Proposal for changes in become root

Xavi Hernandez xhernandez at gmail.com
Mon Apr 22 12:15:14 UTC 2024


On Mon, Apr 22, 2024 at 1:51 PM Ralph Boehme <slow at samba.org> wrote:

> On 4/22/24 12:46, Xavi Hernandez wrote:
> > I've just started to take a look, but if I understand it correctly, the
> > user credentials will be set just before doing the system call.
>
> exactly.
>
> > I've not
> > seen any reference to become_root() (I may have missed something,
> > though),
>
> that part is not implemented yet, so far there's only the root
> impersonation object in the struct samba_impersonation. This still needs
> to be fleshed out in samba_impersonation_create().
>
> IIRC we'd then have a new function like samba_root_impersonation() that
> then checks imp->is_become_root and either returns imp or imp->become_root.
>
> In places where we currently call become_root(), we'd then call root_imp
> = samba_root_impersonation() and pass root_imp to the function we want
> to execute as root.
>
> Note that we'll likely also have to bite the bullet and properly handle
> capabilities instead of using [set|drop]_effective_capability(). To do
> this we somehow need to track the current and modified set of
> capabilities in the impersonation objects.
>
> > but I guess it needs to integrate with that and, in this case,
> > it won't issue any syscalls to change the current process owner, right?
> >
> > That approach could be very useful for what I really wanted to do. If I
> > see it correctly, the credentials switch happens in vfs_default, so
> > modules are free to implement the credentials as they want.
>
> yes.
>
> In the end you would cache your own impersonation tokens in a cache
> associated with the main impersonation object cache id
> (samba_impersonation_cache_id()), using a talloc destructor on an object
> that is a talloc child of the impersonation object and removes the VFS
> module token from the VFS module cache.
>
> Makes sense?
>

Yes. It makes a lot of sense. I still need to understand the details
better, but let me know if I can help with something.

Regards,

Xavi

