git.ipfire.org Git - thirdparty/samba.git/commit

author	Andrew Bartlett <abartlet@samba.org>
	Tue, 19 Oct 2021 22:36:58 +0000 (11:36 +1300)
committer	Jule Anger <janger@samba.org>
	Tue, 9 Nov 2021 19:45:34 +0000 (19:45 +0000)
commit	a3aee582a5c94b3d4de5edd0e9e5a0367addacbd
tree	c8f351bcc8a32ce833c26df5b6946feb9aa309af	tree \| snapshot
parent	43983170fc8671f7c0f0a0a6e1f8a82d9dbc2b60	commit \| diff

CVE-2020-25722 Ensure the structural objectclass cannot be changed

If the structural objectclass is allowed to change, then the restrictions
locking an object to remaining a user or computer will not be enforcable.

Likewise other LDAP inheritance rules, which allow only certain
child objects can be bypassed, which can in turn allow creation of
(unprivileged) users where only DNS objects were expected.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14889

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

selftest/knownfail.d/ldap		diff \| blob \| blame \| history
selftest/knownfail.d/modify-order		diff \| blob \| blame \| history
selftest/knownfail.d/uac_mod_lock	[deleted file]	blob \| blame \| history
selftest/knownfail.d/uac_objectclass_restrict		diff \| blob \| blame \| history
source4/dsdb/samdb/ldb_modules/objectclass.c		diff \| blob \| blame \| history