token_util.c: prefer capabilities over become_root

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>

diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c
index 023ad7cbb028a026666c52eba148f0d2f5c34565..a7ff9bd6c3f155b085302341e7f918faaeffcb70 100644 (file)
--- a/source3/auth/token_util.c
+++ b/source3/auth/token_util.c
@@ -699,7 +699,7 @@ NTSTATUS finalize_local_nt_token(struct security_token *result,
 
        /* Add in BUILTIN sids */
 
-       become_root();
+       set_effective_capability(DAC_OVERRIDE_CAPABILITY);
        ok = secrets_fetch_domain_sid(lp_workgroup(), &_dom_sid);
        if (ok) {
                domain_sid = &_dom_sid;
@@ -707,7 +707,7 @@ NTSTATUS finalize_local_nt_token(struct security_token *result,
                DEBUG(3, ("Failed to fetch domain sid for %s\n",
                          lp_workgroup()));
        }
-       unbecome_root();
+       drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
 
        info = talloc_zero(talloc_tos(), struct acct_info);
        if (info == NULL) {