search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
smbd: Save 3 lines
[Samba.git] / libcli / security / create_descriptor.c
blob4db23bede184f9d2ef68bc0a732a99e54e3e6267
1 /*
2 Copyright (C) Nadezhda Ivanova 2009
3
4 This program is free software; you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation; either version 3 of the License, or
7 (at your option) any later version.
8
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
13
14 You should have received a copy of the GNU General Public License
15 along with this program. If not, see <http://www.gnu.org/licenses/>.
16 */
17
18 /*
19 * Name: create_descriptor
20 *
21 * Component: routines for calculating and creating security descriptors
22 * as described in MS-DTYP 2.5.3.x
23 *
24 * Description:
25 *
26 *
27 * Author: Nadezhda Ivanova
28 */
29 #include "replace.h"
30 #include "lib/util/debug.h"
31 #include "libcli/security/security.h"
32 #include "librpc/gen_ndr/ndr_security.h"
33
34 /* Todos:
35 * build the security token dacl as follows:
36 * SYSTEM: GA, OWNER: GA, LOGIN_SID:GW|GE
37 * Need session id information for the login SID. Probably
38 * the best place for this is during token creation
39 *
40 * Implement SD Invariants
41 * ACE sorting rules
42 * LDAP_SERVER_SD_FLAGS_OID control
43 * ADTS 7.1.3.3 needs to be clarified
44 */
45
46 /* the mapping function for generic rights for DS.(GA,GR,GW,GX)
47 * The mapping function is passed as an argument to the
48 * descriptor calculating routine and depends on the security
49 * manager that calls the calculating routine.
50 * TODO: need similar mappings for the file system and
51 * registry security managers in order to make this code
52 * generic for all security managers
53 */
54
55 uint32_t map_generic_rights_ds(uint32_t access_mask)
56 {
57 if (access_mask & SEC_GENERIC_ALL) {
58 access_mask |= SEC_ADS_GENERIC_ALL;
59 access_mask &= ~SEC_GENERIC_ALL;
60 }
61
62 if (access_mask & SEC_GENERIC_EXECUTE) {
63 access_mask |= SEC_ADS_GENERIC_EXECUTE;
64 access_mask &= ~SEC_GENERIC_EXECUTE;
65 }
66
67 if (access_mask & SEC_GENERIC_WRITE) {
68 access_mask |= SEC_ADS_GENERIC_WRITE;
69 access_mask &= ~SEC_GENERIC_WRITE;
70 }
71
72 if (access_mask & SEC_GENERIC_READ) {
73 access_mask |= SEC_ADS_GENERIC_READ;
74 access_mask &= ~SEC_GENERIC_READ;
75 }
76
77 return access_mask;
78 }
79
80 /* Not sure what this has to be,
81 * and it does not seem to have any influence */
82 static bool object_in_list(const struct GUID *object_list, const struct GUID *object)
83 {
84 size_t i;
85
86 if (object_list == NULL) {
87 return true;
88 }
89
90 if (GUID_all_zero(object)) {
91 return true;
92 }
93
94 for (i=0; ; i++) {
95 if (GUID_all_zero(&object_list[i])) {
96 return false;
97 }
98 if (!GUID_equal(&object_list[i], object)) {
99 continue;
100 }
101
102 return true;
103 }
104
105 return false;
106 }
107
108 /* returns true if the ACE gontains generic information
109 * that needs to be processed additionally */
110
111 static bool desc_ace_has_generic(const struct security_ace *ace)
112 {
113 if (ace->access_mask & SEC_GENERIC_ALL || ace->access_mask & SEC_GENERIC_READ ||
114 ace->access_mask & SEC_GENERIC_WRITE || ace->access_mask & SEC_GENERIC_EXECUTE) {
115 return true;
116 }
117 if (dom_sid_equal(&ace->trustee, &global_sid_Creator_Owner) ||
118 dom_sid_equal(&ace->trustee, &global_sid_Creator_Group)) {
119 return true;
120 }
121 return false;
122 }
123
124 /* creates an ace in which the generic information is expanded */
125
126 static void desc_expand_generic(struct security_ace *new_ace,
127 struct dom_sid *owner,
128 struct dom_sid *group)
129 {
130 new_ace->access_mask = map_generic_rights_ds(new_ace->access_mask);
131 if (dom_sid_equal(&new_ace->trustee, &global_sid_Creator_Owner)) {
