[SCM] Samba Shared Repository - branch master updated
Björn Jacke
bjacke at samba.org
Thu Nov 16 22:40:02 UTC 2023
The branch, master has been updated
via 1edf9ecaf56 posix_acls.c: prefer capabilities over become_root
via b250f25fe40 open.c: prefer capabilities over become_root
via 4227b011f6a vfs_recycle.c: prefer capabilities over become_root
via 92278418dc8 vfs_posix_eadb.c: prefer capabilities over become_root
via 62464bd2db2 vfs_default.c: prefer capabilities over become_root
via 0e3836e3961 vfs_acl_xattr.c: prefer capabilities over become_root
via 12734848dc9 vfs_acl_common.c: prefer capabilities over become_root
via 06e5c1e32ea nfs4_acls.c: prefer capabilities over become_root
via 944cb51506a token_util.c: prefer capabilities over become_root
via c1e2fbb1b9a dosmode.c: prefer use of capabilities at two places over become_root
via a1738e8265d system.c: fall back to become_root if CAP_DAC_OVERRIDE isn't usable
from 4481a67c1b2 smbd: fix close order of base_fsp and stream_fsp in smb_fname_fsp_destructor()
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 1edf9ecaf56f3312e199e633bff0804243042e33
Author: Björn Jacke <bj at sernet.de>
Date: Fri Jun 17 07:28:01 2022 +0200
posix_acls.c: prefer capabilities over become_root
Signed-off-by: Bjoern Jacke <bjacke at samba.org>
Reviewed-by: Christof Schmitt <cs at samba.org>
Autobuild-User(master): Björn Jacke <bjacke at samba.org>
Autobuild-Date(master): Thu Nov 16 22:39:05 UTC 2023 on atb-devel-224
commit b250f25fe407f9a6269b804382de4854501f2d86
Author: Björn Jacke <bj at sernet.de>
Date: Fri Jun 17 07:27:38 2022 +0200
open.c: prefer capabilities over become_root
Signed-off-by: Bjoern Jacke <bjacke at samba.org>
Reviewed-by: Christof Schmitt <cs at samba.org>
commit 4227b011f6ada97a4cd72a440ed887ffdb3f219e
Author: Björn Jacke <bj at sernet.de>
Date: Fri Jun 17 07:26:53 2022 +0200
vfs_recycle.c: prefer capabilities over become_root
Signed-off-by: Bjoern Jacke <bjacke at samba.org>
Reviewed-by: Christof Schmitt <cs at samba.org>
commit 92278418dc885ed411f545e73c800ce93f858090
Author: Björn Jacke <bj at sernet.de>
Date: Fri Jun 17 07:26:30 2022 +0200
vfs_posix_eadb.c: prefer capabilities over become_root
Signed-off-by: Bjoern Jacke <bjacke at samba.org>
Reviewed-by: Christof Schmitt <cs at samba.org>
commit 62464bd2db2a95b1253364f4493bbb6770b73193
Author: Björn Jacke <bj at sernet.de>
Date: Fri Jun 17 07:26:02 2022 +0200
vfs_default.c: prefer capabilities over become_root
Signed-off-by: Bjoern Jacke <bjacke at samba.org>
Reviewed-by: Christof Schmitt <cs at samba.org>
commit 0e3836e3961f2b7c39173ce1023d3c92addef630
Author: Björn Jacke <bj at sernet.de>
Date: Fri Jun 17 07:25:37 2022 +0200
vfs_acl_xattr.c: prefer capabilities over become_root
Signed-off-by: Bjoern Jacke <bjacke at samba.org>
Reviewed-by: Christof Schmitt <cs at samba.org>
commit 12734848dc9901b932644139aaa7e3f78e55c8dc
Author: Björn Jacke <bj at sernet.de>
Date: Fri Jun 17 07:25:08 2022 +0200
vfs_acl_common.c: prefer capabilities over become_root
Signed-off-by: Bjoern Jacke <bjacke at samba.org>
Reviewed-by: Christof Schmitt <cs at samba.org>
commit 06e5c1e32ea7907523cc19f021225e7541e2075f
Author: Björn Jacke <bj at sernet.de>
Date: Fri Jun 17 07:24:28 2022 +0200
nfs4_acls.c: prefer capabilities over become_root
Signed-off-by: Bjoern Jacke <bjacke at samba.org>
Reviewed-by: Christof Schmitt <cs at samba.org>
commit 944cb51506a94084d7ab52ee044fe6f66e1aaeb9
Author: Björn Jacke <bj at sernet.de>
Date: Fri Jun 17 07:22:57 2022 +0200
token_util.c: prefer capabilities over become_root
Signed-off-by: Bjoern Jacke <bjacke at samba.org>
Reviewed-by: Christof Schmitt <cs at samba.org>
commit c1e2fbb1b9a7551becf5caa0f08d434edf9ad862
Author: Björn Jacke <bj at sernet.de>
Date: Fri Nov 10 09:58:43 2023 +0100
dosmode.c: prefer use of capabilities at two places over become_root
Signed-off-by: Bjoern Jacke <bjacke at samba.org>
Reviewed-by: Christof Schmitt <cs at samba.org>
commit a1738e8265dd256c5a1064482a6dfccbf9ca44f1
Author: Björn Jacke <bj at sernet.de>
Date: Thu Nov 9 14:56:06 2023 +0100
system.c: fall back to become_root if CAP_DAC_OVERRIDE isn't usable
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15093
Signed-off-by: Bjoern Jacke <bjacke at samba.org>
Reviewed-by: Christof Schmitt <cs at samba.org>
-----------------------------------------------------------------------
Summary of changes:
source3/auth/token_util.c | 4 ++--
source3/lib/system.c | 31 +++++++++++++++++++++++++++++--
source3/modules/nfs4_acls.c | 4 ++--
source3/modules/vfs_acl_common.c | 8 ++++----
source3/modules/vfs_acl_xattr.c | 12 ++++++------
source3/modules/vfs_default.c | 4 ++--
source3/modules/vfs_posix_eadb.c | 4 ++--
source3/modules/vfs_recycle.c | 4 ++--
source3/smbd/dosmode.c | 8 ++++----
source3/smbd/open.c | 12 ++++++------
source3/smbd/posix_acls.c | 40 ++++++++++++++++++++--------------------
11 files changed, 79 insertions(+), 52 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c
index 023ad7cbb02..a7ff9bd6c3f 100644
--- a/source3/auth/token_util.c
+++ b/source3/auth/token_util.c
@@ -699,7 +699,7 @@ NTSTATUS finalize_local_nt_token(struct security_token *result,
/* Add in BUILTIN sids */
- become_root();
+ set_effective_capability(DAC_OVERRIDE_CAPABILITY);
ok = secrets_fetch_domain_sid(lp_workgroup(), &_dom_sid);
if (ok) {
domain_sid = &_dom_sid;
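Review bot: At the call to secrets_fetch_domain_sid(), the capability path leaves the effective uid as it was and only adds a bypass of file permission checks, so it matches the old become_root() only if the call needs nothing beyond opening files the current user cannot read. A one-line comment stating that assumption would help here, since the commit message gives no reasoning for why DAC override is sufficient at this site.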
@@ -707,7 +707,7 @@ NTSTATUS finalize_local_nt_token(struct security_token *result,
DEBUG(3, ("Failed to fetch domain sid for %s\n",
lp_workgroup()));
}
- unbecome_root();
+ drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
info = talloc_zero(talloc_tos(), struct acct_info);
if (info == NULL) {
diff --git a/source3/lib/system.c b/source3/lib/system.c
index 132e5827b37..bdaa723fd3c 100644
--- a/source3/lib/system.c
+++ b/source3/lib/system.c
@@ -643,18 +643,45 @@ static bool set_process_capability(enum smbd_capability capability,
Gain the oplock capability from the kernel if possible.
****************************************************************************/
+#if defined(HAVE_POSIX_CAPABILITIES) && defined(CAP_DAC_OVERRIDE)
+static bool have_cap_dac_override = true;
+#else
+static bool have_cap_dac_override = false;
+#endif
+
void set_effective_capability(enum smbd_capability capability)
{
+ bool ret = false;
+
+ if (capability != DAC_OVERRIDE_CAPABILITY || have_cap_dac_override) {
#if defined(HAVE_POSIX_CAPABILITIES)
- set_process_capability(capability, True);
+ ret = set_process_capability(capability, True);
#endif /* HAVE_POSIX_CAPABILITIES */
+ }
+
+ /*
+ * Fallback to become_root() if CAP_DAC_OVERRIDE is not
+ * available.
+ */
+ if (capability == DAC_OVERRIDE_CAPABILITY) {
+ if (!ret) {
+ have_cap_dac_override = false;
+ }
+ if (!have_cap_dac_override) {
+ become_root();
+ }
+ }
}
void drop_effective_capability(enum smbd_capability capability)
{
+ if (capability != DAC_OVERRIDE_CAPABILITY || have_cap_dac_override) {
#if defined(HAVE_POSIX_CAPABILITIES)
- set_process_capability(capability, False);
+ set_process_capability(capability, False);
#endif /* HAVE_POSIX_CAPABILITIES */
+ } else {
+ unbecome_root();
+ }
}
/**************************************************************************
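Review bot: drop_effective_capability() chooses its undo path from the current value of have_cap_dac_override, not from what the matching set_effective_capability() call actually did, so the pair can become unbalanced. If one call raises the capability and a later set_process_capability() fails before the first is dropped, the flag flips to false and the outstanding drop runs unbecome_root() with no become_root() to match, while the capability stays raised. Consider recording per call which mechanism was used, for example by returning it from set_effective_capability(), and logging once when the fallback latches, because after the first failure every later call in the process silently uses become_root(). The banner comment above the new static still reads "Gain the oplock capability", which no longer describes what follows it.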
diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
index 44c4718d3e4..cc9233da87d 100644
--- a/source3/modules/nfs4_acls.c
+++ b/source3/modules/nfs4_acls.c
@@ -1201,12 +1201,12 @@ NTSTATUS smb_set_nt_acl_nfs4(vfs_handle_struct *handle, files_struct *fsp,
smbacl4_dump_nfs4acl(10, theacl);
if (set_acl_as_root) {
- become_root();
+ set_effective_capability(DAC_OVERRIDE_CAPABILITY);
}
result = set_nfs4_native(handle, fsp, theacl);
saved_errno = errno;
if (set_acl_as_root) {
- unbecome_root();
+ drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
}
TALLOC_FREE(frame);
diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c
index daad612e565..692e776d10c 100644
--- a/source3/modules/vfs_acl_common.c
+++ b/source3/modules/vfs_acl_common.c
@@ -761,9 +761,9 @@ static NTSTATUS set_underlying_acl(vfs_handle_struct *handle, files_struct *fsp,
/* Ok, we failed to chown and we have
SEC_STD_WRITE_OWNER access - override. */
- become_root();
+ set_effective_capability(DAC_OVERRIDE_CAPABILITY);
status = SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd);
- unbecome_root();
+ drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
return status;
}
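Review bot: The comment above the retry says the first attempt "failed to chown", but the retry now runs with DAC_OVERRIDE_CAPABILITY only. On Linux, changing a file's owner is governed by CAP_CHOWN, not CAP_DAC_OVERRIDE, so unless set_process_capability() raises more than that for this enum value (not visible in this diff), SMB_VFS_NEXT_FSET_NT_ACL will fail the same way it did the first time. The fallback added in system.c does not cover this, because it triggers only when raising the capability fails, not when the operation itself returns EPERM.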
@@ -1069,7 +1069,7 @@ static int acl_common_remove_object(vfs_handle_struct *handle,
goto out;
}
- become_root();
+ set_effective_capability(DAC_OVERRIDE_CAPABILITY);
if (is_directory) {
ret = SMB_VFS_NEXT_UNLINKAT(handle,
dirfsp,
@@ -1081,7 +1081,7 @@ static int acl_common_remove_object(vfs_handle_struct *handle,
smb_fname,
0);
}
- unbecome_root();
+ drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
if (ret == -1) {
saved_errno = errno;
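Review bot: The unlink bracketed by the set call in the previous hunk and the drop_effective_capability() here loses part of what become_root() provided. CAP_DAC_OVERRIDE grants write access to the parent directory, but in a sticky directory the kernel also requires the caller to own the entry or the directory, or to hold CAP_FOWNER. If acl_common_remove_object() is expected to work in that case, it needs a test, or a note that the case is intentionally no longer covered.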
diff --git a/source3/modules/vfs_acl_xattr.c b/source3/modules/vfs_acl_xattr.c
index 1a3ab34d659..ee247a312f7 100644
--- a/source3/modules/vfs_acl_xattr.c
+++ b/source3/modules/vfs_acl_xattr.c
@@ -46,12 +46,12 @@ static ssize_t getxattr_do(vfs_handle_struct *handle,
ssize_t sizeret;
int saved_errno = 0;
- become_root();
+ set_effective_capability(DAC_OVERRIDE_CAPABILITY);
sizeret = SMB_VFS_FGETXATTR(fsp, xattr_name, val, size);
if (sizeret == -1) {
saved_errno = errno;
}
- unbecome_root();
+ drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
if (saved_errno != 0) {
errno = saved_errno;
@@ -132,13 +132,13 @@ static NTSTATUS store_acl_blob_fsp(vfs_handle_struct *handle,
DEBUG(10,("store_acl_blob_fsp: storing blob length %u on file %s\n",
(unsigned int)pblob->length, fsp_str_dbg(fsp)));
- become_root();
+ set_effective_capability(DAC_OVERRIDE_CAPABILITY);
ret = SMB_VFS_FSETXATTR(fsp, XATTR_NTACL_NAME,
pblob->data, pblob->length, 0);
if (ret) {
saved_errno = errno;
}
- unbecome_root();
+ drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
if (ret) {
DEBUG(5, ("store_acl_blob_fsp: setting attr failed for file %s"
"with error %s\n",
@@ -175,9 +175,9 @@ static int sys_acl_set_fd_xattr(vfs_handle_struct *handle,
return 0;
}
- become_root();
+ set_effective_capability(DAC_OVERRIDE_CAPABILITY);
SMB_VFS_FREMOVEXATTR(fsp, XATTR_NTACL_NAME);
- unbecome_root();
+ drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
return 0;
}
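Review bot: The result of SMB_VFS_FREMOVEXATTR is discarded and the function returns 0, so a refusal under the capability path leaves a stale XATTR_NTACL_NAME blob on the file with no trace. The definition of XATTR_NTACL_NAME is not in this diff; if it is in the security.* namespace, Linux generally requires CAP_SYS_ADMIN to remove or write it, which CAP_DAC_OVERRIDE does not provide, and the same applies to the SMB_VFS_FSETXATTR call in the previous hunk. Capture the return value and log anything other than the attribute-not-present case.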
diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c
index d1a19568e4e..3c412f346e1 100644
--- a/source3/modules/vfs_default.c
+++ b/source3/modules/vfs_default.c
@@ -1891,14 +1891,14 @@ static void vfswrap_get_dos_attributes_getxattr_done(struct tevent_req *subreq)
state->as_root = true;
- become_root();
+ set_effective_capability(DAC_OVERRIDE_CAPABILITY);
subreq = SMB_VFS_GETXATTRAT_SEND(state,
state->ev,
state->dir_fsp,
state->smb_fname,
SAMBA_XATTR_DOS_ATTRIB,
sizeof(fstring));
- unbecome_root();
+ drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
if (tevent_req_nomem(subreq, req)) {
return;
}
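Review bot: drop_effective_capability() runs as soon as SMB_VFS_GETXATTRAT_SEND returns, while state->as_root = true above it still records the request as issued with root privilege. Whatever performs the getxattr for this request after the send returns is not part of this diff (the changeset is truncated); please confirm it raises privilege by the same mechanism as this call site, so a request is not sent under one privilege model and executed under another.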
diff --git a/source3/modules/vfs_posix_eadb.c b/source3/modules/vfs_posix_eadb.c
index b3e21b09b8c..34769f58a69 100644
--- a/source3/modules/vfs_posix_eadb.c
+++ b/source3/modules/vfs_posix_eadb.c
@@ -213,12 +213,12 @@ static bool posix_eadb_init(int snum, struct tdb_wrap **p_db)
lp_ctx = loadparm_init_s3(NULL, loadparm_s3_helpers());
- become_root();
+ set_effective_capability(DAC_OVERRIDE_CAPABILITY);
db = tdb_wrap_open(NULL, eadb, 50000,
lpcfg_tdb_flags(lp_ctx, TDB_DEFAULT),
O_RDWR|O_CREAT, 0600);
- unbecome_root();
+ drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
talloc_unlink(NULL, lp_ctx);
/* now we know dbname is not NULL */
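Review bot: tdb_wrap_open() is called with O_RDWR|O_CREAT and mode 0600, and under the capability path the effective uid is no longer switched to 0, so a database created here is owned by whichever user happened to trigger posix_eadb_init() rather than by root. That user can then open the EA database directly, outside smbd's checks. Keep become_root() for the creating open, or create the file as root first and use the capability only for opening an existing database.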
diff --git a/source3/modules/vfs_recycle.c b/source3/modules/vfs_recycle.c
index b794ebc2d8c..b03db6a3b7f 100644
--- a/source3/modules/vfs_recycle.c
+++ b/source3/modules/vfs_recycle.c
@@ -441,10 +441,10 @@ static void recycle_do_touch(vfs_handle_struct *handle,
/* mtime */
ft.mtime = touch_mtime ? ft.atime : smb_fname_tmp->st.st_ex_mtime;
- become_root();
+ set_effective_capability(DAC_OVERRIDE_CAPABILITY);
ret = SMB_VFS_NEXT_FNTIMES(handle, smb_fname_tmp->fsp, &ft);
err = errno;
- unbecome_root();
+ drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
if (ret == -1 ) {
DEBUG(0, ("recycle: touching %s failed, reason = %s\n",
smb_fname_str_dbg(smb_fname_tmp), strerror(err)));
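Review bot: SMB_VFS_NEXT_FNTIMES is given explicit timestamps in ft, and on Linux setting timestamps to anything other than the current time requires owning the file or holding CAP_FOWNER; CAP_DAC_OVERRIDE alone is not enough. If the file being touched can belong to a different user, this call now fails where become_root() succeeded, and the level 0 DEBUG below will report it on every such recycle. Either keep become_root() here or document that the touch is best effort for files owned by others.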
diff --git a/source3/smbd/dosmode.c b/source3/smbd/dosmode.c
index 41241fd2bfc..5dfab65984a 100644
--- a/source3/smbd/dosmode.c
+++ b/source3/smbd/dosmode.c
@@ -387,12 +387,12 @@ NTSTATUS fget_ea_dos_attribute(struct files_struct *fsp,
run because in cases like NFS, root might have even less
rights than the real user
*/
- become_root();
+ set_effective_capability(DAC_OVERRIDE_CAPABILITY);
sizeret = SMB_VFS_FGETXATTR(fsp,
SAMBA_XATTR_DOS_ATTRIB,
attrstr,
sizeof(attrstr));
- unbecome_root();
+ drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
}
if (sizeret == -1) {
DBG_INFO("Cannot get attribute "
@@ -507,14 +507,14 @@ NTSTATUS set_ea_dos_attribute(connection_struct *conn,
return NT_STATUS_ACCESS_DENIED;
}
- become_root();
+ set_effective_capability(DAC_OVERRIDE_CAPABILITY);
ret = SMB_VFS_FSETXATTR(smb_fname->fsp,
SAMBA_XATTR_DOS_ATTRIB,
blob.data, blob.length, 0);
+ drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
if (ret == 0) {
status = NT_STATUS_OK;
}
- unbecome_root();
if (!NT_STATUS_IS_OK(status)) {
return status;
}
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index cb1e2adbf1e..30d0d3ab728 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -1054,11 +1054,11 @@ static void change_file_owner_to_parent_fsp(struct files_struct *parent_fsp,
return;
}
- become_root();
+ set_effective_capability(DAC_OVERRIDE_CAPABILITY);
ret = SMB_VFS_FCHOWN(fsp,
parent_fsp->fsp_name->st.st_ex_uid,
(gid_t)-1);
- unbecome_root();
+ drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
if (ret == -1) {
DBG_ERR("failed to fchown "
"file %s to parent directory uid %u. Error "
@@ -1091,11 +1091,11 @@ static NTSTATUS change_dir_owner_to_parent_fsp(struct files_struct *parent_fsp,
return NT_STATUS_OK;
}
- become_root();
+ set_effective_capability(DAC_OVERRIDE_CAPABILITY);
ret = SMB_VFS_FCHOWN(fsp,
parent_fsp->fsp_name->st.st_ex_uid,
(gid_t)-1);
- unbecome_root();
+ drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
if (ret == -1) {
status = map_nt_error_from_unix(errno);
DBG_ERR("failed to chown "
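Review bot: SMB_VFS_FCHOWN to parent_fsp->fsp_name->st.st_ex_uid, here and in change_file_owner_to_parent_fsp() in the previous hunk, hands the object to a uid that is generally not the caller's, which Linux permits only with CAP_CHOWN. With just DAC override raised the call returns EPERM, this function returns the mapped error, and the DBG_ERR fires each time. Confirm what set_process_capability() raises for DAC_OVERRIDE_CAPABILITY, and if it is CAP_DAC_OVERRIDE alone, keep become_root() at both chown sites.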
@@ -5558,13 +5558,13 @@ static NTSTATUS inherit_new_acl(files_struct *dirfsp, files_struct *fsp)
if (inherit_owner) {
/* We need to be root to force this. */
- become_root();
+ set_effective_capability(DAC_OVERRIDE_CAPABILITY);
}
status = SMB_VFS_FSET_NT_ACL(metadata_fsp(fsp),
security_info_sent,
psd);
if (inherit_owner) {
- unbecome_root();
+ drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
}
TALLOC_FREE(frame);
return status;
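Review bot: The comment "We need to be root to force this." directly above the changed line is now wrong on the capability path and contradicts the code it annotates. Reword it to say what privilege forcing the inherited owner actually requires; if the answer is more than a bypass of file permission checks, that is a reason to leave become_root() in place for the inherit_owner case.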
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index d275bdb908b..530056175e0 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -2944,11 +2944,11 @@ static bool set_canon_ace_list(files_struct *fsp,
"file [%s] primary group.\n",
fsp_str_dbg(fsp));
- become_root();
+ set_effective_capability(DAC_OVERRIDE_CAPABILITY);
sret = SMB_VFS_SYS_ACL_SET_FD(fsp,
the_acl_type,
the_acl);
- unbecome_root();
+ drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
if (sret == 0) {
ret = true;
}
@@ -3441,12 +3441,12 @@ static NTSTATUS try_chown(files_struct *fsp, uid_t uid, gid_t gid)
if (has_take_ownership_priv || has_restore_priv) {
status = NT_STATUS_OK;
- become_root();
+ set_effective_capability(DAC_OVERRIDE_CAPABILITY);
ret = SMB_VFS_FCHOWN(fsp, uid, gid);
if (ret != 0) {
status = map_nt_error_from_unix(errno);
}
- unbecome_root();
+ drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
return status;
}
}
@@ -3480,13 +3480,13 @@ static NTSTATUS try_chown(files_struct *fsp, uid_t uid, gid_t gid)
}
status = NT_STATUS_OK;
- become_root();
+ set_effective_capability(DAC_OVERRIDE_CAPABILITY);
/* Keep the current file gid the same. */
ret = SMB_VFS_FCHOWN(fsp, uid, (gid_t)-1);
if (ret != 0) {
status = map_nt_error_from_unix(errno);
}
- unbecome_root();
+ drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
return status;
}
@@ -3707,12 +3707,12 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct
if (acl_perms && file_ace_list) {
if (set_acl_as_root) {
- become_root();
+ set_effective_capability(DAC_OVERRIDE_CAPABILITY);
}
ret = set_canon_ace_list(fsp, file_ace_list, false,
&fsp->fsp_name->st, &acl_set_support);
if (set_acl_as_root) {
- unbecome_root();
+ drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
}
if (acl_set_support && ret == false) {
DEBUG(3,("set_nt_acl: failed to set file acl on file "
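Review bot: The set_effective_capability() placed around set_canon_ace_list() nests with the set/drop pair this series adds inside set_canon_ace_list() itself, and nothing in the system.c change counts nested calls. When the inner override path is taken, its drop_effective_capability() clears the capability, so the rest of set_canon_ace_list() and everything up to the outer drop runs without the privilege that set_acl_as_root asked for; on the become_root() fallback path the same code keeps root until the outer drop, so the two paths behave differently. Make the helpers counted, or avoid raising the capability again inside a region that already holds it.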
@@ -3727,13 +3727,13 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct
if (acl_perms && acl_set_support && fsp->fsp_flags.is_directory) {
if (dir_ace_list) {
if (set_acl_as_root) {
- become_root();
+ set_effective_capability(DAC_OVERRIDE_CAPABILITY);
}
ret = set_canon_ace_list(fsp, dir_ace_list, true,
&fsp->fsp_name->st,
&acl_set_support);
if (set_acl_as_root) {
- unbecome_root();
+ drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
}
if (ret == false) {
DEBUG(3,("set_nt_acl: failed to set default "
@@ -3751,11 +3751,11 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct
*/
if (set_acl_as_root) {
- become_root();
+ set_effective_capability(DAC_OVERRIDE_CAPABILITY);
}
sret = SMB_VFS_SYS_ACL_DELETE_DEF_FD(fsp);
if (set_acl_as_root) {
- unbecome_root();
+ drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
}
if (sret == -1) {
if (acl_group_override_fsp(fsp)) {
@@ -3765,10 +3765,10 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct
"Override delete_def_acl\n",
fsp_str_dbg(fsp)));
- become_root();
+ set_effective_capability(DAC_OVERRIDE_CAPABILITY);
sret =
SMB_VFS_SYS_ACL_DELETE_DEF_FD(fsp);
- unbecome_root();
+ drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
}
if (sret == -1) {
@@ -3786,14 +3786,14 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct
if (acl_set_support) {
if (set_acl_as_root) {
- become_root();
+ set_effective_capability(DAC_OVERRIDE_CAPABILITY);
}
store_inheritance_attributes(fsp,
file_ace_list,
dir_ace_list,
psd->type);
if (set_acl_as_root) {
- unbecome_root();
+ drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
}
}
@@ -3820,11 +3820,11 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct
fsp_str_dbg(fsp), (unsigned int)posix_perms));
if (set_acl_as_root) {
- become_root();
+ set_effective_capability(DAC_OVERRIDE_CAPABILITY);
}
sret = SMB_VFS_FCHMOD(fsp, posix_perms);
if (set_acl_as_root) {
- unbecome_root();
+ drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
}
if(sret == -1) {
if (acl_group_override_fsp(fsp)) {
@@ -3834,9 +3834,9 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct
"Override chmod\n",
fsp_str_dbg(fsp)));
- become_root();
+ set_effective_capability(DAC_OVERRIDE_CAPABILITY);
sret = SMB_VFS_FCHMOD(fsp, posix_perms);
- unbecome_root();
+ drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
}
if (sret == -1) {
--
Samba Shared Repository