Pavel Shilovsky [Thu, 11 Aug 2022 20:40:15 +0000 (13:40 -0700)]
cifs-utils: bump version to 7.0
Signed-off-by: Pavel Shilovsky <pshilovsky@samba.org>
atheik [Sat, 30 Apr 2022 21:48:26 +0000 (00:48 +0300)]
cifs-utils: don't return uninitialized value in cifs_gss_get_req
If the first malloc fails, maj_stat is uninitialized and used as
the return value through the GSS_ERROR() macro. Use GSS_S_FAILURE to
indicate a miscellaneous error.
Signed-off-by: atheik <atteh.mailbox@gmail.com>
atheik [Sat, 30 Apr 2022 21:47:54 +0000 (00:47 +0300)]
cifs-utils: make GSSAPI usage compatible with Heimdal
The gssapi symbols are in gssapi_krb5 and gssapi in MIT and Heimdal
Kerberos, respectively. Including gssapi_generic.h is not necessary.
Signed-off-by: atheik <atteh.mailbox@gmail.com>
atheik [Fri, 4 Mar 2022 22:24:49 +0000 (00:24 +0200)]
cifs-utils: work around missing krb5_free_string in Heimdal
The krb5_free_string function is not present in Heimdal and instead
krb5_xfree should be used for freeing the string allocation done by
krb5_cc_get_full_name. Heimdal documentation does specify that
krb5_xfree should be used here and krb5_unparse_name is freed with
just free.
Signed-off-by: atheik <atteh.mailbox@gmail.com>
Alexander Bokovoy [Wed, 16 Feb 2022 12:18:16 +0000 (14:18 +0200)]
fix warnings for -Waddress-of-packed-member
When structure members are packed, GCC will issue a warning that taking
an address of the packed structure member might cause an unaligned
access.
In all cases where this happen we simply can use a local variable
instead and then assign the result in a proper way.
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Alexander Bokovoy [Wed, 16 Feb 2022 12:04:47 +0000 (14:04 +0200)]
setcifsacl: fix memory allocation for struct cifs_ace
We don't have 'struct cifs_aces' so the correct struct name is 'struct
cifs_ace'. The code only worked because 'struct unknown *' is compatible
with 'struct cifs_ace *'.
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Alexander Bokovoy [Wed, 16 Feb 2022 11:58:24 +0000 (13:58 +0200)]
setcifsacl: fix comparison of actions reported by covscan
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Alexander Bokovoy [Wed, 16 Feb 2022 11:56:32 +0000 (13:56 +0200)]
cifs.upcall: remove unused variable and fix syslog message
The code already checks arg->have and has no use for local 'have'
variable other than syslog() print. That variable is not initialized and
the intent is really to use arg->have instead.
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Michael Weiser [Tue, 26 Oct 2021 09:11:48 +0000 (11:11 +0200)]
cifs.upcall: Switch to RFC principal type naming
Switch from old-style MIT krb5 gss_nt_service_name principal type
constant name to the now preferred GSS_C_NT_HOSTBASED_SERVICE.
Signed-off-by: Michael Weiser <michael.weiser@atos.net>
Jacob Shivers [Tue, 26 Oct 2021 14:57:41 +0000 (10:57 -0400)]
man-pages: Update cifs.upcall to mention GSS_USE_PROXY
Add ENVIRONMENT VARIABLES section with the usage of gssproxy as
a credential retrieval method.
Signed-off-by: Jacob Shivers <jshivers@redhat.com>
Ronnie Sahlberg [Thu, 21 Oct 2021 23:41:24 +0000 (09:41 +1000)]
cifs.upcall: fix compiler warning
Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
Michael Weiser [Tue, 5 Jan 2021 16:08:30 +0000 (17:08 +0100)]
cifs.upcall: add gssproxy support
Add support for gssproxy usage through GSS-API. If no useable ticket cache or
keytab can be found, fall on through into credential handling anyway but then
divert into GSS routines. If no gssproxy is available this will still error out
silently because no ticket cache is available. With gssproxy enabled,
credentials can be retrieved from there and allow unattended access to shares
e.g. from batch jobs.
