From 3e73b0956ed7cb1a07bbd36dbed91bc8dce6663f Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Mon, 31 Oct 2016 10:41:39 +1300
Subject: [PATCH] dsdb: Create RID Set as SYSTEM

We do not want random users with add-user rights to own the new RID Set
for this server, and the ridSet class is thankfully system-only.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9954
---
 source4/dsdb/samdb/ldb_modules/ridalloc.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/source4/dsdb/samdb/ldb_modules/ridalloc.c b/source4/dsdb/samdb/ldb_modules/ridalloc.c
index b5748ec..349e3d3 100644
--- a/source4/dsdb/samdb/ldb_modules/ridalloc.c
+++ b/source4/dsdb/samdb/ldb_modules/ridalloc.c
@@ -347,8 +347,12 @@ static int ridalloc_create_rid_set_ntds(struct ldb_module *module, TALLOC_CTX *m
 	/* we need this to go all the way to the top of the module
 	 * stack, as we need all the extra attributes added (including
-	 * complex ones like ntsecuritydescriptor) */
-	ret = dsdb_module_add(module, msg, DSDB_FLAG_TOP_MODULE | DSDB_MODIFY_RELAX, parent);
+	 * complex ones like ntsecuritydescriptor). We must do this
+	 * as system, otherwise a user might end up owning the RID
+	 * set, and that would be bad... */
+	ret = dsdb_module_add(module, msg,
+			      DSDB_FLAG_TOP_MODULE | DSDB_FLAG_AS_SYSTEM
+			      | DSDB_MODIFY_RELAX, parent);
 	if (ret != LDB_SUCCESS) {
 		ldb_asprintf_errstring(ldb, "Failed to add RID Set %s - %s",
 				       ldb_dn_get_linearized(msg->dn),
-- 
2.7.4
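Review bot: The new comment ending in "and that would be bad..." does not say what the actual risk is, so the next maintainer has no way to judge whether DSDB_FLAG_AS_SYSTEM is still required; the commit message is more precise than the code. I would replace the last two added comment lines with `* as system: the ntSecurityDescriptor is computed from the adding token, so an ordinary user who triggers RID allocation would otherwise become owner of this DC's RID Set (see bug 9954). */`. It is also worth a short note that DSDB_FLAG_AS_SYSTEM presumably bypasses the ACL checks for this add, so the authorization gate is whatever allowed the caller to reach ridalloc_create_rid_set_ntds in the first place — that is what a reader auditing this flag will want to confirm. ridalloc_create_rid_set_ntds starts and ends outside the hunk.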