diff options
| author | Nadezhda Ivanova <nivanova@symas.com> | 2013-10-14 12:38:10 +0300 |
|---|---|---|
| committer | Nadezhda Ivanova <nivanova@samba.org> | 2013-10-14 13:31:50 +0200 |
| commit | 13a10d43141c29dad61868b451c0c1dca82360de (patch) | |
| tree | ec660ca94f27c085be55e5f85e6789a1a2437099 /source4/dsdb/samdb/ldb_modules | |
| parent | 064433f265d2215389f2a377b6e8243318669b65 (diff) | |
| download | samba-13a10d43141c29dad61868b451c0c1dca82360de.tar.gz samba-13a10d43141c29dad61868b451c0c1dca82360de.tar.bz2 samba-13a10d43141c29dad61868b451c0c1dca82360de.zip | |
s4-samldb: Do not allow deletion of objects with RID < 1000
According to [MS-SAMR] 3.1.5.7 Delete Pattern we should not allow deletion
of security objects with RID < 1000. This patch will prevent deletion of
well-known accounts and groups.
Signed-off-by: Nadezhda Ivanova <nivanova@symas.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Nadezhda Ivanova <nivanova@samba.org>
Autobuild-Date(master): Mon Oct 14 13:31:50 CEST 2013 on sn-devel-104
Diffstat (limited to 'source4/dsdb/samdb/ldb_modules')
| -rw-r--r-- | source4/dsdb/samdb/ldb_modules/samldb.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c index 603370fd62..b79810279c 100644 --- a/source4/dsdb/samdb/ldb_modules/samldb.c +++ b/source4/dsdb/samdb/ldb_modules/samldb.c @@ -2552,6 +2552,11 @@ static int samldb_prim_group_users_check(struct samldb_ctx *ac) /* Special object (security principal?) */ return LDB_SUCCESS; } + /* do not allow deletion of well-known sids */ + if (rid < DSDB_SAMDB_MINIMUM_ALLOWED_RID && + (ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID) == NULL)) { + return LDB_ERR_OTHER; + } /* Deny delete requests from groups which are primary ones */ ret = dsdb_module_search(ac->module, ac, &res, |