Age | Commit message | Author | Files | Lines |
|
The code already checks arg->have and has no use for local 'have'
variable other than syslog() print. That variable is not initialized and
the intent is really to use arg->have instead.
Signed-off-by: Alexander Bokovoy <ab@samba.org>
|
|
Switch from old-style MIT krb5 gss_nt_service_name principal type
constant name to the now preferred GSS_C_NT_HOSTBASED_SERVICE.
Signed-off-by: Michael Weiser <michael.weiser@atos.net>
|
|
Add ENVIRONMENT VARIABLES section with the usage of gssproxy as
a credential retrieval method.
Signed-off-by: Jacob Shivers <jshivers@redhat.com>
|
|
Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
|
|
Add support for gssproxy usage through GSS-API. If no useable ticket cache or
keytab can be found, fall on through into credential handling anyway but then
divert into GSS routines. If no gssproxy is available this will still error out
silently because no ticket cache is available. With gssproxy enabled,
credentials can be retrieved from there and allow unattended access to shares
e.g. from batch jobs.
Signed-off-by: Michael Weiser <michael.weiser@atos.net>
|
|
Signed-off-by: Pavel Shilovsky <pshilovsky@samba.org>
|
|
When verbose logging is enabled, invalid credentials file lines may be
dumped to stderr. This may lead to information disclosure in particular
conditions when the credentials file given is sensitive and contains '='
signs.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15026
Signed-off-by: Jeffrey Bencteux <jbe@improsec.com>
Reviewed-by: David Disseldorp <ddiss@suse.de>
|
|
Previous check was true whatever the length of the input string was,
leading to a buffer overflow in the subsequent strcpy call.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15025
Signed-off-by: Jeffrey Bencteux <jbe@improsec.com>
Reviewed-by: David Disseldorp <ddiss@suse.de>
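An added illustration of a length check that is true for every input, next to a corrected form. This is not the cifs-utils code: the page does not show the original check, so the strnlen()-style bounded comparison, `ADDR_MAX` and all function names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define ADDR_MAX 8   /* hypothetical destination buffer size */

/* Same contract as strnlen(): length of s, but never more than max. */
size_t bounded_len(const char *s, size_t max)
{
    const char *nul = memchr(s, '\0', max);
    return nul ? (size_t)(nul - s) : max;
}

/* Flawed check: a bounded length can never exceed its own bound, so this
 * returns true for every input and a strcpy() behind it is unguarded. */
bool fits_flawed(const char *value)
{
    return bounded_len(value, ADDR_MAX) <= ADDR_MAX;
}

/* Corrected check: strictly less than the buffer size, which leaves room
 * for the terminating NUL that strcpy() also writes. */
bool fits_fixed(const char *value)
{
    return bounded_len(value, ADDR_MAX) < ADDR_MAX;
}

/* Copy only after the corrected check; -1 means the input was rejected. */
int copy_value(char dst[ADDR_MAX], const char *value)
{
    if (!fits_fixed(value))
        return -1;
    strcpy(dst, value);
    return 0;
}
```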
|
|
Signed-off-by: Pavel Shilovsky <pshilovsky@samba.org>
|
|
Signed-off-by: Pavel Shilovsky <pshilovsky@samba.org>
|
|
* try new one first, fall back on old one otherwise => retrocompatible
* use better cipher descriptions
Signed-off-by: Aurelien Aptel <aaptel@suse.com>
|
|
@mountpointp is initially set to a statically allocated string in
main(), and if we fail to update it in acquire_mountpoint(), make sure
to set it to NULL and avoid freeing it at mount_exit.
This fixes the following crash
$ mount.cifs //srv/share /mnt/foo/bar -o ...
Couldn't chdir to /mnt/foo/bar: No such file or directory
munmap_chunk(): invalid pointer
Aborted
Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
|
|
The fix for CVE-2021-20208 in commit e461afd ("cifs.upcall: try to use
container ipc/uts/net/pid/mnt/user namespaces") introduced a
regression for kerberos mounts when cifs-utils is built with
libcap-ng. It makes mount fail with ENOKEY "Required key not
available".
Current state:
mount.cifs
    '---> mount() ---> kernel
                         negprot, session setup (need security blob for krb)
                         request_key("cifs.spnego", payload="pid=%d;username=...")
                         upcall
    /sbin/request-key <--------------'
      reads /etc/request-keys.conf
      dispatch cifs.spnego request
      calls /usr/sbin/cifs.upcall <key id>
        - drop privileges (capabilities)
        - fetch keyid
        - parse payload
        - switch to mount.cifs namespaces
        - call krb5_xxx() funcs
        - generate security blob
        - set key value to security blob
        '-----------------------------------> kernel
                                                put blob in session setup packet
                                                continue auth
                                                open tcon
                                                get share root
                                                setup superblock
mount.cifs mount() returns <-----------'
By the time cifs.upcall tries to switch to namespaces, enough
capabilities have dropped in trim_capabilities() that it makes setns()
fail with EPERM.
setns() requires CAP_SYS_ADMIN.
With libcap trim_capabilities() is a no-op.
This fix:
- moves the namespace switch earlier so that operations like
  setgroups(), setgid(), scanning of pid environment, ... happen in the
  contained namespaces.
- moves trim_capabilities() after the namespace switch
- moves the string processing to decode the key request payload in a
  child process with minimum capabilities. The decoded data is shared
  with the parent process via shared memory obtained with mmap().
Fixes: e461afd ("cifs.upcall: try to use container ipc/uts/net/pid/mnt/user namespaces")
Signed-off-by: Aurelien Aptel <aaptel@suse.com>
|
|
This patch adds a new command to smbinfo which retrieves and displays
the list of alternate data streams for a file.
Signed-off-by: Juan Pablo González <disablez@gmail.com>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
|
|
Have added new option "-A" in setcifsacl utility to reorder ACEs in
preferred order.
|
|
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
|
|
In certain scenarios (e.g. kerberos multimount), when a process does
syscalls, the kernel sometimes has to query information or trigger
some actions in userspace. To do so it calls the cifs.upcall binary
with information on the process that triggered the syscall in the
first place.
  ls(pid=10) ====> open("foo") ====> kernel
                                       that user doesn't have an SMB
                                       session, let's create one using his
                                       kerberos credential cache
                                       call cifs.upcall and ask for krb info
                                       for whoever owns pid=10
                                         |
  cifs.upcall --pid 10 <=================+
  ...gather info...
  return binary blob used
  when establishing SMB session
         ===================> kernel
                                open SMB session, handle
                                open() syscall
  ls <=================================== return open() result to ls
On a system using containers, the kernel is still calling the host
cifs.upcall and using the host configuration (for network, pid, etc).
This patch changes the behaviour of cifs.upcall so that it uses the
calling process namespaces (ls in the example) when doing its
job.
Note that the kernel still calls the binary in the host, but the
binary will place itself in the contexts of the calling process
namespaces.
This code makes use of (but shouldn't require) the following kernel
config options and syscall flags:
  approx. year |
    introduced | config/flags
---------------+----------------
          2008 | CONFIG_NAMESPACES=y
          2007 | CONFIG_UTS_NS=y
          2020 | CONFIG_TIME_NS=y
          2006 | CONFIG_IPC_NS=y
          2007 | CONFIG_USER_NS
          2008 | CONFIG_PID_NS=y
          2007 | CONFIG_NET_NS=y
          2007 | CONFIG_CGROUPS
          2016 | CLONE_NEWCGROUP setns() flag
Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Alastair Houghton <alastair@alastairs-place.net>
|
|
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
|
|
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
|
|
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
|
|
Make drop_call_capabilities() in cifs.upcall update the bounding capabilities
only if CAP_SETCAP is present.
This is an addendum to the patch recently provided in [1]. Without this
additional change, cifs.upcall can still fail while trying to mount a CIFS
network share with krb5:
kernel: CIFS: Attempting to mount //server.domain.lan/myshare
cifs.upcall[39484]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=server.domain.lan>
cifs.upcall[39484]: ver=2
cifs.upcall[39484]: host=server.domain.lan
cifs.upcall[39484]: ip=172.22.3.14
cifs.upcall[39484]: sec=1
cifs.upcall[39484]: uid=1000
cifs.upcall[39484]: creduid=1000
cifs.upcall[39484]: user=username
cifs.upcall[39484]: pid=39481
cifs.upcall[39484]: get_cachename_from_process_env: pathname=/proc/39481/environ
cifs.upcall[39484]: get_cachename_from_process_env: cachename = FILE:/tmp/.krb5cc_1000
cifs.upcall[39484]: drop_all_capabilities: Unable to apply capability set: Success
cifs.upcall[39484]: Exit status 1
[1] https://marc.info/?l=linux-cifs&m=160595758021261
Signed-off-by: Alexander Koch <mail@alexanderkoch.net>
Signed-off-by: Jonas Witschel <diabonas@archlinux.org>
|
|
In the current mount.cifs logic, when sudo is used for mount,
uid=0, so the mount command searches for cruid=0 unless explicitly
specified by the user. The user may already have cred cache populated
but mount.cifs would end up searching cred cache for uid=0.
mount.cifs can avoid this confusion by reading the cruid from SUDO_UID
environment variable. If it is set to non-zero, we can make cruid=$SUDO_UID.
However, to maintain backward compatibility, keeping this as a fallback option.
If mount fails with ENOKEY, then retry with this option.
To enable this fallback, I had to make a few minor changes in the flow.
Signed-off-by: Shyam Prasad N <sprasad@microsoft.com>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
|
|
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
|
|
The code tries to optimise for the last parameter not needing to update
the position which means that every time a new one is added to the end
by copying and pasting, the string position is not updated.
That makes it impossible to use backup_uid=/backup_gid=/snapshot= after
gid= or snapshot= after backup_gid= because part of the string is
overwritten and contains invalid keys like "gbackup_uid".
Prepare for the next parameter to be added on the end by updating the
position for snapshot= even though it will be unused.
|
|
libcap-ng 0.8.1 tightened the error checking on capng_apply, returning an error
of -4 when trying to update the capability bounding set without having the
CAP_SETPCAP capability to be able to do so. Previous versions of libcap-ng
silently skipped updating the bounding set and only updated the normal
CAPNG_SELECT_CAPS capabilities instead.
Check beforehand whether we have CAP_SETPCAP, in which case we can use
CAPNG_SELECT_BOTH to update both the normal capabilities and the bounding set.
Otherwise, we can at least update the normal capabilities, but refrain from
trying to update the bounding set to avoid getting an error.
Signed-off-by: Jonas Witschel <diabonas@archlinux.org>
|
|
libcap-ng 0.8.1 tightened the error checking on capng_apply, returning an error
of -4 when trying to update the capability bounding set without having the
CAP_SETPCAP capability to be able to do so. Previous versions of libcap-ng
silently skipped updating the bounding set and only updated the normal
CAPNG_SELECT_CAPS capabilities instead.
Check beforehand whether we have CAP_SETPCAP, in which case we can use
CAPNG_SELECT_BOTH to update both the normal capabilities and the bounding set.
Otherwise, we can at least update the normal capabilities, but refrain from
trying to update the bounding set to avoid getting an error.
Signed-off-by: Jonas Witschel <diabonas@archlinux.org>
|
|
Extend getcifsacl/setcifsacl utilities to handle System ACLs (SACLs)
in addition to Discretionary ACLs (DACLs). The SACL extensions depend
on CIFS client support for system.cifs_ntsd_full extended attribute.
Signed-off-by: Boris Protopopov <pboris@amazon.com>
|
|
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
|
|
mount.cifs currently complains about the "comment" option:
CIFS: Unknown mount option "comment=foo"
mount(8) on Linux says:
The command mount does not pass the mount options unbindable,
runbindable, private, rprivate, slave, rslave, shared, rshared,
auto, noauto, comment, x-*, loop, offset and sizelimit to the
mount.<suffix> helpers.
So if mount.cifs decides to re-read /etc/fstab it should ignore the
comment option.
A lot of online posts say to use comment=x-gvfs-show as an option to
have a Linux file manager display a mountpoint for a user mountable
filesystem. While the "comment=" part is superfluous when combined
with an x-* option, the problem is still difficult to debug.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
|
|
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
|
|
According to lexgrog(1), when a manpage refers to multiple programs
their names should be separated using a comma and a whitespace. This
helps silence a lintian warning when building cifs-utils on Debian.
Signed-off-by: Sergio Durigan Junior <sergio.durigan@canonical.com>
|
|
When we compile cifs-utils, we may probabilistically
encounter an install error like:
cd ***/sbin && ln -sf mount.cifs mount.smb3
***/sbin: No such file or directory
The reason for this problem is that if we compile
cifs-utils using multithreading, target
'install-sbinPROGRAMS' may be built after
target 'install-exec-hook' of the main Makefile.
Target 'install-sbinPROGRAMS' will copy the
executable file 'mount.cifs' to the $(ROOTSBINDIR),
which target 'install-exec-hook' will do the
'ln' command on.
This patch adds the dependency of target
'install-exec-hook' to ensure the correct order
of the compiling.
Signed-off-by: lizhe <lizhe67@huawei.com>
|
|
When make install is run during package building, DESTDIR parameter is passed, e.g.:
$ rpm --eval %makeinstall_std
make DESTDIR=/root/rpmbuild/BUILDROOT/%{name}-%{version}-%{release}-rosa2016.1.x86_64-buildroot install
Without DESTDIR build scripts tried to create symlinks outside of the build root:
make[3]: Entering directory '/tmp/abf/rpmbuild/BUILD/cifs-utils-6.10'
(cd /sbin && ln -sf mount.cifs mount.smb3)
ln: failed to create symbolic link 'mount.smb3': Permission denied
The same fix was introduced in Arch Linux package when updating from 6.9 to 6.10:
https://git.archlinux.org/svntogit/packages.git/commit/trunk/PKGBUILD?h=packages/cifs-utils&id=c75b246a762ea9b90db404dfebc6d35d5b16972f
|
|
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
|
|
Extend setcifsacl utility to allow setting owner and group SIDs
in the security descriptor in addition to setting ACLs. This is
a user-friendly interface for setting owner and group SIDs that
takes advantage of the recent extensions in the CIFS kernel
client, and it complements setting raw values via setfattr.
Signed-off-by: Boris Protopopov <boris.v.protopopov@gmail.com>
|
|
Convert owner and group SID offsets to LE format
when writing to ntsd
Signed-off-by: Boris Protopopov <boris.v.protopopov@gmail.com>
|
|
Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
|
|
Signed-off-by: Aurelien Aptel <aaptel@suse.com>
|
|
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
|
|
A bug has been reported recently for the mount.cifs utility which is
part of the cifs-utils package. The tool has a shell injection issue
where one can embed shell commands via the username mount option. Those
commands will be run via popen() in the context of the user calling
mount.
The bug requires cifs-utils to be built with --with-systemd (enabled
by default if supported).
A quick test to check if the mount.cifs binary is vulnerable is to look
for popen() calls like so:
$ nm mount.cifs | grep popen
U popen@@GLIBC_2.2.5
If the user is allowed to run mount.cifs via sudo, he can obtain a root
shell.
sudo mount.cifs -o username='`sh`' //1 /mnt
If mount.cifs has the setuid bit, the command will still be run as the
calling user (no privilege escalation).
The bug was introduced in June 2012 with commit 4e264031d0da7d3f2
("mount.cifs: Use systemd's mechanism for getting password, if
present.").
Affected versions:
cifs-utils-5.6
cifs-utils-5.7
cifs-utils-5.8
cifs-utils-5.9
cifs-utils-6.0
cifs-utils-6.1
cifs-utils-6.2
cifs-utils-6.3
cifs-utils-6.4
cifs-utils-6.5
cifs-utils-6.6
cifs-utils-6.7
cifs-utils-6.8
cifs-utils-6.9
cifs-utils-6.10
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14442
Reported-by: Vadim Lebedev <vadim@mbdsys.com>
Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Signed-off-by: Aurelien Aptel <aaptel@suse.com>
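An added example, not the cifs-utils code or its fix, contrasting the popen() pattern described in the commit message above with a shell-free fork()/exec form. The function names are hypothetical and `echo` stands in for the password-prompt helper so the block runs anywhere.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern: the username is pasted into a command line that
 * popen() hands to /bin/sh, so `...` or $(...) inside it gets executed.
 * "echo" is a stand-in for the password-prompt helper (assumption). */
int prompt_via_shell(const char *user, char *out, size_t outlen)
{
    char cmd[256];
    FILE *p;
    snprintf(cmd, sizeof(cmd), "echo Password for %s:", user);
    p = popen(cmd, "r");
    if (!p)
        return -1;
    if (!fgets(out, (int)outlen, p))
        out[0] = '\0';
    return pclose(p);
}

/* Hardened pattern: no shell is involved; the whole prompt, username
 * included, reaches the helper as a single argv element. */
int prompt_via_exec(const char *user, char *out, size_t outlen)
{
    char prompt[256];
    int fds[2], status = -1;
    ssize_t n;
    pid_t pid;
    snprintf(prompt, sizeof(prompt), "Password for %s:", user);
    if (pipe(fds) < 0)
        return -1;
    pid = fork();
    if (pid == 0) {                     /* child: stdout -> pipe */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        execlp("echo", "echo", prompt, (char *)NULL);
        _exit(127);
    }
    close(fds[1]);
    n = (pid > 0) ? read(fds[0], out, outlen - 1) : -1;
    out[n > 0 ? n : 0] = '\0';
    close(fds[0]);
    if (pid > 0)
        waitpid(pid, &status, 0);
    return status;
}
```

With a constructed username containing a backquoted `echo INJECTED` marker, the first function returns the substituted text while the second returns the backquotes verbatim.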
|
|
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
|
|
Signed-off-by: Kenneth D'souza <kdsouza@redhat.com>
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
|
|
Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
|
|
This patch changes the program name from smb2quota to
smb2-quota and uses a simple code logic for quota entries.
Signed-off-by: Kenneth D'souza <kdsouza@redhat.com>
Signed-off-by: Ronnie Sahlberg <lsahlberg@redhat.com>
|
|
As we are supporting mount.smb3 to be invoked, the error output
should contain the called program and not mount.cifs
Signed-off-by: Kenneth D'souza <kdsouza@redhat.com>
|
|
As we will slowly move towards smb3 filesystem,
supporting through "mount -t smb3" is important.
Signed-off-by: Kenneth D'souza <kdsouza@redhat.com>
|
|
Signed-off-by: Aurelien Aptel <aaptel@suse.com>
|