[SCM] Samba Shared Repository - branch v4-18-stable updated

Jule Anger janger at samba.org
Wed Nov 29 14:38:20 UTC 2023


The branch, v4-18-stable has been updated
       via  2669b77d97b VERSION: Disable GIT_SNAPSHOT for the 4.18.9 release.
       via  2e5bc96588c WHATSNEW: Add release notes for Samba 4.18.9.
       via  be0b6c4b807 vfs_zfsacl: Call stat CAP_DAC_OVERRIDE functions
       via  66259b50c17 vfs_aixacl2: Call stat DAC_CAP_OVERRIDE functions
       via  11523b490c5 nfs4_acls: Make fstat_with_cap_dac_override static
       via  f9d4855b1ac nfs4_acls: Make stat_with_cap_dac_override static
       via  6090ebfa5c1 nfs4_acls: Make fstatat_with_cap_dac_override static
       via  3241127482d vfs_gpfs: Move vfs_gpfs_fstatat to nfs4_acls.c and rename function
       via  790363f076f vfs_gpfs: Move vfs_gpfs_lstat to nfs4_acls.c and rename function
       via  8ca3c4839fe vfs_gpfs: Move vfs_gpfs_fstat to nfs4_acls.c and rename function
       via  cf8f5bdf956 vfs_gpfs: Move vfs_gpfs_stat to nfs4_acls.c and rename function
       via  776091ad50f vfs_gpfs: Move stat_with_capability to nfs4_acls.c and rename function
       via  53e4d90dbd1 vfs_gpfs: Move fstatat_with_cap_dac_override to nfs4_acls.c
       via  f00db2a13b7 nfs4_acls: Implement fstat with DAC_CAP_OVERRIDE
       via  619eb761344 vfs_gpfs: Implement CAP_DAC_OVERRIDE for fstatat
       via  fedb492e868 vfs_gpfs: Implement CAP_DAC_OVERRIDE for fstat
       via  ddef013da21 vfs_gpfs: Move fstatat with DAC_CAP_OVERRIDE to helper function
       via  71bf59691f5 vfs_gpfs: Use O_PATH for opening dirfd for stat with CAP_DAC_OVERRIDE
       via  d522d15c82b smbd: fix close order of base_fsp and stream_fsp in smb_fname_fsp_destructor()
       via  a2ad66e4933 system.c: fall back to become_root if CAP_DAC_OVERRIDE isn't usable
       via  9a5b46d89e2 s3: smbd: Ignore fstat() error on deleted stream in fd_close().
       via  cbbfc917b96 CVE-2018-14628: python:descriptor: let samba-tool dbcheck fix the nTSecurityDescriptor on CN=Deleted Objects containers
       via  f967b91da76 CVE-2018-14628: dbchecker: use get_deletedobjects_descriptor for missing deleted objects container
       via  edac27f5408 CVE-2018-14628: s4:dsdb: remove unused code in dirsync_filter_entry()
       via  74a508b39e6 CVE-2018-14628: s4:setup: set the correct nTSecurityDescriptor on the CN=Deleted Objects container
       via  46a168c9a89 CVE-2018-14628: python:provision: make DELETEDOBJECTS_DESCRIPTOR available in the ldif files
       via  e884fc791e5 CVE-2018-14628: python:descriptor: add get_deletedobjects_descriptor()
       via  8e33532980d gitignore: add WAF lockfile
       via  acf4286fbed build: Add 'make printversion' to provide version string
       via  653984f4a6d ctdb-daemon: Call setproctitle_init()
       via  b9b0d8bc0f0 VERSION: Bump version up to Samba 4.18.9...
       via  d709251a392 Merge branch 'v4-18-stable' into v4-18-test
       via  ca1b7c185ed VERSION: Bump version up to Samba 4.18.8...
      from  3dc0412a79f Merge tag 'samba-4.18.8' into v4-18-stable

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-18-stable


- Log -----------------------------------------------------------------
-----------------------------------------------------------------------

