BUG: https://bugzilla.samba.org/show_bug.cgi?id=15093
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
(cherry picked from commit
a1738e8265dd256c5a1064482a6dfccbf9ca44f1)
Autobuild-User(v4-18-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-18-test): Mon Nov 20 09:55:39 UTC 2023 on atb-devel-224
Gain the oplock capability from the kernel if possible.
****************************************************************************/
Gain the oplock capability from the kernel if possible.
****************************************************************************/
+#if defined(HAVE_POSIX_CAPABILITIES) && defined(CAP_DAC_OVERRIDE)
+static bool have_cap_dac_override = true;
+#else
+static bool have_cap_dac_override = false;
+#endif
+
void set_effective_capability(enum smbd_capability capability)
{
void set_effective_capability(enum smbd_capability capability)
{
+ bool ret = false;
+
+ if (capability != DAC_OVERRIDE_CAPABILITY || have_cap_dac_override) {
#if defined(HAVE_POSIX_CAPABILITIES)
#if defined(HAVE_POSIX_CAPABILITIES)
- set_process_capability(capability, True);
+ ret = set_process_capability(capability, True);
#endif /* HAVE_POSIX_CAPABILITIES */
#endif /* HAVE_POSIX_CAPABILITIES */
+ }
+
+ /*
+ * Fallback to become_root() if CAP_DAC_OVERRIDE is not
+ * available.
+ */
+ if (capability == DAC_OVERRIDE_CAPABILITY) {
+ if (!ret) {
+ have_cap_dac_override = false;
+ }
+ if (!have_cap_dac_override) {
+ become_root();
+ }
+ }
}
void drop_effective_capability(enum smbd_capability capability)
{
}
void drop_effective_capability(enum smbd_capability capability)
{
+ if (capability != DAC_OVERRIDE_CAPABILITY || have_cap_dac_override) {
#if defined(HAVE_POSIX_CAPABILITIES)
#if defined(HAVE_POSIX_CAPABILITIES)
- set_process_capability(capability, False);
+ set_process_capability(capability, False);
#endif /* HAVE_POSIX_CAPABILITIES */
#endif /* HAVE_POSIX_CAPABILITIES */
+ } else {
+ unbecome_root();
+ }
}
/**************************************************************************
}
/**************************************************************************
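Review bot: In drop_effective_capability() the result of `set_process_capability(capability, False)` is still discarded, so a failed drop leaves the capability effective with no trace, even though the set side now acts on the same return value. Checking it and logging would make a stuck privilege visible, e.g. `if (!set_process_capability(capability, False)) { DBG_ERR("failed to drop capability %d\n", (int)capability); }`. The fallback in set_effective_capability() also widens the privilege from a single capability to full root and latches `have_cap_dac_override = false` for the rest of the process, so a one-time log message where the flag flips would tell operators that smbd is now on the become_root() path. The set/drop pairing appears to rely on calls not being nested: if the flag flipped between an outer set and its drop, the outer drop would call unbecome_root() without a matching become_root(). A comment above the flag stating that assumption would help, and it should be confirmed against the callers, which are outside this hunk.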