authorNadezhda Ivanova <nivanova@symas.com>2013-10-14 12:38:10 +0300
committerNadezhda Ivanova <nivanova@samba.org>2013-10-14 13:31:50 +0200
commit13a10d43141c29dad61868b451c0c1dca82360de (patch)
treeec660ca94f27c085be55e5f85e6789a1a2437099 /source4
parent064433f265d2215389f2a377b6e8243318669b65 (diff)
s4-samldb: Do not allow deletion of objects with RID < 1000
According to [MS-SAMR] 3.1.5.7 Delete Pattern we should not allow deletion of security objects with RID < 1000. This patch will prevent deletion of well-known accounts and groups. Signed-off-by: Nadezhda Ivanova <nivanova@symas.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Nadezhda Ivanova <nivanova@samba.org> Autobuild-Date(master): Mon Oct 14 13:31:50 CEST 2013 on sn-devel-104
Diffstat (limited to 'source4')
-rw-r--r--source4/dsdb/samdb/ldb_modules/samldb.c5
-rw-r--r--source4/dsdb/samdb/samdb.h1
-rwxr-xr-xsource4/dsdb/tests/python/sam.py37
3 files changed, 40 insertions, 3 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index 603370fd62..b79810279c 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -2552,6 +2552,11 @@ static int samldb_prim_group_users_check(struct samldb_ctx *ac)
/* Special object (security principal?) */
return LDB_SUCCESS;
}
+ /* do not allow deletion of well-known sids */
+ if (rid < DSDB_SAMDB_MINIMUM_ALLOWED_RID &&
+ (ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID) == NULL)) {
+ return LDB_ERR_OTHER;
+ }
/* Deny delete requests from groups which are primary ones */
ret = dsdb_module_search(ac->module, ac, &res,
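Review bot: The new guard returns LDB_ERR_OTHER without setting an error string, so a caller that tries to delete one of these well-known objects gets a bare "Other" result with no indication that the refusal is deliberate; consider `ldb_asprintf_errstring(ldb_module_get_ctx(ac->module), "samldb: cannot delete object with well-known RID %u (minimum allowed is %u)", (unsigned int)rid, DSDB_SAMDB_MINIMUM_ALLOWED_RID);` before the return (rid is declared outside the hunk, so the cast/format should be matched to its actual type). The comment above the check says "well-known sids" while the condition is on the RID, which is worth stating precisely together with the source of the rule: `/* [MS-SAMR] 3.1.5.7: refuse to delete well-known accounts/groups (RID < 1000) unless the relax control is present */`. Because LDB_CONTROL_RELAX_OID bypasses the check, the protection only holds as long as that control is not honoured for unprivileged LDAP clients, which presumably is enforced elsewhere in the stack but is worth confirming. samldb_prim_group_users_check starts and ends outside this hunk.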
diff --git a/source4/dsdb/samdb/samdb.h b/source4/dsdb/samdb/samdb.h
index 7605c65cdd..7f77d4e382 100644
--- a/source4/dsdb/samdb/samdb.h
+++ b/source4/dsdb/samdb/samdb.h
@@ -244,6 +244,7 @@ struct dsdb_extended_sec_desc_propagation_op {
};
#define DSDB_ACL_CHECKS_DIRSYNC_FLAG 0x1
+#define DSDB_SAMDB_MINIMUM_ALLOWED_RID 1000
#define DSDB_METADATA_SCHEMA_SEQ_NUM "SCHEMA_SEQ_NUM"
#endif /* __SAMDB_H__ */
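Review bot: The new DSDB_SAMDB_MINIMUM_ALLOWED_RID define has no comment, and nothing in the header says that 1000 is the well-known-RID boundary from [MS-SAMR] 3.1.5.7 that the commit message cites. A one-line comment above it keeps the rationale with the constant: `/* [MS-SAMR] 3.1.5.7: RIDs below this belong to well-known accounts and groups and must not be deleted */`.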
diff --git a/source4/dsdb/tests/python/sam.py b/source4/dsdb/tests/python/sam.py
index 754096a015..b2d4d4920f 100755
--- a/source4/dsdb/tests/python/sam.py
+++ b/source4/dsdb/tests/python/sam.py
@@ -586,7 +586,7 @@ class SamTests(samba.tests.TestCase):
def test_sam_attributes(self):
"""Test the behaviour of special attributes of SAM objects"""
- print "Testing the behaviour of special attributes of SAM objects\n"""
+ print "Testing the behaviour of special attributes of SAM objects\n"
ldb.add({
"dn": "cn=ldaptestuser,cn=users," + self.base_dn,
@@ -2604,7 +2604,7 @@ class SamTests(samba.tests.TestCase):
def test_sam_description_attribute(self):
"""Test SAM description attribute"""
- print "Test SAM description attribute"""
+ print "Test SAM description attribute"
self.ldb.add({
"dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
@@ -2772,7 +2772,7 @@ class SamTests(samba.tests.TestCase):
def test_fSMORoleOwner_attribute(self):
"""Test fSMORoleOwner attribute"""
- print "Test fSMORoleOwner attribute"""
+ print "Test fSMORoleOwner attribute"
ds_service_name = self.ldb.get_dsServiceName()
@@ -2846,6 +2846,37 @@ class SamTests(samba.tests.TestCase):
delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+ def test_protected_sid_objects(self):
+ """Test deletion of objects with RID < 1000"""
+ self.ldb.create_ou("ou=ldaptestou," + self.base_dn)
+ # a list of some well-known sids
+ # objects in Builtin are aready covered by objectclass
+ protected_list = [
+ ["CN=Domain Admins","CN=Users,"],
+ ["CN=Schema Admins","CN=Users,"],
+ ["CN=Enterprise Admins","CN=Users,"],
+ ["CN=Administrator","CN=Users,"],
+ ["CN=Domain Controllers","CN=Users,"],
+ ]
+
+
+
+ for pr_object in protected_list:
+ try:
+ self.ldb.delete(pr_object[0] + "," + pr_object[1] + self.base_dn)
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_OTHER)
+ else:
+ self.fail("Deleted " + pr_object[0])
+
+ try:
+ self.ldb.rename(pr_object[0] + "," + pr_object[1] + self.base_dn,
+ pr_object[0] + "2," + pr_object[1] + self.base_dn)
+ except LdbError, (num, _):
+ self.fail("Could not rename " + pr_object[0])
+
+ self.ldb.rename(pr_object[0] + "2," + pr_object[1] + self.base_dn,
+ pr_object[0] + "," + pr_object[1] + self.base_dn)
if not "://" in host:
if os.path.isfile(host):
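Review bot: The OU created on the first line of test_protected_sid_objects (`ou=ldaptestou`) is never referenced again and never removed, so every run leaves it behind in the directory; either drop that line or clean it up at the end with `delete_force(self.ldb, "ou=ldaptestou," + self.base_dn)`, which this file already uses for cleanup. The loop asserts only that deletion fails with ERR_OTHER, a generic code that does not distinguish this policy refusal from other failures mapped to it, so if samldb sets an error string for the refusal, asserting on that string as well would pin the reason; a positive control showing that the relax control (or an object with RID >= 1000) still allows deletion would also make the test meaningful in both directions. The three consecutive blank lines after protected_list are a style nit. The hunk's trailing context appears to continue past the end of what is shown here.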