CVE-2020-25720 s4-acl: Omit sDRightsEffective for computers unless al…

…l rights are granted

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810

Signed-off-by: Joseph Sutton <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>

selftest/knownfail.d/bug-14810

@@ -1,11 +1,4 @@
 ^samba4.ldap.acl.python\(.*\).__main__.AclAddTests.test_add_security_descriptor_explicit_right_owner_not_us\(.*\)
-^samba4.ldap.acl.python\(.*\).__main__.AclModifyTests.test_modify_dacl_explicit_computer\(.*\)
-^samba4.ldap.acl.python\(.*\).__main__.AclModifyTests.test_modify_dacl_owner_computer_implicit_right_allowed\(.*\)
-^samba4.ldap.acl.python\(.*\).__main__.AclModifyTests.test_modify_dacl_owner_computer_implicit_right_blocked\(.*\)
-^samba4.ldap.acl.python\(.*\).__main__.AclModifyTests.test_modify_group_explicit_computer\(.*\)
-^samba4.ldap.acl.python\(.*\).__main__.AclModifyTests.test_modify_owner_admin_computer\(.*\)
-^samba4.ldap.acl.python\(.*\).__main__.AclModifyTests.test_modify_owner_explicit_computer\(.*\)
-^samba4.ldap.acl.python\(.*\).__main__.AclModifyTests.test_modify_owner_other_admin_computer\(.*\)
 ^samba4.ldap.acl.python\(.*\).__main__.AclModifyTests.test_modify_owner_other_computer\(.*\)
 ^samba4.ldap.acl.python\(.*\).__main__.AclModifyTests.test_modify_owner_other_user\(.*\)
 ^samba4.user_account_control.python\(.*\).__main__.UserAccountControlTests.test_add_computer_cc_normal_bare\(.*\)

source4/dsdb/samdb/ldb_modules/acl.c

@@ -525,6 +525,17 @@ static int acl_sDRightsEffective(struct ldb_module *module,
 			flags |= SECINFO_SACL;
 		}
 	}
+
+	if (flags != (SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL | SECINFO_SACL)) {
+		const struct ldb_message_element *el = samdb_find_attribute(ldb,
+									    sd_msg,
+									    "objectclass",
+									    "computer");
+		if (el != NULL) {
+			return LDB_SUCCESS;
+		}
+	}
+
 	return samdb_msg_add_uint(ldb_module_get_ctx(module), msg, msg,
 				  "sDRightsEffective", flags);
 }