diff options
author | Andrew Bartlett <abartlet@samba.org> | 2019-12-06 18:26:42 +1300 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2020-01-08 11:31:41 +0100 |
commit | da1d3a0c03c002f6d2ffc6cfc7c0c15a4baa1000 (patch) | |
tree | f9881474feeaf5e0ee873aa06505c2c04e89482f | |
parent | febccb4845e75fbf8c382df9f897215835e9d979 (diff) | |
download | samba-da1d3a0c03c002f6d2ffc6cfc7c0c15a4baa1000.tar.gz |
CVE-2019-14902 repl_meta_data: Set renamed = true (and so do SD inheritance) after any rename
Previously if there was a conflict, but the incoming object would still
win, this was not marked as a rename, and so inheritence was not done.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r-- | selftest/knownfail.d/repl_secdesc | 1 | ||||
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 13 |
2 files changed, 13 insertions, 1 deletions
diff --git a/selftest/knownfail.d/repl_secdesc b/selftest/knownfail.d/repl_secdesc index 13a9ce458dd..9dd632d99ed 100644 --- a/selftest/knownfail.d/repl_secdesc +++ b/selftest/knownfail.d/repl_secdesc @@ -1,2 +1 @@ -^samba4.drs.repl_secdesc.python\(.*\).repl_secdesc.ReplAclTestCase.test_acl_inheirt_renamed_object_in_conflict ^samba4.drs.repl_secdesc.python\(.*\).repl_secdesc.ReplAclTestCase.test_acl_inheirt_renamed_child_object diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c index 0e12c6cfa81..045d1e0524d 100644 --- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c +++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c @@ -6197,6 +6197,19 @@ static int replmd_replicated_apply_merge(struct replmd_replicated_request *ar) * replmd_replicated_apply_search_callback()) */ ret = replmd_replicated_handle_rename(ar, msg, ar->req, &renamed); + + /* + * This looks strange, but we must set this after any + * rename, otherwise the SD propegation will not + * happen (which might matter if we have a new parent) + * + * The additional case of calling + * replmd_op_name_modify_callback (below) is: + * - a no-op if there was no name change + * and + * - called in the default case regardless. + */ + renamed = true; } if (ret != LDB_SUCCESS) { |