From 31e4015b78e4e6ce1f83cc556febb4394bb8ef78 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Fri, 29 Jan 2016 23:34:15 +0100
Subject: [PATCH] CVE-2018-14628: s4:setup: set the correct nTSecurityDescriptor on the CN=Deleted Objects container
This revealed a bug in our dirsync code, so we mark test_search_with_dirsync_deleted_objects as knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595
Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett
(cherry picked from commit 7f8b15faa76d05023c987fac2c4c31f9ac61bb47)
---
 selftest/knownfail.d/samba4.ldap.confidential_attr | 1 +
 source4/setup/provision.ldif | 1 +
 source4/setup/provision_configuration.ldif | 1 +
 source4/setup/provision_dnszones_add.ldif | 1 +
 4 files changed, 4 insertions(+)
 create mode 100644 selftest/knownfail.d/samba4.ldap.confidential_attr
diff --git a/selftest/knownfail.d/samba4.ldap.confidential_attr b/selftest/knownfail.d/samba4.ldap.confidential_attr
new file mode 100644
index 00000000000..46a75ce928b
--- /dev/null
+++ b/selftest/knownfail.d/samba4.ldap.confidential_attr
@@ -0,0 +1 @@
+^samba4.ldap.confidential_attr.python.*.__main__.*.test_search_with_dirsync_deleted_objects
diff --git a/source4/setup/provision.ldif b/source4/setup/provision.ldif
index 5d9eba49f86..7f966fd57f8 100644
--- a/source4/setup/provision.ldif
+++ b/source4/setup/provision.ldif
@@ -34,6 +34,7 @@ isDeleted: TRUE
 isCriticalSystemObject: TRUE
 showInAdvancedViewOnly: TRUE
 systemFlags: -1946157056
+nTSecurityDescriptor:: ${DELETEDOBJECTS_DESCRIPTOR}
 # Computers located in "provision_computers*.ldif"
 # Users/Groups located in "provision_users*.ldif"
diff --git a/source4/setup/provision_configuration.ldif b/source4/setup/provision_configuration.ldif
index 53c9c8536de..8fcbddbdae4 100644
--- a/source4/setup/provision_configuration.ldif
+++ b/source4/setup/provision_configuration.ldif
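Review bot: The new knownfail entry switches off a check in the confidential-attribute suite, and nothing in the file records why or when it can be removed. The commit message attributes the failure to a dirsync bug, so until that is fixed the dirsync view of deleted objects is not being regression-tested. Assuming the knownfail format accepts `#` comment lines, a line such as `# fails since CN=Deleted Objects got its correct descriptor: dirsync bug, see bugzilla 13595` above the pattern would keep that visible. The unescaped `.` characters in the pattern match any character, which is harmless here but matches more loosely than it reads.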
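Review bot: `${DELETEDOBJECTS_DESCRIPTOR}` on the added line is not defined anywhere in this patch, so it cannot be checked from here that every caller loading this template supplies it. The same applies to the identical additions in provision_configuration.ldif and provision_dnszones_add.ldif. Because the attribute is written with `::`, the substituted value has to be the base64 form of the binary descriptor, not an SDDL string. A comment above the entry such as `# nTSecurityDescriptor: base64 of the Deleted Objects descriptor, supplied by the provision code` would record that contract. The entry itself begins above the hunk.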
@@ -14,6 +14,7 @@ description: Container for deleted objects
 isDeleted: TRUE
 isCriticalSystemObject: TRUE
 systemFlags: -1946157056
+nTSecurityDescriptor:: ${DELETEDOBJECTS_DESCRIPTOR}
 # Extended rights
diff --git a/source4/setup/provision_dnszones_add.ldif b/source4/setup/provision_dnszones_add.ldif
index 860aa4b72b3..a2d6b6bab8f 100644
--- a/source4/setup/provision_dnszones_add.ldif
+++ b/source4/setup/provision_dnszones_add.ldif
@@ -8,6 +8,7 @@ description: Deleted objects
 isDeleted: TRUE
 isCriticalSystemObject: TRUE
 systemFlags: -1946157056
+nTSecurityDescriptor:: ${DELETEDOBJECTS_DESCRIPTOR}
 dn: CN=LostAndFound,${ZONE_DN}
 objectClass: top
-- 
2.34.1
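Review bot: Nothing in this patch touches a CN=Deleted Objects container that already exists. The added `nTSecurityDescriptor` lines here and in the two earlier LDIF hunks sit in provisioning templates, which presumably run only when a partition is created. Domains provisioned before this fix would then keep the old descriptor on their tombstone containers unless a separate upgrade or database-check step rewrites it, and no such step is visible in this diff. The commit message or release notes should say how existing installations get the corrected descriptor, for instance `Existing domains need the CN=Deleted Objects descriptor reset separately; this change only affects new provisions.`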