The branch, v4-19-test has been updated via a5b61b469a2 pytests: sid_strings: do not fail if epoch ending has zeros via af4fe00f264 system.c: fall back to become_root if CAP_DAC_OVERRIDE isn't usable from adb1da16e39 s3: smbd: Ignore fstat() error on deleted stream in fd_close().
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-19-test - Log ----------------------------------------------------------------- commit a5b61b469a2303c31ca681a10bc70fb7cb86668e Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Wed Nov 15 13:03:27 2023 +1300 pytests: sid_strings: do not fail if epoch ending has zeros To avoid collisions in random OID strings, we started using the epoch date modulus 100 million. The trouble is we did not strip out the leading zeros, so the field might be '00000123' when it should be '123', if the date happened not to correspond to an epoch with a zero in the eighth to last place. This has been the case for most of the last 1041 days, but fortunately the bug was only introduced earlier this year. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15520 Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Martin Schwenke <mschwe...@ddn.com> (cherry picked from commit 426ca4cf4b667aae03f0344cee449e972de90ac7) Autobuild-User(v4-19-test): Jule Anger <jan...@samba.org> Autobuild-Date(v4-19-test): Mon Nov 20 10:00:15 UTC 2023 on atb-devel-224 commit af4fe00f2646bcc297053241d51ac841d982a078 Author: Björn Jacke <b...@sernet.de> Date: Thu Nov 9 14:56:06 2023 +0100 system.c: fall back to become_root if CAP_DAC_OVERRIDE isn't usable BUG: https://bugzilla.samba.org/show_bug.cgi?id=15093 Signed-off-by: Bjoern Jacke <bja...@samba.org> Reviewed-by: Christof Schmitt <c...@samba.org> (cherry picked from commit a1738e8265dd256c5a1064482a6dfccbf9ca44f1) ----------------------------------------------------------------------- Summary of changes: python/samba/tests/sid_strings.py | 2 +- source3/lib/system.c | 31 +++++++++++++++++++++++++++++-- 2 files changed, 30 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/python/samba/tests/sid_strings.py b/python/samba/tests/sid_strings.py index 5ff1edc0642..139849a4981 100644 --- a/python/samba/tests/sid_strings.py +++ b/python/samba/tests/sid_strings.py @@ -98,7 +98,7 @@ class SidStringBase(TestCase): class_dn = f'CN={class_name},{self.schema_dn}' - governs_id = f'1.3.6.1.4.1.7165.4.6.2.9.{self.timestamp[-8:]}.{suffix}' + governs_id = f'1.3.6.1.4.1.7165.4.6.2.9.1{self.timestamp[-7:]}.{suffix}' # expected_sid can be a SID string, an error code, None, or a # special value indicating a deferred error, as follows: diff --git a/source3/lib/system.c b/source3/lib/system.c index 7c9a6b5fa08..57e917fa79c 100644 --- a/source3/lib/system.c +++ b/source3/lib/system.c @@ -643,18 +643,45 @@ static bool set_process_capability(enum smbd_capability capability, Gain the oplock capability from the kernel if possible. ****************************************************************************/ +#if defined(HAVE_POSIX_CAPABILITIES) && defined(CAP_DAC_OVERRIDE) +static bool have_cap_dac_override = true; +#else +static bool have_cap_dac_override = false; +#endif + void set_effective_capability(enum smbd_capability capability) { + bool ret = false; + + if (capability != DAC_OVERRIDE_CAPABILITY || have_cap_dac_override) { #if defined(HAVE_POSIX_CAPABILITIES) - set_process_capability(capability, True); + ret = set_process_capability(capability, True); #endif /* HAVE_POSIX_CAPABILITIES */ + } + + /* + * Fallback to become_root() if CAP_DAC_OVERRIDE is not + * available. + */ + if (capability == DAC_OVERRIDE_CAPABILITY) { + if (!ret) { + have_cap_dac_override = false; + } + if (!have_cap_dac_override) { + become_root(); + } + } } void drop_effective_capability(enum smbd_capability capability) { + if (capability != DAC_OVERRIDE_CAPABILITY || have_cap_dac_override) { #if defined(HAVE_POSIX_CAPABILITIES) - set_process_capability(capability, False); + set_process_capability(capability, False); #endif /* HAVE_POSIX_CAPABILITIES */ + } else { + unbecome_root(); + } } /************************************************************************** -- Samba Shared Repository