| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
If the first malloc fails, maj_stat is uninitialized and used as
the return value through the GSS_ERROR() macro. Use GSS_S_FAILURE to
indicate a miscellaneous error.
Signed-off-by: atheik <atteh.mailbox@gmail.com>
|
|
The gssapi symbols are in gssapi_krb5 and gssapi in MIT and Heimdal
Kerberos, respectively. Including gssapi_generic.h is not necessary.
Signed-off-by: atheik <atteh.mailbox@gmail.com>
|
|
The krb5_free_string function is not present in Heimdal and instead
krb5_xfree should be used for freeing the string allocation done by
krb5_cc_get_full_name. Heimdal documentation does specify that
krb5_xfree should be used here and krb5_unparse_name is freed with
just free.
Signed-off-by: atheik <atteh.mailbox@gmail.com>
|
|
The code already checks arg->have and has no use for local 'have'
variable other than syslog() print. That variable is not initialized and
the intent is really to use arg->have instead.
Signed-off-by: Alexander Bokovoy <ab@samba.org>
|
|
Switch from old-style MIT krb5 gss_nt_service_name principal type
constant name to the now preferred GSS_C_NT_HOSTBASED_SERVICE.
Signed-off-by: Michael Weiser <michael.weiser@atos.net>
|
|
Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
|
|
Add support for gssproxy usage through GSS-API. If no useable ticket cache or
keytab can be found, fall on through into credential handling anyway but then
divert into GSS routines. If no gssproxy is available this will still error out
silently because no ticket cache is available. With gssproxy enabled,
credentials can be retrieved from there and allow unattended access to shares
e.g. from batch jobs.
Signed-off-by: Michael Weiser <michael.weiser@atos.net>
|
|
The fix for CVE-2021-20208 in commit e461afd ("cifs.upcall: try to use
container ipc/uts/net/pid/mnt/user namespaces") introduced a
regression for kerberos mounts when cifs-utils is built with
libcap-ng. It makes mount fail with ENOKEY "Required key not
available".
Current state:
mount.cifs
'---> mount() ---> kernel
negprot, session setup (need security blob for krb)
request_key("cifs.spnego", payload="pid=%d;username=...")
upcall
/sbin/request-key <--------------'
reads /etc/request-keys.conf
dispatch cifs.spnego request
calls /usr/sbin/cifs.upcall <key id>
- drop privileges (capabilities)
- fetch keyid
- parse payload
- switch to mount.cifs namespaces
- call krb5_xxx() funcs
- generate security blob
- set key value to security blob
'-----------------------------------> kernel
put blob in session setup packet
continue auth
open tcon
get share root
setup superblock
mount.cifs mount() returns <-----------'
By the time cifs.upcall tries to switch to namespaces, enough
capabilities have dropped in trim_capabilities() that it makes setns()
fail with EPERM.
setns() requires CAP_SYS_ADMIN.
With libcap trim_capabilities() is a no-op.
This fix:
- moves the namespace switch earlier so that operations like
setgroups(), setgid(), scanning of pid environment, ... happens in the
contained namespaces.
- moves trim_capabilities() after the namespace switch
- moves the string processing to decode the key request payload in a
child process with minimum capabilities. the decoded data is shared
with the parent process via shared memory obtained with mmap().
Fixes: e461afd ("cifs.upcall: try to use container ipc/uts/net/pid/mnt/user namespaces")
Signed-off-by: Aurelien Aptel <aaptel@suse.com>
|
|
In certain scenarios (e.g. kerberos multimount), when a process does
syscalls, the kernel sometimes has to query information or trigger
some actions in userspace. To do so it calls the cifs.upcall binary
with information on the process that triggered the syscall in the
first place.
ls(pid=10) ====> open("foo") ====> kernel
that user doesn't have an SMB
session, lets create one using his
kerberos credential cache
call cifs.upcall and ask for krb info
for whoever owns pid=10
|
cifs.upcall --pid 10 <=================+
...gather info...
return binary blob used
when establishing SMB session
===================> kernel
open SMB session, handle
open() syscall
ls <=================================== return open() result to ls
On a system using containers, the kernel is still calling the host
cifs.upcall and using the host configuration (for network, pid, etc).
This patch changes the behaviour of cifs.upcall so that it uses the
calling process namespaces (ls in the example) when doing its
job.
Note that the kernel still calls the binary in the host, but the
binary will place itself the contexts of the calling process
namespaces.
This code makes use of (but shouldn't require) the following kernel
config options and syscall flags:
approx. year |
introduced | config/flags
---------------+----------------
2008 | CONFIG_NAMESPACES=y
2007 | CONFIG_UTS_NS=y
2020 | CONFIG_TIME_NS=y
2006 | CONFIG_IPC_NS=y
2007 | CONFIG_USER_NS
2008 | CONFIG_PID_NS=y
2007 | CONFIG_NET_NS=y
2007 | CONFIG_CGROUPS
2016 | CLONE_NEWCGROUP setns() flag
Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Alastair Houghton <alastair@alastairs-place.net>
|
|
Make drop_call_capabilities() in cifs.upcall update the bounding capabilities
only if CAP_SETCAP is present.
