1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-10 01:18:15 +03:00

Revert "posix_acls.c: prefer capabilities over become_root"

This reverts commit 1edf9ecaf5.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This commit is contained in:
Björn Jacke 2024-03-25 17:03:28 +01:00 committed by Ralph Boehme
parent 58ea952fd0
commit 8747954438

View File

@ -2944,11 +2944,11 @@ static bool set_canon_ace_list(files_struct *fsp,
"file [%s] primary group.\n", "file [%s] primary group.\n",
fsp_str_dbg(fsp)); fsp_str_dbg(fsp));
set_effective_capability(DAC_OVERRIDE_CAPABILITY); become_root();
sret = SMB_VFS_SYS_ACL_SET_FD(fsp, sret = SMB_VFS_SYS_ACL_SET_FD(fsp,
the_acl_type, the_acl_type,
the_acl); the_acl);
drop_effective_capability(DAC_OVERRIDE_CAPABILITY); unbecome_root();
if (sret == 0) { if (sret == 0) {
ret = true; ret = true;
} }
@ -3441,12 +3441,12 @@ static NTSTATUS try_chown(files_struct *fsp, uid_t uid, gid_t gid)
if (has_take_ownership_priv || has_restore_priv) { if (has_take_ownership_priv || has_restore_priv) {
status = NT_STATUS_OK; status = NT_STATUS_OK;
set_effective_capability(DAC_OVERRIDE_CAPABILITY); become_root();
ret = SMB_VFS_FCHOWN(fsp, uid, gid); ret = SMB_VFS_FCHOWN(fsp, uid, gid);
if (ret != 0) { if (ret != 0) {
status = map_nt_error_from_unix(errno); status = map_nt_error_from_unix(errno);
} }
drop_effective_capability(DAC_OVERRIDE_CAPABILITY); unbecome_root();
return status; return status;
} }
} }
@ -3480,13 +3480,13 @@ static NTSTATUS try_chown(files_struct *fsp, uid_t uid, gid_t gid)
} }
status = NT_STATUS_OK; status = NT_STATUS_OK;
set_effective_capability(DAC_OVERRIDE_CAPABILITY); become_root();
/* Keep the current file gid the same. */ /* Keep the current file gid the same. */
ret = SMB_VFS_FCHOWN(fsp, uid, (gid_t)-1); ret = SMB_VFS_FCHOWN(fsp, uid, (gid_t)-1);
if (ret != 0) { if (ret != 0) {
status = map_nt_error_from_unix(errno); status = map_nt_error_from_unix(errno);
} }
drop_effective_capability(DAC_OVERRIDE_CAPABILITY); unbecome_root();
return status; return status;
} }
@ -3707,12 +3707,12 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct
if (acl_perms && file_ace_list) { if (acl_perms && file_ace_list) {
if (set_acl_as_root) { if (set_acl_as_root) {
set_effective_capability(DAC_OVERRIDE_CAPABILITY); become_root();
} }
ret = set_canon_ace_list(fsp, file_ace_list, false, ret = set_canon_ace_list(fsp, file_ace_list, false,
&fsp->fsp_name->st, &acl_set_support); &fsp->fsp_name->st, &acl_set_support);
if (set_acl_as_root) { if (set_acl_as_root) {
drop_effective_capability(DAC_OVERRIDE_CAPABILITY); unbecome_root();
} }
if (acl_set_support && ret == false) { if (acl_set_support && ret == false) {
DEBUG(3,("set_nt_acl: failed to set file acl on file " DEBUG(3,("set_nt_acl: failed to set file acl on file "
@ -3727,13 +3727,13 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct
if (acl_perms && acl_set_support && fsp->fsp_flags.is_directory) { if (acl_perms && acl_set_support && fsp->fsp_flags.is_directory) {