132 new_ace->trustee = *owner;
133 }
134 if (dom_sid_equal(&new_ace->trustee, &global_sid_Creator_Group)) {
135 new_ace->trustee = *group;
136 }
137 new_ace->flags = 0x0;
138 }
139
140 static struct security_acl *calculate_inherited_from_parent(TALLOC_CTX *mem_ctx,
141 struct security_acl *acl,
142 bool is_container,
143 struct dom_sid *owner,
144 struct dom_sid *group,
145 struct GUID *object_list)
146 {
147 uint32_t i;
148 struct security_acl *tmp_acl = NULL;
149
150 if (!acl) {
151 return NULL;
152 }
153 tmp_acl = talloc_zero(mem_ctx, struct security_acl);
154 if (!tmp_acl) {
155 return NULL;
156 }
157
158 for (i=0; i < acl->num_aces; i++) {
159 const struct security_ace *ace = &acl->aces[i];
160 const struct GUID *inherited_object = NULL;
161 const struct GUID *inherited_property = NULL;
162 struct security_ace *tmp_ace = NULL;
163 bool applies = false;
164 bool inherited_only = false;
165 bool expand_ace = false;
166 bool expand_only = false;
167
168 if (is_container && (ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT)) {
169 applies = true;
170 } else if (!is_container && (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT)) {
171 applies = true;
172 }
173
174 if (!applies) {
175 /*
176 * If the ace doesn't apply to the
177 * current node, we should only keep
178 * it as SEC_ACE_FLAG_OBJECT_INHERIT
179 * on a container. We'll add
180 * SEC_ACE_FLAG_INHERITED_ACE
181 * and SEC_ACE_FLAG_INHERIT_ONLY below.
182 *
183 * Otherwise we should completely ignore it.
184 */
185 if (!(ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT)) {
186 continue;
187 }
188 }
189
190 switch (ace->type) {
191 case SEC_ACE_TYPE_ACCESS_ALLOWED:
192 case SEC_ACE_TYPE_ACCESS_DENIED:
193 case SEC_ACE_TYPE_SYSTEM_AUDIT:
194 case SEC_ACE_TYPE_SYSTEM_ALARM:
195 case SEC_ACE_TYPE_ALLOWED_COMPOUND:
196 break;
197
198 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
199 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
200 case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
201 case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
202 case SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK_OBJECT:
203 case SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK_OBJECT:
204 case SEC_ACE_TYPE_SYSTEM_AUDIT_CALLBACK_OBJECT:
205 if (ace->object.object.flags & SEC_ACE_OBJECT_TYPE_PRESENT) {
206 inherited_property = &ace->object.object.type.type;
207 }
208 if (ace->object.object.flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) {
209 inherited_object = &ace->object.object.inherited_type.inherited_type;
210 }
211
212 if (inherited_object != NULL && !object_in_list(object_list, inherited_object)) {
213 /*
214 * An explicit object class schemaId is given,
215 * but doesn't belong to the current object.
216 */
217 applies = false;
218 }
219
220 break;
221
222 case SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK:
223 case SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK:
224 case SEC_ACE_TYPE_SYSTEM_AUDIT_CALLBACK:
225 break;
226 case SEC_ACE_TYPE_SYSTEM_RESOURCE_ATTRIBUTE:
227 break;
228 case SEC_ACE_TYPE_SYSTEM_ALARM_CALLBACK:
229 case SEC_ACE_TYPE_SYSTEM_ALARM_CALLBACK_OBJECT:
230 case SEC_ACE_TYPE_SYSTEM_MANDATORY_LABEL:
231 case SEC_ACE_TYPE_SYSTEM_SCOPED_POLICY_ID:
232 default:
233 DBG_WARNING("ACE type %d is not handled\n", ace->type);
234 TALLOC_FREE(tmp_acl);
235 return NULL;
236 }
237
238 if (ace->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) {
239 if (!applies) {
240 /*
241 * If the ACE doesn't apply to
242 * the current object, we should
243 * ignore it as it should not be
244 * inherited any further
245 */
246 continue;
247 }
248 /*
249 * We should only keep the expanded version
250 * of the ACE on the current object.
