Bug 7711 - ACL module: support the tree delete right
Summary: ACL module: support the tree delete right
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: unspecified
Hardware: All All
: P3 enhancement (vote)
Target Milestone: ---
Assignee: Stefan Metzmacher
QA Contact: samba4-qa@samba.org
URL:
Keywords:
Depends on:
Blocks: 8622 9306
  Show dependency treegraph
 
Reported: 2010-10-04 09:49 UTC by Matthias Dieter Wallnöfer
Modified: 2012-12-04 10:53 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matthias Dieter Wallnöfer 2010-10-04 09:49:10 UTC
At the moment we handle tree deletes as if they would be normal deletes regarding the ACLs.
But this is not the Windows behaviour. If you've got there the TREE_DELETE right on the base object and send then the TREE_DELETE control you are able to delete all subobjects fully independently of their security descriptors (beside other checks as system flags and similar which remain).

Source: MS-ADTS 3.1.1.5.5.7
Comment 1 Nadezhda Ivanova 2010-10-04 23:14:02 UTC
Yeah, that's true. At the time the acl module was created we did not support the delete tree operation. I'll fix it when I have the time.

Comment 2 Stefan Metzmacher 2012-11-26 08:21:52 UTC
I'll upload patches for 4.0
Comment 3 Karolin Seeger 2012-12-04 10:53:01 UTC
Metze says this one is fixed in 4.0.0rc6 (with the patches for bug #8621).
Closing out bug report.

Thanks!