diff options
| author | Jeff Layton <jlayton@samba.org> | 2017-02-23 16:50:43 -0500 |
|---|---|---|
| committer | Jeff Layton <jlayton@samba.org> | 2017-02-24 09:18:12 -0500 |
| commit | 9eaa21ed37126d1bfcb998b4c8f6115ac77e9b5f (patch) | |
| tree | cb465828f9b7812e4471b698e1ccf4f7083aa1a1 /cifs.upcall.c | |
| parent | 2dcecd21262513a0866c321643fc33d3d0135915 (diff) | |
| download | cifs-utils-9eaa21ed37126d1bfcb998b4c8f6115ac77e9b5f.tar.gz cifs-utils-9eaa21ed37126d1bfcb998b4c8f6115ac77e9b5f.tar.bz2 cifs-utils-9eaa21ed37126d1bfcb998b4c8f6115ac77e9b5f.zip | |
cifs.upcall: don't do env scraping when uid is 0
Setuid programs triggering upcalls could trick the program here. Also,
the d_automount method is done with credentials overridden so if you
can end up with mismatched creds and env vars due to that as well.
It's a hack, but the only recourse I can see is to avoid doing this
when the uid is 0. That means we can't rely on finding root credcaches
in alternate locations using $KRB5CCNAME, but I think that's the best
we can do.
Reported-and-Tested-by: Chad William Seys <cwseys@physics.wisc.edu>
Signed-off-by: Jeff Layton <jlayton@samba.org>
Diffstat (limited to 'cifs.upcall.c')
| -rw-r--r-- | cifs.upcall.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/cifs.upcall.c b/cifs.upcall.c index 0c89d7c..e0d3724 100644 --- a/cifs.upcall.c +++ b/cifs.upcall.c @@ -1038,11 +1038,19 @@ int main(const int argc, char *const argv[]) } /* + * We can't reasonably do this for root. When mounting a DFS share, + * for instance we can end up with creds being overridden, but the env + * variable left intact. + */ + if (uid == 0) + env_probe = false; + + /* * Must do this before setuid, as we need elevated capabilities to * look at the environ file. */ env_cachename = - get_cachename_from_process_env(env_probe ? arg.pid : 0); + get_cachename_from_process_env(env_probe ? arg.pid : 0); rc = setuid(uid); if (rc == -1) { |