| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
| |
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Fix bug #7315 (mount.cifs segfaults after upgrade to 2.6.33).
(cherry picked from commit 78a6eb582d28d92db5ffab6ded40785be54cf540)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
mount.cifs has been the subject of several "security" fire drills due to
distributions installing it as a setuid root program. This program has
not been properly audited for security and the Samba team highly
recommends that it not be installed as a setuid root program at this
time.
To make that abundantly clear, this patch forcibly disables the ability
for mount.cifs to run as a setuid root program. People are welcome to
trivially patch this out, but they do so at their own peril.
A security audit and redesign of this program is in progress and we hope
that we'll be able to remove this in the near future.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
The last 3 patches address bug #6853 (mount.cifs race that allows user to
replace mountpoint with a symlink).
(cherry picked from commit e6c856ac84ee18a192edc3e8a6547e2e9387a1b5)
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
It's apparently possible to corrupt the mtab if you pass embedded
newlines to addmntent. Apparently tabs are also a problem with certain
earlier glibc versions. Backslashes are also a minor issue apparently,
but we can't reasonably filter those.
Make sure that neither the devname or mountpoint contain any problematic
characters before allowing the mount to proceed.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
(cherry picked from commit ae24005a5a2c165dfd9b859bf1c02b5f7e967be5)
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
It's possible to trick mount.cifs into mounting onto the wrong directory
by replacing the mountpoint with a symlink to a directory. mount.cifs
attempts to check the validity of the mountpoint, but there's still a
possible race between those checks and the mount(2) syscall.
To guard against this, chdir to the mountpoint very early, and only deal
with it as "." from then on out.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
(cherry picked from commit a60afceaa71c0c9b53b2ec1014db5d09d777803d)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
cifs.upcall calls smb_krb5_unparse_name with a NULL talloc context.
Older versions of this function though will conditionally use
SMB_REALLOC instead of TALLOC_REALLOC when a NULL context is passed
in. To make it more consistent, just spawn a talloc context that
we can pass into this function.
Resolves:
https://bugzilla.redhat.com/show_bug.cgi?id=565446
https://bugzilla.samba.org/show_bug.cgi?id=6868
Reported-by: Ludek Finstrle <luf@seznam.cz>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Günther Deschner <gd@samba.org>
(cherry picked from commit a8cc2fa09ed43a167f62711bef363a5ac335dc78)
Fix bug #6868 (make bin/cifs.upcall fails).
(cherry picked from commit 01750852c1e9983b9d59a73d412101b4e0eb81a1)
|
| |
|
|
|
|
|
|
|
| |
This seems to be the only way to deal with mixed heimdal/MIT setups during
merged build.
Guenther
(cherry picked from commit 04f8c229de7ffad5f4ec1a0bb68c2c8b4ccf4e15)
(cherry picked from commit da926c1249705b95344730539c64111876955151)
|
| |
|
|
|
|
|
|
| |
well as with MIT.
Guenther
(cherry picked from commit 660ee2e74523194e5f6b2b6428d76628beb74717)
(cherry picked from commit 9e2f7070cf0eaf74297d565892edf5089756b124)
|
| |
|
|
|
|
| |
Guenther
(cherry picked from commit b29eed492f1c056adb0b53510be10e738276ca11)
(cherry picked from commit 1230faabf8d836b900cdb9848de9fc12a79155f3)
|
| |
|
|
|
|
| |
Guenther
(cherry picked from commit 60bf0eb60788a5d4dc5de24997c5efda64f2bd73)
(cherry picked from commit ae4175e8a13e88fe7495af745d384b48f4f02784)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When running mount.cifs with the --verbose option, it'll print out the
option string that it passes to the kernel...including the mount
password if there is one. Print a placeholder string instead to help
ensure that this info can't be used for nefarious purposes.
Also, the --verbose option printed the option string before it was
completely assembled anyway. This patch should also make sure that
the complete option string is printed out.
Finally, strndup passwords passed in on the command line to ensure that
they aren't shown by --verbose as well. Passwords used this way can
never be truly kept private from other users on the machine of course,
but it's simple enough to do it this way for completeness sake.
Reported-by: Ronald Volgers <r.c.volgers@student.utwente.nl>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Acked-by: Steve French <sfrench@us.ibm.com>
(cherry picked from commit 54de6ac85eb81aecc8b44a500f374edb95bf6a3d)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
It's possible for an unprivileged user to pass a setuid mount.cifs a
credential or password file to which he does not have access. This can cause
mount.cifs to open the file on his behalf and possibly leak the info in the
first few lines of the file.
Check the access permissions of the file before opening it.
Reported-by: Ronald Volgers <r.c.volgers@student.utwente.nl>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Acked-by: Steve French <sfrench@us.ibm.com>
(cherry picked from commit 0293057abd8cdfc7c690cf5c8dd20b8a626d52ca)
|
| |
|
|
|
|
|
|
|
| |
When a mount fails, mount.cifs often prints an error message. In most
cases, this error goes to stdout instead of stderr like it should. Fix
it to print errors to stderr instead.
