diff options
author | Andreas Schneider <asn@samba.org> | 2014-01-17 16:06:42 +0100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2014-04-17 14:56:05 +0200 |
commit | 28b87dd75e7292c4c451c753c44a640cbcf5d8cb (patch) | |
tree | 46d2e51fae4b1e559340f56292bbbb25f789e325 /source4/ntvfs | |
parent | d2a7ce9d67fbd68b6a2ffb4a3501cc82870a7b1d (diff) | |
download | samba-28b87dd75e7292c4c451c753c44a640cbcf5d8cb.tar.gz |
s4-ntfs: Improve uid check in wrapper mode.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Diffstat (limited to 'source4/ntvfs')
-rw-r--r-- | source4/ntvfs/posix/pvfs_acl.c | 22 |
1 files changed, 19 insertions, 3 deletions
diff --git a/source4/ntvfs/posix/pvfs_acl.c b/source4/ntvfs/posix/pvfs_acl.c index a6e4c7eeda5..269b5ecd098 100644 --- a/source4/ntvfs/posix/pvfs_acl.c +++ b/source4/ntvfs/posix/pvfs_acl.c @@ -266,6 +266,23 @@ static void normalise_sd_flags(struct security_descriptor *sd, uint32_t secinfo_ } } +static bool pvfs_privileged_access(uid_t uid) +{ + uid_t euid; + + if (uid_wrapper_enabled()) { + setenv("UID_WRAPPER_MYUID", "1", 1); + } + + euid = geteuid(); + + if (uid_wrapper_enabled()) { + unsetenv("UID_WRAPPER_MYUID"); + } + + return (uid == euid); +} + /* answer a setfileinfo for an ACL */ @@ -395,7 +412,7 @@ NTSTATUS pvfs_acl_set(struct pvfs_state *pvfs, ret = fchown(fd, new_uid, new_gid); } if (errno == EPERM) { - if (uid_wrapper_enabled()) { + if (pvfs_privileged_access(name->st.st_uid)) { ret = 0; } else { /* try again as root if we have SEC_PRIV_RESTORE or @@ -521,7 +538,6 @@ static NTSTATUS pvfs_access_check_unix(struct pvfs_state *pvfs, struct pvfs_filename *name, uint32_t *access_mask) { - uid_t uid = geteuid(); uint32_t max_bits = 0; struct security_token *token = req->session_info->security_token; @@ -531,7 +547,7 @@ static NTSTATUS pvfs_access_check_unix(struct pvfs_state *pvfs, if (name == NULL) { max_bits |= SEC_RIGHTS_FILE_ALL | SEC_STD_ALL; - } else if (uid == name->st.st_uid || uid_wrapper_enabled()) { + } else if (pvfs_privileged_access(name->st.st_uid)) { /* use the IxUSR bits */ if ((name->st.st_mode & S_IWUSR)) { max_bits |= SEC_RIGHTS_FILE_ALL | SEC_STD_ALL; |