From e0ab14f52a52c8317473b4c4cd3cf50265e1f9e4 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Fri, 9 Nov 2012 17:23:53 +0100
Subject: s4:dsdb/acl_read: make sure confidential attributes require CONTROL_ACCESS (bug #8620)

Signed-off-by: Stefan Metzmacher
Signed-off-by: Andrew Bartlett
Reviewed-by: Andrew Bartlett
Autobuild-User(master): Andrew Bartlett
Autobuild-Date(master): Mon Nov 12 01:25:21 CET 2012 on sn-devel-104
---
 source4/dsdb/samdb/ldb_modules/acl_read.c | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'source4/dsdb')
diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c
index 8542163f98..e2a2d4cb9a 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_read.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c
@@ -154,6 +154,10 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
 access_mask = SEC_ADS_READ_PROP;
 }
 
+ if (attr->searchFlags & SEARCH_FLAG_CONFIDENTIAL) {
+ access_mask |= SEC_ADS_CONTROL_ACCESS;
+ }
+
 ret = acl_check_access_on_attribute(ac->module,
 tmp_ctx,
 sd,
-- 
cgit
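Review bot: The new `SEARCH_FLAG_CONFIDENTIAL` test in `aclread_callback` tightens only the per-attribute check made on a reply entry, so a confidential attribute that is referenced in the search filter rather than in the returned attribute list is not covered by anything visible in this hunk; it is worth confirming that the filter path is checked elsewhere, since matching on a value can disclose it without the attribute ever being returned. The change also relies on `acl_check_access_on_attribute` denying unless every bit of `access_mask` is granted, which the hunk does not show. The diffstat lists only acl_read.c, so a regression test that reads a confidential attribute with READ_PROP but without CONTROL_ACCESS would pin the behaviour. A short comment above the added lines would help, e.g. `/* confidential attributes need CONTROL_ACCESS in addition to the read right */`. The body of aclread_callback starts and ends outside the hunk.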