fix bug 15738
Under certain conditions (see https://bugzilla.samba.org/show_bug.cgi?id=15738), Windows was providing object allowed ACEs like this:

    aces: struct security_ace
        type : SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT (5)
        flags : 0x02 (2)
            0: SEC_ACE_FLAG_OBJECT_INHERIT
            1: SEC_ACE_FLAG_CONTAINER_INHERIT
            0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
            0: SEC_ACE_FLAG_INHERIT_ONLY
            0: SEC_ACE_FLAG_INHERITED_ACE
            0x02: SEC_ACE_FLAG_VALID_INHERIT (2)
            0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
            0: SEC_ACE_FLAG_FAILED_ACCESS
        size : 0x0048 (72)
        access_mask : 0x00000100 (256)
        object : union security_ace_object_ctr(case 1)
        object: struct security_ace_object
            flags : 0x00000001 (1)
                1: SEC_ACE_OBJECT_TYPE_PRESENT
                0: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT
            type : union security_ace_object_type(case 1)
            type : edacfd8f-ffb3-11d1-b41d-00a0c968f939
            inherited_type : union security_ace_object_inherited_type(case 0)
        trustee : S-1-5-11
        coda : union security_ace_coda(case 5)
        ignored : DATA_BLOB length=32
    [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
    [0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........

where we didn't cope with the ignored bit at the end.
With this patch, we do cope, but also we have tests.
Checklist
- Commits have Signed-off-by: with name/author being identical to the commit author
- (optional) This MR is just one part towards a larger feature.
- (optional, if backport required) Bugzilla bug filed and BUG: tag added
- Test suite updated with functionality tests
- Test suite updated with negative tests
- Documentation updated
- CI timeout is 3h or higher (see Settings/CICD/General pipelines/ Timeout)
Reviewer's checklist:
- There is a test suite reasonably covering new functionality or modifications
- Function naming, parameters, return values, types, etc., are consistent and according to README.Coding.md
- This feature/change has adequate documentation added
- No obvious mistakes in the code
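
The wire layout behind the dump in the description, as an added example (not part of this merge request and not Samba's code): a small Python parser for the MS-DTYP object ACE layout that keeps the bytes between the end of the trustee SID and the declared ACE size as the coda instead of rejecting them. The names parse_object_ace and sample_ace are hypothetical, and the sample bytes are constructed from the field values shown in the dump.

```python
# Added example; function names are hypothetical, not Samba's API.
import struct
import uuid

SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT = 5
OBJECT_GUIDS = (("type", 0x1), ("inherited_type", 0x2))  # object.flags bits


def parse_object_ace(buf):
    """Parse one ACCESS_ALLOWED_OBJECT ACE; return its fields as a dict."""
    if len(buf) < 4:
        raise ValueError("truncated ACE header")
    ace_type, ace_flags, size = struct.unpack_from("<BBH", buf, 0)
    if ace_type != SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
        raise ValueError("not an object allowed ACE")
    if size > len(buf):
        raise ValueError("ACE size runs past the buffer")
    pos = 4

    def take(n):
        # Every field must fit inside the ACE's own declared size.
        nonlocal pos
        if pos + n > size:
            raise ValueError("field runs past ACE size")
        pos += n
        return bytes(buf[pos - n:pos])

    access_mask, obj_flags = struct.unpack("<II", take(8))
    ace = {"flags": ace_flags, "size": size, "access_mask": access_mask}
    for name, bit in OBJECT_GUIDS:
        if obj_flags & bit:
            ace[name] = str(uuid.UUID(bytes_le=take(16)))
    head = take(8)  # SID: revision, sub-authority count, 48-bit authority
    subs = struct.unpack("<%dI" % head[1], take(4 * head[1]))
    ace["trustee"] = "-".join(
        ["S", str(head[0]), str(int.from_bytes(head[2:], "big"))]
        + [str(s) for s in subs])
    # Bytes between the end of the SID and `size` are the coda: keep them,
    # do not treat them as an error or as the start of the next ACE.
    ace["coda"] = bytes(buf[pos:size])
    return ace


def sample_ace():
    """Constructed bytes for the ACE in the dump: 40 bytes + 32 zero bytes."""
    body = struct.pack("<II", 0x100, 0x1)
    body += uuid.UUID("edacfd8f-ffb3-11d1-b41d-00a0c968f939").bytes_le
    body += bytes([1, 1]) + (5).to_bytes(6, "big") + struct.pack("<I", 11)
    body += bytes(32)
    return struct.pack("<BBH", 5, 0x02, 4 + len(body)) + body
```

The fixed fields and the SID account for 40 of the 72 bytes, so the remaining 32 are exactly the `ignored` blob in the dump.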