The branch, v4-18-test has been updated via a2ad66e4933 system.c: fall back to become_root if CAP_DAC_OVERRIDE isn't usable from 9a5b46d89e2 s3: smbd: Ignore fstat() error on deleted stream in fd_close().
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-18-test - Log ----------------------------------------------------------------- commit a2ad66e4933b6fd0a30218b779d5e3e8e9b4750c Author: Björn Jacke <b...@sernet.de> Date: Thu Nov 9 14:56:06 2023 +0100 system.c: fall back to become_root if CAP_DAC_OVERRIDE isn't usable BUG: https://bugzilla.samba.org/show_bug.cgi?id=15093 Signed-off-by: Bjoern Jacke <bja...@samba.org> Reviewed-by: Christof Schmitt <c...@samba.org> (cherry picked from commit a1738e8265dd256c5a1064482a6dfccbf9ca44f1) Autobuild-User(v4-18-test): Jule Anger <jan...@samba.org> Autobuild-Date(v4-18-test): Mon Nov 20 09:55:39 UTC 2023 on atb-devel-224 ----------------------------------------------------------------------- Summary of changes: source3/lib/system.c | 31 +++++++++++++++++++++++++++++-- 1 file changed, 29 insertions(+), 2 deletions(-) Changeset truncated at 500 lines:
diff --git a/source3/lib/system.c b/source3/lib/system.c
index da92d9b64c8..16fe3839446 100644
--- a/source3/lib/system.c
+++ b/source3/lib/system.c
@@ -643,18 +643,45 @@ static bool set_process_capability(enum smbd_capability capability,
 Gain the oplock capability from the kernel if possible.
 ****************************************************************************/
 
+#if defined(HAVE_POSIX_CAPABILITIES) && defined(CAP_DAC_OVERRIDE)
+static bool have_cap_dac_override = true;
+#else
+static bool have_cap_dac_override = false;
+#endif
+
 void set_effective_capability(enum smbd_capability capability)
 {
+ bool ret = false;
+
+ if (capability != DAC_OVERRIDE_CAPABILITY || have_cap_dac_override) {
 #if defined(HAVE_POSIX_CAPABILITIES)
- set_process_capability(capability, True);
+ ret = set_process_capability(capability, True);
 #endif /* HAVE_POSIX_CAPABILITIES */
+ }
+
+ /*
+ * Fallback to become_root() if CAP_DAC_OVERRIDE is not
+ * available.
+ */
+ if (capability == DAC_OVERRIDE_CAPABILITY) {
+ if (!ret) {
+ have_cap_dac_override = false;
+ }
+ if (!have_cap_dac_override) {
+ become_root();
+ }
+ }
 }
 
 void drop_effective_capability(enum smbd_capability capability)
 {
+ if (capability != DAC_OVERRIDE_CAPABILITY || have_cap_dac_override) {
 #if defined(HAVE_POSIX_CAPABILITIES)
- set_process_capability(capability, False);
+ set_process_capability(capability, False);
 #endif /* HAVE_POSIX_CAPABILITIES */
+ } else {
+ unbecome_root();
+ }
 }
 
 /**************************************************************************
-- Samba Shared Repository
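Review bot: In set_effective_capability(), one failed set_process_capability() call clears have_cap_dac_override for the rest of the process, and from then on every DAC_OVERRIDE_CAPABILITY section runs under become_root(), which is full root rather than a single capability, with nothing logged at the switch. I would log only on the true-to-false transition, e.g. `if (!ret && have_cap_dac_override) { DBG_NOTICE("CAP_DAC_OVERRIDE not usable, falling back to become_root()\n"); }` ahead of the assignment, and add a comment on the static saying it is a one-way latch that is never set back to true. drop_effective_capability() picks between dropping the capability and unbecome_root() from that same flag, so if a set/drop pair ever enclosed another set that clears the flag (callers are not visible in this hunk), the outer drop would call unbecome_root() with no matching become_root() and leave the capability raised; a comment stating that DAC_OVERRIDE pairs must not nest would make the assumption explicit. The result of `set_process_capability(capability, False)` is still discarded, so a failed drop goes unnoticed.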