From: Ralph Boehme Date: Mon, 23 Oct 2017 12:15:12 +0000 (+0200) Subject: vfs_nfs4acl_xattr: do xattr ops as root X-Git-Tag: tevent-0.9.34~31 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b4072961c691dbe7434b077147a89d927a299570;p=thirdparty%2Fsamba.git vfs_nfs4acl_xattr: do xattr ops as root This ensures we can always fetch the ACL xattr blob when we wanted, unrestricted of filesystem permissions or Linux xattr security namespace restrictions. Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison --- diff --git a/source3/modules/vfs_nfs4acl_xattr.c b/source3/modules/vfs_nfs4acl_xattr.c index 31b85aea13f..2515d0c7987 100644 --- a/source3/modules/vfs_nfs4acl_xattr.c +++ b/source3/modules/vfs_nfs4acl_xattr.c @@ -72,12 +72,15 @@ static NTSTATUS nfs4acl_get_blob(struct vfs_handle_struct *handle, } do { + int saved_errno = 0; + allocsize *= 4; ok = data_blob_realloc(mem_ctx, blob, allocsize); if (!ok) { return NT_STATUS_NO_MEMORY; } + become_root(); if (fsp != NULL && fsp->fh->fd != -1) { length = SMB_VFS_NEXT_FGETXATTR(handle, fsp, @@ -91,6 +94,13 @@ static NTSTATUS nfs4acl_get_blob(struct vfs_handle_struct *handle, blob->data, blob->length); } + if (length == -1) { + saved_errno = errno; + } + unbecome_root(); + if (saved_errno != 0) { + errno = saved_errno; + } } while (length == -1 && errno == ERANGE && allocsize <= 65536); if (length == -1) { @@ -243,6 +253,7 @@ static bool nfs4acl_smb4acl_set_fn(vfs_handle_struct *handle, struct nfs4acl_config *config = NULL; DATA_BLOB blob; NTSTATUS status; + int saved_errno = 0; int ret; SMB_VFS_HANDLE_GET_DATA(handle, config, @@ -262,6 +273,7 @@ static bool nfs4acl_smb4acl_set_fn(vfs_handle_struct *handle, return false; } + become_root(); if (fsp->fh->fd != -1) { ret = SMB_VFS_NEXT_FSETXATTR(handle, fsp, config->xattr_name, blob.data, blob.length, 0); 
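Review bot: With `become_root()` placed before the xattr read in the `do` loop, the filesystem no longer decides whether the session user may read the ACL blob, so every caller of nfs4acl_get_blob must already have made that access decision, and nothing in this hunk documents that. I would add a comment above the call, for example `/* Read as root: the xattr may be unreadable for the session user; callers must already have authorised this access. */`. The branch taken when `fsp` is NULL or has no open fd lies between this hunk and the next and is not visible; if it is a path-based lookup, the path is now resolved with root credentials, so its symlink handling deserves a second look. The function body starts and ends outside the hunk.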
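Review bot: The root section closed here by `unbecome_root()` stays balanced only while no `return`, `break` or `continue` is added between it and the `become_root()` call earlier in the loop, and a short comment would protect later edits, e.g. `/* keep become_root()/unbecome_root() paired: no early exit in between */`. The conditional save and restore of `errno` keeps the `errno == ERANGE` test in the loop condition meaningful, since `unbecome_root()` may overwrite it. The same pairing is used in nfs4acl_smb4acl_set_fn (hunks at -262 and -270), where the comment applies as well. The loop starts in the previous hunk.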
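Review bot: Storing the ACL xattr under `become_root()` means the kernel's ownership and permission checks no longer gate who can replace a file's ACL, so nfs4acl_smb4acl_set_fn relies entirely on its callers having verified that the client may change the security descriptor. That precondition should be written down at the call, e.g. `/* Caller has already checked the client's right to set this ACL; we write as root. */`. Whether the callers perform that check cannot be seen from this diff. The `else` branch for `fsp->fh->fd == -1` continues in the next hunk and also runs inside the root section.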
@@ -270,7 +282,14 @@ static bool nfs4acl_smb4acl_set_fn(vfs_handle_struct *handle, config->xattr_name, blob.data, blob.length, 0); } + if (ret != 0) { + saved_errno = errno; + } + unbecome_root(); data_blob_free(&blob); + if (saved_errno != 0) { + errno = saved_errno; + } if (ret != 0) { DBG_ERR("can't store acl in xattr: %s\n", strerror(errno)); return false;