diff options
author | Nadezhda Ivanova <nivanova@symas.com> | 2021-10-22 21:33:03 +0300 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2022-09-16 02:32:36 +0000 |
commit | 5073d5997cb1d7f654423655e0d1eeb117bdab38 (patch) | |
tree | 6066c5ea83b4dcb71e5217e986a70d21d00fd9c6 /librpc | |
parent | 72b8e98252b0231868f04d40456459057126980c (diff) | |
download | samba-5073d5997cb1d7f654423655e0d1eeb117bdab38.tar.gz |
CVE-2020-25720: s4-acl: Owner no longer has implicit Write DACL
The implicit right of an object's owner to modify its security
descriptor no longer exists, according to the new access rules. However,
we continue to grant this implicit right for fileserver access checks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810
Signed-off-by: Nadezhda Ivanova <nivanova@symas.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'librpc')
-rw-r--r-- | librpc/idl/security.idl | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl index d05e3c3e1b7..2ef34170479 100644 --- a/librpc/idl/security.idl +++ b/librpc/idl/security.idl @@ -206,6 +206,15 @@ interface security SEC_ADS_GENERIC_READ | SEC_ADS_GENERIC_ALL_DS); + /* + * Rights implicitly granted to a user who is an owner of the security + * descriptor being processed. + */ + typedef enum { + IMPLICIT_OWNER_READ_CONTROL_RIGHTS, + IMPLICIT_OWNER_READ_CONTROL_AND_WRITE_DAC_RIGHTS + } implicit_owner_rights; + /***************************************************************/ /* WELL KNOWN SIDS */ |