Summary of changes:
 .gitignore                                         |   1 +
 Makefile                                           |   4 +
 VERSION                                            |   2 +-
 WHATSNEW.txt                                       | 124 ++++++++++++++++-
 ctdb/server/ctdbd.c                                |   2 +
 python/samba/dbchecker.py                          |  27 +++-
 python/samba/descriptor.py                         |  25 +++-
 python/samba/provision/__init__.py                 |   5 +
 python/samba/provision/sambadns.py                 |   4 +
 selftest/knownfail.d/samba4.ldap.confidential_attr |   1 +
 source3/lib/system.c                               |  31 ++++-
 source3/modules/nfs4_acls.c                        | 149 +++++++++++++++++++++
 source3/modules/nfs4_acls.h                        |  16 +++
 source3/modules/vfs_aixacl2.c                      |   4 +
 source3/modules/vfs_gpfs.c                         |  76 +----------
 source3/modules/vfs_zfsacl.c                       |   4 +
 source3/smbd/files.c                               |  24 ++--
 source3/smbd/open.c                                |  15 ++-
 source4/dsdb/samdb/ldb_modules/dirsync.c           |  53 +-------
 ...eck-link-output-missing-link-sid-corruption.txt |   8 +-
 .../expected-links-after-dbcheck.ldif              |   2 +-
 .../release-4-5-0-pre1/rootdse-version.final.txt   |   2 +-
 source4/setup/provision.ldif                       |   1 +
 source4/setup/provision_configuration.ldif         |   1 +
 source4/setup/provision_dnszones_add.ldif          |   1 +
 testprogs/blackbox/dbcheck-links.sh                |  12 ++
 wscript                                            |   5 +
 27 files changed, 450 insertions(+), 149 deletions(-)
 create mode 100644 selftest/knownfail.d/samba4.ldap.confidential_attr


Changeset truncated at 500 lines:

diff --git a/.gitignore b/.gitignore
index de3feaabf28..9a663e2a065 100644
--- a/.gitignore
+++ b/.gitignore
@@ -88,3 +88,4 @@ compile_commands.json
 .clangd/
 .cache/
 .ropeproject/
+.tmplock
diff --git a/Makefile b/Makefile
index 7f5960d5191..dbb9fcdf1c3 100644
--- a/Makefile
+++ b/Makefile
@@ -67,6 +67,10 @@ distcheck:
 	touch .tmplock
 	WAFLOCK=.tmplock $(WAF) distcheck
 
+printversion:
+	touch .tmplock
+	WAFLOCK=.tmplock $(WAF) printversion
+
 clean:
 	$(WAF) clean
 
diff --git a/VERSION b/VERSION
index 8fa17dff606..9c7625dd758 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=18
-SAMBA_VERSION_RELEASE=8
+SAMBA_VERSION_RELEASE=9
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 53fe4eafa72..3c77ebfd0f6 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,124 @@
+                   ==============================
+                   Release Notes for Samba 4.18.9
+                         November 29, 2023
+                   ==============================
+
+
+This is the latest stable release of the Samba 4.18 release series.
+It contains the security-relevant bugfix CVE-2018-14628:
+
+    Wrong ntSecurityDescriptor values for "CN=Deleted Objects"
+    allow read of object tombstones over LDAP
+    (Administrator action required!)
+    https://www.samba.org/samba/security/CVE-2018-14628.html
+
+
+Description of CVE-2018-14628
+-----------------------------
+
+All versions of Samba from 4.0.0 onwards are vulnerable to an
+information leak (compared with the established behaviour of
+Microsoft's Active Directory) when Samba is an Active Directory Domain
+Controller.
+
+When a domain was provisioned with an unpatched Samba version,
+the ntSecurityDescriptor is simply inherited from Domain/Partition-HEAD-Object
+instead of being very strict (as on a Windows provisioned domain).
+
+This means also non privileged users can use the
+LDAP_SERVER_SHOW_DELETED_OID control in order to view,
+the names and preserved attributes of deleted objects.
+
+No information that was hidden before the deletion is visible, but in
+with the correct ntSecurityDescriptor value in place the whole object
+is also not visible without administrative rights.
+
+There is no further vulnerability associated with this error, merely an
+information disclosure.
+
+Action required in order to resolve CVE-2018-14628!
+---------------------------------------------------
+
+The patched Samba does NOT protect existing domains!
+
+The administrator needs to run the following command
+(on only one domain controller)
+in order to apply the protection to an existing domain:
+
+  samba-tool dbcheck --cross-ncs --attrs=nTSecurityDescriptor --fix
+
+The above requires manual interaction in order to review the
+changes before they are applied. Typicall question look like this:
+
+  Reset nTSecurityDescriptor on CN=Deleted Objects,DC=samba,DC=org back to provision default?
+        Owner mismatch: SY (in ref) DA(in current)
+        Group mismatch: SY (in ref) DA(in current)
+        Part dacl is different between reference and current here is the detail:
+                (A;;LCRPLORC;;;AU) ACE is not present in the reference
+                (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference
+                (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference
+                (A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current
+                (A;;LCRP;;;BA) ACE is not present in the current
+   [y/N/all/none] y
+  Fixed attribute 'nTSecurityDescriptor' of 'CN=Deleted Objects,DC=samba,DC=org'
+
+The change should be confirmed with 'y' for all objects starting with
+'CN=Deleted Objects'.
+
+
+Changes since 4.18.8
+--------------------
+
+o  Michael Adam <obnox at samba.org>
+   * BUG 15497: Add make command for querying Samba version.
+
+o  Ralph Boehme <slow at samba.org>
+   * BUG 15487: smbd crashes if asked to return full information on close of a
+     stream handle with delete on close disposition set.
+   * BUG 15521: smbd: fix close order of base_fsp and stream_fsp in
+     smb_fname_fsp_destructor().
+
+o  Björn Jacke <bj at sernet.de>
+   * BUG 15093: Files without "read attributes" NFS4 ACL permission are not
+     listed in directories.
+
+o  Stefan Metzmacher <metze at samba.org>
+   * BUG 13595: CVE-2018-14628 [SECURITY] Deleted Object tombstones visible in
+     AD LDAP to normal users.
+
+o  Christof Schmitt <cs at samba.org>
+   * BUG 15507: vfs_gpfs stat calls fail due to file system permissions.
+
+o  Christof Schmitt <christof.schmitt at us.ibm.com>
+   * BUG 15497: Add make command for querying Samba version.
+
+o  Martin Schwenke <mschwenke at ddn.com>
+   * BUG 15479: ctdbd: setproctitle not initialized messages flooding logs.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
                    ==============================
                    Release Notes for Samba 4.18.8
                           October 10, 2023
@@ -74,8 +195,7 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
                    ==============================
                    Release Notes for Samba 4.18.7
                          September 27, 2023
diff --git a/ctdb/server/ctdbd.c b/ctdb/server/ctdbd.c
index 10541cb21f1..a388bff1598 100644
--- a/ctdb/server/ctdbd.c
+++ b/ctdb/server/ctdbd.c
@@ -170,6 +170,8 @@ int main(int argc, const char *argv[])
 	const char *test_mode;
 	bool ok;
 