Signed-off-by: Michael Weiser <michael.weiser@atos.net>
Pavel Shilovsky [Fri, 29 Apr 2022 21:45:41 +0000 (14:45 -0700)]
cifs-utils: bump version to 6.15
Signed-off-by: Pavel Shilovsky <pshilovsky@samba.org>
Jeffrey Bencteux [Sat, 19 Mar 2022 17:41:15 +0000 (13:41 -0400)]
mount.cifs: fix verbose messages on option parsing
When verbose logging is enabled, invalid credentials file lines may be
dumped to stderr. This may lead to information disclosure in particular
conditions when the credentials file given is sensitive and contains '='
signs.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15026
Signed-off-by: Jeffrey Bencteux <jbe@improsec.com>
Reviewed-by: David Disseldorp <ddiss@suse.de>
Jeffrey Bencteux [Thu, 17 Mar 2022 16:58:52 +0000 (12:58 -0400)]
CVE-2022-27239: mount.cifs: fix length check for ip option parsing
Previous check was true whatever the length of the input string was,
leading to a buffer overflow in the subsequent strcpy call.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15025
Signed-off-by: Jeffrey Bencteux <jbe@improsec.com>
Reviewed-by: David Disseldorp <ddiss@suse.de>
Pavel Shilovsky [Thu, 23 Sep 2021 23:48:45 +0000 (16:48 -0700)]
cifs-utils: bump version to 6.14
Signed-off-by: Pavel Shilovsky <pshilovsky@samba.org>
Pavel Shilovsky [Thu, 23 Sep 2021 23:30:57 +0000 (16:30 -0700)]
setcifsacl: fix formatting
Signed-off-by: Pavel Shilovsky <pshilovsky@samba.org>
Aurelien Aptel [Fri, 21 May 2021 15:29:40 +0000 (17:29 +0200)]
smbinfo: add support for new key dump ioctl
* try new one first, fall back on old one otherwise => retrocompatible
* use better cipher descriptions
Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Paulo Alcantara [Thu, 6 May 2021 19:25:13 +0000 (16:25 -0300)]
mount.cifs: fix crash when mount point does not exist
@mountpointp is initially set to a statically allocated string in
main(), and if we fail to update it in acquire_mountpoint(), make sure
to set it to NULL and avoid freeing it at mount_exit.
This fixes the following crash
$ mount.cifs //srv/share /mnt/foo/bar -o ...
Couldn't chdir to /mnt/foo/bar: No such file or directory
munmap_chunk(): invalid pointer
Aborted
Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
Aurelien Aptel [Wed, 21 Apr 2021 14:22:15 +0000 (16:22 +0200)]
cifs.upcall: fix regression in kerberos mount
The fix for CVE-2021-20208 in commit
e461afd ("cifs.upcall: try to use
container ipc/uts/net/pid/mnt/user namespaces") introduced a
regression for kerberos mounts when cifs-utils is built with
libcap-ng. It makes mount fail with ENOKEY "Required key not
available".
Current state:
mount.cifs
'---> mount() ---> kernel
negprot, session setup (need security blob for krb)
request_key("cifs.spnego", payload="pid=%d;username=...")
upcall
/sbin/request-key <--------------'
reads /etc/request-keys.conf
dispatch cifs.spnego request
calls /usr/sbin/cifs.upcall <key id>
- drop privileges (capabilities)
- fetch keyid
- parse payload
- switch to mount.cifs namespaces
- call krb5_xxx() funcs
- generate security blob
- set key value to security blob
'-----------------------------------> kernel
put blob in session setup packet
continue auth
open tcon
get share root
setup superblock
mount.cifs mount() returns <-----------'
By the time cifs.upcall tries to switch to namespaces, enough
capabilities have dropped in trim_capabilities() that it makes setns()
fail with EPERM.
setns() requires CAP_SYS_ADMIN.
With libcap trim_capabilities() is a no-op.
This fix:
- moves the namespace switch earlier so that operations like
setgroups(), setgid(), scanning of pid environment, ... happens in the
contained namespaces.
