mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
samba-mirror/source4/dsdb
Nadezhda Ivanova 08187833fe CVE-2020-25720: s4-acl: Change behavior of Create Children check
Up to now, the rights to modify an attribute were not checked during an LDAP
add operation. This means that even if a user has no right to modify
an attribute, they can still specify any value during object creation,
and the validated writes were not checked.
This patch changes this behavior. During an add operation,
a security descriptor is created that does not include the one provided by the
user, and is used to verify that the user has the right to modify the supplied attributes.
Exception is made for an object's mandatory attributes, and if the user has Write DACL right,
further checks are skipped.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810

Pair-Programmed-With: Joseph Sutton <josephsutton@catalyst.net.nz>

Signed-off-by: Nadezhda Ivanova <nivanova@symas.com>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-09-16 02:32:36 +00:00
..
common CVE-2021-20251 dsdb/common: Remove transaction logic from samdb_set_password() 2022-09-12 23:07:38 +00:00
dns s4: rename source4/smbd/ to source4/samba/ 2020-11-27 10:07:18 +00:00
kcc dsdb periodic: DNS: split aging from tombstone deletion 2021-06-20 23:26:32 +00:00
repl s4: rename source4/smbd/ to source4/samba/ 2020-11-27 10:07:18 +00:00
samdb CVE-2020-25720: s4-acl: Change behavior of Create Children check 2022-09-16 02:32:36 +00:00
schema dsdb/schema: let dsdb_syntax_DN_BINARY_drsuapi_to_ldb return WERR_DS_INVALID_ATTRIBUTE_SYNTAX 2022-01-12 03:09:52 +00:00
tests/python CVE-2020-25720: s4-acl: Change behavior of Create Children check 2022-09-16 02:32:36 +00:00
pydsdb.c CVE-2020-25720 pydsdb: Add AD schema GUID constants 2022-09-16 02:32:36 +00:00
samdb.pc.in
wscript_build CVE-2020-25718 dsdb: Bring sid_helper.c into common code as rodc_helper.c 2021-11-09 19:45:34 +00:00