+	setproctitle_init(argc, discard_const(argv), environ);
+
 	/*
 	 * Basic setup
 	 */
diff --git a/python/samba/dbchecker.py b/python/samba/dbchecker.py
index c9341f6500c..d5bb8a5a1fc 100644
--- a/python/samba/dbchecker.py
+++ b/python/samba/dbchecker.py
@@ -20,7 +20,7 @@
 import ldb
 import samba
 import time
-from base64 import b64decode
+from base64 import b64decode, b64encode
 from samba import dsdb
 from samba import common
 from samba.dcerpc import misc
@@ -29,7 +29,11 @@ from samba.ndr import ndr_unpack, ndr_pack
 from samba.dcerpc import drsblobs
 from samba.samdb import dsdb_Dn
 from samba.dcerpc import security
-from samba.descriptor import get_wellknown_sds, get_diff_sds
+from samba.descriptor import (
+        get_wellknown_sds,
+        get_deletedobjects_descriptor,
+        get_diff_sds
+)
 from samba.auth import system_session, admin_session
 from samba.netcmd import CommandError
 from samba.netcmd.fsmo import get_fsmo_roleowner
@@ -351,6 +355,12 @@ class dbcheck(object):
                 listwko.append('%s:%s' % (wko_prefix, dn))
                 guid_suffix = ""
 
+
+            domain_sid = security.dom_sid(self.samdb.get_domain_sid())
+            sec_desc = get_deletedobjects_descriptor(domain_sid,
+                                                     name_map=self.name_map)
+            sec_desc_b64 = b64encode(sec_desc).decode('utf8')
+
             # Insert a brand new Deleted Objects container
             self.samdb.add_ldif("""dn: %s
 objectClass: top
@@ -359,7 +369,8 @@ description: Container for deleted objects
 isDeleted: TRUE
 isCriticalSystemObject: TRUE
 showInAdvancedViewOnly: TRUE
-systemFlags: -1946157056%s""" % (dn, guid_suffix),
+nTSecurityDescriptor:: %s
+systemFlags: -1946157056%s""" % (dn, sec_desc_b64, guid_suffix),
                                 controls=["relax:0", "provision:0"])
 
             delta = ldb.Message()
@@ -2458,7 +2469,7 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
                     error_count += 1
                     continue
 
