Attachment 18248 Details for Bug 15583 – patch that fixes the behavior

[patch] patch that fixes the behavior

0001-Revert-posix_acls.c-prefer-capabilities-over-become_.patch (text/plain), 5.17 KB, created by Björn Baumbach on 2024-02-15 22:32:17 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Björn Baumbach

Created: 2024-02-15 22:32:17 UTC

Size: 5.17 KB

patch

obsolete

>From 79f70d9d3f4487165ca407c0bd891e404cf5e9d8 Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= <bb@sernet.de>
>Date: Thu, 15 Feb 2024 19:20:48 +0100
>Subject: [PATCH] Revert "posix_acls.c: prefer capabilities over become_root"
>
>This reverts commit 1edf9ecaf56f3312e199e633bff0804243042e33.
>---
> source3/smbd/posix_acls.c | 40 +++++++++++++++++++--------------------
> 1 file changed, 20 insertions(+), 20 deletions(-)
>
>diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
>index 530056175e0..d275bdb908b 100644
>--- a/source3/smbd/posix_acls.c
>+++ b/source3/smbd/posix_acls.c
>@@ -2944,11 +2944,11 @@ static bool set_canon_ace_list(files_struct *fsp,
> 				  "file [%s] primary group.\n",
> 				  fsp_str_dbg(fsp));
> 
>-			set_effective_capability(DAC_OVERRIDE_CAPABILITY);
>+			become_root();
> 			sret = SMB_VFS_SYS_ACL_SET_FD(fsp,
> 						      the_acl_type,
> 						      the_acl);
>-			drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
>+			unbecome_root();
> 			if (sret == 0) {
> 				ret = true;
> 			}
>@@ -3441,12 +3441,12 @@ static NTSTATUS try_chown(files_struct *fsp, uid_t uid, gid_t gid)
> 
> 		if (has_take_ownership_priv || has_restore_priv) {
> 			status = NT_STATUS_OK;
>-			set_effective_capability(DAC_OVERRIDE_CAPABILITY);
>+			become_root();
> 			ret = SMB_VFS_FCHOWN(fsp, uid, gid);
> 			if (ret != 0) {
> 				status = map_nt_error_from_unix(errno);
> 			}
>-			drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
>+			unbecome_root();
> 			return status;
> 		}
> 	}
>@@ -3480,13 +3480,13 @@ static NTSTATUS try_chown(files_struct *fsp, uid_t uid, gid_t gid)
> 	}
> 
> 	status = NT_STATUS_OK;
>-	set_effective_capability(DAC_OVERRIDE_CAPABILITY);
>+	become_root();
> 	/* Keep the current file gid the same. */
> 	ret = SMB_VFS_FCHOWN(fsp, uid, (gid_t)-1);
> 	if (ret != 0) {
> 		status = map_nt_error_from_unix(errno);
> 	}
>-	drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
>+	unbecome_root();
> 
> 	return status;
> }
>@@ -3707,12 +3707,12 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct
> 
> 	if (acl_perms && file_ace_list) {
> 		if (set_acl_as_root) {
>-			set_effective_capability(DAC_OVERRIDE_CAPABILITY);
>+			become_root();
> 		}
> 		ret = set_canon_ace_list(fsp, file_ace_list, false,
> 					 &fsp->fsp_name->st, &acl_set_support);
> 		if (set_acl_as_root) {
>-			drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
>+			unbecome_root();
> 		}
> 		if (acl_set_support && ret == false) {
> 			DEBUG(3,("set_nt_acl: failed to set file acl on file "
>@@ -3727,13 +3727,13 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct
> 	if (acl_perms && acl_set_support && fsp->fsp_flags.is_directory) {
> 		if (dir_ace_list) {
> 			if (set_acl_as_root) {
>-				set_effective_capability(DAC_OVERRIDE_CAPABILITY);
>+				become_root();
> 			}
> 			ret = set_canon_ace_list(fsp, dir_ace_list, true,
> 						 &fsp->fsp_name->st,
> 						 &acl_set_support);
> 			if (set_acl_as_root) {
>-				drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
>+				unbecome_root();
> 			}
> 			if (ret == false) {
> 				DEBUG(3,("set_nt_acl: failed to set default "
>@@ -3751,11 +3751,11 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct
> 			 */
> 
> 			if (set_acl_as_root) {
>-				set_effective_capability(DAC_OVERRIDE_CAPABILITY);
>+				become_root();
> 			}
> 			sret = SMB_VFS_SYS_ACL_DELETE_DEF_FD(fsp);
> 			if (set_acl_as_root) {
>-				drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
>+				unbecome_root();
> 			}
> 			if (sret == -1) {
> 				if (acl_group_override_fsp(fsp)) {
>@@ -3765,10 +3765,10 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct
> 						 "Override delete_def_acl\n",
> 						 fsp_str_dbg(fsp)));
> 
>-					set_effective_capability(DAC_OVERRIDE_CAPABILITY);
>+					become_root();
> 					sret =
> 					    SMB_VFS_SYS_ACL_DELETE_DEF_FD(fsp);
>-					drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
>+					unbecome_root();
> 				}
> 
> 				if (sret == -1) {
>@@ -3786,14 +3786,14 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct
> 
> 	if (acl_set_support) {
> 		if (set_acl_as_root) {
>-			set_effective_capability(DAC_OVERRIDE_CAPABILITY);
>+			become_root();
> 		}
> 		store_inheritance_attributes(fsp,
> 				file_ace_list,
> 				dir_ace_list,
> 				psd->type);
> 		if (set_acl_as_root) {
>-			drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
>+			unbecome_root();
> 		}
> 	}
> 
>@@ -3820,11 +3820,11 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct
> 				 fsp_str_dbg(fsp), (unsigned int)posix_perms));
> 
> 			if (set_acl_as_root) {
>-				set_effective_capability(DAC_OVERRIDE_CAPABILITY);
>+				become_root();
> 			}
> 			sret = SMB_VFS_FCHMOD(fsp, posix_perms);
> 			if (set_acl_as_root) {
>-				drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
>+				unbecome_root();
> 			}
> 			if(sret == -1) {
> 				if (acl_group_override_fsp(fsp)) {
>@@ -3834,9 +3834,9 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct
> 						 "Override chmod\n",
> 						 fsp_str_dbg(fsp)));
> 
>-					set_effective_capability(DAC_OVERRIDE_CAPABILITY);
>+					become_root();
> 					sret = SMB_VFS_FCHMOD(fsp, posix_perms);
>-					drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
>+					unbecome_root();
> 				}
> 
> 				if (sret == -1) {
>-- 
>2.34.1
>

Actions: View

Attachments on bug 15583: 18248 | 18249 | 18250 | 18251 | 18252 | 18277 | 18278