Fix bug #7067 - Linux asynchronous IO (aio) can cause smbd to fail to respond to...

Only works on Linux kernels 2.6.26 and above. Grants CAP_KILL capability
to allow Linux threads under different euids to send signals to each other.

Same as mater commit 899bd0005f56dcc1e95c3988d41ab3f628bb15db.

Jeremy.
(cherry picked from commit cbf09baa90f5c4cfa8a0019ccc79211d72d13629)

diff --git a/source/include/smb.h b/source/include/smb.h
index 327f21290677a3506f45914428ba1aa2d2b614de..3825c6397ef61f0fbd0e1faf8d509f1c1dff3eec 100644 (file)
--- a/source/include/smb.h
+++ b/source/include/smb.h
@@ -1684,7 +1684,8 @@ minimum length == 18.
 enum smbd_capability {
     KERNEL_OPLOCK_CAPABILITY,
     DMAPI_ACCESS_CAPABILITY,
-    LEASE_CAPABILITY
+    LEASE_CAPABILITY,
+    KILL_CAPABILITY
 };
 
 /* if a kernel does support oplocks then a structure of the following

diff --git a/source/lib/system.c b/source/lib/system.c
index 36745b112f0b21f3039f9a98471ad4f00de4dff4..fd18928598c2ad0f0747d084b50caf99b2d44328 100644 (file)
--- a/source/lib/system.c
+++ b/source/lib/system.c
@@ -705,6 +705,11 @@ int sys_chroot(const char *dname)
 
 #if defined(HAVE_POSIX_CAPABILITIES)
 
+/* This define hasn't made it into the glibc capabilities header yet. */
+#ifndef SECURE_NO_SETUID_FIXUP
+#define SECURE_NO_SETUID_FIXUP          2
+#endif
+
 /**************************************************************************
  Try and abstract process capabilities (for systems that have them).
 ****************************************************************************/
@@ -735,6 +740,32 @@ static bool set_process_capability(enum smbd_capability capability,
        }
 #endif
 
+#if defined(HAVE_PRCTL) && defined(PR_SET_SECUREBITS) && defined(SECURE_NO_SETUID_FIXUP)
+        /* New way of setting capabilities as "sticky". */
+
+       /*
+        * Use PR_SET_SECUREBITS to prevent setresuid()
+        * atomically dropping effective capabilities on
+        * uid change. Only available in Linux kernels
+        * 2.6.26 and above.
+        *
+        * See here:
+        * http://www.kernel.org/doc/man-pages/online/pages/man7/capabilities.7.html
+        * for details.
+        *
+        * Specifically the CAP_KILL capability we need
+        * to allow Linux threads under different euids
+        * to send signals to each other.
+        */
+
+       if (prctl(PR_SET_SECUREBITS, 1 << SECURE_NO_SETUID_FIXUP)) {
+               DEBUG(0,("set_process_capability: "
+                       "prctl PR_SET_SECUREBITS failed with error %s\n",
+                       strerror(errno) ));
+               return false;
+       }
+#endif
+
        cap = cap_get_proc();
        if (cap == NULL) {
                DEBUG(0,("set_process_capability: cap_get_proc failed: %s\n",
@@ -761,6 +792,11 @@ static bool set_process_capability(enum smbd_capability capability,
                case LEASE_CAPABILITY:
 #ifdef CAP_LEASE
                        cap_vals[num_cap_vals++] = CAP_LEASE;
+#endif
+                       break;
+               case KILL_CAPABILITY:
+#ifdef CAP_KILL
+                       cap_vals[num_cap_vals++] = CAP_KILL;
 #endif
                        break;
        }
@@ -772,16 +808,37 @@ static bool set_process_capability(enum smbd_capability capability,
                return True;
        }
 
-       cap_set_flag(cap, CAP_EFFECTIVE, num_cap_vals, cap_vals,
-               enable ? CAP_SET : CAP_CLEAR);
+       /*
+        * Ensure the capability is effective. We assume that as a root
+        * process it's always permitted.
+        */
+
+       if (cap_set_flag(cap, CAP_EFFECTIVE, num_cap_vals, cap_vals,
+                       enable ? CAP_SET : CAP_CLEAR) == -1) {
+               DEBUG(0, ("set_process_capability: cap_set_flag effective "
+                       "failed (%d): %s\n",
+                       (int)capability,
+                       strerror(errno)));
+               cap_free(cap);
+               return false;
+       }
 
        /* We never want to pass capabilities down to our children, so make
         * sure they are not inherited.
         */
-       cap_set_flag(cap, CAP_INHERITABLE, num_cap_vals, cap_vals, CAP_CLEAR);
+       if (cap_set_flag(cap, CAP_INHERITABLE, num_cap_vals,
+                       cap_vals, CAP_CLEAR) == -1) {
+               DEBUG(0, ("set_process_capability: cap_set_flag inheritable "
+                       "failed (%d): %s\n",
+                       (int)capability,
+                       strerror(errno)));
+               cap_free(cap);
+               return false;
+       }
 
        if (cap_set_proc(cap) == -1) {
-               DEBUG(0, ("set_process_capability: cap_set_proc failed: %s\n",
+               DEBUG(0, ("set_process_capability: cap_set_flag (%d) failed: %s\n",
+                       (int)capability,
                        strerror(errno)));
                cap_free(cap);
                return False;

diff --git a/source/smbd/server.c b/source/smbd/server.c
index 5129484730708bb569cf12c54370822f478f6ca8..23c8c12a62574de13992bf21784c181152915487 100644 (file)
--- a/source/smbd/server.c
+++ b/source/smbd/server.c
@@ -1240,6 +1240,14 @@ extern void build_options(bool screen);
        gain_root_privilege();
        gain_root_group_privilege();
 
+       /*
+        * Ensure we have CAP_KILL capability set on Linux,
+        * where we need this to communicate with threads.
+        * This is inherited by new threads, but not by new
+        * processes across exec().
+        */
+       set_effective_capability(KILL_CAPABILITY);
+
        fault_setup((void (*)(void *))exit_server_fault);
        dump_core_setup("smbd");