-                if self.reset_well_known_acls:
+                if dn == deleted_objects_dn or self.reset_well_known_acls:
                     try:
                         well_known_sd = self.get_wellknown_sd(dn)
                     except KeyError:
@@ -2467,7 +2478,13 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
                     current_sd = ndr_unpack(security.descriptor,
                                             obj[attrname][0])
 
-                    diff = get_diff_sds(well_known_sd, current_sd, security.dom_sid(self.samdb.get_domain_sid()))
+                    ignoreAdditionalACEs = False
+                    if not self.reset_well_known_acls:
+                        ignoreAdditionalACEs = True
+
+                    diff = get_diff_sds(well_known_sd, current_sd,
+                                        security.dom_sid(self.samdb.get_domain_sid()),
+                                        ignoreAdditionalACEs=ignoreAdditionalACEs)
                     if diff != "":
                         self.err_wrong_default_sd(dn, well_known_sd, diff)
                         error_count += 1
diff --git a/python/samba/descriptor.py b/python/samba/descriptor.py
index ac4c7e3273d..34877fa4814 100644
--- a/python/samba/descriptor.py
+++ b/python/samba/descriptor.py
@@ -52,6 +52,16 @@ def get_empty_descriptor(domain_sid, name_map={}):
 # "get_schema_descriptor" is located in "schema.py"
 
 
+def get_deletedobjects_descriptor(domain_sid, name_map=None):
+    if name_map is None:
+        name_map = {}
+
+    sddl = "O:SYG:SYD:PAI" \
+        "(A;;RPWPCCDCLCRCWOWDSDSW;;;SY)" \
+        "(A;;RPLC;;;BA)"
+    return sddl2binary(sddl, domain_sid, name_map)
+
+
 def get_config_descriptor(domain_sid, name_map={}):
     sddl = "O:EAG:EAD:(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \
            "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \
@@ -407,6 +417,7 @@ def get_wellknown_sds(samdb):
     # Then subcontainers
     subcontainers = [
         (ldb.Dn(samdb, "%s" % str(samdb.domain_dn())), get_domain_descriptor),
+        (ldb.Dn(samdb, "CN=Deleted Objects,%s" % str(samdb.domain_dn())), get_deletedobjects_descriptor),
         (ldb.Dn(samdb, "CN=LostAndFound,%s" % str(samdb.domain_dn())), get_domain_delete_protected2_descriptor),
         (ldb.Dn(samdb, "CN=System,%s" % str(samdb.domain_dn())), get_domain_delete_protected1_descriptor),
         (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(samdb.domain_dn())), get_domain_infrastructure_descriptor),
@@ -417,6 +428,7 @@ def get_wellknown_sds(samdb):
         (ldb.Dn(samdb, "CN=MicrosoftDNS,CN=System,%s" % str(samdb.domain_dn())), get_dns_domain_microsoft_dns_descriptor),
 
         (ldb.Dn(samdb, "%s" % str(samdb.get_config_basedn())), get_config_descriptor),
+        (ldb.Dn(samdb, "CN=Deleted Objects,%s" % str(samdb.get_config_basedn())), get_deletedobjects_descriptor),
         (ldb.Dn(samdb, "CN=NTDS Quotas,%s" % str(samdb.get_config_basedn())), get_config_ntds_quotas_descriptor),
         (ldb.Dn(samdb, "CN=LostAndFoundConfig,%s" % str(samdb.get_config_basedn())), get_config_delete_protected1wd_descriptor),
         (ldb.Dn(samdb, "CN=Services,%s" % str(samdb.get_config_basedn())), get_config_delete_protected1_descriptor),
@@ -441,6 +453,9 @@ def get_wellknown_sds(samdb):
         if ldb.Dn(samdb, nc.decode('utf8')) == dnsforestdn:
             c = (ldb.Dn(samdb, "%s" % str(dnsforestdn)), get_dns_partition_descriptor)
             subcontainers.append(c)
+            c = (ldb.Dn(samdb, "CN=Deleted Objects,%s" % str(dnsforestdn)),
+                 get_deletedobjects_descriptor)
+            subcontainers.append(c)
             c = (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(dnsforestdn)),
                  get_domain_delete_protected1_descriptor)
             subcontainers.append(c)
@@ -456,6 +471,9 @@ def get_wellknown_sds(samdb):
         if ldb.Dn(samdb, nc.decode('utf8')) == dnsdomaindn:
             c = (ldb.Dn(samdb, "%s" % str(dnsdomaindn)), get_dns_partition_descriptor)
             subcontainers.append(c)
+            c = (ldb.Dn(samdb, "CN=Deleted Objects,%s" % str(dnsdomaindn)),
+                 get_deletedobjects_descriptor)
+            subcontainers.append(c)
             c = (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(dnsdomaindn)),
                  get_domain_delete_protected1_descriptor)
             subcontainers.append(c)
@@ -548,7 +566,8 @@ def get_clean_sd(sd):
     return sd_clean
 
