dsdb: Create RID Set as SYSTEM

We do not want random users with add-user rights to own the new RID Set for this
server, and the ridSet class is thankfully system-only.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9954

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

diff --git a/source4/dsdb/samdb/ldb_modules/ridalloc.c b/source4/dsdb/samdb/ldb_modules/ridalloc.c
index b5c7f52c3e026e8aacbb4e2a2a3f5cde68bd94f9..d3463e6e7a04a1d27632547b46bd3a736e250957 100644 (file)
--- a/source4/dsdb/samdb/ldb_modules/ridalloc.c
+++ b/source4/dsdb/samdb/ldb_modules/ridalloc.c
@@ -347,8 +347,12 @@ static int ridalloc_create_rid_set_ntds(struct ldb_module *module, TALLOC_CTX *m
 
        /* we need this to go all the way to the top of the module
         * stack, as we need all the extra attributes added (including
-        * complex ones like ntsecuritydescriptor) */
-       ret = dsdb_module_add(module, msg, DSDB_FLAG_TOP_MODULE | DSDB_MODIFY_RELAX, parent);
+        * complex ones like ntsecuritydescriptor).  We must do this
+        * as system, otherwise a user might end up owning the RID
+        * set, and that would be bad... */
+       ret = dsdb_module_add(module, msg,
+                             DSDB_FLAG_TOP_MODULE | DSDB_FLAG_AS_SYSTEM
+                             | DSDB_MODIFY_RELAX, parent);
        if (ret != LDB_SUCCESS) {
                ldb_asprintf_errstring(ldb, "Failed to add RID Set %s - %s",
                                       ldb_dn_get_linearized(msg->dn),