authorAndrew Bartlett <abartlet@samba.org>2019-11-26 15:50:35 +1300
committerKarolin Seeger <kseeger@samba.org>2020-01-08 11:31:41 +0100
commitfebccb4845e75fbf8c382df9f897215835e9d979 (patch)
tree74fbbbab81e8bb7b4fb2806baa0d0e46b31d44a9
parent2cf368d0023c68dc91f50e4cd73fcc83f77cf234 (diff)
CVE-2019-14902 repl_meta_data: Fix issue where inherited Security Descriptors were not replicated.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497 Signed-off-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r--selftest/knownfail.d/repl_secdesc1
-rw-r--r--source4/dsdb/samdb/ldb_modules/repl_meta_data.c22
2 files changed, 21 insertions, 2 deletions
diff --git a/selftest/knownfail.d/repl_secdesc b/selftest/knownfail.d/repl_secdesc
index 7d554ff237a..13a9ce458dd 100644
--- a/selftest/knownfail.d/repl_secdesc
+++ b/selftest/knownfail.d/repl_secdesc
@@ -1,3 +1,2 @@
^samba4.drs.repl_secdesc.python\(.*\).repl_secdesc.ReplAclTestCase.test_acl_inheirt_renamed_object_in_conflict
-^samba4.drs.repl_secdesc.python\(.*\).repl_secdesc.ReplAclTestCase.test_acl_inherit_existing_object
^samba4.drs.repl_secdesc.python\(.*\).repl_secdesc.ReplAclTestCase.test_acl_inheirt_renamed_child_object
diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
index 942de232ede..0e12c6cfa81 100644
--- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
+++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
@@ -5590,6 +5590,15 @@ static int replmd_replicated_apply_add(struct replmd_replicated_request *ar)
replmd_ldb_message_sort(msg, ar->schema);
if (!remote_isDeleted) {
+ /*
+ * Ensure any local ACL inheritence is applied from
+ * the parent object.
+ *
+ * This is needed because descriptor is above
+ * repl_meta_data in the module stack, so this will
+ * not be trigered 'naturally' by the flow of
+ * operations.
+ */
ret = dsdb_module_schedule_sd_propagation(ar->module,
ar->objs->partition_dn,
msg->dn, true);
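Review bot: The new comment block contains two spellings that will be copied verbatim by the next person who greps for them: `inheritence` should read `inheritance` and `trigered` should read `triggered`; the same `trigered` typo appears in the comment added in the replmd_replicated_apply_merge hunk below. The comment also says "Ensure ... is applied" while the call only schedules propagation for later, so `Schedule local ACL inheritance from the parent object.` would describe the line more precisely. The `ret` check for this call sits outside the hunk, and replmd_replicated_apply_add continues past it.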
@@ -6372,9 +6381,20 @@ static int replmd_replicated_apply_merge(struct replmd_replicated_request *ar)
}
if (sd_updated && !isDeleted) {
+ /*
+ * This is an existing object, so there is no need to
+ * inherit from the parent, but we must inherit any
+ * incoming changes to our child objects.
+ *
+ * This is needed because descriptor is above
+ * repl_meta_data in the module stack, so this will
+ * not be trigered 'naturally' by the flow of
+ * operations.
+ */
ret = dsdb_module_schedule_sd_propagation(ar->module,
ar->objs->partition_dn,
- msg->dn, true);
+ msg->dn,
+ false);
if (ret != LDB_SUCCESS) {
return ldb_operr(ldb);
}
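Review bot: The changed argument `false` is the whole fix in this hunk, but at the call site nothing says what it selects; the comment above it implies it suppresses re-inheriting from the parent while still propagating to children, and the add path passes `true` for the opposite case. Annotating the argument inline, `false /* existing object: propagate to children only */);`, keeps the distinction visible when the two call sites are compared, and a named constant for the flag would make it harder to swap them again. replmd_replicated_apply_merge continues outside the hunk.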