 
-def get_diff_sds(refsd, cursd, domainsid, checkSacl=True):
+def get_diff_sds(refsd, cursd, domainsid, checkSacl=True,
+                 ignoreAdditionalACEs=False):
     """Get the difference between 2 sd
 
     This function split the textual representation of ACL into smaller
@@ -603,6 +622,10 @@ def get_diff_sds(refsd, cursd, domainsid, checkSacl=True):
                     h_ref.remove(k)
 
             if len(h_cur) + len(h_ref) > 0:
+                if txt == "" and len(h_ref) == 0:
+                    if ignoreAdditionalACEs:
+                        return ""
+
                 txt = "%s\tPart %s is different between reference" \
                       " and current here is the detail:\n" % (txt, part)
 
diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
index ff9b8fac916..f7d7468e4fa 100644
--- a/python/samba/provision/__init__.py
+++ b/python/samba/provision/__init__.py
@@ -78,6 +78,7 @@ from samba.provision.backend import (
     LDBBackend,
 )
 from samba.descriptor import (
+    get_deletedobjects_descriptor,
     get_empty_descriptor,
     get_config_descriptor,
     get_config_partitions_descriptor,
@@ -1441,6 +1442,8 @@ def fill_samdb(samdb, lp, names, logger, policyguid,
     msg["subRefs"] = ldb.MessageElement(names.configdn, ldb.FLAG_MOD_ADD,
                                         "subRefs")
 
+    deletedobjects_descr = b64encode(get_deletedobjects_descriptor(names.domainsid)).decode('utf8')
+
     samdb.invocation_id = invocationid
 
     # If we are setting up a subdomain, then this has been replicated in, so we don't need to add it
@@ -1472,6 +1475,7 @@ def fill_samdb(samdb, lp, names, logger, policyguid,
                 "FOREST_FUNCTIONALITY": str(forestFunctionality),
                 "DOMAIN_FUNCTIONALITY": str(domainFunctionality),
                 "NTDSQUOTAS_DESCRIPTOR": ntdsquotas_descr,
+                "DELETEDOBJECTS_DESCRIPTOR": deletedobjects_descr,
                 "LOSTANDFOUND_DESCRIPTOR": protected1wd_descr,
                 "SERVICES_DESCRIPTOR": protected1_descr,
                 "PHYSICALLOCATIONS_DESCRIPTOR": protected1wd_descr,
@@ -1536,6 +1540,7 @@ def fill_samdb(samdb, lp, names, logger, policyguid,
         "RIDAVAILABLESTART": str(next_rid + 600),
         "POLICYGUID_DC": policyguid_dc,
         "INFRASTRUCTURE_DESCRIPTOR": infrastructure_desc,
+        "DELETEDOBJECTS_DESCRIPTOR": deletedobjects_descr,
         "LOSTANDFOUND_DESCRIPTOR": lostandfound_desc,
         "SYSTEM_DESCRIPTOR": system_desc,
         "BUILTIN_DESCRIPTOR": builtin_desc,
diff --git a/python/samba/provision/sambadns.py b/python/samba/provision/sambadns.py
index 9184711a764..d057b7830ad 100644
--- a/python/samba/provision/sambadns.py
+++ b/python/samba/provision/sambadns.py
@@ -42,6 +42,7 @@ from samba.dsdb import (
     DS_GUID_USERS_CONTAINER
 )
 from samba.descriptor import (
+    get_deletedobjects_descriptor,
     get_domain_descriptor,
     get_domain_delete_protected1_descriptor,
     get_domain_delete_protected2_descriptor,
@@ -256,6 +257,7 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn,
     domainzone_dn = "DC=DomainDnsZones,%s" % domaindn
     forestzone_dn = "DC=ForestDnsZones,%s" % forestdn
     descriptor = get_dns_partition_descriptor(domainsid)
+    deletedobjects_desc = get_deletedobjects_descriptor(domainsid)
 