This is an addendum to the patch recently provided in [1]. Without this
additional change, cifs.upcall can still fail while trying to mount a CIFS
network share with krb5:
kernel: CIFS: Attempting to mount //server.domain.lan/myshare
cifs.upcall[39484]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=server.domain.lan>
cifs.upcall[39484]: ver=2
cifs.upcall[39484]: host=server.domain.lan
cifs.upcall[39484]: ip=172.22.3.14
cifs.upcall[39484]: sec=1
cifs.upcall[39484]: uid=1000
cifs.upcall[39484]: creduid=1000
cifs.upcall[39484]: user=username
cifs.upcall[39484]: pid=39481
cifs.upcall[39484]: get_cachename_from_process_env: pathname=/proc/39481/environ
cifs.upcall[39484]: get_cachename_from_process_env: cachename = FILE:/tmp/.krb5cc_1000
cifs.upcall[39484]: drop_all_capabilities: Unable to apply capability set: Success
cifs.upcall[39484]: Exit status 1
[1] https://marc.info/?l=linux-cifs&m=160595758021261
Signed-off-by: Alexander Koch <mail@alexanderkoch.net>
Signed-off-by: Jonas Witschel <diabonas@archlinux.org>
|
|
libcap-ng 0.8.1 tightened the error checking on capng_apply, returning an error
of -4 when trying to update the capability bounding set without having the
CAP_SETPCAP capability to be able to do so. Previous versions of libcap-ng
silently skipped updating the bounding set and only updated the normal
CAPNG_SELECT_CAPS capabilities instead.
Check beforehand whether we have CAP_SETPCAP, in which case we can use
CAPNG_SELECT_BOTH to update both the normal capabilities and the bounding set.
Otherwise, we can at least update the normal capabilities, but refrain from
trying to update the bounding set to avoid getting an error.
Signed-off-by: Jonas Witschel <diabonas@archlinux.org>
|
|
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
|
|
This patch introduces a new '--expire' option that allows the user to
set a timeout value for the dns resolver key -- which is typically
useful for hostnames that may get their ip addresses changed under
long running mounts.
The default timeout value is set to 10 minutes.
Signed-off-by: Paulo Alcantara <palcantara@suse.de>
|
|
Using a more permanent ccache is potentially problematic when we're
instantiating a new one. We might be operating under different creds
than expected. Just use a MEMORY: ccache since we don't need it to
last longer than the life of the upcall anyway.
Reported-and-Tested-by: Chad William Seys <cwseys@physics.wisc.edu>
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Setuid programs triggering upcalls could trick the program here. Also,
the d_automount method is done with credentials overridden so if you
can end up with mismatched creds and env vars due to that as well.
It's a hack, but the only recourse I can see is to avoid doing this
when the uid is 0. That means we can't rely on finding root credcaches
in alternate locations using $KRB5CCNAME, but I think that's the best
we can do.
Reported-and-Tested-by: Chad William Seys <cwseys@physics.wisc.edu>
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
We don't want to trust $KRB5CCNAME when creating or updating a new
credcache since we could be operating under the wrong credentials.
Always create new credcaches in the default location instead.
Reported-by: Chad William Seys <cwseys@physics.wisc.edu>
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
It just frees and then zeroes out the pointer. That's of dubious
value in the places where it's currently being used. Just use
free() instead.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Take just what we need from replace.h and move it to cifs.upcall.c.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
We really only need CAP_DAC_READ_SEARCH, not CAP_DAC_OVERRIDE, and
only when we are going to probe the environ file.
Also, fix the non-libcap-ng trim_capabilities prototype.
Reviewed-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
/proc/<pid>/environ file
Chad reported that he was seeing a regression in cifs-utils-6.6. Prior
to that, cifs.upcall was able to find credcaches in non-default FILE:
locations, but with the rework of that code, that ability was lost.
Unfortunately, the krb5 library design doesn't really take into account
the fact that we might need to find a credcache in a process that isn't
descended from the session.
When the kernel does an upcall, it passes several bits of info about the
task that initiated the upcall. One of those things is the PID (the
tgid, in particular). We can use that info to reach into the
/proc/<pid>/environ file for the process, and grab whatever value of
$KRB5CCNAME is there.
Then, after switching credentials, set $KRB5CCNAME in the environment
to the same value before opening the credcache, to hint to the krb5
libs where they ought to look.
This new behavior is on by default, but can be disabled by having
request-key pass a '-E' flag to cifs.upcall.
Reported-by: Chad William Seys <cwseys@physics.wisc.edu>
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Much of cifs.upcall can and should be run without elevated privileges.
On entry into the program, drop as many capabilities as we can get away
with, and then always drop any remaining caps after calling setuid().
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Currently, we leave the group ID alone, but in a later patch we'll be
changing cifs.upcall to scrape $KRB5CCNAME out of the originating
process. At that point, we want to be a little more careful with the
process credentials we'll be using.