- moves trim_capabilities() after the namespace switch
- moves the string processing to decode the key request payload in a
child process with minimum capabilities. the decoded data is shared
with the parent process via shared memory obtained with mmap().
Fixes: e461afd ("cifs.upcall: try to use container ipc/uts/net/pid/mnt/user namespaces")
Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Juan Pablo González [Thu, 8 Apr 2021 10:02:20 +0000 (12:02 +0200)]
smbinfo: Add command for displaying alternate data streams
This patch adds a new command to smbinfo which retrieves and displays
the list of alternate data streams for a file.
Signed-off-by: Juan Pablo González <disablez@gmail.com>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
Rohith Surabattula [Thu, 4 Feb 2021 18:08:31 +0000 (18:08 +0000)]
Reorder ACEs in preferred order during setcifsacl
Have added new option "-A" in setcifsacl utility to reorder ACEs in
preferred order.
Pavel Shilovsky [Mon, 12 Apr 2021 23:34:48 +0000 (16:34 -0700)]
cifs-utils: bump version to 6.13
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Alastair Houghton [Tue, 29 Dec 2020 14:02:39 +0000 (14:02 +0000)]
cifs.upcall: try to use container ipc/uts/net/pid/mnt/user namespaces
In certain scenarios (e.g. kerberos multimount), when a process does
syscalls, the kernel sometimes has to query information or trigger
some actions in userspace. To do so it calls the cifs.upcall binary
with information on the process that triggered the syscall in the
first place.
ls(pid=10) ====> open("foo") ====> kernel
that user doesn't have an SMB
session, lets create one using his
kerberos credential cache
call cifs.upcall and ask for krb info
for whoever owns pid=10
|
cifs.upcall --pid 10 <=================+
...gather info...
return binary blob used
when establishing SMB session
===================> kernel
open SMB session, handle
open() syscall
ls <=================================== return open() result to ls
On a system using containers, the kernel is still calling the host
cifs.upcall and using the host configuration (for network, pid, etc).
This patch changes the behaviour of cifs.upcall so that it uses the
calling process namespaces (ls in the example) when doing its
job.
Note that the kernel still calls the binary in the host, but the
binary will place itself the contexts of the calling process
namespaces.
This code makes use of (but shouldn't require) the following kernel
config options and syscall flags:
approx. year |
introduced | config/flags
---------------+----------------
2008 | CONFIG_NAMESPACES=y
2007 | CONFIG_UTS_NS=y
2020 | CONFIG_TIME_NS=y
2006 | CONFIG_IPC_NS=y
2007 | CONFIG_USER_NS
2008 | CONFIG_PID_NS=y
2007 | CONFIG_NET_NS=y
2007 | CONFIG_CGROUPS
2016 | CLONE_NEWCGROUP setns() flag
Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Alastair Houghton <alastair@alastairs-place.net>
Pavel Shilovsky [Thu, 31 Dec 2020 18:26:10 +0000 (10:26 -0800)]
cifs-utils: bump version to 6.12
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Pavel Shilovsky [Tue, 29 Dec 2020 20:00:33 +0000 (12:00 -0800)]
smbinfo: fix fsctl-getobjid output
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Pavel Shilovsky [Tue, 29 Dec 2020 19:43:26 +0000 (11:43 -0800)]
smbinfo: fix list-snapshots output and installation
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Alexander Koch [Wed, 16 Dec 2020 21:44:56 +0000 (22:44 +0100)]
cifs.upcall: drop bounding capabilities only if CAP_SETPCAP is given
Make drop_call_capabilities() in cifs.upcall update the bounding capabilities
only if CAP_SETCAP is present.
