authorAndrew Bartlett <abartlet@samba.org>2014-12-04 17:23:29 +1300
committerKarolin Seeger <kseeger@samba.org>2015-01-15 14:54:47 +0100
commitef7fb904a97f00babb33affa0bfc8d2f5bb5ce32 (patch)
tree21d3a6df0f59ed4ca356b22417d03100c6f89d39 /source4/rpc_server
parent9d62b6764e99737fd7b914163237a8767d1224b1 (diff)
CVE-2014-8143:dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl
This requires an additional control to be used in the LSA server to add domain trust account objects. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Karolin Seeger <kseeger@samba.org> Autobuild-Date(master): Thu Jan 15 14:54:47 CET 2015 on sn-devel-104
Diffstat (limited to 'source4/rpc_server')
-rw-r--r--source4/rpc_server/lsa/dcesrv_lsa.c15
1 files changed, 14 insertions, 1 deletions
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index cc2048da07..b7936b892e 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -800,6 +800,7 @@ static NTSTATUS add_trust_user(TALLOC_CTX *mem_ctx,
struct trustAuthInOutBlob *in,
struct ldb_dn **user_dn)
{
+ struct ldb_request *req;
struct ldb_message *msg;
struct ldb_dn *dn;
uint32_t i;
@@ -860,7 +861,19 @@ static NTSTATUS add_trust_user(TALLOC_CTX *mem_ctx,
}
/* create the trusted_domain user account */
- ret = ldb_add(sam_ldb, msg);
+ ret = ldb_build_add_req(&req, sam_ldb, mem_ctx, msg, NULL, NULL,
+ ldb_op_default_callback, NULL);
+ if (ret != LDB_SUCCESS) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ ret = ldb_request_add_control(req, DSDB_CONTROL_PERMIT_INTERDOMAIN_TRUST_UAC_OID,
+ false, NULL);
+ if (ret != LDB_SUCCESS) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ ret = dsdb_autotransaction_request(sam_ldb, req);
if (ret != LDB_SUCCESS) {
DEBUG(0,("Failed to create user record %s: %s\n",
ldb_dn_get_linearized(msg->dn),