Bug 8487 - We should not allow the modification of systemOnly attributes
Summary: We should not allow the modification of systemOnly attributes
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: samba4-qa@samba.org
Depends on:
Reported: 2011-09-26 23:00 UTC by Andrew Bartlett
Modified: 2017-04-07 15:38 UTC (History)

See Also:

possible start of a patch (1.27 KB, patch)
2011-09-26 23:00 UTC, Andrew Bartlett

Description Andrew Bartlett 2011-09-26 23:00:33 UTC
Created attachment 6949
possible start of a patch

The attached patch attempts to prevent the modification of systemOnly attributes.  

The problem is that we rely on this at the moment (internal callers are not marked to indicate that this modification is safe/permitted).

When all the callers are fixed (preferably with some per-attribute flag) then something like this needs to be committed.
Comment 1 Andrew Bartlett 2011-09-26 23:01:34 UTC
BTW, this is MS-ADTS Constraints (modify operation)
Comment 2 Stefan Metzmacher 2013-08-09 10:33:18 UTC
Andrew, can you have a look at this again?
Comment 3 Matthieu Patou 2013-08-21 04:34:49 UTC
What was wrong with this patch? At 10 000 ft it looks like it is going in the right direction.
Comment 4 Karolin Seeger 2013-08-30 08:28:47 UTC
Is this a blocker for 4.1.0 or 4.2?
Comment 5 Karolin Seeger 2013-08-30 09:48:33 UTC
(In reply to comment #4)
> Is this a blocker for 4.1.0 or 4.2?

Comment from Metze:
https://bugzilla.samba.org/show_bug.cgi?id=8487 (We should not allow the modification of systemOnly attributes) has a patch that needs verification and maybe a bit more work. We may be able to move this to 4.2 if it requires a lot of work.
Comment 6 Stefan Metzmacher 2013-09-27 07:58:37 UTC
Don't block 4.1.0, this is not a regression compared to 4.0.x
Comment 7 Karolin Seeger 2013-12-10 15:33:27 UTC
Any news on this one?
Comment 8 Karolin Seeger 2014-11-27 10:48:36 UTC
Is this a showstopper for 4.2.0?
Comment 9 Stefan Metzmacher 2017-04-07 15:38:43 UTC
I guess this will be fixed in 4.7 by
commit c4aa78ba875f3a9ca4e586823ce63826da8daa90
Author:     Garming Sam <garming@catalyst.net.nz>
AuthorDate: Tue Mar 7 12:30:09 2017 +1300
Commit:     Andrew Bartlett <abartlet@samba.org>
CommitDate: Mon Mar 13 05:10:12 2017 +0100

    objectclass_attrs: Restrict systemOnly attributes
    This allows restriction of auditing attributes from being wiped.
    Modifications of the RID Set must be done as SYSTEM.
    Signed-off-by: Garming Sam <garming@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>