251 */
252 expand_ace = true;
253 expand_only = true;
254 } else if (applies) {
255 /*
256 * We check if should also add
257 * the expanded version of the ACE
258 * in addition, in case we should
259 * expand generic access bits or
260 * special sids.
261 *
262 * In that case we need to
263 * keep the original ACE with
264 * SEC_ACE_FLAG_INHERIT_ONLY.
265 */
266 expand_ace = desc_ace_has_generic(ace);
267 if (expand_ace) {
268 inherited_only = true;
269 }
270 } else {
271 /*
272 * If the ACE doesn't apply
273 * to the current object,
274 * we need to keep it with
275 * SEC_ACE_FLAG_INHERIT_ONLY
276 * in order to apply them to
277 * grandchildren
278 */
279 inherited_only = true;
280 }
281
282 if (expand_ace) {
283 tmp_acl->aces = talloc_realloc(tmp_acl,
284 tmp_acl->aces,
285 struct security_ace,
286 tmp_acl->num_aces+1);
287 if (tmp_acl->aces == NULL) {
288 TALLOC_FREE(tmp_acl);
289 return NULL;
290 }
291
292 tmp_ace = &tmp_acl->aces[tmp_acl->num_aces];
293 tmp_acl->num_aces++;
294
295 *tmp_ace = *ace;
296
297 /*
298 * Expand generic access bits as well as special
299 * sids.
300 */
301 desc_expand_generic(tmp_ace, owner, group);
302
303 /*
304 * Expanded ACEs are marked as inherited,
305 * but never inherited any further to
306 * grandchildren.
307 */
308 tmp_ace->flags |= SEC_ACE_FLAG_INHERITED_ACE;
309 tmp_ace->flags &= ~SEC_ACE_FLAG_CONTAINER_INHERIT;
310 tmp_ace->flags &= ~SEC_ACE_FLAG_OBJECT_INHERIT;
311 tmp_ace->flags &= ~SEC_ACE_FLAG_NO_PROPAGATE_INHERIT;
312
313 /*
314 * Expanded ACEs never have an explicit
315 * object class schemaId, so clear it
316 * if present.
317 */
318 if (inherited_object != NULL) {
319 tmp_ace->object.object.flags &= ~SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT;
320 }
321
322 /*
323 * If the ACE had an explicit object class
324 * schemaId, but no attribute/propertySet
325 * we need to downgrade the _OBJECT variants
326 * to the normal ones.
327 */
328 if (inherited_property == NULL) {
329 switch (tmp_ace->type) {
330 case SEC_ACE_TYPE_ACCESS_ALLOWED:
331 case SEC_ACE_TYPE_ACCESS_DENIED:
332 case SEC_ACE_TYPE_SYSTEM_AUDIT:
333 case SEC_ACE_TYPE_SYSTEM_ALARM:
334 case SEC_ACE_TYPE_ALLOWED_COMPOUND:
335 break;
336 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
337 tmp_ace->type = SEC_ACE_TYPE_ACCESS_ALLOWED;
338 break;
339 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
340 tmp_ace->type = SEC_ACE_TYPE_ACCESS_DENIED;
341 break;
342 case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
343 tmp_ace->type = SEC_ACE_TYPE_SYSTEM_ALARM;
344 break;
345 case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
346 tmp_ace->type = SEC_ACE_TYPE_SYSTEM_AUDIT;
347 break;
348 case SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK_OBJECT:
349 tmp_ace->type = SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK;
350 break;
351 case SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK_OBJECT:
352 tmp_ace->type = SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK;
353 break;
354 case SEC_ACE_TYPE_SYSTEM_AUDIT_CALLBACK_OBJECT:
355 tmp_ace->type = SEC_ACE_TYPE_SYSTEM_AUDIT_CALLBACK;
356 break;
357 default:
358 /*
359 * SEC_ACE_TYPE_SYSTEM_ALARM_CALLBACK_OBJECT
360 * is reserved.
