@@ -284,7 +284,7 @@ static bool parse_ace(SEC_ACE *ace, const char *orig_str)
> 
>  done:
> 	mask = amask;
>-	init_sec_ace(ace, &sid, atype, mask, aflags);
>+	init_sec_ace(ace, &sid, atype, mask, aflags, NULL);
> 	SAFE_FREE(str);
> 	TALLOC_FREE(frame);
> 	return True;
>diff --git a/source3/utils/smbcacls.c b/source3/utils/smbcacls.c
>index eefe4fe..b09d5d8 100644
>--- a/source3/utils/smbcacls.c
>+++ b/source3/utils/smbcacls.c
>@@ -520,7 +520,7 @@ static bool parse_ace(struct cli_state *cli, SEC_ACE *ace,
> 
>  done:
> 	mask = amask;
>-	init_sec_ace(ace, &sid, atype, mask, aflags);
>+	init_sec_ace(ace, &sid, atype, mask, aflags, NULL);
> 	TALLOC_FREE(frame);
> 	SAFE_FREE(str);
> 	return True;

Actions: View

Attachments on bug 9821: 8798 | 8799 | 8800 | 8808