| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
It's possible that the user is trying to mount onto a directory to which
he doesn't have execute perms. If that's the case then the mount will
currently fail. Fix this by reenabling CAP_DAC_READ_SEARCH before
calling mount(2). That will ensure that the kernel's permissions check
for this is bypassed.
Reported-by: Erik Logtenberg <erik@logtenberg.eu>
Signed-off-by: Jeff Layton <jlayton@samba.org>
Reviewed-by: Steve French <sfrench@us.ibm.com>
|
|
It's possible to "goto return_i" in this function at several points
before line_buf is set. At that point, the NULL pointer check won't
work correctly and we can end up with a SIGSEGV.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Some distros replace /etc/mtab with a symlink to /proc/mounts. In that
situation, mount.cifs will hang for a while trying to lock the mtab.
/bin/mount checks to see if the mtab is a symlink. If it is or if a
stat() call on it fails, it doesn't try to to update the mtab. Have
mount.cifs do the same.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Allow admins to pass in a username for the cruid= mount option.
Signed-off-by: Jeff Layton <jlayton@samba.org>
Reviewed-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
|
|
The handling of these options is quite convoluted. Change it so that
these options are stored as numbers and then appended to the option
strings.
Signed-off-by: Jeff Layton <jlayton@samba.org>
Reviewed-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
|
|
The manpage says:
ip=arg
sets the destination IP address. This option is set automatically
if the server name portion of the requested UNC name can be
resolved so rarely needs to be specified by the user.
...but recent changes have made it not work anymore as an override if
someone specifies an ip= option as part of the mount options. Reinstate
that behavior by copying the ip= option verbatim into the addrlist of
the parsed options struct and then skipping the name resolution. That
should allow the ip= option to pass unadulterated to the kernel.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
The resolve_host routine from mount.cifs is carried out in
separate file and appropriate corrections are made.
Signed-off-by: Igor Druzhinin <jaxbrigs@gmail.com>
|
|
Avoid setting error code twice by moving error handling out of add_mtab_exit
block. We already set error code and report error in other places.
Signed-off-by: Suresh Jayaraman <sjayaraman@suse.de>
|
|
Add 'fsc' mount option to the 'Less commonly used options' section of
mount.cifs usage help text. As with the previous patch, this one too could be
queued and considered once the local caching patches gets merged upstream.
Signed-off-by: Suresh Jayaraman <sjayaraman@suse.de>
|
|
These are filesystem-independent mount options that get passed to
mount.cifs too. Handle them appropriately by enabling and disabling
MS_MANDLOCK and not handing them off to the kernel.
Also, don't set MS_MANDLOCK by default. There's no reason to ask the
kernel to enforce mandatory locking by default. This also matches
up better with the way that "mand" is set in the mtab.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
This mount options is used to clue in init scripts that the filesystem
shouldn't be mounted until networking is available. /bin/mount also passes
that option to the filesystem however, and cifs currently chokes on it.
mount.nfs ignores this option -- have mount.cifs do the same.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
The code currently uses fstab.h and _PATH_FSTAB, but uClibc apparently
doesn't have that header. It does have paths.h and _PATH_MNTTAB however
and so does glibc, so use that instead.
Fixes samba bug #7539.
Reported-and-Tested-by: Armin Kuster <linux@kama-aina.net>
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
We don't want to alter the device name in any way for the mtab as
/bin/umount depends on the string being identical for user mounts.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
The option parsing function now accepts all values for 'dir_mode' that
are supported by the kernel side code.
Signed-off-by: Scott Lovenberg <scott.lovenberg@gmail.com>
|
|
When the mount option parsing was cleaned up recently, the detection of
the "cred=" option was dropped.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Align CRED_ macro values to keep style consistent with last patch.
Signed-off-by: Scott Lovenberg <scott.lovenberg@gmail.com>
|
|
Moved option string parsing to function parse_opt_token(char*). Main
loop in parse_options(const char*, struct parsed_mount_info*)
transplanted to a switch block.
The parsing function folds common options to a single macro:
1.) 'unc','target', and 'path' -> 'OPT_UNC'
2.) 'dom*' and 'workg*' -> 'OPT_DOM'
3.) 'nobrl' and 'nolock' -> 'OPT_NO_LOCK'
Kept 'fmask' and 'dmask' (OPT_FMASK, OPT_DMASK), which fall through to
'file_mode' and 'dir_mode' in the main loop.
Signed-off-by: Scott Lovenberg <scott.lovenberg@gmail.com>
|
|
Signed-off-by: Steve French <smfrench@gmail.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
mount.smb2 has different help (many fewer mount options) and different
fsname, but otherwise can reuse all of the good work Jeff did on
mount.cifs. This patch allow mount.cifs to detect if run as mount.smb2
(to display different help and fsname).
