Microsoft will, as part of this security release, change the ACL model in Windows such that new objects must honour some kind of ACL (details to be determined). That is, instead of as per MS-ADTS 5.1.3.2 Access Rights (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/990fb975-ab31-4bc1-8b75-5da132cd4584), the new behaviour is likely to be that the ACL will be inherited onto a new object, with any automatic attributes created, then all other changes considered as requiring WP after the fact, just as they would once the object has been created. This will include the obvious case of the new object having an ACL in ntSecurityDescriptor in the ADD.
A top level bug 14564 / CVE-2020-25722 will be used for these related issues.
Fixing this has been deferred to master, but we may backport this if we find a condition where this, rather than a per-attribute check, is most appropriate.
Removing embargo. Patches to address this are public at https://gitlab.com/samba-team/samba/-/merge_requests/2514
This bug was referenced in samba master: cbbf3fd7412ba073b26b0d0a32fe25b343fed5ca 890d2c5cf5d47758b5429f87a064f04512ff7136 0af5706b559e89c77123ed174b41fd3d01705aa5 cc709077822a39227174b91ed2345c2bd603f61f 2563f85237bd4260b7b527f3695f27da4cc61a74 c2761a47fd12cc2a79a02707ed9d778e496b1fd4 0e1d8929f872708e79edf802e5d2ff847c9b3ee5 08187833fee57a8dba6c67546dfca516cd1f9d7a 6dc6ca56bd517a5cba85bb4ec120fcfb5feadfb8 72b8e98252b0231868f04d40456459057126980c 5073d5997cb1d7f654423655e0d1eeb117bdab38 acc9999a08f12d5bff6edb631a9515fe7e5087c3 95fe9659574337234616625fc32d5f00035ae7c9 cc64ea24daa649dc8de4a212c7abfbe111095655
This bug was referenced in samba v4-17-stable (Release samba-4.17.7): b7af8aa2552e0690aac58fb98e3134b71f678ece 307b2e65d51903f6805460a2633ebe809d4052ab
This bug was referenced in samba v4-17-test: b7af8aa2552e0690aac58fb98e3134b71f678ece 307b2e65d51903f6805460a2633ebe809d4052ab
This bug was referenced in samba v4-17-test: 3ecdec683b60cf100b1c031841b709c91191c8f2
This bug was referenced in samba v4-17-stable (Release samba-4.17.8): 3ecdec683b60cf100b1c031841b709c91191c8f2