s4:dsdb/subtree_delete: do the recursive delete AS_SYSTEM/TRUSTED (bug #7711)
author Stefan Metzmacher <metze@samba.org>
Sat, 24 Nov 2012 09:14:59 +0000 (10:14 +0100)
committer Stefan Metzmacher <metze@samba.org>
Sun, 25 Nov 2012 22:30:08 +0000 (23:30 +0100)
Now that the acl module checks for SEC_ADS_DELETE_TREE,
we can do the recursive delete AS_SYSTEM.

We need to pass the TRUSTED flags as we operate from
the TOP module.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
source4/dsdb/samdb/ldb_modules/subtree_delete.c

index ce1b8922f35b9b380e8eb24dc33ccd5bcce90422..f041b7e66ea19a75424fba14f13c65cff4b07890 100644 (file)
@@ -79,9 +79,17 @@ static int subtree_delete(struct ldb_module *module, struct ldb_request *req)
                return LDB_ERR_NOT_ALLOWED_ON_NON_LEAF;
        }
 
-       /* we need to start from the top since other LDB modules could
-        * enforce constraints (eg "objectclass" and "samldb" do so). */
-       flags = DSDB_FLAG_TOP_MODULE | DSDB_TREE_DELETE;
+       /*
+        * we need to start from the top since other LDB modules could
+        * enforce constraints (eg "objectclass" and "samldb" do so).
+        *
+        * We pass DSDB_FLAG_AS_SYSTEM as the acl module above us
+        * has already checked for SEC_ADS_DELETE_TREE.
+        */
+       flags = DSDB_FLAG_TOP_MODULE |
+               DSDB_FLAG_AS_SYSTEM |
+               DSDB_FLAG_TRUSTED |
+               DSDB_TREE_DELETE;
        if (ldb_request_get_control(req, LDB_CONTROL_RELAX_OID) != NULL) {
                flags |= DSDB_MODIFY_RELAX;
        }
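
Review bot: The new comment above `flags = DSDB_FLAG_TOP_MODULE |` justifies DSDB_FLAG_AS_SYSTEM but says nothing about DSDB_FLAG_TRUSTED, which is added in the same assignment. The commit message gives the reason (the request is issued from the top module), and that sentence belongs in the code comment as well. Because the recursive delete now runs as system on the strength of the acl module's SEC_ADS_DELETE_TREE check, the comment should also state that this relies on acl sitting above subtree_delete in the module stack, so that a later reordering of modules does not silently remove the only authorization check on this path.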