From d652b86adc7e9c62ba71b315e91fdd24af0063d8 Mon Sep 17 00:00:00 2001
From: Jeff Layton <jlayton@samba.org>
Date: Fri, 2 Apr 2010 16:02:37 -0400
Subject: mount.cifs: if real uid is 0, child must keep CAP_DAC_OVERRIDE

...otherwise, root may not be able to read credential files. The ideal
thing would be to remove it from the effective set, and only turn it
on when needed, but for now this should fix the immediate problem.

Signed-off-by: Jeff Layton <jlayton@samba.org>
---
 mount.cifs.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/mount.cifs.c b/mount.cifs.c
index ab155e3..7d1fa83 100644
--- a/mount.cifs.c
+++ b/mount.cifs.c
@@ -1150,7 +1150,7 @@ add_mtab_exit:
 static int
 drop_capabilities(int parent)
 {
-	int rc = 0;
+	int rc = 0, ncap;
 	cap_t caps;
 	cap_value_t cap_list[2];
 
@@ -1168,17 +1168,20 @@ drop_capabilities(int parent)
 		goto free_caps;
 	}
 
-	/* parent needs to keep some capabilities */
-	if (parent) {
-		cap_list[0] = CAP_SYS_ADMIN;
-		cap_list[1] = CAP_DAC_OVERRIDE;
-		if (cap_set_flag(caps, CAP_PERMITTED, 2, cap_list, CAP_SET) == -1) {
+	if (parent || getuid() == 0) {
+		ncap = 1;
+		cap_list[0] = CAP_DAC_OVERRIDE;
+		if (parent) {
+			cap_list[1] = CAP_SYS_ADMIN;
+			++ncap;
+		}
+		if (cap_set_flag(caps, CAP_PERMITTED, ncap, cap_list, CAP_SET) == -1) {
 			fprintf(stderr, "Unable to set permitted capabilities: %s\n",
 				strerror(errno));
 			rc = EX_SYSERR;
 			goto free_caps;
 		}
-		if (cap_set_flag(caps, CAP_EFFECTIVE, 2, cap_list, CAP_SET) == -1) {
+		if (cap_set_flag(caps, CAP_EFFECTIVE, ncap, cap_list, CAP_SET) == -1) {
 			fprintf(stderr, "Unable to set effective capabilities: %s\n",
 				strerror(errno));
 			rc = EX_SYSERR;
-- 
cgit v1.2.3