authorStefan Metzmacher <metze@samba.org>2012-11-24 10:14:59 +0100
committerMichael Adam <obnox@samba.org>2012-11-30 17:17:21 +0100
commit5dd4555f391d841b276e53e70eedde36f5190cdd (patch)
treebb4731f3ec23e0d4cefca1b8387c87e5e126976f /source4/dsdb/samdb/ldb_modules/subtree_delete.c
parent60192fd1004015b50e208b3da6a07bd67f9d7990 (diff)
s4:dsdb/subtree_delete: do the recursive delete AS_SYSTEM/TRUSTED (bug #7711)
Now that the acl module checks for SEC_ADS_DELETE_TREE, we can do the recursive delete AS_SYSTEM. We need to pass the TRUSTED flags as we operate from the TOP module. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
Diffstat (limited to 'source4/dsdb/samdb/ldb_modules/subtree_delete.c')
-rw-r--r--source4/dsdb/samdb/ldb_modules/subtree_delete.c14
1 files changed, 11 insertions, 3 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/subtree_delete.c b/source4/dsdb/samdb/ldb_modules/subtree_delete.c
index ce1b8922f3..f041b7e66e 100644
--- a/source4/dsdb/samdb/ldb_modules/subtree_delete.c
+++ b/source4/dsdb/samdb/ldb_modules/subtree_delete.c
@@ -79,9 +79,17 @@ static int subtree_delete(struct ldb_module *module, struct ldb_request *req)
return LDB_ERR_NOT_ALLOWED_ON_NON_LEAF;
}
- /* we need to start from the top since other LDB modules could
- * enforce constraints (eg "objectclass" and "samldb" do so). */
- flags = DSDB_FLAG_TOP_MODULE | DSDB_TREE_DELETE;
+ /*
+ * we need to start from the top since other LDB modules could
+ * enforce constraints (eg "objectclass" and "samldb" do so).
+ *
+ * We pass DSDB_FLAG_AS_SYSTEM as the acl module above us
+ * has already checked for SEC_ADS_DELETE_TREE.
+ */
+ flags = DSDB_FLAG_TOP_MODULE |
+ DSDB_FLAG_AS_SYSTEM |
+ DSDB_FLAG_TRUSTED |
+ DSDB_TREE_DELETE;
if (ldb_request_get_control(req, LDB_CONTROL_RELAX_OID) != NULL) {
flags |= DSDB_MODIFY_RELAX;
}
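Review bot: The new comment above the `flags` assignment justifies DSDB_FLAG_AS_SYSTEM but not DSDB_FLAG_TRUSTED, and it leaves implicit that with both set, authorization for every child delete rests solely on the acl module's SEC_ADS_DELETE_TREE check on the parent request. That holds only while acl stays stacked above subtree_delete and the request actually passed through it; with a reordered module stack, or a caller that enters below acl, the recursive delete would presumably run as system with no access check at all. I would extend the comment with something like `* DSDB_FLAG_TRUSTED is needed because we re-enter from the top module; both flags rely on the acl module running above us.`, and confirm there is a test in which a user who may delete the parent but lacks SEC_ADS_DELETE_TREE is refused. subtree_delete's body starts before and continues after this hunk, so how `flags` is consumed is not visible here.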