This is an addendum to the patch recently provided in [1]. Without this
additional change, cifs.upcall can still fail while trying to mount a CIFS
network share with krb5:
kernel: CIFS: Attempting to mount //server.domain.lan/myshare
cifs.upcall[39484]: key description: cifs.spnego;0;0;
39010000;ver=0x2;host=server.domain.lan>
cifs.upcall[39484]: ver=2
cifs.upcall[39484]: host=server.domain.lan
cifs.upcall[39484]: ip=172.22.3.14
cifs.upcall[39484]: sec=1
cifs.upcall[39484]: uid=1000
cifs.upcall[39484]: creduid=1000
cifs.upcall[39484]: user=username
cifs.upcall[39484]: pid=39481
cifs.upcall[39484]: get_cachename_from_process_env: pathname=/proc/39481/environ
cifs.upcall[39484]: get_cachename_from_process_env: cachename = FILE:/tmp/.krb5cc_1000
cifs.upcall[39484]: drop_all_capabilities: Unable to apply capability set: Success
cifs.upcall[39484]: Exit status 1
[1] https://marc.info/?l=linux-cifs&m=
160595758021261
Signed-off-by: Alexander Koch <mail@alexanderkoch.net>
Signed-off-by: Jonas Witschel <diabonas@archlinux.org>
Shyam Prasad N [Wed, 16 Sep 2020 07:18:44 +0000 (00:18 -0700)]
mount.cifs: use SUDO_UID env variable for cruid
In the current mount.cifs logic, when sudo is used for mount,
uid=0, so the mount command searches for cruid=0 unless explicitly
specified by the user. The user may already have cred cache populated
but mount.cifs would end up searching cred cache for uid=0.
mount.cifs can avoid this confusion by reading the cruid from SUDO_UID
environment variable. If it is set to non-zero, we can make cruid=$SUDO_UID.
However, to maintain backward compatibility, keeping this as a fallback option.
If mount fails with ENOKEY, then retry with this option.
To enable this fallback, I had to make a few minor changes in the flow.
Signed-off-by: Shyam Prasad N <sprasad@microsoft.com>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
Pavel Shilovsky [Wed, 9 Dec 2020 19:29:40 +0000 (11:29 -0800)]
mount.cifs: fix max buffer size when parsing snapshot option
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Simon Arlott [Thu, 26 Nov 2020 00:28:08 +0000 (00:28 +0000)]
Add missing position handling to mount parameters gid/backup_gid/snapshot
The code tries to optimise for the last parameter not needing to update
the position which means that every time a new one is added to the end
by copying and pasting, the string position is not updated.
That makes it impossible to use backup_uid=/backup_gid=/snapshot= after
gid= or snapshot= after backup_gid= because part of the string is
overwritten and contains invalid keys like "gbackup_uid".
Prepare for the next parameter to be added on the end by updating the
position for snapshot= even though it will be unused.
Jonas Witschel [Sat, 21 Nov 2020 11:11:45 +0000 (12:11 +0100)]
cifs.upcall: update the cap bounding set only when CAP_SETPCAP is given
libcap-ng 0.8.1 tightened the error checking on capng_apply, returning an error
of -4 when trying to update the capability bounding set without having the
CAP_SETPCAP capability to be able to do so. Previous versions of libcap-ng
silently skipped updating the bounding set and only updated the normal
CAPNG_SELECT_CAPS capabilities instead.
Check beforehand whether we have CAP_SETPCAP, in which case we can use
CAPNG_SELECT_BOTH to update both the normal capabilities and the bounding set.
Otherwise, we can at least update the normal capabilities, but refrain from
trying to update the bounding set to avoid getting an error.
Signed-off-by: Jonas Witschel <diabonas@archlinux.org>
Jonas Witschel [Sat, 21 Nov 2020 11:11:44 +0000 (12:11 +0100)]
mount.cifs: update the cap bounding set only when CAP_SETPCAP is given
libcap-ng 0.8.1 tightened the error checking on capng_apply, returning an error
of -4 when trying to update the capability bounding set without having the
CAP_SETPCAP capability to be able to do so. Previous versions of libcap-ng
silently skipped updating the bounding set and only updated the normal
CAPNG_SELECT_CAPS capabilities instead.
Check beforehand whether we have CAP_SETPCAP, in which case we can use
CAPNG_SELECT_BOTH to update both the normal capabilities and the bounding set.
Otherwise, we can at least update the normal capabilities, but refrain from
trying to update the bounding set to avoid getting an error.
