Age | Commit message | Author | Files | Lines |
Signed-off-by: Jeff Layton <jlayton@samba.org>
The parsing for values has been moved to its own function and is a bit
cleaner. Temporary buffers are zeroed out before being freed to ensure
passwords/credentials aren't left in released memory.
Signed-off-by: Scott Lovenberg <scott.lovenberg@gmail.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
Remove magic numbers, redundant code and extra variables from open_cred_file().
Remove check for domain length since strlcpy is safe from buffer overflows.
Signed-off-by: Scott Lovenberg <scott.lovenberg@gmail.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
mount.cifs calls strchr on currentaddress, which may be a NULL pointer.
Signed-off-by: Jeff Layton <jlayton@samba.org>
It's possible that root won't have privileges to chdir or evaluate the
paths without that capability.
Signed-off-by: Jeff Layton <jlayton@samba.org>
...some #defines are missing in that case. This fixes the build for
all possible libcap/libcap-ng availability scenarios.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
This patch makes the mount.cifs credentials file parameters consistent with
the command line parameters to remove ambiguity between the command line
parameter format and the credentials file format. That is, it parses for
both short and long form of the 'username', 'password', and 'domain'
parameters. This patch is against the current cifs-utils-4.2.
I'm also thinking of adding a second patch that allows for parsing a
"domain/user", "domain%user" and "domain/user%password" formats as allowed
from the command line.
Signed-off-by: Scott Lovenberg <scott.lovenberg@gmail.com>
Only the parent process will ever need CAP_DAC_OVERRIDE. The child can
get by with CAP_DAC_READ_SEARCH.
Signed-off-by: Jeff Layton <jlayton@samba.org>
...libcap-ng does this in a much easier fashion. If that's not
available, then we have to do it manually.
Signed-off-by: Jeff Layton <jlayton@samba.org>
...in preference to libcap if it's available.
Signed-off-by: Jeff Layton <jlayton@samba.org>
...it clears the capability set completely, which it shouldn't do. It
also doesn't call cap_set_proc to make the new capability set active.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
When dropping capabilities, drop CAP_DAC_OVERRIDE from the effective set
but not the permitted. When we need to open credential or password
files, make it effective again and drop it after the open completes.
This reduces CAP_DAC_OVERRIDE exposure.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
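
The scheme this entry describes, as an added example rather than code from cifs-utils: CAP_DAC_OVERRIDE is dropped from the effective set only, stays in the permitted set, and is raised just around the open(2) of a credentials file. It uses the raw capget/capset syscalls so it builds without libcap or libcap-ng (the entries above mention both); the function names are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Thin capget(2) wrapper using the v3 ABI (two 32-bit words per set). */
static int get_caps(struct __user_cap_header_struct *hdr, struct __user_cap_data_struct *data)
{
	hdr->version = _LINUX_CAPABILITY_VERSION_3;
	hdr->pid = 0;	/* the calling thread */
	return syscall(SYS_capget, hdr, data);
}
/* Raise or drop CAP_DAC_OVERRIDE in the effective set only; permitted is left alone,
 * which is what allows re-raising it later without any help from root. */
int set_dac_override_effective(int on)
{
	struct __user_cap_header_struct hdr;
	struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
	unsigned int idx = CAP_TO_INDEX(CAP_DAC_OVERRIDE), bit = CAP_TO_MASK(CAP_DAC_OVERRIDE);
	if (get_caps(&hdr, data) < 0)
		return -1;
	if (on)
		data[idx].effective |= bit;
	else
		data[idx].effective &= ~bit;
	return syscall(SYS_capset, &hdr, data);	/* EPERM if the cap is not in permitted */
}
/* 1 if CAP_DAC_OVERRIDE is effective right now, 0 if not, -1 on error. */
int dac_override_is_effective(void)
{
	struct __user_cap_header_struct hdr;
	struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
	if (get_caps(&hdr, data) < 0)
		return -1;
	return !!(data[CAP_TO_INDEX(CAP_DAC_OVERRIDE)].effective & CAP_TO_MASK(CAP_DAC_OVERRIDE));
}
/* Open a credentials file with CAP_DAC_OVERRIDE effective only for the open(2) itself;
 * the cap is dropped again on both the success and the failure path. */
int open_cred_file_privileged(const char *path)
{
	int fd, saved_errno;
	if (set_dac_override_effective(1) < 0)
		return -1;
	fd = open(path, O_RDONLY | O_CLOEXEC);
	saved_errno = errno;
	set_dac_override_effective(0);
	errno = saved_errno;
	return fd;
}
```
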
...otherwise, root may not be able to read credential files. The ideal
thing would be to remove it from the effective set, and only turn it
on when needed, but for now this should fix the immediate problem.
Signed-off-by: Jeff Layton <jlayton@samba.org>
- fix URLs and email addresses
- update copyright notices
Signed-off-by: Jeff Layton <jlayton@samba.org>
Now that mount.cifs is safe(r) we don't need to disable setuid
capability by default.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Might as well be as safe as possible. Have child drop all capabilities,
and have the parent drop all but CAP_SYS_ADMIN (needed for mounting) and
CAP_DAC_OVERRIDE (needed in case mtab isn't writable by root). We might
even eventually consider being clever and dropping CAP_DAC_OVERRIDE when
root has access to the mtab.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
If mount.cifs is setuid root, then the unprivileged user who runs the
program can send the mount.cifs process a signal and kill it. This is
not a huge problem unless we happen to be updating the mtab at the
time, in which case the mtab lockfiles might not get cleaned up.
To remedy this, have the privileged mount.cifs process set its real
uid to the effective uid (usually, root). This prevents unprivileged
users from being able to signal the process.
While we're at it, also mask off signals while we're updating the
mtab. This leaves a SIGKILL by root as the only way to interrupt the
mtab update, but there's really nothing we can do about that.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
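
Both measures from this entry (set the real uid to the effective uid so the invoking user can no longer signal the process, and block signals across the mtab update), as an added example that is not mount.cifs code; update_mtab_guarded and sigterm_blocked are names chosen here, and the callback stands in for the real mtab writer.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <unistd.h>

/* Make the real uid match the effective uid (root, for a setuid mount.cifs). kill(2)
 * requires the sender's real or effective uid to match the target's real or saved uid,
 * so after this the unprivileged invoking user can no longer signal the process. */
int harden_against_caller_signals(void)
{
	return setuid(geteuid());
}

/* Run the mtab update with every blockable signal masked, so a signal arriving
 * mid-update cannot leave the mtab lockfile behind. SIGKILL and SIGSTOP cannot be
 * masked; that is the residual exposure the commit message mentions. */
int update_mtab_guarded(int (*update)(void *), void *arg)
{
	sigset_t all, saved;
	int rc, saved_errno;

	sigfillset(&all);
	if (sigprocmask(SIG_BLOCK, &all, &saved) < 0)
		return -1;
	rc = update(arg);
	saved_errno = errno;
	sigprocmask(SIG_SETMASK, &saved, NULL);	/* signals that arrived meanwhile are delivered here */
	errno = saved_errno;
	return rc;
}

/* Stand-in for the real mtab writer: reports 1 if SIGTERM is masked while it runs. */
int sigterm_blocked(void *unused)
{
	sigset_t cur;
	(void)unused;
	sigprocmask(SIG_BLOCK, NULL, &cur);
	return sigismember(&cur, SIGTERM);
}
```
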
Much of the mount option parsing and other activities can be done by an
unprivileged process. Allocate the parsed_mount_info struct as an
anonymous mmap() segment and then fork to do the actual mount option
parsing. The child can then drop root privileges before populating the
parsed_mount_info struct. The parent waits for the child to exit and
then continues the mount process based on the child's exit status.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
...later, we'll want to introduce privilege separation so make this
a separate function to facilitate that.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
...code cleanup
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
The mount.cifs command apparently tries to take a ton of command-line
options. Many of these will never be passed to mount.cifs by /bin/mount.
Others are more appropriately specified as mount options.
In both cases, there are a lot of options in the switch statement that
are not listed in the optstring, and there are characters in the
optstring that are not dealt with by the switch statement. Other options
are poorly wired to the rest of the code and don't actually do anything.
Clean it up by removing all but the ones that are likely to ever be
used.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Add a function to set and escape the password properly.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
This behavior is demonstrably unsafe and not something we want to support
going forward.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
The UNC is currently handled as a single string and mount.cifs will
just munge it whenever it needs to change the delimiter type or
uppercase it, etc. This is tricky to handle correctly and means that
we often need to keep track of what's already been changed. Instead
of doing this, just track the pieces of the UNC in separate fields
in the parsed_mount_info, and then use those pieces to build strings
as needed.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
...and fill and use them accordingly.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
...rather than a buffer pointed to by a global var
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Allocate a zeroed out parsed_mount_info struct and have parse_options
put its info into that instead. realloc() is no longer used here and
instead we just have the option parser carefully check that the result
will fit in the buffer before copying it.
We also no longer use snprintf to stuff info directly into the buffer.
It may not be possible given the other checks, but snprintf can leave a
non-NULL terminated string. Use strlcat everywhere instead to ensure
that doesn't occur.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
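
The fixed-size parsed_mount_info buffers with up-front length checks from this entry, combined with the mmap()-plus-fork privilege separation described in an earlier entry on this page and the scrubbing of temporary credential buffers before free, as an added example that is not the cifs-utils implementation; the struct layout, the option names and privsep_parse are assumptions of this example.

```c
#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/wait.h>

/* Fixed-size fields so the struct can live in shared memory (constructed; names assumed). */
struct parsed_mount_info {
	char username[64];
	unsigned int flags;	/* bit 0: read-only */
};

/* Runs in the unprivileged child: parse "key=value,..." into the shared struct.
 * Copies are bounds-checked up front (strlcpy-style) and fail rather than truncate. */
static int parse_options(char *opts, struct parsed_mount_info *info)
{
	char *tok, *save = NULL;
	for (tok = strtok_r(opts, ",", &save); tok; tok = strtok_r(NULL, ",", &save)) {
		if (!strncmp(tok, "user=", 5)) {
			if (strlen(tok + 5) >= sizeof(info->username))
				return -1;	/* would overflow the fixed buffer */
			memcpy(info->username, tok + 5, strlen(tok + 5) + 1);
		} else if (!strcmp(tok, "ro")) {
			info->flags |= 1;
		} else {
			return -1;	/* unknown option: fail closed */
		}
	}
	return 0;
}

/* Parent: share the struct via anonymous mmap, fork, let the child drop root and parse,
 * then continue the mount only if the child exited cleanly. */
int privsep_parse(const char *opts, struct parsed_mount_info *out)
{
	struct parsed_mount_info *info = mmap(NULL, sizeof(*info), PROT_READ | PROT_WRITE,
					      MAP_SHARED | MAP_ANONYMOUS, -1, 0);
	char *copy = strdup(opts);
	int status = 0, ok;
	pid_t pid = (info == MAP_FAILED || !copy) ? -1 : fork();
	if (pid == 0)	/* child: give up root before touching untrusted input */
		_exit(setuid(getuid()) == 0 && parse_options(copy, info) == 0 ? 0 : 1);
	ok = pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status) && !WEXITSTATUS(status);
	if (ok)
		*out = *info;
	if (copy) { explicit_bzero(copy, strlen(opts)); free(copy); }	/* scrub: may hold credentials */
	if (info != MAP_FAILED) munmap(info, sizeof(*info));
	return ok ? 0 : -1;
}
```
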
Currently mount.cifs puts mount info into a disparate series of
dynamically sized buffers. Declare a new struct that holds a set of
fixed-size buffers. The option and UNC parsing routines can place their
results in this struct.
This should make it easier to implement privilege separation using
shared memory to pass data between processes.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Rather than passing the VERSION string to the kernel in the ver=
option, track the OPTIONS_VERSION separately and pass that to the
kernel. If we ever need to have different behavior in kernel for
different mount.cifs versions, we can bump this number.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
...to help ensure that exit processing is handled appropriately.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Clean up error handling in main() so that cleanup tasks are completed
rather than assuming exit processing will handle it.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Now that we chdir() to the mountpoint, the checks in that function are
pointless. Just make it a noop for non-legacy setuid builds.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
They don't actually do anything.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Let getopt_long do the work of parsing options, then check what's left.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Get rid of a lot of unnecessary nesting.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
...remove some unneeded junk.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Rather than using a hardcoded version string, use the VERSION macro
that autoconf provides. This will help make it clear what version
is actually being used in bug reports when someone runs
"mount.cifs -V" or "cifs.upcall --version".
Also, clean up AC_INIT and AM_INIT_AUTOMAKE macros.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
mount.cifs.c: In function 'main':
mount.cifs.c:1201: warning: 'dev_name' may be used uninitialized in this function
mount.cifs.c:1217: warning: 'addr6' may be used uninitialized in this function
asn1.c: In function 'ber_read_OID_String':
asn1.c:591: warning: 'bytes_eaten' may be used uninitialized in this function
Signed-off-by: Jeff Layton <jlayton@redhat.com>