From 13a10d43141c29dad61868b451c0c1dca82360de Mon Sep 17 00:00:00 2001
From: Nadezhda Ivanova <nivanova@symas.com>
Date: Mon, 14 Oct 2013 12:38:10 +0300
Subject: s4-samldb: Do not allow deletion of objects with RID < 1000

According to [MS-SAMR] 3.1.5.7 Delete Pattern we should not allow deletion
of security objects with RID < 1000. This patch will prevent deletion of
well-known accounts and groups.

Signed-off-by: Nadezhda Ivanova <nivanova@symas.com>
Reviewed-by:   Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Nadezhda Ivanova <nivanova@samba.org>
Autobuild-Date(master): Mon Oct 14 13:31:50 CEST 2013 on sn-devel-104
---
 source4/dsdb/samdb/ldb_modules/samldb.c | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'source4/dsdb/samdb/ldb_modules')

diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index 603370fd62..b79810279c 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -2552,6 +2552,11 @@ static int samldb_prim_group_users_check(struct samldb_ctx *ac)
 		/* Special object (security principal?) */
 		return LDB_SUCCESS;
 	}
+	/* do not allow deletion of well-known sids */
+	if (rid < DSDB_SAMDB_MINIMUM_ALLOWED_RID &&
+	    (ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID) == NULL)) {
+		return LDB_ERR_OTHER;
+	}
 
 	/* Deny delete requests from groups which are primary ones */
 	ret = dsdb_module_search(ac->module, ac, &res,
-- 
cgit