Created attachment 6949
possible start of a patch
The attached patch attempts to prevent the modification of systemOnly attributes.
The problem is that we rely on this at the moment (internal callers are not marked to indicate that this modification is safe/permitted).
When all the callers are fixed (preferably with some per-attribute flag) then something like this needs to be committed.
BTW, this is MS-ADTS 188.8.131.52.3.2 Constraints (modify operation)
Andrew, can you have a look at this again?
What was wrong with this patch? At 10 000ft it looks like it is going in the right direction.
Is this a blocker for 4.1.0 or 4.2?
(In reply to comment #4)
> Is this a blocker for 4.1.0 or 4.2?
Comment from Metze:
https://bugzilla.samba.org/show_bug.cgi?id=8487 (We should not allow the modification of systemOnly attributes) has a patch that needs verification and maybe a bit more work. We may be able to move this to 4.2 if it requires a lot of work.
Don't block 4.1.0, this is not a regression compared to 4.0.x
Any news on this one?
Is this a showstopper for 4.2.0?
I guess this will be fixed in 4.7 by
Author: Garming Sam <email@example.com>
AuthorDate: Tue Mar 7 12:30:09 2017 +1300
Commit: Andrew Bartlett <firstname.lastname@example.org>
CommitDate: Mon Mar 13 05:10:12 2017 +0100
objectclass_attrs: Restrict systemOnly attributes
This allows restriction of auditing attributes from being wiped.
Modifications of the RID Set must be done as SYSTEM.
Signed-off-by: Garming Sam <email@example.com>
Reviewed-by: Andrew Bartlett <firstname.lastname@example.org>