[SCM] Samba Shared Repository - branch v4-18-test updated

Jule Anger janger at samba.org
Mon Nov 20 09:56:02 UTC 2023


The branch, v4-18-test has been updated
       via  a2ad66e4933 system.c: fall back to become_root if CAP_DAC_OVERRIDE isn't usable
      from  9a5b46d89e2 s3: smbd: Ignore fstat() error on deleted stream in fd_close().

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-18-test


- Log -----------------------------------------------------------------
commit a2ad66e4933b6fd0a30218b779d5e3e8e9b4750c
Author: Björn Jacke <bj at sernet.de>
Date:   Thu Nov 9 14:56:06 2023 +0100

    system.c: fall back to become_root if CAP_DAC_OVERRIDE isn't usable
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15093
    
    Signed-off-by: Bjoern Jacke <bjacke at samba.org>
    Reviewed-by: Christof Schmitt <cs at samba.org>
    (cherry picked from commit a1738e8265dd256c5a1064482a6dfccbf9ca44f1)
    
    Autobuild-User(v4-18-test): Jule Anger <janger at samba.org>
    Autobuild-Date(v4-18-test): Mon Nov 20 09:55:39 UTC 2023 on atb-devel-224

-----------------------------------------------------------------------

Summary of changes:
 source3/lib/system.c | 31 +++++++++++++++++++++++++++++--
 1 file changed, 29 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/lib/system.c b/source3/lib/system.c
index da92d9b64c8..16fe3839446 100644
--- a/source3/lib/system.c
+++ b/source3/lib/system.c
@@ -643,18 +643,45 @@ static bool set_process_capability(enum smbd_capability capability,
  Gain the oplock capability from the kernel if possible.
 ****************************************************************************/
 
+#if defined(HAVE_POSIX_CAPABILITIES) && defined(CAP_DAC_OVERRIDE)
+static bool have_cap_dac_override = true;
+#else
+static bool have_cap_dac_override = false;
+#endif
+
 void set_effective_capability(enum smbd_capability capability)
 {
+	bool ret = false;
+
+	if (capability != DAC_OVERRIDE_CAPABILITY || have_cap_dac_override) {
 #if defined(HAVE_POSIX_CAPABILITIES)
-	set_process_capability(capability, True);
+		ret = set_process_capability(capability, True);
 #endif /* HAVE_POSIX_CAPABILITIES */
+	}
+
+	/*
+	 * Fallback to become_root() if CAP_DAC_OVERRIDE is not
+	 * available.
+	 */
+	if (capability == DAC_OVERRIDE_CAPABILITY) {
+		if (!ret) {
+			have_cap_dac_override = false;
+		}
+		if (!have_cap_dac_override) {
+			become_root();
+		}
+	}
 }
 
 void drop_effective_capability(enum smbd_capability capability)
 {
+	if (capability != DAC_OVERRIDE_CAPABILITY || have_cap_dac_override) {
 #if defined(HAVE_POSIX_CAPABILITIES)
-	set_process_capability(capability, False);
+		set_process_capability(capability, False);
 #endif /* HAVE_POSIX_CAPABILITIES */
+	} else {
+		unbecome_root();
+	}
 }
 
 /**************************************************************************
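Review bot: The fallback in set_effective_capability() silently widens the privilege from one capability to full root, and the switch is permanent for the process. The first time set_process_capability() returns false for DAC_OVERRIDE_CAPABILITY, `have_cap_dac_override` is cleared and every later call goes through become_root(), even if the failure was transient. Nothing is logged where the flag is cleared, so an operator cannot tell that DAC-override sections now run as root; a one-time message there, e.g. `DBG_NOTICE("CAP_DAC_OVERRIDE not usable, falling back to become_root()\n");`, would make the downgrade visible. drop_effective_capability() also picks its branch from the flag's current value rather than from what the matching set call did. If a set/drop pair that took the capability path can straddle the call that clears the flag (not determinable from this hunk), its drop would call unbecome_root() with no prior become_root(), so a comment on the static saying pairs must not nest or overlap would be worth adding.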


-- 
Samba Shared Repository


