author | Stefan Metzmacher <metze@samba.org> | 2012-11-24 10:14:59 +0100 |
---|---|---|
committer | Michael Adam <obnox@samba.org> | 2012-11-30 17:17:21 +0100 |
commit | 5dd4555f391d841b276e53e70eedde36f5190cdd (patch) | |
tree | bb4731f3ec23e0d4cefca1b8387c87e5e126976f | |
parent | 60192fd1004015b50e208b3da6a07bd67f9d7990 (diff) | |

s4:dsdb/subtree_delete: do the recursive delete AS_SYSTEM/TRUSTED (bug #7711)

Now that the acl module checks for SEC_ADS_DELETE_TREE,
we can do the recursive delete AS_SYSTEM.

We need to pass the TRUSTED flags as we operate from
the TOP module.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

-rw-r--r-- | source4/dsdb/samdb/ldb_modules/subtree_delete.c | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/subtree_delete.c b/source4/dsdb/samdb/ldb_modules/subtree_delete.c index ce1b8922f3..f041b7e66e 100644 --- a/source4/dsdb/samdb/ldb_modules/subtree_delete.c +++ b/source4/dsdb/samdb/ldb_modules/subtree_delete.c @@ -79,9 +79,17 @@ static int subtree_delete(struct ldb_module *module, struct ldb_request *req) return LDB_ERR_NOT_ALLOWED_ON_NON_LEAF; } - /* we need to start from the top since other LDB modules could - * enforce constraints (eg "objectclass" and "samldb" do so). */ - flags = DSDB_FLAG_TOP_MODULE | DSDB_TREE_DELETE; + /* + * we need to start from the top since other LDB modules could + * enforce constraints (eg "objectclass" and "samldb" do so). + * + * We pass DSDB_FLAG_AS_SYSTEM as the acl module above us + * has already checked for SEC_ADS_DELETE_TREE. + */ + flags = DSDB_FLAG_TOP_MODULE | + DSDB_FLAG_AS_SYSTEM | + DSDB_FLAG_TRUSTED | + DSDB_TREE_DELETE; if (ldb_request_get_control(req, LDB_CONTROL_RELAX_OID) != NULL) { flags |= DSDB_MODIFY_RELAX; } |
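
Review bot: The new comment above the `flags` assignment justifies DSDB_FLAG_AS_SYSTEM but not DSDB_FLAG_TRUSTED, which is added in the same statement; the reason for it appears only in the commit message ("we operate from the TOP module") and should be repeated in the comment. The AS_SYSTEM justification also depends on the acl module sitting above this one and having already checked SEC_ADS_DELETE_TREE, a module-ordering assumption that nothing in this hunk enforces, so the comment should say that running the recursive delete as system is only safe under that ordering. The unchanged lines below still OR in DSDB_MODIFY_RELAX when the request carries LDB_CONTROL_RELAX_OID, which means that request-supplied control is now combined with AS_SYSTEM and TRUSTED; a sentence confirming this combination is intended would help the next reader.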