361 */
362 break;
363 }
364 }
365
366 if (expand_only) {
367 continue;
368 }
369 }
370
371 tmp_acl->aces = talloc_realloc(tmp_acl,
372 tmp_acl->aces,
373 struct security_ace,
374 tmp_acl->num_aces+1);
375 if (tmp_acl->aces == NULL) {
376 TALLOC_FREE(tmp_acl);
377 return NULL;
378 }
379
380 tmp_ace = &tmp_acl->aces[tmp_acl->num_aces];
381 tmp_acl->num_aces++;
382
383 *tmp_ace = *ace;
384 tmp_ace->flags |= SEC_ACE_FLAG_INHERITED_ACE;
385
386 if (inherited_only) {
387 tmp_ace->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
388 } else {
389 tmp_ace->flags &= ~SEC_ACE_FLAG_INHERIT_ONLY;
390 }
391
392 if (ace->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) {
393 tmp_ace->flags &= ~SEC_ACE_FLAG_CONTAINER_INHERIT;
394 tmp_ace->flags &= ~SEC_ACE_FLAG_OBJECT_INHERIT;
395 tmp_ace->flags &= ~SEC_ACE_FLAG_NO_PROPAGATE_INHERIT;
396 }
397 }
398 if (tmp_acl->num_aces == 0) {
399 TALLOC_FREE(tmp_acl);
400 return NULL;
401 }
402 if (acl) {
403 tmp_acl->revision = acl->revision;
404 }
405 return tmp_acl;
406 }
407
408 static struct security_acl *process_user_acl(TALLOC_CTX *mem_ctx,
409 struct security_acl *acl,
410 bool is_container,
411 struct dom_sid *owner,
412 struct dom_sid *group,
413 struct GUID *object_list,
414 bool is_protected)
415 {
416 uint32_t i;
417 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
418 struct security_acl *tmp_acl = talloc_zero(tmp_ctx, struct security_acl);
419 struct security_acl *new_acl;
420
421 if (!acl)
422 return NULL;
423
424 if (!tmp_acl)
425 return NULL;
426
427 tmp_acl->revision = acl->revision;
428 DBG_DEBUG("acl revision %d\n", acl->revision);
429
430 for (i=0; i < acl->num_aces; i++){
431 struct security_ace *ace = &acl->aces[i];
432 /* Remove ID flags from user-provided ACEs
433 * if we break inheritance, ignore them otherwise */
434 if (ace->flags & SEC_ACE_FLAG_INHERITED_ACE) {
435 if (is_protected) {
436 ace->flags &= ~SEC_ACE_FLAG_INHERITED_ACE;
437 } else {
438 continue;
439 }
440 }
441
442 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY &&
443 !(ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT ||
444 ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT))
445 continue;
446
447 tmp_acl->aces = talloc_realloc(tmp_acl,
448 tmp_acl->aces,
449 struct security_ace,
450 tmp_acl->num_aces+1);
451 tmp_acl->aces[tmp_acl->num_aces] = *ace;
452 tmp_acl->num_aces++;
453 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
454 continue;
455 }
456 /* if the ACE contains CO, CG, GA, GE, GR or GW, and is inheritable
457 * it has to be expanded to two aces, the original as IO,
458 * and another one where these are translated */
459 if (desc_ace_has_generic(ace)) {
460 if (!(ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT)) {
461 desc_expand_generic(&tmp_acl->aces[tmp_acl->num_aces-1],
462 owner,
463 group);
464 } else {
465 /*The original ACE becomes read only */
466 tmp_acl->aces[tmp_acl->num_aces-1].flags |= SEC_ACE_FLAG_INHERIT_ONLY;
467 tmp_acl->aces = talloc_realloc(tmp_acl, tmp_acl->aces,
