summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source4/dsdb/samdb/ldb_modules/rootdse.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/rootdse.c b/source4/dsdb/samdb/ldb_modules/rootdse.c
index 516194d2b7..050cf5e062 100644
--- a/source4/dsdb/samdb/ldb_modules/rootdse.c
+++ b/source4/dsdb/samdb/ldb_modules/rootdse.c
@@ -1173,6 +1173,14 @@ static int rootdse_become_master(struct ldb_module *module,
bool am_rodc;
struct dcerpc_binding_handle *irpc_handle;
int ret;
+ struct auth_session_info *session_info;
+ enum security_user_level level;
+
+ session_info = (struct auth_session_info *)ldb_get_opaque(ldb_module_get_ctx(module), "sessionInfo");
+ level = security_session_user_level(session_info, NULL);
+ if (level < SECURITY_ADMINISTRATOR) {
+ return ldb_error(ldb, LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS, "Denied rootDSE modify for non-administrator");
+ }
ret = samdb_rodc(ldb, &am_rodc);
if (ret != LDB_SUCCESS) {