Reported-by: Jan Engelhardt <jengelh@gmx.de>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
| |
|
|
| |
Guenther
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A few weeks ago, I added some code to cifs.upcall to take the pid sent
by the kernel and use that to get the value of the $KRB5CCNAME
environment var for the process. That works fine on the initial mount,
but could be problematic on reconnect.
There's no guarantee on a reconnect that the process that initiates the
upcall will have $KRB5CCNAME pointed at the correct credcache. Because
of this, the current scheme isn't going to be reliable enough and we
need to use something different.
This patch replaces that scheme with one very similar to the one used by
rpc.gssd in nfs-utils. It searches the credcache dir (currently
hardcoded to /tmp) for a valid credcache for the given uid. If it finds
one then it uses that as the credentials cache. If it finds more than
one, it uses the one with the latest TGT expiration.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Igor Mammedov pointed out that reverse resolving an IP address to get
the hostname portion of a principal could open a possible attack
vector. If an attacker were to gain control of DNS, then he could
redirect the mount to a server of his choosing, and fix the reverse
resolution to point to a hostname of his choosing (one where he has
the key for the corresponding cifs/ or host/ principal).
That said, we often trust DNS for other reasons and it can be useful
to do so. Make the code that allows trusting DNS to be enabled by
adding --trust-dns to the cifs.upcall invocation.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
| |
|
|
|
|
| |
...to allow long option names.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
| |
|
|
|
|
|
| |
Current kernels don't send IPv6 addresses with the colon delimiters, add
a routine to add them when they're not present.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
| |
|
|
|
|
|
|
| |
Instead of using the hostname given by the upcall to get the server's
principal, take the IP address given in the upcall and reverse resolve
it to a hostname.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Add a new stack var to hold the flags returned by the decoder routine
so that we don't need to worry so much about preserving "rc".
With this, we can drop privs before trying to find the location of
the credcache.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
cifs.upcall takes a "-c" flag that tells the upcall to get a principal
in the form of "cifs/hostname.example.com@REALM" instead of
"host/hostname.example.com@REALM". This has turned out to be a source of
great confusion for users.
Instead of requiring this flag, have the upcall try to get a "cifs/"
principal first. If that fails, fall back to getting a "host/"
principal.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
| |
|
|
|
|
|
|
| |
The argument list for the decoder is becoming rather long. Declare an
args structure and use that for holding the args. This also simplifies
pointer handling a bit.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
| |
|
|
|
|
| |
Clean up some unneeded curly braces, and fix some indentation.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Change the log levels to be more appropriate to the messages being
logged. Error messages should be LOG_ERR and not LOG_WARNING, for
instance.
Add some LOG_DEBUG messages that we can use to diagnose problems with
krb5 upcalls. With these, someone can set up syslog to log daemon.debug
and should be able to get more info when things aren't working.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
| |
|
|
|
|
|
|
| |
If /etc/mtab is a symbolic link to e.g. /proc/mounts, do not update it.
This is a fix for a bug reported in 4675 on samba bugzilla
Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
|
| | |
|
| |
|
|
|
|
|
|
| |
If the kernel sends the upcall a pid of the requesting process, we can
open that process' /proc/<pid>/environ file and scrape the KRB5CCNAME
value out of it.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
| |
|
|
|
|
|
| |
/bin/mount strips off the ro/rw options after setting the MS_RDONLY
flag appropriately. Make mount.cifs do the same thing.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
| |
|
|
|
|
|
|
|
| |
When getaddrinfo returns an IPv6 address with a non-zero scope_id, send
that to the kernel appended to the address with a '%' delimiter. This
allows people to mount servers via their link-local IPv6 addresses
(given a kernel that understands this address format, of course).
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
| |
|
|
|
|
|
| |
If we get a non-AF_INET(6) address, then just skip it and try the next
one in the list.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(try#3)
This is the third attempt to clean up the checks when a setuid
mount.cifs is run by an unprivileged user. The main difference in this
patch from the last one is that it fixes a bug where the mount might
have failed if unnecessarily if CIFS_LEGACY_SETUID_CHECK was set.
When mount.cifs is installed setuid root and run as an unprivileged
user, it does some checks to limit how the mount is used. It checks that
the mountpoint is owned by the user doing the mount.
These checks however do not match those that /bin/mount does when it is
called by an unprivileged user. When /bin/mount is called by an
unprivileged user to do a mount, it checks that the mount in question is
in /etc/fstab, that it has the "user" option set, etc.
This means that it's currently not possible to set up user mounts the
standard way (by the admin, in /etc/fstab) and simultaneously protect
from an unprivileged user calling mount.cifs directly to mount a share
on any directory that that user owns.
Fix this by making the checks in mount.cifs match those of /bin/mount
itself. This is a necessary step to make mount.cifs safe to be installed
as a setuid binary, but not sufficient. For that, we'd need to give
mount.cifs a proper security audit.
Since some users may be depending on the legacy behavior, this patch
also adds the ability to build mount.cifs with the older behavior.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
|
|
in Samba 4.
|
