From da60caf2c7bc3a1012862f39cc7aa669e24b3d16 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Mon, 31 Oct 2016 10:41:39 +1300
Subject: dsdb: Create RID Set as SYSTEM

We do not want random users with add-user rights to own the new RID Set for this server, and the ridSet class is thankfully system-only.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9954

Signed-off-by: Andrew Bartlett
Reviewed-by: Garming Sam
(cherry picked from commit fe90dadd2cd13c20484c06318724c592e5cf298e)
---
 source4/dsdb/samdb/ldb_modules/ridalloc.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

(limited to 'source4')

diff --git a/source4/dsdb/samdb/ldb_modules/ridalloc.c b/source4/dsdb/samdb/ldb_modules/ridalloc.c
index b5c7f52c3e0..d3463e6e7a0 100644
--- a/source4/dsdb/samdb/ldb_modules/ridalloc.c
+++ b/source4/dsdb/samdb/ldb_modules/ridalloc.c
@@ -347,8 +347,12 @@ static int ridalloc_create_rid_set_ntds(struct ldb_module *module, TALLOC_CTX *m
 	/* we need this to go all the way to the top of the module
 	 * stack, as we need all the extra attributes added (including
-	 * complex ones like ntsecuritydescriptor) */
-	ret = dsdb_module_add(module, msg, DSDB_FLAG_TOP_MODULE | DSDB_MODIFY_RELAX, parent);
+	 * complex ones like ntsecuritydescriptor). We must do this
+	 * as system, otherwise a user might end up owning the RID
+	 * set, and that would be bad... */
+	ret = dsdb_module_add(module, msg,
+			      DSDB_FLAG_TOP_MODULE | DSDB_FLAG_AS_SYSTEM
+			      | DSDB_MODIFY_RELAX, parent);
 	if (ret != LDB_SUCCESS) {
 		ldb_asprintf_errstring(ldb, "Failed to add RID Set %s - %s",
 				       ldb_dn_get_linearized(msg->dn),
--
cgit v1.2.1
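Review bot: The new comment above the dsdb_module_add() call justifies DSDB_FLAG_AS_SYSTEM only with "a user might end up owning the RID set, and that would be bad...", which does not tell the next maintainer what actually goes wrong if the flag is removed as a cleanup. Suggested wording for the second half of that comment: `/* ... Run the add as SYSTEM so that the security descriptor generated for the new RID Set (owner taken from the requesting token) belongs to the system account rather than to whichever user's request triggered the allocation. */`. Because the add now carries both DSDB_FLAG_AS_SYSTEM and DSDB_MODIFY_RELAX it presumably runs past the ACL and relax-protected checks together, which is only safe while msg is built entirely from values this module controls; that construction is above the hunk and worth confirming in the same review. The enclosing ridalloc_create_rid_set_ntds() starts and ends outside the hunk.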