From 5073d5997cb1d7f654423655e0d1eeb117bdab38 Mon Sep 17 00:00:00 2001
From: Nadezhda Ivanova <nivanova@symas.com>
Date: Fri, 22 Oct 2021 21:33:03 +0300
Subject: CVE-2020-25720: s4-acl: Owner no longer has implicit Write DACL

The implicit right of an object's owner to modify its security
descriptor no longer exists, according to the new access rules. However,
we continue to grant this implicit right for fileserver access checks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810

Signed-off-by: Nadezhda Ivanova <nivanova@symas.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
 librpc/idl/security.idl | 9 +++++++++
 1 file changed, 9 insertions(+)

(limited to 'librpc/idl')

diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl
index d05e3c3e1b7..2ef34170479 100644
--- a/librpc/idl/security.idl
+++ b/librpc/idl/security.idl
@@ -206,6 +206,15 @@ interface security
 		 SEC_ADS_GENERIC_READ           |
 		 SEC_ADS_GENERIC_ALL_DS);
 
+	/*
+	 * Rights implicitly granted to a user who is an owner of the security
+	 * descriptor being processed.
+	 */
+	typedef enum {
+		IMPLICIT_OWNER_READ_CONTROL_RIGHTS,
+		IMPLICIT_OWNER_READ_CONTROL_AND_WRITE_DAC_RIGHTS
+	} implicit_owner_rights;
+
 	/***************************************************************/
 	/* WELL KNOWN SIDS */
 
-- 
cgit v1.2.1