From c1e2fbb1b9a7551becf5caa0f08d434edf9ad862 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Bj=C3=B6rn=20Jacke?= <bj@sernet.de>
Date: Fri, 10 Nov 2023 09:58:43 +0100
Subject: [PATCH] dosmode.c: prefer use of capabilities at two places over
 become_root

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
---
 source3/smbd/dosmode.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/source3/smbd/dosmode.c b/source3/smbd/dosmode.c
index 41241fd2bfc..5dfab65984a 100644
--- a/source3/smbd/dosmode.c
+++ b/source3/smbd/dosmode.c
@@ -387,12 +387,12 @@ NTSTATUS fget_ea_dos_attribute(struct files_struct *fsp,
 		   run because in cases like NFS, root might have even less
 		   rights than the real user
 		*/
-		become_root();
+		set_effective_capability(DAC_OVERRIDE_CAPABILITY);
 		sizeret = SMB_VFS_FGETXATTR(fsp,
 					    SAMBA_XATTR_DOS_ATTRIB,
 					    attrstr,
 					    sizeof(attrstr));
-		unbecome_root();
+		drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
 	}
 	if (sizeret == -1) {
 		DBG_INFO("Cannot get attribute "
@@ -507,14 +507,14 @@ NTSTATUS set_ea_dos_attribute(connection_struct *conn,
 			return NT_STATUS_ACCESS_DENIED;
 		}
 
-		become_root();
+		set_effective_capability(DAC_OVERRIDE_CAPABILITY);
 		ret = SMB_VFS_FSETXATTR(smb_fname->fsp,
 					SAMBA_XATTR_DOS_ATTRIB,
 					blob.data, blob.length, 0);
+		drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
 		if (ret == 0) {
 			status = NT_STATUS_OK;
 		}
-		unbecome_root();
 		if (!NT_STATUS_IS_OK(status)) {
 			return status;
 		}
-- 
2.47.3