summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>2010-03-03 14:25:39 +1100
committerAndrew Tridgell <tridge@samba.org>2010-03-03 23:05:23 +1100
commit8fe783edaf79bcae5c55c9eb5159104537ccf930 (patch)
treeff4570ecbd5ec22cf44f60bce856b3e81fb674c2
parente0726d4d661cfc508e8e8fd210a2cfba7ed53682 (diff)
downloadsamba-8fe783edaf79bcae5c55c9eb5159104537ccf930.tar.gz
samba-8fe783edaf79bcae5c55c9eb5159104537ccf930.tar.xz
samba-8fe783edaf79bcae5c55c9eb5159104537ccf930.zip
s4-posix: allow change ownership of files if the user has the right privileges
When a user has SEC_PRIV_TAKE_OWNERSHIP or SEC_PRIV_RESTORE they have permission to change the ownership of a file. This should fix bug 6987 Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
-rw-r--r--source4/ntvfs/posix/pvfs_acl.c23
1 files changed, 21 insertions, 2 deletions
diff --git a/source4/ntvfs/posix/pvfs_acl.c b/source4/ntvfs/posix/pvfs_acl.c
index 3336cd0462..4cb6fce217 100644
--- a/source4/ntvfs/posix/pvfs_acl.c
+++ b/source4/ntvfs/posix/pvfs_acl.c
@@ -25,6 +25,7 @@
#include "librpc/gen_ndr/xattr.h"
#include "libcli/security/security.h"
#include "param/param.h"
+#include "../lib/util/unix_privs.h"
#if defined(UID_WRAPPER)
#if !defined(UID_WRAPPER_REPLACE) && !defined(UID_WRAPPER_NOT_REPLACE)
@@ -392,8 +393,26 @@ NTSTATUS pvfs_acl_set(struct pvfs_state *pvfs,
} else {
ret = fchown(fd, new_uid, new_gid);
}
- if (errno == EPERM && uwrap_enabled()) {
- ret = 0;
+ if (errno == EPERM) {
+ if (uwrap_enabled()) {
+ ret = 0;
+ } else {
+ /* try again as root if we have SEC_PRIV_RESTORE or
+ SEC_PRIV_TAKE_OWNERSHIP */
+ if (security_token_has_privilege(req->session_info->security_token,
+ SEC_PRIV_RESTORE) ||
+ security_token_has_privilege(req->session_info->security_token,
+ SEC_PRIV_TAKE_OWNERSHIP)) {
+ void *privs;
+ privs = root_privileges();
+ if (fd == -1) {
+ ret = chown(name->full_name, new_uid, new_gid);
+ } else {
+ ret = fchown(fd, new_uid, new_gid);
+ }
+ talloc_free(privs);
+ }
+ }
}
if (ret == -1) {
return pvfs_map_errno(pvfs, errno);