468 struct security_ace,
469 tmp_acl->num_aces+1);
470 /* add a new ACE with expanded generic info */
471 tmp_acl->aces[tmp_acl->num_aces] = *ace;
472 desc_expand_generic(&tmp_acl->aces[tmp_acl->num_aces],
473 owner,
474 group);
475 tmp_acl->num_aces++;
476 }
477 }
478 }
479 new_acl = security_acl_dup(mem_ctx,tmp_acl);
480
481 if (new_acl)
482 new_acl->revision = acl->revision;
483
484 talloc_free(tmp_ctx);
485 return new_acl;
486 }
487
488 static void cr_descr_log_descriptor(struct security_descriptor *sd,
489 const char *message,
490 int level)
491 {
492 if (sd) {
493 DEBUG(level,("%s: %s\n", message,
494 ndr_print_struct_string(0,(ndr_print_fn_t)ndr_print_security_descriptor,
495 "", sd)));
496 }
497 else {
498 DEBUG(level,("%s: NULL\n", message));
499 }
500 }
501
502 #if 0
503 static void cr_descr_log_acl(struct security_acl *acl,
504 const char *message,
505 int level)
506 {
507 if (acl) {
508 DEBUG(level,("%s: %s\n", message,
509 ndr_print_struct_string(0,(ndr_print_fn_t)ndr_print_security_acl,
510 "", acl)));
511 }
512 else {
513 DEBUG(level,("%s: NULL\n", message));
514 }
515 }
516 #endif
517
518 static bool compute_acl(struct security_descriptor *parent_sd,
519 struct security_descriptor *creator_sd,
520 bool is_container,
521 uint32_t inherit_flags,
522 struct GUID *object_list,
523 uint32_t (*generic_map)(uint32_t access_mask),
524 struct security_token *token,
525 struct security_descriptor *new_sd) /* INOUT argument */
526 {
527 struct security_acl *user_dacl, *user_sacl, *inherited_dacl, *inherited_sacl;
528 int level = 10;
529
530 if (!parent_sd || !(inherit_flags & SEC_DACL_AUTO_INHERIT)) {
531 inherited_dacl = NULL;
532 } else if (creator_sd && (creator_sd->type & SEC_DESC_DACL_PROTECTED)) {
533 inherited_dacl = NULL;
534 } else {
535 inherited_dacl = calculate_inherited_from_parent(new_sd,
536 parent_sd->dacl,
537 is_container,
538 new_sd->owner_sid,
539 new_sd->group_sid,
540 object_list);
541 }
542
543
544 if (!parent_sd || !(inherit_flags & SEC_SACL_AUTO_INHERIT)) {
545 inherited_sacl = NULL;
546 } else if (creator_sd && (creator_sd->type & SEC_DESC_SACL_PROTECTED)) {
547 inherited_sacl = NULL;
548 } else {
549 inherited_sacl = calculate_inherited_from_parent(new_sd,
550 parent_sd->sacl,
551 is_container,
552 new_sd->owner_sid,
553 new_sd->group_sid,
554 object_list);
555 }
556
557 if (!creator_sd || (inherit_flags & SEC_DEFAULT_DESCRIPTOR)) {
558 user_dacl = NULL;
559 user_sacl = NULL;
560 } else {
561 user_dacl = process_user_acl(new_sd,
562 creator_sd->dacl,
563 is_container,
564 new_sd->owner_sid,
565 new_sd->group_sid,
566 object_list,
567 creator_sd->type & SEC_DESC_DACL_PROTECTED);
568 user_sacl = process_user_acl(new_sd,
569 creator_sd->sacl,
570 is_container,
571 new_sd->owner_sid,
572 new_sd->group_sid,
573 object_list,
574 creator_sd->type & SEC_DESC_SACL_PROTECTED);
575 }
576 cr_descr_log_descriptor(parent_sd, __location__"parent_sd", level);
