Attachment 12620 Details for Bug 9954 – specific patch for this issue (for master)

[patch] specific patch for this issue (for master)

0001-dsdb-Create-RID-Set-as-SYSTEM.patch (text/plain), 1.50 KB, created by Andrew Bartlett on 2016-11-01 08:07:54 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Andrew Bartlett

Created: 2016-11-01 08:07:54 UTC

Size: 1.50 KB

patch

obsolete

>From 3e73b0956ed7cb1a07bbd36dbed91bc8dce6663f Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Mon, 31 Oct 2016 10:41:39 +1300
>Subject: [PATCH] dsdb: Create RID Set as SYSTEM
>
>We do not want random users with add-user rights to own the new RID Set for this
>server, and the ridSet class is thankfully system-only.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=9954
>---
> source4/dsdb/samdb/ldb_modules/ridalloc.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
>diff --git a/source4/dsdb/samdb/ldb_modules/ridalloc.c b/source4/dsdb/samdb/ldb_modules/ridalloc.c
>index b5748ec..349e3d3 100644
>--- a/source4/dsdb/samdb/ldb_modules/ridalloc.c
>+++ b/source4/dsdb/samdb/ldb_modules/ridalloc.c
>@@ -347,8 +347,12 @@ static int ridalloc_create_rid_set_ntds(struct ldb_module *module, TALLOC_CTX *m
> 
> 	/* we need this to go all the way to the top of the module
> 	 * stack, as we need all the extra attributes added (including
>-	 * complex ones like ntsecuritydescriptor) */
>-	ret = dsdb_module_add(module, msg, DSDB_FLAG_TOP_MODULE | DSDB_MODIFY_RELAX, parent);
>+	 * complex ones like ntsecuritydescriptor).  We must do this
>+	 * as system, otherwise a user might end up owning the RID
>+	 * set, and that would be bad... */
>+	ret = dsdb_module_add(module, msg,
>+			      DSDB_FLAG_TOP_MODULE | DSDB_FLAG_AS_SYSTEM
>+			      | DSDB_MODIFY_RELAX, parent);
> 	if (ret != LDB_SUCCESS) {
> 		ldb_asprintf_errstring(ldb, "Failed to add RID Set %s - %s",
> 				       ldb_dn_get_linearized(msg->dn),
>-- 
>2.7.4
>

Flags:

abartlet: review-

Actions: View

Attachments on bug 9954: 12620