From 944cb51506a94084d7ab52ee044fe6f66e1aaeb9 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Bj=C3=B6rn=20Jacke?= <bj@sernet.de>
Date: Fri, 17 Jun 2022 07:22:57 +0200
Subject: [PATCH] token_util.c: prefer capabilities over become_root

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
---
 source3/auth/token_util.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c
index 023ad7cbb02..a7ff9bd6c3f 100644
--- a/source3/auth/token_util.c
+++ b/source3/auth/token_util.c
@@ -699,7 +699,7 @@ NTSTATUS finalize_local_nt_token(struct security_token *result,
 
 	/* Add in BUILTIN sids */
 
-	become_root();
+	set_effective_capability(DAC_OVERRIDE_CAPABILITY);
 	ok = secrets_fetch_domain_sid(lp_workgroup(), &_dom_sid);
 	if (ok) {
 		domain_sid = &_dom_sid;
@@ -707,7 +707,7 @@ NTSTATUS finalize_local_nt_token(struct security_token *result,
 		DEBUG(3, ("Failed to fetch domain sid for %s\n",
 			  lp_workgroup()));
 	}
-	unbecome_root();
+	drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
 
 	info = talloc_zero(talloc_tos(), struct acct_info);
 	if (info == NULL) {
-- 
2.47.3