vfs_nfs4acl_xattr: do xattr ops as root

This ensures we can always fetch the ACL xattr blob when we wanted,
unrestricted of filesystem permissions or Linux xattr security namespace
restrictions.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

diff --git a/source3/modules/vfs_nfs4acl_xattr.c b/source3/modules/vfs_nfs4acl_xattr.c
index 31b85aea13f312d2f20d1aeabab51e6153f7d968..2515d0c7987fc6fa3f46d053efda9586d8677340 100644 (file)
--- a/source3/modules/vfs_nfs4acl_xattr.c
+++ b/source3/modules/vfs_nfs4acl_xattr.c
@@ -72,12 +72,15 @@ static NTSTATUS nfs4acl_get_blob(struct vfs_handle_struct *handle,
        }
 
        do {
+               int saved_errno = 0;
+
                allocsize *= 4;
                ok = data_blob_realloc(mem_ctx, blob, allocsize);
                if (!ok) {
                        return NT_STATUS_NO_MEMORY;
                }
 
+               become_root();
                if (fsp != NULL && fsp->fh->fd != -1) {
                        length = SMB_VFS_NEXT_FGETXATTR(handle,
                                                        fsp,
@@ -91,6 +94,13 @@ static NTSTATUS nfs4acl_get_blob(struct vfs_handle_struct *handle,
                                                       blob->data,
                                                       blob->length);
                }
+               if (length == -1) {
+                       saved_errno = errno;
+               }
+               unbecome_root();
+               if (saved_errno != 0) {
+                       errno = saved_errno;
+               }
        } while (length == -1 && errno == ERANGE && allocsize <= 65536);
 
        if (length == -1) {
@@ -243,6 +253,7 @@ static bool nfs4acl_smb4acl_set_fn(vfs_handle_struct *handle,
        struct nfs4acl_config *config = NULL;
        DATA_BLOB blob;
        NTSTATUS status;
+       int saved_errno = 0;
        int ret;
 
        SMB_VFS_HANDLE_GET_DATA(handle, config,
@@ -262,6 +273,7 @@ static bool nfs4acl_smb4acl_set_fn(vfs_handle_struct *handle,
                return false;
        }
 
+       become_root();
        if (fsp->fh->fd != -1) {
                ret = SMB_VFS_NEXT_FSETXATTR(handle, fsp, config->xattr_name,
                                             blob.data, blob.length, 0);
@@ -270,7 +282,14 @@ static bool nfs4acl_smb4acl_set_fn(vfs_handle_struct *handle,
                                            config->xattr_name,
                                            blob.data, blob.length, 0);
        }
+       if (ret != 0) {
+               saved_errno = errno;
+       }
+       unbecome_root();
        data_blob_free(&blob);
+       if (saved_errno != 0) {
+               errno = saved_errno;
+       }
        if (ret != 0) {
                DBG_ERR("can't store acl in xattr: %s\n", strerror(errno));
                return false;