Signed-off-by: Jonas Witschel <diabonas@archlinux.org>
Boris Protopopov [Thu, 19 Nov 2020 21:40:42 +0000 (21:40 +0000)]
Extend cifs acl utilities to handle SACLs
Extend getcifsacl/setcifsacl utilities to handle System ACLs (SACLs)
in addition to Discretionary ACLs (DACLs). The SACL extensions depend
on CIFS client support for system.cifs_ntsd_full extended attribute.
Signed-off-by: Boris Protopopov <pboris@amazon.com>
Pavel Shilovsky [Mon, 9 Nov 2020 23:27:51 +0000 (15:27 -0800)]
getcifsacl: return error if input path doesn't exist
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Rohith Surabattula [Fri, 6 Nov 2020 10:19:59 +0000 (10:19 +0000)]
Fix mount error when mount point has an extra trailing slash.
Martin Schwenke [Fri, 25 Sep 2020 01:16:39 +0000 (11:16 +1000)]
mount.cifs: ignore comment mount option
mount.cifs currently complains about the "comment" option:
CIFS: Unknown mount option "comment=foo"
mount(8) on Linux says:
The command mount does not pass the mount options unbindable,
runbindable, private, rprivate, slave, rslave, shared, rshared,
auto, noauto, comment, x-*, loop, offset and sizelimit to the
mount.<suffix> helpers.
So if mount.cifs decides to re-read /etc/fstab it should ignore the
comment option.
A lot of online posts say to use comment=x-gvfs-show as an option to
have a Linux file manager display a mountpoint for a user mountable
filesystem. While the "comment=" part is superfluous when combined
with an x-* option, the problem is still difficult to debug.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
Bjoern Jacke [Mon, 1 Jun 2020 17:23:51 +0000 (19:23 +0200)]
setcifsacl: fix quoting of backslash in man page
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Sergio Durigan Junior [Tue, 9 Jun 2020 18:00:44 +0000 (14:00 -0400)]
Separate binary names using comma in mount.cifs.rst
According to lexgrog(1), when a manpage refers to multiple programs
their names should be separated using a comma and a whitespace. This
helps silence a lintian warning when building cifs-utils on Debian.
Signed-off-by: Sergio Durigan Junior <sergio.durigan@canonical.com>
lizhe [Tue, 26 May 2020 03:54:11 +0000 (11:54 +0800)]
cifs-utils: fix probabilistic compiling error
When we compile cifs-utils, we may probabilistic
encounter install error like:
cd ***/sbin && ln -sf mount.cifs mount.smb3
***/sbin: No such file or directory
The reason of this problem is that if we compile
cifs-utils using multithreading, target
'install-sbinPROGRAMS' may be built after
target 'install-exec-hook' of the main Makefile.
Target 'install-sbinPROGRAMS' will copy the
executable file 'mount.cifs' to the $(ROOTSBINDIR),
which target 'install-exec-hook' will do the
'ln' command on.
This patch add the dependency of target
'install-exec-hook' to ensure the correct order
of the compiling.
Signed-off-by: lizhe <lizhe67@huawei.com>
Mikhail Novosyolov [Fri, 24 Jan 2020 22:12:31 +0000 (01:12 +0300)]
cifs-utils: Don't create symlinks for mans if mans are disabled
Mikhail Novosyolov [Fri, 24 Jan 2020 22:11:12 +0000 (01:11 +0300)]
cifs-utils: Respect DESTDIR when installing smb3 stuff
When make install is run during package building, DESTDIR parameter is passed, e.g.:
$ rpm --eval %makeinstall_std
make DESTDIR=/root/rpmbuild/BUILDROOT/%{name}-%{version}-%{release}-rosa2016.1.x86_64-buildroot install
Without DESTDIR build scripts tried to create symlinks outside of the build root:
make[3]: Entering directory '/tmp/abf/rpmbuild/BUILD/cifs-utils-6.10'
(cd /sbin && ln -sf mount.cifs mount.smb3)
ln: failed to create symbolic link 'mount.smb3': Permission denied
The same fix was introduced in Arch Linux package when updating from 6.9 to 6.10:
https://git.archlinux.org/svntogit/packages.git/commit/trunk/PKGBUILD?h=packages/cifs-utils&id=
c75b246a762ea9b90db404dfebc6d35d5b16972f
Pavel Shilovsky [Tue, 25 Feb 2020 19:15:06 +0000 (11:15 -0800)]
mount.cifs.rst: add nolease mount option
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Boris Protopopov [Mon, 6 Jan 2020 16:31:19 +0000 (16:31 +0000)]
Add support for setting owner and group in ntsd
Extend setcifsacl utility to allow setting owner and group SIDs
in the security descriptor in addition to setting ACLs. This is
a user-friendly intefrace for setting owner and group SIDs that
takes advantage of the recent extensions in the CIFS kernel
client, and it complements setting raw values via setfattr.