if (dir_ace_list) { if (dir_ace_list) {
if (set_acl_as_root) { if (set_acl_as_root) {
set_effective_capability(DAC_OVERRIDE_CAPABILITY); become_root();
} }
ret = set_canon_ace_list(fsp, dir_ace_list, true, ret = set_canon_ace_list(fsp, dir_ace_list, true,
&fsp->fsp_name->st, &fsp->fsp_name->st,
&acl_set_support); &acl_set_support);
if (set_acl_as_root) { if (set_acl_as_root) {
drop_effective_capability(DAC_OVERRIDE_CAPABILITY); unbecome_root();
} }
if (ret == false) { if (ret == false) {
DEBUG(3,("set_nt_acl: failed to set default " DEBUG(3,("set_nt_acl: failed to set default "
@ -3751,11 +3751,11 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct
*/ */
if (set_acl_as_root) { if (set_acl_as_root) {
set_effective_capability(DAC_OVERRIDE_CAPABILITY); become_root();
} }
sret = SMB_VFS_SYS_ACL_DELETE_DEF_FD(fsp); sret = SMB_VFS_SYS_ACL_DELETE_DEF_FD(fsp);
if (set_acl_as_root) { if (set_acl_as_root) {
drop_effective_capability(DAC_OVERRIDE_CAPABILITY); unbecome_root();
} }
if (sret == -1) { if (sret == -1) {
if (acl_group_override_fsp(fsp)) { if (acl_group_override_fsp(fsp)) {
@ -3765,10 +3765,10 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct
"Override delete_def_acl\n", "Override delete_def_acl\n",
fsp_str_dbg(fsp))); fsp_str_dbg(fsp)));
set_effective_capability(DAC_OVERRIDE_CAPABILITY); become_root();
sret = sret =
SMB_VFS_SYS_ACL_DELETE_DEF_FD(fsp); SMB_VFS_SYS_ACL_DELETE_DEF_FD(fsp);
drop_effective_capability(DAC_OVERRIDE_CAPABILITY); unbecome_root();
} }
if (sret == -1) { if (sret == -1) {
@ -3786,14 +3786,14 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct
if (acl_set_support) { if (acl_set_support) {
if (set_acl_as_root) { if (set_acl_as_root) {
set_effective_capability(DAC_OVERRIDE_CAPABILITY); become_root();
} }
store_inheritance_attributes(fsp, store_inheritance_attributes(fsp,
file_ace_list, file_ace_list,
dir_ace_list, dir_ace_list,
psd->type); psd->type);
if (set_acl_as_root) { if (set_acl_as_root) {
drop_effective_capability(DAC_OVERRIDE_CAPABILITY); unbecome_root();
} }
} }
@ -3820,11 +3820,11 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct
fsp_str_dbg(fsp), (unsigned int)posix_perms)); fsp_str_dbg(fsp), (unsigned int)posix_perms));
if (set_acl_as_root) { if (set_acl_as_root) {
set_effective_capability(DAC_OVERRIDE_CAPABILITY); become_root();
} }
sret = SMB_VFS_FCHMOD(fsp, posix_perms); sret = SMB_VFS_FCHMOD(fsp, posix_perms);
if (set_acl_as_root) { if (set_acl_as_root) {
drop_effective_capability(DAC_OVERRIDE_CAPABILITY); unbecome_root();
} }
if(sret == -1) { if(sret == -1) {
if (acl_group_override_fsp(fsp)) { if (acl_group_override_fsp(fsp)) {
@ -3834,9 +3834,9 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct
"Override chmod\n", "Override chmod\n",
fsp_str_dbg(fsp))); fsp_str_dbg(fsp)));
set_effective_capability(DAC_OVERRIDE_CAPABILITY); become_root();
sret = SMB_VFS_FCHMOD(fsp, posix_perms); sret = SMB_VFS_FCHMOD(fsp, posix_perms);
drop_effective_capability(DAC_OVERRIDE_CAPABILITY); unbecome_root();
} }
if (sret == -1) { if (sret == -1) {