CVE-2019-14902 repl_meta_data: schedule SD propagation to a renamed DN
authorAndrew Bartlett <abartlet@samba.org>
Fri, 6 Dec 2019 05:05:54 +0000 (18:05 +1300)
committerKarolin Seeger <kseeger@samba.org>
Fri, 10 Jan 2020 10:56:20 +0000 (11:56 +0100)
We need to check the SD of the parent if we rename; this is not the same as an incoming SD change.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
source4/dsdb/samdb/ldb_modules/repl_meta_data.c

index 04a51ecab5143426e9e8b2449962bf0fd43887d6..52ff3d75ee21f6ac2bcceffd5b6c6bef49959ed6 100644 (file)
@@ -6290,7 +6290,22 @@ static int replmd_replicated_apply_merge(struct replmd_replicated_request *ar)
                  ar->index_current, msg->num_elements);
 
        if (renamed) {
-               sd_updated = true;
+               /*
+                * This is an new name for this object, so we must
+                * inherit from the parent
+                *
+                * This is needed because descriptor is above
+                * repl_meta_data in the module stack, so this will
+                * not be trigered 'naturally' by the flow of
+                * operations.
+                */
+               ret = dsdb_module_schedule_sd_propagation(ar->module,
+                                                         ar->objs->partition_dn,
+                                                         msg->dn,
+                                                         true);
+               if (ret != LDB_SUCCESS) {
+                       return ldb_operr(ldb);
+               }
        }
 
        if (sd_updated && !isDeleted) {
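Review bot: The new `if (renamed)` branch schedules SD propagation without the `!isDeleted` guard that the old `sd_updated = true` path picked up from the `if (sd_updated && !isDeleted)` test just below, so a replicated rename of a deleted object (presumably including a move into a deleted-objects container) now has re-inheritance scheduled where it previously did not. If that is intended, the comment should say so, e.g. `* Deliberately not gated on !isDeleted: a renamed object always re-inherits from its new parent.`; if not, the condition should be `if (renamed && !isDeleted) {`. Separately, `return ldb_operr(ldb);` discards `ret`, so a failure to schedule propagation on this security-relevant path surfaces only as a generic operations error; returning `ret` or setting an error string that names `msg->dn` would make it diagnosable. The added comment also has two typos (`an new`, `trigered`). The enclosing replmd_replicated_apply_merge starts and ends outside the hunk, so how `isDeleted` and `renamed` are set is not visible here.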