From 8fe783edaf79bcae5c55c9eb5159104537ccf930 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 3 Mar 2010 14:25:39 +1100 Subject: s4-posix: allow change ownership of files if the user has the right privileges When a user has SEC_PRIV_TAKE_OWNERSHIP or SEC_PRIV_RESTORE they have permission to change the ownership of a file. This should fix bug 6987 Pair-Programmed-With: Andrew Bartlett --- source4/ntvfs/posix/pvfs_acl.c | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/source4/ntvfs/posix/pvfs_acl.c b/source4/ntvfs/posix/pvfs_acl.c index 3336cd0462..4cb6fce217 100644 --- a/source4/ntvfs/posix/pvfs_acl.c +++ b/source4/ntvfs/posix/pvfs_acl.c @@ -25,6 +25,7 @@ #include "librpc/gen_ndr/xattr.h" #include "libcli/security/security.h" #include "param/param.h" +#include "../lib/util/unix_privs.h" #if defined(UID_WRAPPER) #if !defined(UID_WRAPPER_REPLACE) && !defined(UID_WRAPPER_NOT_REPLACE) @@ -392,8 +393,26 @@ NTSTATUS pvfs_acl_set(struct pvfs_state *pvfs, } else { ret = fchown(fd, new_uid, new_gid); } - if (errno == EPERM && uwrap_enabled()) { - ret = 0; + if (errno == EPERM) { + if (uwrap_enabled()) { + ret = 0; + } else { + /* try again as root if we have SEC_PRIV_RESTORE or + SEC_PRIV_TAKE_OWNERSHIP */ + if (security_token_has_privilege(req->session_info->security_token, + SEC_PRIV_RESTORE) || + security_token_has_privilege(req->session_info->security_token, + SEC_PRIV_TAKE_OWNERSHIP)) { + void *privs; + privs = root_privileges(); + if (fd == -1) { + ret = chown(name->full_name, new_uid, new_gid); + } else { + ret = fchown(fd, new_uid, new_gid); + } + talloc_free(privs); + } + } } if (ret == -1) { return pvfs_map_errno(pvfs, errno); -- cgit