The routine call_nt_transact_create() in smbd/nttrans.c will always apply the security descriptor if the 'params' block contains one, but this is not always correct. According to M$ documentation for CreateFile under the lpSecurityAttributes item:

"CreateFile ignores lpSecurityDescriptor when opening an existing file, but continues to use the other structure members."

So the routine should really check the smb_action and qualify the test on FILE_WAS_CREATED, in addition to the other tests. I have a patch which I'll attach once I submit this.
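The check proposed in the report above, shown as an added toy model in C; it is not Samba code and not the attached patch. Only the name FILE_WAS_CREATED comes from the report; the numeric values, the toy_* helpers and the SD strings are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Toy model only. FILE_WAS_CREATED is the name used in the report; the
 * numeric values and every toy_* name are assumptions for this sketch. */
enum { FILE_WAS_OPENED = 1, FILE_WAS_CREATED = 2 };

struct toy_file { int exists; char sd[32]; /* stand-in for a stored SD */ };

/* Open-or-create: reports whether the file already existed. */
static int toy_open_if(struct toy_file *f)
{
    if (f->exists)
        return FILE_WAS_OPENED;
    f->exists = 1;
    f->sd[0] = '\0';
    return FILE_WAS_CREATED;
}

/* checked == 0: apply the SD whenever the request carries one (reported behaviour).
 * checked == 1: also require that this call created the file (proposed check). */
static int toy_create(struct toy_file *f, const char *req_sd, int checked)
{
    int smb_action = toy_open_if(f);
    if (req_sd != NULL && (!checked || smb_action == FILE_WAS_CREATED))
        snprintf(f->sd, sizeof f->sd, "%s", req_sd);
    return smb_action;
}

/* Run one request carrying the constructed SD "requested-sd" and return the
 * SD stored afterwards. A pre-existing file starts with "original-sd". */
const char *sd_after_request(int preexisting, int checked)
{
    static struct toy_file f;
    memset(&f, 0, sizeof f);
    if (preexisting) {
        f.exists = 1;
        snprintf(f.sd, sizeof f.sd, "%s", "original-sd");
    }
    toy_create(&f, "requested-sd", checked);
    return f.sd;
}

int main(void)
{
    printf("existing, unchecked: %s\n", sd_after_request(1, 0));
    printf("existing, checked:   %s\n", sd_after_request(1, 1));
    printf("new file, checked:   %s\n", sd_after_request(0, 1));
    return 0;
}
```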
Created attachment 888
Check smb_action before applying SD

The patch includes some extra setup code for set_sd() if the underlying NT ACL code makes use of the granted access rights to determine if it can apply the SD. It may not apply to the standard code but I needed it for something I was working on.
Jeremy, please look at this when you get a chance.
Applied (finally!) - thanks. Jeremy.
Sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.