     setup_add_ldif(samdb, setup_path("provision_dnszones_partitions.ldif"), {
         "ZONE_DN": domainzone_dn,
@@ -278,6 +280,7 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn,
         "ZONE_DNS": domainzone_dns,
         "CONFIGDN": configdn,
         "SERVERDN": serverdn,
+        "DELETEDOBJECTS_DESCRIPTOR": b64encode(deletedobjects_desc).decode('utf8'),
         "LOSTANDFOUND_DESCRIPTOR": b64encode(protected2_desc).decode('utf8'),
         "INFRASTRUCTURE_DESCRIPTOR": b64encode(protected1_desc).decode('utf8'),
     })
@@ -297,6 +300,7 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn,
             "ZONE_DNS": forestzone_dns,
             "CONFIGDN": configdn,
             "SERVERDN": serverdn,
+            "DELETEDOBJECTS_DESCRIPTOR": b64encode(deletedobjects_desc).decode('utf8'),
             "LOSTANDFOUND_DESCRIPTOR": b64encode(protected2_desc).decode('utf8'),
             "INFRASTRUCTURE_DESCRIPTOR": b64encode(protected1_desc).decode('utf8'),
         })
diff --git a/selftest/knownfail.d/samba4.ldap.confidential_attr b/selftest/knownfail.d/samba4.ldap.confidential_attr
new file mode 100644
index 00000000000..46a75ce928b
--- /dev/null
+++ b/selftest/knownfail.d/samba4.ldap.confidential_attr
@@ -0,0 +1 @@
+^samba4.ldap.confidential_attr.python.*.__main__.*.test_search_with_dirsync_deleted_objects
diff --git a/source3/lib/system.c b/source3/lib/system.c
index da92d9b64c8..16fe3839446 100644
--- a/source3/lib/system.c
+++ b/source3/lib/system.c
@@ -643,18 +643,45 @@ static bool set_process_capability(enum smbd_capability capability,
  Gain the oplock capability from the kernel if possible.
 ****************************************************************************/
 
+#if defined(HAVE_POSIX_CAPABILITIES) && defined(CAP_DAC_OVERRIDE)
+static bool have_cap_dac_override = true;
+#else
+static bool have_cap_dac_override = false;
+#endif
+
 void set_effective_capability(enum smbd_capability capability)
 {
+	bool ret = false;
+
+	if (capability != DAC_OVERRIDE_CAPABILITY || have_cap_dac_override) {
 #if defined(HAVE_POSIX_CAPABILITIES)
-	set_process_capability(capability, True);
+		ret = set_process_capability(capability, True);
 #endif /* HAVE_POSIX_CAPABILITIES */
+	}
+
+	/*
+	 * Fallback to become_root() if CAP_DAC_OVERRIDE is not
+	 * available.
+	 */
+	if (capability == DAC_OVERRIDE_CAPABILITY) {
+		if (!ret) {
+			have_cap_dac_override = false;
+		}
+		if (!have_cap_dac_override) {
+			become_root();
+		}
+	}
 }
 
 void drop_effective_capability(enum smbd_capability capability)
 {
+	if (capability != DAC_OVERRIDE_CAPABILITY || have_cap_dac_override) {
 #if defined(HAVE_POSIX_CAPABILITIES)
-	set_process_capability(capability, False);
+		set_process_capability(capability, False);
 #endif /* HAVE_POSIX_CAPABILITIES */
+	} else {
+		unbecome_root();
+	}
 }
 
 /**************************************************************************
diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
index 2daae990042..4a1caa36d3c 100644
--- a/source3/modules/nfs4_acls.c
+++ b/source3/modules/nfs4_acls.c
@@ -116,6 +116,155 @@ int smbacl4_get_vfs_params(struct connection_struct *conn,
 	return 0;
 }
 
+static int fstatat_with_cap_dac_override(int fd,
+					 const char *pathname,
+					 SMB_STRUCT_STAT *sbuf,
+					 int flags,
+					 bool fake_dir_create_times)
+{
+	int ret;
+
+	set_effective_capability(DAC_OVERRIDE_CAPABILITY);
+	ret = sys_fstatat(fd,
+			  pathname,
+			  sbuf,
+			  flags,
+			  fake_dir_create_times);
+	drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
+
+	return ret;
+}
+
+static int stat_with_cap_dac_override(struct vfs_handle_struct *handle,


-- 
Samba Shared Repository



More information about the samba-cvs mailing list