CVE-2020-25720 s4-acl: Check attribute access rights for LDAP adds of computers

Previously, these rights were only checked during LDAP modifies. Now we also check them for adds of computer objects, if configured in dsHeuristics.

This CVE-2020-25720 matches MS behaviour after the Nov 2021 updates, which we didn't have the time to do safely at that point (and Samba has better mitigations on servicePrincipalName, which was the primary concern).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810

Checklist

  • Commits have Signed-off-by: with name/author being identical to the commit author
  • (optional) This MR is just one part towards a larger feature.
  • (optional, if backport required) Bugzilla bug filed and BUG: tag added
  • Test suite updated with functionality tests
  • Test suite updated with negative tests
  • Documentation updated
  • CI timeout is 3h or higher (see Settings/CICD/General pipelines/ Timeout)

Reviewer's checklist:

  • There is a test suite reasonably covering new functionality or modifications
  • Function naming, parameters, return values, types, etc., are consistent and according to README.Coding.md
  • This feature/change has adequate documentation added
  • No obvious mistakes in the code
Edited by Andrew Bartlett