| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Signed-off-by: Luk Claes <luk@debian.org>
|
|
krb5 < 1.7
products coming with MIT krb5 < 1.7 (like SUSE Linux Enterprise 11 SP 1
or SP 2) suffer from the same issue as described by
https://bugzilla.samba.org/show_bug.cgi?id=6918
The declaration of krb5_auth_con_set_req_cksumtype is missing.
Inspiration: https://bugzilla.samba.org/show_bug.cgi?id=6918
Acked-by: Suresh Jayaraman <sjayaraman@suse.com>
Signed-off-by: Lars Mueller <lmuelle@suse.com>
|
|
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Use the pkgconfig file that's included with wbclient to perform the test
for wbclient usability, and to set the correct CFLAGS and LDADD.
This is particularly necessary on recent Fedora with samba4 since it
puts the wbclient.h file in a different directory than before.
Also, remove a redundant test for wbclient.h from configure.ac.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
can't chdir
If mount.cifs is installed as a setuid root program, then a user can
use it to gather information about files and directories to which he
does not have access.
One of the first things that mount.cifs does is to chdir() into the
mountpoint and then proceeds to perform the mount onto ".". A malicious
user could exploit this fact to determine information about directories
to which he does not have access. Specifically, whether the dentry in
question is a file or directory and whether it exists at all.
This patch fixes this by making the program switch the fsuid to the
real uid for unprivileged users when mounting.
Note that this is a behavior change. mount.cifs has in the past allowed
users to mount onto any directory as long as it's listed in /etc/fstab
as a user mount. With this change, the user must also be able to chdir
into the mountpoint without needing special privileges. Hopefully not
many people have such a pathological configuration.
This patch should fix CVE-2012-1586.
Reported-by: Jesus Olmos <jesus.olmos@blueliv.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
...via the $ROOTSBINDIR environment variable, and AC_ARG_VAR macro.
The default is to use /sbin for this value, which only currently
affects the installation location of mount.cifs.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
...and fix the URL for cifs-utils.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
...but either error out or disable it if keyutils.h isn't present.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Add a contrib directory, a set of sample /etc/request-key.d files and
a README that explains what they're for. This version sets the path
to the upcall programs based on the configure options.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Some versions of wbclient.h have function declarations with bool type
args, but they don't include stdbool.h themselves. Make sure that
we can deal with that by telling the autoconf test to include stdbool.h
explicitly. In order to do that properly we need to move some of the
standard header and type tests up in the file.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Add configure directives for option cifsacl. The default action is
to enable cifsacl option.
cifsacl option is enabled or disabled in a similar way to cifs.idmap
in the same function. In addition, for cifsacl, check for sys/xattr.h
is done in the smae .m4 file.
Add directives to build getcifsacl in Makefile.
Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
|
|
It currently says "no" is the default, but it should be "yes".
Reported-by: Elias Pipping <pipping@lavabit.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Create man pages for program cifs.idmap
Enable cifs.idmap config option by default.
Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
|
|
Handle cifs.idmap type of key. Extract a SID string from the description
and map it to either an uid or gid using winbind APIs.
If that fails (e.g. because winbind is not installed/running or winbind
returns an error), kernel assigns uid and gid (from mount superblock).
Enable including winbind header files and idmapping code conditional
to winbind devel rpms (header and library).
An entry such as this
create cifs.idmap * * /usr/sbin/cifs.idmap %k
is needed in the file /etc/request-key.conf.
[Note: Modified to not build new tool by default, and to fix up some
whitespace munging]
Modified-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
|
|
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
The 4.8 release had mis-generated autoconf files (they didn't include
the libcap-ng autoconf goop). 4.8.1 will have that fixed.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
checksum (bug #7890)
Some closed source SMB servers doesn't support all checksum types,
so we should try to match windows clients.
This is almost the same logic which is used by Samba.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Currently the manpages (particularly cifs.upcall.8) have hardcoded
paths in them that need to be manually adjusted. Replace those
paths with @sbindir@ and add a makefile target that will use sed
to replace those paths with the ones set by autoconf.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
|
|
It is a userspace part of a new infrastructure for stashing passwords
in kernel keyring per user basis. The patch adds the "cifscreds"
utility for management keys with credentials. Assembling of the utility
from the distribution is possible with --enable-cifscreds=yes option of
configure script.
Signed-off-by: Igor Druzhinin <jaxbrigs@gmail.com>
|
|
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
...to distinguish interim builds from official releases.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
It's possible that root won't have privileges to chdir or evaluate the
paths without that capability.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
...it's already checked in AC_LIBCAP
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
...libcap-ng does this in a much easier fashion. If that's not
available, then we have to do it manually.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
...in preference to libcap if it's available.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
mount.cifs is being linked against the krb5 library. Fix it so that
that doesn't happen.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
|
- fix URL's and email addresses
- update copyright notices
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Signed-off-by: Torsten Kurbad <torsten@tk-webart.de>
|
|
Might as well be as safe as possible. Have child drop all capabilities,
and have the parent drop all but CAP_SYS_ADMIN (needed for mounting) and
CAP_DAC_OVERRIDE (needed in case mtab isn't writable by root). We might
even eventually consider being clever and dropping CAP_DAC_OVERRIDE when
root has access to the mtab.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
|
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
