CVE-2020-25720: s4-acl: Change behavior of Create Children check
author Nadezhda Ivanova <nivanova@symas.com>
Mon, 25 Oct 2021 10:10:56 +0000 (13:10 +0300)
committer Andrew Bartlett <abartlet@samba.org>
Fri, 16 Sep 2022 02:32:36 +0000 (02:32 +0000)
commit 08187833fee57a8dba6c67546dfca516cd1f9d7a
tree 52a83240d4a30fa6fb3f8924fcf34fd812dc6694
parent 0e1d8929f872708e79edf802e5d2ff847c9b3ee5
CVE-2020-25720: s4-acl: Change behavior of Create Children check

Up to now, the rights to modify an attribute were not checked during an LDAP
add operation. This means that even if a user has no right to modify
an attribute, they can still specify any value during object creation,
and the validated writes were not checked.
This patch changes this behavior. During an add operation,
a security descriptor is created that does not include the one provided by the
user, and is used to verify that the user has the right to modify the supplied attributes.
An exception is made for an object's mandatory attributes, and if the user has the Write DACL right,
further checks are skipped.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810

Pair-Programmed-With: Joseph Sutton <josephsutton@catalyst.net.nz>

Signed-off-by: Nadezhda Ivanova <nivanova@symas.com>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
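The before/after behaviour the commit message describes, modelled in Python as an added illustration (this is not Samba's code): the descriptor layout (a principal-to-rights map), the `WRITE:<attr>` right names, the principals and the mandatory-attribute set are all constructed assumptions for the example.

```python
# Model of the Create Children check before and after the fix.
# NOT Samba's code: descriptor layout, rights names, principals and the
# MANDATORY set are constructed for this example.

CREATE_CHILD = "CREATE_CHILD"
WRITE_DACL = "WRITE_DACL"

# Constructed schema: attributes that must be present on a new object.
MANDATORY = {"objectClass", "cn", "sAMAccountName"}

# Constructed default descriptor applied to a new object: principal -> rights.
# "WRITE:<attr>" stands for write access to a single attribute.
DEFAULT_SD = {
    "admin": {CREATE_CHILD, WRITE_DACL},
    "helpdesk": {CREATE_CHILD, "WRITE:description", "WRITE:telephoneNumber"},
}


def effective_rights(sd, principal):
    """Rights a principal holds under a given descriptor (no inheritance modelled)."""
    return sd.get(principal, set())


def vulnerable_add(principal, attrs, user_sd=None):
    """Old behaviour: only the right to create the child is checked; the
    supplied attribute values are never checked against write rights."""
    return CREATE_CHILD in effective_rights(DEFAULT_SD, principal)


def fixed_add(principal, attrs, user_sd=None):
    """New behaviour: rights come from a descriptor that ignores the one the
    user supplied (user_sd); every non-mandatory attribute needs a write
    right, unless the principal holds WRITE_DACL, which skips those checks."""
    rights = effective_rights(DEFAULT_SD, principal)  # user_sd deliberately unused
    if CREATE_CHILD not in rights:
        return False
    if WRITE_DACL in rights:
        return True
    for attr in attrs:
        if attr in MANDATORY:
            continue  # mandatory attributes are exempt from the write check
        if f"WRITE:{attr}" not in rights:
            return False
    return True
```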
selftest/knownfail.d/bug-14810
source4/dsdb/samdb/ldb_modules/acl.c
source4/dsdb/samdb/ldb_modules/descriptor.c
source4/dsdb/samdb/samdb.h
source4/dsdb/tests/python/sec_descriptor.py
source4/dsdb/tests/python/user_account_control.py
source4/libcli/ldap/ldap_controls.c