The branch, master has been updated via 0dec2ef188a Revert "token_util.c: prefer capabilities over become_root" via 32aa11e9b57 Revert "dosmode.c: prefer use of capabilities at two places over become_root" via 33e88911ee7 Revert "nfs4_acls.c: prefer capabilities over become_root" via af7b930e2bf Revert "vfs_acl_common.c: prefer capabilities over become_root" via 52ad635b270 Revert "vfs_default.c: prefer capabilities over become_root" via 10c7a3e47c6 Revert "vfs_posix_eadb.c: prefer capabilities over become_root" via 7f19afbd40d Revert "vfs_recycle.c: prefer capabilities over become_root" via 88eb58af678 Revert "open.c: prefer capabilities over become_root" via 87479544381 Revert "posix_acls.c: prefer capabilities over become_root" via 58ea952fd0c Revert "dosmode: prefer capabilities over become_root" from 9550d37f2f9 winbind: Log NOT_IMPLEMENTED as debug
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 0dec2ef188a93504da873d927ca2b26f8c491fb8 Author: Björn Jacke <bja...@samba.org> Date: Thu Jan 25 00:46:38 2024 +0100 Revert "token_util.c: prefer capabilities over become_root" This reverts commit 944cb51506a94084d7ab52ee044fe6f66e1aaeb9. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583 Signed-off-by: Bjoern Jacke <bja...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> Autobuild-User(master): Ralph Böhme <s...@samba.org> Autobuild-Date(master): Wed Mar 27 10:47:23 UTC 2024 on atb-devel-224 commit 32aa11e9b570ce1c0bec889b699bc4897c9d9843 Author: Björn Jacke <bja...@samba.org> Date: Mon Mar 25 17:04:45 2024 +0100 Revert "dosmode.c: prefer use of capabilities at two places over become_root" This reverts commit c1e2fbb1b9a7551becf5caa0f08d434edf9ad862. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583 Signed-off-by: Bjoern Jacke <bja...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> commit 33e88911ee7a8974d52021632ca25c1ddfcb6f45 Author: Björn Jacke <bja...@samba.org> Date: Mon Mar 25 17:04:23 2024 +0100 Revert "nfs4_acls.c: prefer capabilities over become_root" This reverts commit 06e5c1e32ea7907523cc19f021225e7541e2075f. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583 Signed-off-by: Bjoern Jacke <bja...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> commit af7b930e2bfe2275cee14dc2154f2aea8875fa63 Author: Björn Jacke <bja...@samba.org> Date: Mon Mar 25 17:04:17 2024 +0100 Revert "vfs_acl_common.c: prefer capabilities over become_root" This reverts commit 12734848dc9901b932644139aaa7e3f78e55c8dc. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583 
Signed-off-by: Bjoern Jacke <bja...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> commit 52ad635b2705bcfc8166bd90b1ad35ebb9cbc986 Author: Björn Jacke <bja...@samba.org> Date: Mon Mar 25 17:03:57 2024 +0100 Revert "vfs_default.c: prefer capabilities over become_root" This reverts commit 62464bd2db2a95b1253364f4493bbb6770b73193. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583 Signed-off-by: Bjoern Jacke <bja...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> commit 10c7a3e47c62dcb1dfe7e384960d60cafcb9e44e Author: Björn Jacke <bja...@samba.org> Date: Mon Mar 25 17:03:50 2024 +0100 Revert "vfs_posix_eadb.c: prefer capabilities over become_root" This reverts commit 92278418dc885ed411f545e73c800ce93f858090. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583 Signed-off-by: Bjoern Jacke <bja...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> commit 7f19afbd40d3ad3c8d186d0a2a64d07a2a8bd00a Author: Björn Jacke <bja...@samba.org> Date: Mon Mar 25 17:03:44 2024 +0100 Revert "vfs_recycle.c: prefer capabilities over become_root" This reverts commit 4227b011f6ada97a4cd72a440ed887ffdb3f219e. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583 Signed-off-by: Bjoern Jacke <bja...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> commit 88eb58af6783ad23d2e2b602ee9fdbbdf556b354 Author: Björn Jacke <bja...@samba.org> Date: Mon Mar 25 17:03:35 2024 +0100 Revert "open.c: prefer capabilities over become_root" This reverts commit b250f25fe407f9a6269b804382de4854501f2d86. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583 Signed-off-by: Bjoern Jacke <bja...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> commit 87479544381e103ee2b1def574a5865a3f6a93d9 Author: Björn Jacke <bja...@samba.org> Date: Mon Mar 25 17:03:28 2024 +0100 Revert "posix_acls.c: prefer capabilities over become_root" This reverts commit 1edf9ecaf56f3312e199e633bff0804243042e33. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583 
Signed-off-by: Bjoern Jacke <bja...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> commit 58ea952fd0c716f94b1b79b8ed1829bb72732ccc Author: Björn Jacke <bja...@samba.org> Date: Mon Mar 25 17:03:14 2024 +0100 Revert "dosmode: prefer capabilities over become_root" This reverts commit 5e925f9755fad180863861157aa7548d83dd3fde. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583 Signed-off-by: Bjoern Jacke <bja...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> ----------------------------------------------------------------------- Summary of changes: source3/auth/token_util.c | 4 ++-- source3/modules/nfs4_acls.c | 4 ++-- source3/modules/vfs_acl_common.c | 8 ++++---- source3/modules/vfs_default.c | 4 ++-- source3/modules/vfs_posix_eadb.c | 4 ++-- source3/modules/vfs_recycle.c | 4 ++-- source3/smbd/dosmode.c | 16 ++++++++-------- source3/smbd/open.c | 12 ++++++------ source3/smbd/posix_acls.c | 40 ++++++++++++++++++++-------------------- 9 files changed, 48 insertions(+), 48 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c index a7ff9bd6c3f..023ad7cbb02 100644 --- a/source3/auth/token_util.c +++ b/source3/auth/token_util.c @@ -699,7 +699,7 @@ NTSTATUS finalize_local_nt_token(struct security_token *result, /* Add in BUILTIN sids */ - set_effective_capability(DAC_OVERRIDE_CAPABILITY); + become_root(); ok = secrets_fetch_domain_sid(lp_workgroup(), &_dom_sid); if (ok) { domain_sid = &_dom_sid; @@ -707,7 +707,7 @@ NTSTATUS finalize_local_nt_token(struct security_token *result, DEBUG(3, ("Failed to fetch domain sid for %s\n", lp_workgroup())); } - drop_effective_capability(DAC_OVERRIDE_CAPABILITY); + unbecome_root(); info = talloc_zero(talloc_tos(), struct acct_info); if (info == NULL) { diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c index 0cc2b6cf364..c80f8390170 100644 --- a/source3/modules/nfs4_acls.c +++ b/source3/modules/nfs4_acls.c 
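Review bot: The `become_root()` restored before `secrets_fetch_domain_sid()` in finalize_local_nt_token has no comment saying why full root is required, and the commit message only links the bug, so a later attempt to narrow the privilege again has nothing at the call site to warn it. I would add `/* full root on purpose; the CAP_DAC_OVERRIDE variant was reverted, see BUG 15583 */` above the call. The same comment is missing at the other restored call sites in this series (nfs4_acls.c, vfs_acl_common.c, vfs_default.c, vfs_posix_eadb.c, vfs_recycle.c, dosmode.c, open.c, posix_acls.c). The function body continues outside both token_util.c hunks.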
@@ -1201,12 +1201,12 @@ NTSTATUS smb_set_nt_acl_nfs4(vfs_handle_struct *handle, files_struct *fsp, smbacl4_dump_nfs4acl(10, theacl); if (set_acl_as_root) { - set_effective_capability(DAC_OVERRIDE_CAPABILITY); + become_root(); } result = set_nfs4_native(handle, fsp, theacl); saved_errno = errno; if (set_acl_as_root) { - drop_effective_capability(DAC_OVERRIDE_CAPABILITY); + unbecome_root(); } TALLOC_FREE(frame); diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c index 314fc79a3a6..e04b672cf9a 100644 --- a/source3/modules/vfs_acl_common.c +++ b/source3/modules/vfs_acl_common.c @@ -764,9 +764,9 @@ static NTSTATUS set_underlying_acl(vfs_handle_struct *handle, files_struct *fsp, /* Ok, we failed to chown and we have SEC_STD_WRITE_OWNER access - override. */ - set_effective_capability(DAC_OVERRIDE_CAPABILITY); + become_root(); status = SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd); - drop_effective_capability(DAC_OVERRIDE_CAPABILITY); + unbecome_root(); return status; } @@ -1072,7 +1072,7 @@ static int acl_common_remove_object(vfs_handle_struct *handle, goto out; } - set_effective_capability(DAC_OVERRIDE_CAPABILITY); + become_root(); if (is_directory) { ret = SMB_VFS_NEXT_UNLINKAT(handle, dirfsp, @@ -1084,7 +1084,7 @@ static int acl_common_remove_object(vfs_handle_struct *handle, smb_fname, 0); } - drop_effective_capability(DAC_OVERRIDE_CAPABILITY); + unbecome_root(); if (ret == -1) { saved_errno = errno; diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c index 98188a50c34..62ad5063af0 100644 --- a/source3/modules/vfs_default.c +++ b/source3/modules/vfs_default.c 
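Review bot: In acl_common_remove_object (hunk at -1084) `errno` is read into `saved_errno` only after `unbecome_root()` has run, so any errno change made while restoring credentials would be reported instead of the unlink failure. Whether unbecome_root() can touch errno is not visible here, but the nfs4_acls.c and vfs_recycle.c hunks of this series both save errno before dropping root. I would capture it first, with `if (ret == -1) { saved_errno = errno; }` placed directly above `unbecome_root();`. change_dir_owner_to_parent_fsp in open.c (hunk at -1036) has the same order, calling `map_nt_error_from_unix(errno)` after `unbecome_root()`. Both functions start and end outside their hunks.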
@@ -1897,14 +1897,14 @@ static void vfswrap_get_dos_attributes_getxattr_done(struct tevent_req *subreq) state->as_root = true; - set_effective_capability(DAC_OVERRIDE_CAPABILITY); + become_root(); subreq = SMB_VFS_GETXATTRAT_SEND(state, state->ev, state->dir_fsp, state->smb_fname, SAMBA_XATTR_DOS_ATTRIB, sizeof(fstring)); - drop_effective_capability(DAC_OVERRIDE_CAPABILITY); + unbecome_root(); if (tevent_req_nomem(subreq, req)) { return; } diff --git a/source3/modules/vfs_posix_eadb.c b/source3/modules/vfs_posix_eadb.c index 34769f58a69..b3e21b09b8c 100644 --- a/source3/modules/vfs_posix_eadb.c +++ b/source3/modules/vfs_posix_eadb.c @@ -213,12 +213,12 @@ static bool posix_eadb_init(int snum, struct tdb_wrap **p_db) lp_ctx = loadparm_init_s3(NULL, loadparm_s3_helpers()); - set_effective_capability(DAC_OVERRIDE_CAPABILITY); + become_root(); db = tdb_wrap_open(NULL, eadb, 50000, lpcfg_tdb_flags(lp_ctx, TDB_DEFAULT), O_RDWR|O_CREAT, 0600); - drop_effective_capability(DAC_OVERRIDE_CAPABILITY); + unbecome_root(); talloc_unlink(NULL, lp_ctx); /* now we know dbname is not NULL */ diff --git a/source3/modules/vfs_recycle.c b/source3/modules/vfs_recycle.c index a9d60f6adbb..327a7eea06e 100644 --- a/source3/modules/vfs_recycle.c +++ b/source3/modules/vfs_recycle.c @@ -401,10 +401,10 @@ static void recycle_do_touch(vfs_handle_struct *handle, /* mtime */ ft.mtime = touch_mtime ? ft.atime : smb_fname_tmp->st.st_ex_mtime; - set_effective_capability(DAC_OVERRIDE_CAPABILITY); + become_root(); ret = SMB_VFS_NEXT_FNTIMES(handle, smb_fname_tmp->fsp, &ft); err = errno; - drop_effective_capability(DAC_OVERRIDE_CAPABILITY); + unbecome_root(); if (ret == -1 ) { DEBUG(0, ("recycle: touching %s failed, reason = %s\n", smb_fname_str_dbg(smb_fname_tmp), strerror(err))); diff --git a/source3/smbd/dosmode.c b/source3/smbd/dosmode.c index 4ae08f38dcf..4d897d6d7a1 100644 --- a/source3/smbd/dosmode.c +++ b/source3/smbd/dosmode.c 
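Review bot: In vfswrap_get_dos_attributes_getxattr_done the `become_root()`/`unbecome_root()` pair brackets only `SMB_VFS_GETXATTRAT_SEND()`, which by its name submits an asynchronous request, so root is already dropped by the time the xattr is actually read unless the backend captured the credentials at submission. That dependency is not visible in this hunk and deserves a comment, for example `/* root is only held while the request is queued; the getxattrat backend must pick up these credentials at send time */`. The function body continues outside the hunk.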
@@ -388,12 +388,12 @@ NTSTATUS fget_ea_dos_attribute(struct files_struct *fsp, run because in cases like NFS, root might have even less rights than the real user */ - set_effective_capability(DAC_OVERRIDE_CAPABILITY); + become_root(); sizeret = SMB_VFS_FGETXATTR(fsp, SAMBA_XATTR_DOS_ATTRIB, attrstr, sizeof(attrstr)); - drop_effective_capability(DAC_OVERRIDE_CAPABILITY); + unbecome_root(); } if (sizeret == -1) { DBG_INFO("Cannot get attribute " @@ -508,14 +508,14 @@ NTSTATUS set_ea_dos_attribute(connection_struct *conn, return NT_STATUS_ACCESS_DENIED; } - set_effective_capability(DAC_OVERRIDE_CAPABILITY); + become_root(); ret = SMB_VFS_FSETXATTR(smb_fname->fsp, SAMBA_XATTR_DOS_ATTRIB, blob.data, blob.length, 0); - drop_effective_capability(DAC_OVERRIDE_CAPABILITY); if (ret == 0) { status = NT_STATUS_OK; } + unbecome_root(); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -1037,9 +1037,9 @@ int file_set_dosmode(connection_struct *conn, return -1; } - set_effective_capability(DAC_OVERRIDE_CAPABILITY); + become_root(); ret = SMB_VFS_FCHMOD(smb_fname->fsp, unixmode); - drop_effective_capability(DAC_OVERRIDE_CAPABILITY); + unbecome_root(); done: if (!newfile) { @@ -1209,9 +1209,9 @@ int file_ntimes(connection_struct *conn, /* Check if we have write access. */ if (can_write_to_fsp(fsp)) { /* We are allowed to become root and change the filetime. */ - set_effective_capability(DAC_OVERRIDE_CAPABILITY); + become_root(); ret = SMB_VFS_FNTIMES(fsp, ft); - drop_effective_capability(DAC_OVERRIDE_CAPABILITY); + unbecome_root(); } return ret; diff --git a/source3/smbd/open.c b/source3/smbd/open.c index ae47d130650..9512fb20c59 100644 --- a/source3/smbd/open.c +++ b/source3/smbd/open.c 
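Review bot: In set_ea_dos_attribute (hunk at -508) `unbecome_root()` now sits after the `if (ret == 0) { status = NT_STATUS_OK; }` block, so the process stays root for a statement that needs no privilege. Moving `unbecome_root();` to the line directly after the `SMB_VFS_FSETXATTR(...)` call keeps the privileged window to the single VFS call, as file_set_dosmode and file_ntimes do in this file's other hunks. The function continues outside the hunk.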
@@ -999,11 +999,11 @@ static void change_file_owner_to_parent_fsp(struct files_struct *parent_fsp, return; } - set_effective_capability(DAC_OVERRIDE_CAPABILITY); + become_root(); ret = SMB_VFS_FCHOWN(fsp, parent_fsp->fsp_name->st.st_ex_uid, (gid_t)-1); - drop_effective_capability(DAC_OVERRIDE_CAPABILITY); + unbecome_root(); if (ret == -1) { DBG_ERR("failed to fchown " "file %s to parent directory uid %u. Error " @@ -1036,11 +1036,11 @@ static NTSTATUS change_dir_owner_to_parent_fsp(struct files_struct *parent_fsp, return NT_STATUS_OK; } - set_effective_capability(DAC_OVERRIDE_CAPABILITY); + become_root(); ret = SMB_VFS_FCHOWN(fsp, parent_fsp->fsp_name->st.st_ex_uid, (gid_t)-1); - drop_effective_capability(DAC_OVERRIDE_CAPABILITY); + unbecome_root(); if (ret == -1) { status = map_nt_error_from_unix(errno); DBG_ERR("failed to chown " @@ -5542,13 +5542,13 @@ static NTSTATUS inherit_new_acl(files_struct *dirfsp, files_struct *fsp) if (inherit_owner) { /* We need to be root to force this. */ - set_effective_capability(DAC_OVERRIDE_CAPABILITY); + become_root(); } status = SMB_VFS_FSET_NT_ACL(metadata_fsp(fsp), security_info_sent, psd); if (inherit_owner) { - drop_effective_capability(DAC_OVERRIDE_CAPABILITY); + unbecome_root(); } TALLOC_FREE(frame); return status; diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c index 530056175e0..d275bdb908b 100644 --- a/source3/smbd/posix_acls.c +++ b/source3/smbd/posix_acls.c @@ -2944,11 +2944,11 @@ static bool set_canon_ace_list(files_struct *fsp, "file [%s] primary group.\n", fsp_str_dbg(fsp)); - set_effective_capability(DAC_OVERRIDE_CAPABILITY); + become_root(); sret = SMB_VFS_SYS_ACL_SET_FD(fsp, the_acl_type, the_acl); - drop_effective_capability(DAC_OVERRIDE_CAPABILITY); + unbecome_root(); if (sret == 0) { ret = true; } 
@@ -3441,12 +3441,12 @@ static NTSTATUS try_chown(files_struct *fsp, uid_t uid, gid_t gid) if (has_take_ownership_priv || has_restore_priv) { status = NT_STATUS_OK; - set_effective_capability(DAC_OVERRIDE_CAPABILITY); + become_root(); ret = SMB_VFS_FCHOWN(fsp, uid, gid); if (ret != 0) { status = map_nt_error_from_unix(errno); } - drop_effective_capability(DAC_OVERRIDE_CAPABILITY); + unbecome_root(); return status; } } @@ -3480,13 +3480,13 @@ static NTSTATUS try_chown(files_struct *fsp, uid_t uid, gid_t gid) } status = NT_STATUS_OK; - set_effective_capability(DAC_OVERRIDE_CAPABILITY); + become_root(); /* Keep the current file gid the same. */ ret = SMB_VFS_FCHOWN(fsp, uid, (gid_t)-1); if (ret != 0) { status = map_nt_error_from_unix(errno); } - drop_effective_capability(DAC_OVERRIDE_CAPABILITY); + unbecome_root(); return status; } @@ -3707,12 +3707,12 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct if (acl_perms && file_ace_list) { if (set_acl_as_root) { - set_effective_capability(DAC_OVERRIDE_CAPABILITY); + become_root(); } ret = set_canon_ace_list(fsp, file_ace_list, false, &fsp->fsp_name->st, &acl_set_support); if (set_acl_as_root) { - drop_effective_capability(DAC_OVERRIDE_CAPABILITY); + unbecome_root(); } if (acl_set_support && ret == false) { DEBUG(3,("set_nt_acl: failed to set file acl on file " @@ -3727,13 +3727,13 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct if (acl_perms && acl_set_support && fsp->fsp_flags.is_directory) { if (dir_ace_list) { if (set_acl_as_root) { - set_effective_capability(DAC_OVERRIDE_CAPABILITY); + become_root(); } ret = set_canon_ace_list(fsp, dir_ace_list, true, &fsp->fsp_name->st, &acl_set_support); if (set_acl_as_root) { - drop_effective_capability(DAC_OVERRIDE_CAPABILITY); + unbecome_root(); } if (ret == false) { DEBUG(3,("set_nt_acl: failed to set default " 
@@ -3751,11 +3751,11 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct */ if (set_acl_as_root) { - set_effective_capability(DAC_OVERRIDE_CAPABILITY); + become_root(); } sret = SMB_VFS_SYS_ACL_DELETE_DEF_FD(fsp); if (set_acl_as_root) { - drop_effective_capability(DAC_OVERRIDE_CAPABILITY); + unbecome_root(); } if (sret == -1) { if (acl_group_override_fsp(fsp)) { @@ -3765,10 +3765,10 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct "Override delete_def_acl\n", fsp_str_dbg(fsp))); - set_effective_capability(DAC_OVERRIDE_CAPABILITY); + become_root(); sret = SMB_VFS_SYS_ACL_DELETE_DEF_FD(fsp); - drop_effective_capability(DAC_OVERRIDE_CAPABILITY); + unbecome_root(); } if (sret == -1) { @@ -3786,14 +3786,14 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct if (acl_set_support) { if (set_acl_as_root) { - set_effective_capability(DAC_OVERRIDE_CAPABILITY); + become_root(); } store_inheritance_attributes(fsp, file_ace_list, dir_ace_list, psd->type); if (set_acl_as_root) { - drop_effective_capability(DAC_OVERRIDE_CAPABILITY); + unbecome_root(); } } @@ -3820,11 +3820,11 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct fsp_str_dbg(fsp), (unsigned int)posix_perms)); if (set_acl_as_root) { - set_effective_capability(DAC_OVERRIDE_CAPABILITY); + become_root(); } sret = SMB_VFS_FCHMOD(fsp, posix_perms); if (set_acl_as_root) { - drop_effective_capability(DAC_OVERRIDE_CAPABILITY); + unbecome_root(); } if(sret == -1) { if (acl_group_override_fsp(fsp)) { @@ -3834,9 +3834,9 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct "Override chmod\n", fsp_str_dbg(fsp))); - set_effective_capability(DAC_OVERRIDE_CAPABILITY); + become_root(); sret = SMB_VFS_FCHMOD(fsp, posix_perms); - drop_effective_capability(DAC_OVERRIDE_CAPABILITY); + unbecome_root(); } if (sret == -1) { -- Samba Shared Repository
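Review bot: In set_nt_acl the override retry in the hunk at -3765 repeats `SMB_VFS_SYS_ACL_DELETE_DEF_FD(fsp)` as root even when `set_acl_as_root` was true and the first attempt in the hunk at -3751 already ran as root, so the second call appears to have the same privileges as the one that just failed. If that reading holds, the retry condition could be `if (!set_acl_as_root && acl_group_override_fsp(fsp)) {`; acl_group_override_fsp() is not visible here, so confirm it has no side effects the guard would skip. The chmod retry in the hunks at -3820 and -3834 has the same shape. set_nt_acl starts and ends outside these hunks.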