The Samba-Bugzilla – Attachment 18187 Details for
Bug 15093
files without "read attributes" NFS4 ACL permission are not listed in directories
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Backport patch for both 4.18 and 4.19
0001-system.c-fall-back-to-become_root-if-CAP_DAC_OVERRID.patch (text/plain), 2.10 KB, created by
Björn Jacke
on 2023-11-17 08:32:08 UTC
(
hide
)
Description:
Backport patch for both 4.18 and 4.19
Filename:
MIME Type:
Creator:
Björn Jacke
Created:
2023-11-17 08:32:08 UTC
Size:
2.10 KB
patch
obsolete
>From 4302324a25427d1dbd891cb8bd9ba553b0593034 Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Bj=C3=B6rn=20Jacke?= <bj@sernet.de> >Date: Thu, 9 Nov 2023 14:56:06 +0100 >Subject: [PATCH] system.c: fall back to become_root if CAP_DAC_OVERRIDE isn't > usable > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15093 > >Signed-off-by: Bjoern Jacke <bjacke@samba.org> >Reviewed-by: Christof Schmitt <cs@samba.org> >(cherry picked from commit a1738e8265dd256c5a1064482a6dfccbf9ca44f1) >--- > source3/lib/system.c | 31 +++++++++++++++++++++++++++++-- > 1 file changed, 29 insertions(+), 2 deletions(-) > >diff --git a/source3/lib/system.c b/source3/lib/system.c >index b443efb99cb..66b3525508b 100644 >--- a/source3/lib/system.c >+++ b/source3/lib/system.c >@@ -657,18 +657,45 @@ static bool set_process_capability(enum smbd_capability capability, > Gain the oplock capability from the kernel if possible. > ****************************************************************************/ > >+#if defined(HAVE_POSIX_CAPABILITIES) && defined(CAP_DAC_OVERRIDE) >+static bool have_cap_dac_override = true; >+#else >+static bool have_cap_dac_override = false; >+#endif >+ > void set_effective_capability(enum smbd_capability capability) > { >+ bool ret = false; >+ >+ if (capability != DAC_OVERRIDE_CAPABILITY || have_cap_dac_override) { > #if defined(HAVE_POSIX_CAPABILITIES) >- set_process_capability(capability, True); >+ ret = set_process_capability(capability, True); > #endif /* HAVE_POSIX_CAPABILITIES */ >+ } >+ >+ /* >+ * Fallback to become_root() if CAP_DAC_OVERRIDE is not >+ * available. >+ */ >+ if (capability == DAC_OVERRIDE_CAPABILITY) { >+ if (!ret) { >+ have_cap_dac_override = false; >+ } >+ if (!have_cap_dac_override) { >+ become_root(); >+ } >+ } > } > > void drop_effective_capability(enum smbd_capability capability) > { >+ if (capability != DAC_OVERRIDE_CAPABILITY || have_cap_dac_override) { > #if defined(HAVE_POSIX_CAPABILITIES) >- set_process_capability(capability, False); >+ set_process_capability(capability, False); > #endif /* HAVE_POSIX_CAPABILITIES */ >+ } else { >+ unbecome_root(); >+ } > } > > /************************************************************************** >-- >2.38.0 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=18187">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Flags:
cs
:
review+
bjacke
:
ci-passed+
Actions:
View
Attachments on
bug 15093
:
17364
| 18187