CVE-2020-25720 s4:tests/sec_descriptor: Add missing security descriptor modify

The variable sub_sddl1 previously went unused, so this call to
modify_sd_on_dn() was presumably intended to go here.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/source4/dsdb/tests/python/sec_descriptor.py b/source4/dsdb/tests/python/sec_descriptor.py
index 6471fc15c55fa9d00a4a377f3454fdc1cff8de93..5211634ab2f534cf8c94a9af7697adced4f4f617 100755 (executable)
--- a/source4/dsdb/tests/python/sec_descriptor.py
+++ b/source4/dsdb/tests/python/sec_descriptor.py
@@ -2111,6 +2111,8 @@ class SdAutoInheritTests(DescriptorTests):
 
         self.sd_utils.modify_sd_on_dn(self.ou_dn, ou_sddl1, controls=controls)
 
+        self.sd_utils.modify_sd_on_dn(self.sub_dn, sub_sddl1, controls=controls)
+
         sub_res2 = self.sd_utils.ldb.search(self.sub_dn, SCOPE_BASE,
                                             None, attrs, controls=controls)
         ou_res2 = self.sd_utils.ldb.search(self.ou_dn, SCOPE_BASE,
@@ -2142,7 +2144,7 @@ class SdAutoInheritTests(DescriptorTests):
 
         sub_usn0 = int(sub_res0[0]["uSNChanged"][0])
         sub_usn2 = int(sub_res2[0]["uSNChanged"][0])
-        self.assertTrue(sub_usn2 == sub_usn0)
+        self.assertGreater(sub_usn2, sub_usn0)
 
 
 if "://" not in host: