CVE-2019-14902 dsdb: Add comments explaining why SD propagation needs to be done...
authorAndrew Bartlett <abartlet@samba.org>
Tue, 26 Nov 2019 03:17:32 +0000 (16:17 +1300)
committerKarolin Seeger <kseeger@samba.org>
Fri, 10 Jan 2020 10:56:20 +0000 (11:56 +0100)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
source4/dsdb/samdb/ldb_modules/descriptor.c

index fb2854438e1e95908f777a8e6d24e40763ceebe9..7070affa6459c5f12a1515dd79bffbe10fb0cf0b 100644 (file)
@@ -876,6 +876,9 @@ static int descriptor_modify(struct ldb_module *module, struct ldb_request *req)
                        return ldb_oom(ldb);
                }
 
+               /*
+                * Force SD propagation on children of this record
+                */
                ret = dsdb_module_schedule_sd_propagation(module, nc_root,
                                                          dn, false);
                if (ret != LDB_SUCCESS) {
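Review bot: The comment added above the dsdb_module_schedule_sd_propagation() call in descriptor_modify states what is scheduled but not why, although the commit title promises the reason. It also leaves the bare `false` argument unexplained, which appears to be what limits the work to the children. Inherited ACEs on descendants are only recalculated once this propagation runs, so a reader auditing access control needs the trigger spelled out, for example `/* The SD of dn may have changed: recalculate inherited SDs on its children (final argument false = children only) */`. The condition guarding this block lies outside the hunk, so the wording should be checked against it.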
@@ -966,6 +969,10 @@ static int descriptor_rename(struct ldb_module *module, struct ldb_request *req)
                        return ldb_oom(ldb);
                }
 
+               /*
+                * Force SD propagation on this record (get a new
+                * inherited SD from the potentially new parent
+                */
                ret = dsdb_module_schedule_sd_propagation(module, nc_root,
                                                          newdn, true);
                if (ret != LDB_SUCCESS) {
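Review bot: The comment added in descriptor_rename opens a parenthesis at "(get a new" and never closes it, so the sentence reads as cut off. The last comment line should be `* inherited SD from the potentially new parent)`. It would also help to note that the trailing `true` appears to be what includes the renamed record itself, in contrast to the `false` passed in descriptor_modify. The enclosing block starts and ends outside the hunk.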