s4:dsdb/subtree_delete: do the recursive delete AS_SYSTEM/TRUSTED (bug #7711)

Now that the acl module checks for SEC_ADS_DELETE_TREE,
we can do the recursive delete AS_SYSTEM.

We need to pass the TRUSTED flags as we operate from
the TOP module.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

1 files changed, 11 insertions, 3 deletions

diff --git a/source4/dsdb/samdb/ldb_modules/subtree_delete.c b/source4/dsdb/samdb/ldb_modules/subtree_delete.c
index ce1b8922f3..f041b7e66e 100644
--- a/source4/dsdb/samdb/ldb_modules/subtree_delete.c
+++ b/source4/dsdb/samdb/ldb_modules/subtree_delete.c
@@ -79,9 +79,17 @@ static int subtree_delete(struct ldb_module *module, struct ldb_request *req)
 		return LDB_ERR_NOT_ALLOWED_ON_NON_LEAF;
 	}
 
-	/* we need to start from the top since other LDB modules could
-	 * enforce constraints (eg "objectclass" and "samldb" do so). */
-	flags = DSDB_FLAG_TOP_MODULE | DSDB_TREE_DELETE;
+	/*
+	 * we need to start from the top since other LDB modules could
+	 * enforce constraints (eg "objectclass" and "samldb" do so).
+	 *
+	 * We pass DSDB_FLAG_AS_SYSTEM as the acl module above us
+	 * has already checked for SEC_ADS_DELETE_TREE.
+	 */
+	flags = DSDB_FLAG_TOP_MODULE |
+		DSDB_FLAG_AS_SYSTEM |
+		DSDB_FLAG_TRUSTED |
+		DSDB_TREE_DELETE;
 	if (ldb_request_get_control(req, LDB_CONTROL_RELAX_OID) != NULL) {
 		flags |= DSDB_MODIFY_RELAX;
 	}