authorNadezhda Ivanova <nivanova@symas.com>2021-10-22 21:33:03 +0300
committerAndrew Bartlett <abartlet@samba.org>2022-09-16 02:32:36 +0000
commit5073d5997cb1d7f654423655e0d1eeb117bdab38 (patch)
tree6066c5ea83b4dcb71e5217e986a70d21d00fd9c6 /librpc
parent72b8e98252b0231868f04d40456459057126980c (diff)
CVE-2020-25720: s4-acl: Owner no longer has implicit Write DACL
The implicit right of an object's owner to modify its security descriptor no longer exists, according to the new access rules. However, we continue to grant this implicit right for fileserver access checks. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810 Signed-off-by: Nadezhda Ivanova <nivanova@symas.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'librpc')
-rw-r--r--librpc/idl/security.idl9
1 files changed, 9 insertions, 0 deletions
diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl
index d05e3c3e1b7..2ef34170479 100644
--- a/librpc/idl/security.idl
+++ b/librpc/idl/security.idl
@@ -206,6 +206,15 @@ interface security
SEC_ADS_GENERIC_READ |
SEC_ADS_GENERIC_ALL_DS);
+ /*
+ * Rights implicitly granted to a user who is an owner of the security
+ * descriptor being processed.
+ */
+ typedef enum {
+ IMPLICIT_OWNER_READ_CONTROL_RIGHTS,
+ IMPLICIT_OWNER_READ_CONTROL_AND_WRITE_DAC_RIGHTS
+ } implicit_owner_rights;
+
/***************************************************************/
/* WELL KNOWN SIDS */