Signed-off-by: Boris Protopopov <boris.v.protopopov@gmail.com>
Boris Protopopov [Mon, 6 Jan 2020 16:31:18 +0000 (16:31 +0000)]
Convert owner and group SID offsets to LE format
Convert owner and group SID offsets to LE format
when writing to ntsd
Signed-off-by: Boris Protopopov <boris.v.protopopov@gmail.com>
Ronnie Sahlberg [Fri, 20 Dec 2019 00:58:48 +0000 (10:58 +1000)]
smbinfo: remove invalid arguments to ioctl method
Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
Aurelien Aptel [Mon, 14 Oct 2019 17:07:38 +0000 (19:07 +0200)]
smbinfo: rewrite in python
Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Pavel Shilovsky [Thu, 3 Sep 2020 16:58:46 +0000 (09:58 -0700)]
cifs-utils: bump version to 6.11
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Aurelien Aptel [Mon, 27 Jul 2020 08:34:44 +0000 (10:34 +0200)]
CVE-2020-14342: mount.cifs: fix shell command injection
A bug has been reported recently for the mount.cifs utility which is
part of the cifs-utils package. The tool has a shell injection issue
where one can embed shell commands via the username mount option. Those
commands will be run via popen() in the context of the user calling
mount.
The bug requires cifs-utils to be built with --with-systemd (enabled
by default if supported).
A quick test to check if the mount.cifs binary is vulnerable is to look
for popen() calls like so:
$ nm mount.cifs | grep popen
U popen@@GLIBC_2.2.5
If the user is allowed to run mount.cifs via sudo, he can obtain a root
shell.
sudo mount.cifs -o username='`sh`' //1 /mnt
If mount.cifs has the setuid bit, the command will still be run as the
calling user (no privilege escalation).
The bug was introduced in June 2012 with commit
4e264031d0da7d3f2
("mount.cifs: Use systemd's mechanism for getting password, if
present.").
Affected versions:
cifs-utils-5.6
cifs-utils-5.7
cifs-utils-5.8
cifs-utils-5.9
cifs-utils-6.0
cifs-utils-6.1
cifs-utils-6.2
cifs-utils-6.3
cifs-utils-6.4
cifs-utils-6.5
cifs-utils-6.6
cifs-utils-6.7
cifs-utils-6.8
cifs-utils-6.9
cifs-utils-6.10
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14442
Reported-by: Vadim Lebedev <vadim@mbdsys.com>
Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Pavel Shilovsky [Mon, 16 Dec 2019 23:34:56 +0000 (15:34 -0800)]
cifs-utils: bump version to 6.10
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Pavel Shilovsky [Mon, 16 Dec 2019 23:20:28 +0000 (15:20 -0800)]
Rename secdesc-ui.py to smb2-secdesc
Pavel Shilovsky [Sat, 14 Dec 2019 00:52:53 +0000 (16:52 -0800)]
Properly install mount.smb3 helper files
Signed-off-by: Kenneth D'souza <kdsouza@redhat.com>
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Ronnie Sahlberg [Fri, 13 Dec 2019 00:30:00 +0000 (10:30 +1000)]
Install smb2-quota and its manpage
Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
Kenneth D'souza [Thu, 21 Nov 2019 15:10:56 +0000 (20:40 +0530)]
smb2-quota: Simplify code logic for quota entries.
