diff options
author | Jeff Layton <jlayton@redhat.com> | 2010-01-26 08:45:58 -0500 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2010-05-06 14:12:46 +0200 |
commit | 565f8e10c9828c4d998f494d6c1a280e9a8927d5 (patch) | |
tree | 3408ee8a00799c67b35d08dce7e8cba604b7e885 | |
parent | e1ce92a0927c89bfc5aa06a1bc616ca187745a90 (diff) | |
download | samba-565f8e10c9828c4d998f494d6c1a280e9a8927d5.tar.gz |
mount.cifs: don't allow it to be run as setuid root program
mount.cifs has been the subject of several "security" fire drills due to
distributions installing it as a setuid root program. This program has
not been properly audited for security and the Samba team highly
recommends that it not be installed as a setuid root program at this
time.
To make that abundantly clear, this patch forcibly disables the ability
for mount.cifs to run as a setuid root program. People are welcome to
trivially patch this out, but they do so at their own peril.
A security audit and redesign of this program is in progress and we hope
that we'll be able to remove this in the near future.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
The last 5 patches address bug #6853 (mount.cifs race that allows user to
replace mountpoint with a symlink).
(cherry picked from commit f94a377fb58f7b104aa633236f3391c9af6a7b12)
-rw-r--r-- | source3/client/mount.cifs.c | 39 |
1 files changed, 38 insertions, 1 deletions
diff --git a/source3/client/mount.cifs.c b/source3/client/mount.cifs.c index 47d88fd39ad..92dd68f77db 100644 --- a/source3/client/mount.cifs.c +++ b/source3/client/mount.cifs.c @@ -43,7 +43,7 @@ #include "mount.h" #define MOUNT_CIFS_VERSION_MAJOR "1" -#define MOUNT_CIFS_VERSION_MINOR "13" +#define MOUNT_CIFS_VERSION_MINOR "14" #ifndef MOUNT_CIFS_VENDOR_SUFFIX #ifdef _SAMBA_BUILD_ @@ -89,6 +89,17 @@ #define MAX_ADDRESS_LEN INET6_ADDRSTRLEN /* + * mount.cifs has been the subject of many "security" bugs that have arisen + * because of users and distributions installing it as a setuid root program. + * mount.cifs has not been audited for security. Thus, we strongly recommend + * that it not be installed setuid root. To make that abundantly clear, + * mount.cifs now check whether it's running setuid root and exit with an + * error if it is. If you wish to disable this check, then set the following + * #define to 1, but please realize that you do so at your own peril. + */ +#define CIFS_DISABLE_SETUID_CHECK 0 + +/* * By default, mount.cifs follows the conventions set forth by /bin/mount * for user mounts. That is, it requires that the mount be listed in * /etc/fstab with the "user" option when run as an unprivileged user and @@ -213,6 +224,29 @@ check_mountpoint(const char *progname, char *mountpoint) return 0; } +#if CIFS_DISABLE_SETUID_CHECK +static int +check_setuid(void) +{ + return 0; +} +#else /* CIFS_DISABLE_SETUID_CHECK */ +static int +check_setuid(void) +{ + if (getuid() && !geteuid()) { + printf("This mount.cifs program has been built with the " + "ability to run as a setuid root program disabled.\n" + "mount.cifs has not been well audited for security " + "holes. Therefore the Samba team does not recommend " + "installing it as a setuid root program.\n"); + return 1; + } + + return 0; +} +#endif /* CIFS_DISABLE_SETUID_CHECK */ + #if CIFS_LEGACY_SETUID_CHECK static int check_fstab(const char *progname, char *mountpoint, char *devname, @@ -1192,6 +1226,9 @@ int main(int argc, char ** argv) struct sockaddr_in6 *addr6; FILE * pmntfile; + if (check_setuid()) + return EX_USAGE; + /* setlocale(LC_ALL, ""); bindtextdomain(PACKAGE, LOCALEDIR); textdomain(PACKAGE); */ |