After we get the uid, do a getpwuid and grab the default gid for the
user. Then use setgid to set it before calling setuid.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Instead, get a ccache handle and pass that around. That way we can keep
the cache open until the program is complete as well.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
...instead of dealing with the ccname. Push resolution of the cache
into the caller.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
The header file says that this is deprecated, and all of the info I've
seen about it mentioned that it was for performance more than
correctness. It dates back to the original code dump from Igor, so I
think we're safe to just drop it at this point.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
There's no need to keep initing a new context for every function. Just
do it once and reuse as needed.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Currently we end up groveling around in /tmp, trying to guess what the
credcache will be. Instead, just get the default ccname for the user,
and then see if it has a valid tgt. If it doesn't then we try to use
the keytab to init the credcache before proceeding.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
...don't assume that it's in /etc/krb5.keytab.
Reported-by: Konstantin Lepikhov <klepikho@redhat.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Fedora is in the process of moving to KEYRING: credcaches which are not
currently handled by cifs.upcall. We could try to detect when they're in
use, but it's simpler and more robust to just try to use the default
credcache whenever we don't find a FILE: or DIR: cache.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Currently cifs.upcall only looks at the default system keytab
(/etc/krb5.keytab). It's often the case however that a dedicated keytab
is desirable. Allow administrators to set one on the command-line.
Reported-by: steve <steve@steve-ss.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
When print version number, the exit code should be 0
and syslog() should not send "Negating key" to the system logger.
Signed-off-by: Peng Haitao <penght@cn.fujitsu.com>
|
|
We want to require that the filename begins with the correct string,
not just that it contains it somewhere.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
When scanning for credential caches, check the user's directory under
/run/user first, then fall back to /tmp as we have previously. Because
we now call find_krb5_cc() twice (once for each directory), we move its
state to be outside of the function. We also add a substitution
mechanism to make the process of resolving the location of the user's
home directory before searching it a bit more explicable.
|
|
If we encounter a subdirectory while scanning a directory for a user's
ccache, check if it's a "DIR" ccache. Otherwise, continue as before,
checking if it's a "FILE" ccache if it looks like a regular file.
|
|
While helping to track down a configuration problem, I found this
little bit of extra debug logging to be helpful. Might as well
make it part of the stock binary.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
krb5 < 1.7
products coming with MIT krb5 < 1.7 (like SUSE Linux Enterprise 11 SP 1
or SP 2) suffer from the same issue as described by
https://bugzilla.samba.org/show_bug.cgi?id=6918
The declaration of krb5_auth_con_set_req_cksumtype is missing.
Inspiration: https://bugzilla.samba.org/show_bug.cgi?id=6918
Acked-by: Suresh Jayaraman <sjayaraman@suse.com>
Signed-off-by: Lars Mueller <lmuelle@suse.com>
|
|
Currently, we build the string by hand then then construct the
principal name with krb5_parse_name. That bypasses the domain_realm
section in krb5.conf however.
Switch the code to use krb5_sname_to_principal instead which is more
suited to this task. In order for that to work, we change a couple of
calling functions to pass down a hostname instead of a principal
name, and then pass in "cifs" as the service name.
Reported-and-Tested-by: Nirupama Karandikar <nkarandi@redhat.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
This was actually requested by the Red Hat QA group, who sometimes work
with multiple krb5.conf files when testing.
Requested-by: Marko Myllynen <myllynen@redhat.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Resolve the unqualified hostname and set AI_CANONNAME to make sure that
field is populated. Scan forward to the first '.' in ai_canonname, and
append that value onto the unqualified hostname to get a FQDN. Then
prepend that value with "cifs/" and try to get a service ticket for
that principal.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Andrew Bartlett suggests the heuristic supplied in the comments.
For now, we don't try to guess the domainname when the hostname is not
qualified, but add a comment with what needs to be done in order to
support that.
Also, with this change we no longer need util.o to be linked in.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Most KDCs are case-sensitive (the notable exception being AD), but DNS
is case-insensitive. To prevent admins from having to put in all
possible case combinations of a principal, lowercase the hostname prior
to trying to get a principal.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
...and check to see if provided hostname will exceed it.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
cifs.upcall.c: In function ‘cifs_krb5_principal_get_realm’:
cifs.upcall.c:80:57: warning: unused parameter ‘context’ [-Wunused-parameter]
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Based on a patch from a few years ago by Igor Mammedov. This patch
adds the ability for cifs.upcall to establish a TGT using the
system-default keytab.
Signed-off-by: Jeff Layton <jlayton@samba.org>
Acked-by: Igor Mammedov <niallain@gmail.com>
|
|
Signed-off-by: Jeff Layton <jlayton@samba.org>
Acked-by: Igor Mammedov <niallain@gmail.com>
|
|
Signed-off-by: Jeff Layton <jlayton@samba.org>
Acked-by: Igor Mammedov <niallain@gmail.com>
|
|
...and switch the code to using strndup. Check for allocation errors as
well, and fix some off-by-one bugs in the ones that decode strings.
Signed-off-by: Jeff Layton <jlayton@samba.org>
Acked-by: Igor Mammedov <niallain@gmail.com>
|
