Age | Commit message | Author | Files | Lines |
|
The idmapwb plugin requires a usable wbcSidsToUnixIds() function. Check
to ensure that the wbclient library provides that symbol, and handle
it appropriately if it doesn't.
If someone were so inclined they probably could fix idmapwb to fall
back to the older mapping functions if that symbol doesn't exist,
but for now this patch just makes it refuse to build the plugin.
Reported-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Previously the code assumed that the ACE that was copied was of a
fixed size. Save off the return value from copy_ace and ensure that
we apply it correctly to the size and offset.
Reported-by: Jian Li <jiali@redhat.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Jian pointed out that this loop can cycle infinitely when the string
contains a ','.
Also, fix typo in manpage that shows a trailing ',' in one example.
Reported-by: Jian Li <jiali@redhat.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
commit 85d18a1ed introduced a regression when using a credentials file.
It set the username in the parsed mount info properly, but didn't set
the "got_user" flag in it.
Also, fix an incorrect strlcpy length specifier in open_cred_file.
Reported-by: "Mantas M." <grawity@gmail.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
...typo and grammatical fixes, mostly.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
In commit 569cfcb3a, we added a warning of the removal of support for
username= options in the form of DOMAIN/username%password. This patch
removes that support as promised prior to the 5.9 release.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
It's actually OK to set this to BOTH.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
...and clean up references to winbind in various tool manpages.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Add routines for the various things that cifs.idmap needs and have it
call them.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
WBC_ID_TYPE_BOTH is a new addition (in Samba 4.0 only). Add a test for
its presence. Because it's an enum, we have to jump through some extra
hoops here...
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Add str_to_sid() functionality to the plugin API and have setcifsacl
use it.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Currently, the ACL-related tools in cifs-utils call into the wbclient
libs directly in order to do their bidding. The wbclient developers want
to get away from needing to configure winbind on the clients and instead
allow sssd to handle the mapping in most cases.
This patch represents an initial step in that direction. It adds a
plugin architecture for cifs-utils, adds wrappers around the calls into
libwbclient that find an idmap plugin library to use and then has it
call into that plugin to do the actual ID mapping.
The application will call into a set of routines that find the correct
plugin and dlopen() it. Currently the plugin is located in a well-known
location that is settable via autoconf. That location is intended to be
a symlink that points to the real plugin (generally under $pkglibdir).
The plugin will export a number of functions with well-known names. The
wrappers find those by using dlsym() and then call them.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
People who want to build a plugin for the idmapping routines will need a
header to describe the data types that they need. Add a cifsidmap.h file
and move the struct cifs_sid definition into it, along with the
constants needed to describe it.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
setcifsacl doesn't use syslog, so no need to open a channel to it.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
getcifsacl doesn't log to syslog, so there's no need to open a channel
to it. Also, remove the unneeded "prog" global variable since only
the usage() function needs it.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
...which is really only mount.cifs.
Cc: Björn Jacke <bj@sernet.de>
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
This is safer since it also protects the GOT from getting clobbered.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
If we get a SID that contains more than 15 subauthorities, we'll end up
overrunning the struct wbcDomainSid. Just ignore any past 15.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Having them in the distro prevents autoreconf -i from installing the latest
copies.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
When certain options are passed to the mount helper, we want to turn
them into mountflags for the mount() syscall. There's no need to copy
them to the options string in that case though.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
number
Sergio Conrad reported a problem trying to set up an autofs map to do
a krb5 mount. In his environment, many users have usernames that are
comprised entirely of numbers. While that's a bit odd, POSIX apparently
allows for it.
The current code assumes that when a numeric argument is passed to one
of the above options, that it's a uid or gid. Instead, try to treat the
argument as a user or group name first, and only try to treat it as a
number if that fails.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
setcifsacl.c:833: warning: format '%ld' expects type 'long int', but
argument 3 has type 'ssize_t'
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Since they are not necessarily aligned the same and potentially store
their fields with different endianness. Copy from the wbcDomainSid
to the cifs_sid as appropriate.
Also rename the same function in cifs.idmap.c for consistency.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
While they are very similar, the cifs_sid is "packed" and the
wbcDomainSid isn't. There are also aliasing problems with gcc in
some cases. Instead of trying to cast and fix endianness in place,
make a separate copy instead.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
The argv < 3 check could return true if you pass in some option flags.
If you don't provide any further arguments then you might just walk
off the end of the argv array. The values past the end aren't
guaranteed to be NULL in that case.
Fix the check to just look at whether there are 2 more arguments after
the getopt processing is done.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
They need endianness conversion too...
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Get rid of some unused variables, and fix a strict-aliasing problem by
copying the SID data to a new place instead of converting the
endianness in-place.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
The size must also be kept in little-endian.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Change verify_ace_mask to just attempt to convert the argument to an
unsigned long first. If that fails, then try to treat it as a symbolic
mask string.
Also, clean up ace_mask_value. There's no need to walk the string
twice. Walk it once and turn the single-char mask checks into a switch
statement instead of if/else clauses.
Finally, fix the endianness of the resulting value. It must be in LE.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
getcifsacl must convert the access_req field from little endian. Also,
we should ensure that the "size" field in the ACE is reachable before
trying to access it.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Pavel Raiskup found the following defect in setcifsacl with Coverity:
"segfault may occur also in cifs-utils-4.8.1/setcifsacl.c|644| because
of casesptr dereferencing. When you look e.g. at the line 605, in this
time any part of 'caseptr' may be yet uninitialized and program is going
through 'goto' to freeing -> and there you are freeing the 'caseptr[i]'
address."
The analysis there seems a little off, but is basically correct. The
freeing loop counts down from the current value of i to free the
secondary allocations here.
There is one situation though where this could go badly. If the strtok
parsing near the beginning of the loop fails, then we could end up
trying to free an uninitialized pointer.
Fix this by changing the cacesptr allocation to use calloc(), and stop
trying to be clever with the freeing loop. Just have it walk the
entire array and attempt to free each slot.
Reported-by: Pavel Raiskup <praiskup@redhat.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Pavel Raiskup reported the following defects that he found with Coverity:
"If the variable 'facesptr' on line cifs-utils-4.8.1/setcifsacl.c|365|
has not enough memory to be allocated, program 'setcifsacl' will fail
with segfault on line 365 (dereferencing facesptr)."
"you may return freed pointer here. There is some kind of return code
('rc') which should be transferred to >NULL< when is rc nonzero (and
returned)"
There are also a couple of other bugs here:
malloc doesn't necessarily set errno to anything when an allocation
fails, so having the error handling rely on that is wrong.
Fix all of these bugs by reorganizing this function to fix up the error
handling.
Reported-by: Pavel Raiskup <praiskup@redhat.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
...instead of open-coding it thrice.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
The current routine prints multiple authority values as different
numbers instead of combining them, which is wrong.
Print the SID according to the rules in MS-DTYP.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Use our own cifs_sid instead and cast it to a wbcDomainSid before
handing it off to winbind.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
winbind expects SIDs to be expressed in host-endian. Convert them
from little-endian before asking winbind to convert them to names.
Also use the WBC_ERROR_IS_OK() macro to check the return code.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
The current method of trying to convert a name to a password struct and
then back to a SID is just weird. It also doesn't seem to work correctly.
Instead, look for a '\\' in the string. If there isn't one then try to
convert it directly to a SID.
If there is a '\\' or the direct-to-SID conversion didn't work, then
use wbcLookupName to do the conversion directly to a SID instead.
Also, fix the error handling. These routines return a wbcErr, so we
should use their macros to check whether it worked or not.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
One of the reasons to use "goto" in an error condition is to eliminate
unnecessary indentation. Fix that here by reversing some error checks
and getting rid of some unneeded "else" cases.
After using strstr() to find "ACL:", there's no need to then use
strchr() to find ':'. We know where it is -- it's 3 bytes past the
current position.
Finally, there's no need to copy these strings into new buffers,
just set the pointers in the array to their original values.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
No need to walk the string twice or to hand-roll our own version of
strchr(). Also, move the check for no argument out into main().
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Don't use htole32 when you really want le32toh. Also, when copying or
comparing ACEs, it's incorrect to convert the endianness of these
fields. Let's just keep things simple and declare that multibyte fields
in all of these structs are always kept in little-endian.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Winbind keeps wbcDomainSids in host-endian format. They must be
converted to little-endian before we can ship them off to the
kernel.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Winbind keeps SID fields in host-endian format, but setcifsacl doesn't
currently account for that. Make sure that when we get a valid SID
from wbc that we convert the subauth fields to little-endian, which
the server will expect. The other fields are single bytes and don't
need conversion.
Signed-off-by: Jeff Layton <jlayton@samba.org>
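
The SID rules that several commit messages above rely on (the six authority bytes combined into one number and printed per MS-DTYP, at most 15 subauthorities, subauthority fields little-endian on the wire), shown as an added example that is not code from cifs-utils. The names `sid_wire_to_string`, `le32_at` and both constants are assumptions of this example, and where the commit above ignores subauthorities past 15, this version rejects the SID instead.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SID_MAX_SUB_AUTHORITIES 15 /* MS-DTYP limit */
#define SID_HEADER_LEN 8           /* revision, count, 6 authority bytes */

/* Read a little-endian u32 without relying on alignment or host order. */
static uint32_t le32_at(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns 0 on success; -1 if buf is truncated, the subauthority count
 * exceeds 15, or out is too small. */
int sid_wire_to_string(const uint8_t *buf, size_t len, char *out, size_t outlen)
{
    uint64_t auth = 0;
    size_t off, i, count;
    int n;
    if (len < SID_HEADER_LEN)
        return -1;
    count = buf[1];
    if (count > SID_MAX_SUB_AUTHORITIES || len < SID_HEADER_LEN + 4 * count)
        return -1;
    /* The six authority bytes form one big-endian number, not six values. */
    for (i = 0; i < 6; i++)
        auth = auth << 8 | buf[2 + i];
    n = snprintf(out, outlen, auth >> 32 ? "S-%u-0x%012llx" : "S-%u-%llu",
                 (unsigned)buf[0], (unsigned long long)auth);
    for (off = 0, i = 0; n >= 0 && (size_t)n < outlen - off && i < count; i++) {
        off += (size_t)n;
        n = snprintf(out + off, outlen - off, "-%u",
                     (unsigned)le32_at(buf + SID_HEADER_LEN + 4 * i));
    }
    return (n >= 0 && (size_t)n < outlen - off) ? 0 : -1;
}

int main(void)
{
    /* Constructed sample: wire bytes of the well-known SID S-1-5-32-544. */
    static const uint8_t admins[] = { 1, 2, 0, 0, 0, 0, 0, 5,
                                      0x20, 0, 0, 0, 0x20, 0x02, 0, 0 };
    char out[64];
    if (sid_wire_to_string(admins, sizeof(admins), out, sizeof(out)) == 0)
        puts(out);
    return 0;
}
```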
|