mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

Revert "posix_acls.c: prefer capabilities over become_root"

This reverts commit 1edf9ecaf5.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Björn Jacke 2024-03-25 17:03:28 +01:00 committed by Ralph Boehme
parent 58ea952fd0
commit 8747954438


@ -2944,11 +2944,11 @@ static bool set_canon_ace_list(files_struct *fsp,
"file [%s] primary group.\n",
fsp_str_dbg(fsp));
set_effective_capability(DAC_OVERRIDE_CAPABILITY);
become_root();
sret = SMB_VFS_SYS_ACL_SET_FD(fsp,
the_acl_type,
the_acl);
drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
unbecome_root();
if (sret == 0) {
ret = true;
}
@ -3441,12 +3441,12 @@ static NTSTATUS try_chown(files_struct *fsp, uid_t uid, gid_t gid)
if (has_take_ownership_priv || has_restore_priv) {
status = NT_STATUS_OK;
set_effective_capability(DAC_OVERRIDE_CAPABILITY);
become_root();
ret = SMB_VFS_FCHOWN(fsp, uid, gid);
if (ret != 0) {
status = map_nt_error_from_unix(errno);
}
drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
unbecome_root();
return status;
}
}
@ -3480,13 +3480,13 @@ static NTSTATUS try_chown(files_struct *fsp, uid_t uid, gid_t gid)
}
status = NT_STATUS_OK;
set_effective_capability(DAC_OVERRIDE_CAPABILITY);
become_root();
/* Keep the current file gid the same. */
ret = SMB_VFS_FCHOWN(fsp, uid, (gid_t)-1);
if (ret != 0) {
status = map_nt_error_from_unix(errno);
}
drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
unbecome_root();
return status;
}
@ -3707,12 +3707,12 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct
if (acl_perms && file_ace_list) {
if (set_acl_as_root) {
set_effective_capability(DAC_OVERRIDE_CAPABILITY);
become_root();
}
ret = set_canon_ace_list(fsp, file_ace_list, false,
&fsp->fsp_name->st, &acl_set_support);
if (set_acl_as_root) {
drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
unbecome_root();
}
if (acl_set_support && ret == false) {
DEBUG(3,("set_nt_acl: failed to set file acl on file "
@ -3727,13 +3727,13 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct
if (acl_perms && acl_set_support && fsp->fsp_flags.is_directory) {
if (dir_ace_list) {
if (set_acl_as_root) {
set_effective_capability(DAC_OVERRIDE_CAPABILITY);
become_root();
}
ret = set_canon_ace_list(fsp, dir_ace_list, true,
&fsp->fsp_name->st,
&acl_set_support);
if (set_acl_as_root) {
drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
unbecome_root();
}
if (ret == false) {
DEBUG(3,("set_nt_acl: failed to set default "
@ -3751,11 +3751,11 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct
*/
if (set_acl_as_root) {
set_effective_capability(DAC_OVERRIDE_CAPABILITY);
become_root();
}
sret = SMB_VFS_SYS_ACL_DELETE_DEF_FD(fsp);
if (set_acl_as_root) {
drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
unbecome_root();
}
if (sret == -1) {
if (acl_group_override_fsp(fsp)) {
@ -3765,10 +3765,10 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct
"Override delete_def_acl\n",
fsp_str_dbg(fsp)));
set_effective_capability(DAC_OVERRIDE_CAPABILITY);
become_root();
sret =
SMB_VFS_SYS_ACL_DELETE_DEF_FD(fsp);
drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
unbecome_root();
}
if (sret == -1) {
@ -3786,14 +3786,14 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct
if (acl_set_support) {
if (set_acl_as_root) {
set_effective_capability(DAC_OVERRIDE_CAPABILITY);
become_root();
}
store_inheritance_attributes(fsp,
file_ace_list,
dir_ace_list,
psd->type);
if (set_acl_as_root) {
drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
unbecome_root();
}
}
@ -3820,11 +3820,11 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct
fsp_str_dbg(fsp), (unsigned int)posix_perms));
if (set_acl_as_root) {
set_effective_capability(DAC_OVERRIDE_CAPABILITY);
become_root();
}
sret = SMB_VFS_FCHMOD(fsp, posix_perms);
if (set_acl_as_root) {
drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
unbecome_root();
}
if(sret == -1) {
if (acl_group_override_fsp(fsp)) {
@ -3834,9 +3834,9 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct
"Override chmod\n",
fsp_str_dbg(fsp)));
set_effective_capability(DAC_OVERRIDE_CAPABILITY);
become_root();
sret = SMB_VFS_FCHMOD(fsp, posix_perms);
drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
unbecome_root();
}
if (sret == -1) {
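Review bot: Every restored `become_root()` / `unbecome_root()` pair in set_canon_ace_list, try_chown and set_nt_acl runs its VFS call under the full root identity, where the reverted lines raised only `DAC_OVERRIDE_CAPABILITY`, and nothing at the call sites records why the narrower privilege was dropped. The only gates visible before these elevations are `has_take_ownership_priv || has_restore_priv`, `set_acl_as_root` and `acl_group_override_fsp(fsp)`, so I would add a short comment at the first site in each function, for example `/* become_root() rather than DAC_OVERRIDE_CAPABILITY: see bug 15583 */`, so that a later reader does not narrow it again without reading the bug. Separately, try_chown maps `errno` before `unbecome_root()`, but the set_canon_ace_list and set_nt_acl sites only test `sret` after it. If those error branches, which continue outside the hunks, read `errno`, saving it right after the call with `int saved_errno = errno;` and restoring it after `unbecome_root()` would preserve the value from the failed call.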