Signed-off-by: Steve French <smfrench@gmail.com>
|
|
Replaced max username in parse_options with the sum of its potential
parts for "domain/user%password" formatted values. Note that forward
slashes still expand to a double back slash in the parse_username
function, though.
Signed-off-by: Scott Lovenberg <scott.lovenberg@gmail.com>
|
|
...the kernel doesn't expect to see it and it causes a regression
when mounting some UNCs.
Reported-by: Ales Zelinka <azelinka@redhat.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
The parsing for values has been moved to its own function and is a bit
cleaner. Temporary buffers are zeroed out before being freed to ensure
passwords/credentials aren't left in released memory.
Signed-off-by: Scott Lovenberg <scott.lovenberg@gmail.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Remove magic numbers, redundant code and extra variables from open_cred_file().
Remove check for domain length since strlcpy is safe from buffer overflows.
Signed-off-by: Scott Lovenberg <scott.lovenberg@gmail.com>
|
|
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
mount.cifs calls strchr on currentaddress, which may be a NULL pointer.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
It's possible that root won't have privileges to chdir or evaluate the
paths without that capability.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
...some #defines are missing in that case. This fixes the build for
all possible libcap/libcap-ng availability scenarios.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
|
This patch makes the mount.cifs credentials file parameters consistent with
the command line parameters to remove ambiguity between the command line
parameter format and the credentials file format. That is, it parses for
both short and long form of the 'username', 'password', and 'domain'
parameters. This patch is against the current cifs-utils-4.2.
I'm also thinking of adding a second patch that allows for parsing a
"domain/user", "domain%user" and "domain/user%password" formats as allowed
from the command line.
Signed-off-by: Scott Lovenberg <scott.lovenberg@gmail.com>
|
|
Only the parent process will ever need CAP_DAC_OVERRIDE. The child can
get by with CAP_DAC_READ_SEARCH.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
...libcap-ng does this in a much easier fashion. If that's not
available, then we have to do it manually.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
...in preference to libcap if it's available.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
...it clears the capability set completely, which it shouldn't do. It
also doesn't call cap_set_proc to make the new capability set active.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
|
When dropping capabilities, drop CAP_DAC_OVERRIDE from the effective set
but not the permitted. When we need to open credential or password
files, make it effective again and drop it after the open completes.
This reduces CAP_DAC_OVERRIDE exposure.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
|
...otherwise, root may not be able to read credential files. The ideal
thing would be to remove it from the effective set, and only turn it
on when needed, but for now this should fix the immediate problem.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
- fix URL's and email addresses
- update copyright notices
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Now that mount.cifs is safe(r) we don't need to disable setuid
capability by default.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
|
Might as well be as safe as possible. Have child drop all capabilities,
and have the parent drop all but CAP_SYS_ADMIN (needed for mounting) and
CAP_DAC_OVERRIDE (needed in case mtab isn't writable by root). We might
even eventually consider being clever and dropping CAP_DAC_OVERRIDE when
root has access to the mtab.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
|
If mount.cifs is setuid root, then the unprivileged user who runs the
program can send the mount.cifs process a signal and kill it. This is
not a huge problem unless we happen to be updating the mtab at the
time, in which case the mtab lockfiles might not get cleaned up.
To remedy this, have the privileged mount.cifs process set its real
uid to the effective uid (usually, root). This prevents unprivileged
users from being able to signal the process.
While we're at it, also mask off signals while we're updating the
mtab. This leaves a SIGKILL by root as the only way to interrupt the
mtab update, but there's really nothing we can do about that.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
|
Much of the mount option parsing and other activities can be done by an
unprivileged process. Allocate the parsed_mount_info struct as an
anonymous mmap() segment and then fork to do the actual mount option
parsing. The child can then drop root privileges before populating the
parsed_mount_info struct. The parent waits for the child to exit and
then continues the mount process based on the child's exit status.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
|
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
|
...later, we'll want to introduce privilege separation so make this
a separate function to facilitate that.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
|
...code cleanup
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
|
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
|
The mount.cifs command apparently tries to take a ton of command-line
options. Many of these will never be passed to mount.cifs by /bin/mount.
Others are more appropriately specified as mount options.
In both cases, there are a lot of options in the switch statement that
are not listed in the optstring, and there are characters in the
optstring that are not dealt with by the switch statement. Other options
are poorly wired to the rest of the code and don't actually do anything.
Clean it up by removing all but the ones that are likely to ever be
used.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
|
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
|
Add a function to set and escape the password properly.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
|
This behavior is demonstrably unsafe and not something we want to support
going forward.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
|
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
|
The UNC is currently handled as a single string and mount.cifs will
just munge it whenever it needs to change the delimiter type or
uppercase it, etc. This is tricky to handle correctly and means that
we often need to keep track of what's already been changed. Instead
of doing this, just track the pieces of the UNC in separate fields
in the parsed_mount_info, and then use those pieces to build strings
as needed.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
