From 5dd4555f391d841b276e53e70eedde36f5190cdd Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Sat, 24 Nov 2012 10:14:59 +0100
Subject: s4:dsdb/subtree_delete: do the recursive delete AS_SYSTEM/TRUSTED (bug #7711)

Now that the acl module checks for SEC_ADS_DELETE_TREE, we can do the recursive delete AS_SYSTEM. We need to pass the TRUSTED flags as we operate from the TOP module.

Signed-off-by: Stefan Metzmacher
Reviewed-by: Michael Adam
---
source4/dsdb/samdb/ldb_modules/subtree_delete.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
(limited to 'source4')
diff --git a/source4/dsdb/samdb/ldb_modules/subtree_delete.c b/source4/dsdb/samdb/ldb_modules/subtree_delete.c
index ce1b8922f3..f041b7e66e 100644
--- a/source4/dsdb/samdb/ldb_modules/subtree_delete.c
+++ b/source4/dsdb/samdb/ldb_modules/subtree_delete.c
@@ -79,9 +79,17 @@ static int subtree_delete(struct ldb_module *module, struct ldb_request *req)
return LDB_ERR_NOT_ALLOWED_ON_NON_LEAF;
}
- /* we need to start from the top since other LDB modules could
- * enforce constraints (eg "objectclass" and "samldb" do so). */
- flags = DSDB_FLAG_TOP_MODULE | DSDB_TREE_DELETE;
+ /*
+ * we need to start from the top since other LDB modules could
+ * enforce constraints (eg "objectclass" and "samldb" do so).
+ *
+ * We pass DSDB_FLAG_AS_SYSTEM as the acl module above us
+ * has already checked for SEC_ADS_DELETE_TREE.
+ */
+ flags = DSDB_FLAG_TOP_MODULE |
+ DSDB_FLAG_AS_SYSTEM |
+ DSDB_FLAG_TRUSTED |
+ DSDB_TREE_DELETE;
if (ldb_request_get_control(req, LDB_CONTROL_RELAX_OID) != NULL) {
flags |= DSDB_MODIFY_RELAX;
}
--
cgit
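Review bot: Adding DSDB_FLAG_AS_SYSTEM to `flags` turns the stacking order into a security invariant: the per-child ACL checks are skipped on the assumption that the acl module sits above subtree_delete and has already rejected the request unless the caller holds SEC_ADS_DELETE_TREE on the parent, and nothing in this module verifies that, so a reordering of the module list (or a caller reaching this module through another path) would delete the whole subtree as system with no authorization check at all. The new comment explains AS_SYSTEM but says nothing about DSDB_FLAG_TRUSTED, which the commit message justifies by the child deletes being re-issued from the top of the stack; I would extend the comment with ` * DSDB_FLAG_TRUSTED is needed because the child deletes are` / ` * re-issued from the top of the module stack (DSDB_FLAG_TOP_MODULE),` / ` * and both rely on the acl module being stacked above this one.` Note also that the unchanged `flags |= DSDB_MODIFY_RELAX` branch below now combines RELAX with AS_SYSTEM | TRUSTED, so it is worth confirming that LDB_CONTROL_RELAX_OID is already restricted to privileged callers before it reaches this module. The `flags` variable is consumed by the delete calls later in subtree_delete, outside this hunk.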