577 cr_descr_log_descriptor(creator_sd,__location__ "creator_sd", level);
578
579 new_sd->dacl = security_acl_concatenate(new_sd, user_dacl, inherited_dacl);
580 if (new_sd->dacl) {
581 new_sd->type |= SEC_DESC_DACL_PRESENT;
582 }
583 if (inherited_dacl) {
584 new_sd->type |= SEC_DESC_DACL_AUTO_INHERITED;
585 }
586
587 new_sd->sacl = security_acl_concatenate(new_sd, user_sacl, inherited_sacl);
588 if (new_sd->sacl) {
589 new_sd->type |= SEC_DESC_SACL_PRESENT;
590 }
591 if (inherited_sacl) {
592 new_sd->type |= SEC_DESC_SACL_AUTO_INHERITED;
593 }
594 /* This is a hack to handle the fact that
595 * apprantly any AI flag provided by the user is preserved */
596 if (creator_sd)
597 new_sd->type |= creator_sd->type;
598 cr_descr_log_descriptor(new_sd, __location__"final sd", level);
599 return true;
600 }
601
602 struct security_descriptor *create_security_descriptor(TALLOC_CTX *mem_ctx,
603 struct security_descriptor *parent_sd,
604 struct security_descriptor *creator_sd,
605 bool is_container,
606 struct GUID *object_list,
607 uint32_t inherit_flags,
608 struct security_token *token,
609 struct dom_sid *default_owner, /* valid only for DS, NULL for the other RSs */
610 struct dom_sid *default_group, /* valid only for DS, NULL for the other RSs */
611 uint32_t (*generic_map)(uint32_t access_mask))
612 {
613 struct security_descriptor *new_sd;
614 struct dom_sid *new_owner = NULL;
615 struct dom_sid *new_group = NULL;
616
617 new_sd = security_descriptor_initialise(mem_ctx);
618 if (!new_sd) {
619 return NULL;
620 }
621
622 if (!creator_sd || !creator_sd->owner_sid) {
623 if ((inherit_flags & SEC_OWNER_FROM_PARENT) && parent_sd) {
624 new_owner = parent_sd->owner_sid;
625 } else if (!default_owner) {
626 new_owner = &token->sids[PRIMARY_USER_SID_INDEX];
627 } else {
628 new_owner = default_owner;
629 new_sd->type |= SEC_DESC_OWNER_DEFAULTED;
630 }
631 } else {
632 new_owner = creator_sd->owner_sid;
633 }
634
635 if (!creator_sd || !creator_sd->group_sid){
636 if ((inherit_flags & SEC_GROUP_FROM_PARENT) && parent_sd) {
637 new_group = parent_sd->group_sid;
638 } else if (!default_group && token->num_sids > PRIMARY_GROUP_SID_INDEX) {
639 new_group = &token->sids[PRIMARY_GROUP_SID_INDEX];
640 } else if (!default_group) {
641 /* This will happen only for anonymous, which has no other groups */
642 new_group = &token->sids[PRIMARY_USER_SID_INDEX];
643 } else {
644 new_group = default_group;
645 new_sd->type |= SEC_DESC_GROUP_DEFAULTED;
646 }
647 } else {
648 new_group = creator_sd->group_sid;
649 }
650
651 new_sd->owner_sid = talloc_memdup(new_sd, new_owner, sizeof(struct dom_sid));
652 new_sd->group_sid = talloc_memdup(new_sd, new_group, sizeof(struct dom_sid));
653 if (!new_sd->owner_sid || !new_sd->group_sid){
654 talloc_free(new_sd);
655 return NULL;
656 }
657
658 if (!compute_acl(parent_sd, creator_sd,
659 is_container, inherit_flags, object_list,
660 generic_map,token,new_sd)){
661 talloc_free(new_sd);
662 return NULL;
663 }
664
665 return new_sd;
666 }
Samba GIT mirror