author | Andrew Bartlett <abartlet@samba.org> | 2016-10-31 10:41:39 +1300 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2016-11-30 12:19:33 +0100 |
commit | da60caf2c7bc3a1012862f39cc7aa669e24b3d16 (patch) | |
tree | 46000f4ce59e7cce202fca55acad194fa0c914db | |
parent | da6d45a59399e487b468fa8bb7a85c1032a26de5 (diff) | |
download | samba-da60caf2c7bc3a1012862f39cc7aa669e24b3d16.tar.gz |
dsdb: Create RID Set as SYSTEM
We do not want random users with add-user rights to own the new RID Set for this
server, and the ridSet class is thankfully system-only.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9954
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
(cherry picked from commit fe90dadd2cd13c20484c06318724c592e5cf298e)
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/ridalloc.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/ridalloc.c b/source4/dsdb/samdb/ldb_modules/ridalloc.c index b5c7f52c3e0..d3463e6e7a0 100644 --- a/source4/dsdb/samdb/ldb_modules/ridalloc.c +++ b/source4/dsdb/samdb/ldb_modules/ridalloc.c @@ -347,8 +347,12 @@ static int ridalloc_create_rid_set_ntds(struct ldb_module *module, TALLOC_CTX *m /* we need this to go all the way to the top of the module * stack, as we need all the extra attributes added (including - * complex ones like ntsecuritydescriptor) */ - ret = dsdb_module_add(module, msg, DSDB_FLAG_TOP_MODULE | DSDB_MODIFY_RELAX, parent); + * complex ones like ntsecuritydescriptor). We must do this + * as system, otherwise a user might end up owning the RID + * set, and that would be bad... */ + ret = dsdb_module_add(module, msg, + DSDB_FLAG_TOP_MODULE | DSDB_FLAG_AS_SYSTEM + | DSDB_MODIFY_RELAX, parent); if (ret != LDB_SUCCESS) { ldb_asprintf_errstring(ldb, "Failed to add RID Set %s - %s", ldb_dn_get_linearized(msg->dn), |
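Review bot: The rewritten comment above the dsdb_module_add() call in ridalloc_create_rid_set_ntds() ends with "that would be bad...", which leaves the actual risk unstated for anyone reading the code without the commit message. Say it the way the commit message does: without DSDB_FLAG_AS_SYSTEM, a user with add-user rights could end up as owner of this server's RID Set. Because the add now runs as system and still goes to the top of the module stack, it is also worth confirming in review that msg is built entirely by this function and carries nothing supplied by the caller. The diffstat shows only ridalloc.c changing, so nothing here checks the owner of the created RID Set; a test that triggers RID Set creation as a delegated user and asserts the owner in the resulting security descriptor would guard against regressions. Minor style point: the flag expression is split with a leading "|" on the continuation line, so check that this matches how the rest of the file wraps such expressions.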