This patch changes the program name from smb2quota to
smb2-quota and uses a simple code logic for quota entries.
Signed-off-by: Kenneth D'souza <kdsouza@redhat.com>
Signed-off-by: Ronnie Sahlberg <lsahlberg@redhat.com>
Kenneth D'souza [Thu, 14 Nov 2019 17:55:51 +0000 (23:25 +0530)]
Add program name to error output instead of static mount.cifs
As we are supporting mount.smb3 to be invoked, the error output
should contain the called program and not mount.cifs
Signed-off-by: Kenneth D'souza <kdsouza@redhat.com>
Kenneth D'souza [Wed, 13 Nov 2019 17:01:26 +0000 (22:31 +0530)]
Add support for smb3 alias/fstype in mount.cifs.c
As we will slowly move towards smb3 filesystem,
supporting through "mount -t smb3" is important.
Signed-off-by: Kenneth D'souza <kdsouza@redhat.com>
Aurelien Aptel [Mon, 14 Oct 2019 17:06:25 +0000 (19:06 +0200)]
smbinfo.rst: document new `keys` command
Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Kenneth D'souza [Wed, 9 Oct 2019 06:01:51 +0000 (11:31 +0530)]
mount.cifs.rst: remove prefixpath mount option.
This option is deprecated and currently ignored since
kernel v3.10
Signed-off-by: Kenneth D'souza <kdsouza@redhat.com>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
Kenneth D'souza [Tue, 24 Sep 2019 05:01:39 +0000 (10:31 +0530)]
smb2quota.rst: Add man page for smb2quota.py
Signed-off-by: Kenneth D'souza <kdsouza@redhat.com>
Kenneth D'souza [Tue, 24 Sep 2019 04:56:11 +0000 (10:26 +0530)]
smb2quota.py: Userspace helper to display quota information
Signed-off-by: Kenneth D'souza <kdsouza@redhat.com>
Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Pavel Shilovsky [Fri, 4 Oct 2019 00:29:00 +0000 (17:29 -0700)]
smbinfo: add bash completion support for setcompression
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Ronnie Sahlberg [Thu, 3 Oct 2019 23:29:02 +0000 (09:29 +1000)]
smbinfo: Add SETCOMPRESSION support
Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
Steve French [Thu, 19 Sep 2019 09:21:16 +0000 (04:21 -0500)]
smbinfo: print the security information needed to decrypt wireshark trace
CCM encryption
Session Id: e2 3e ea ae 00 00 00 00
Session Key: 65 7e 0e d5 3c 06 5a 06 50 a3 ef 96 c1 64 3d 1f
Server Encryption Key: 5e 42 a7 b5 57 75 d6 56 4a 5d 33 97 e6 45 07 76
Server Decryption Key: 1f 64 db a3 0f 24 e3 4d b6 31 00 ab 9a af 22 47
Signed-off-by: Steve French <stfrench@microsoft.com>
Paulo Alcantara (SUSE) [Thu, 19 Sep 2019 12:12:26 +0000 (09:12 -0300)]
mount.cifs: Fix invalid free
When attemping to chdir into non-existing directories, mount.cifs
crashes.
This patch fixes the following ASAN report:
$ ./mount.cifs //localhost/foo /mnt/invalid-dir -o ...
/mnt/bar -o username=foo,password=foo,vers=1.0
Couldn't chdir to /mnt/bar: No such file or directory
=================================================================
==11846==ERROR: AddressSanitizer: attempting free on address which was
not malloc()-ed: 0x7ffd86332e97 in thread T0
#0 0x7f0860ca01e7 in
__interceptor_free (/usr/lib64/libasan.so.5+0x10a1e7)
#1 0x557edece9ccb in
acquire_mountpoint (/home/paulo/src/cifs-utils/mount.cifs+0xeccb)
#2 0x557edecea63d in
main (/home/paulo/src/cifs-utils/mount.cifs+0xf63d)
#3 0x7f08609f0bca in __libc_start_main (/lib64/libc.so.6+0x26bca)
#4 0x557edece27d9 in
_start (/home/paulo/src/cifs-utils/mount.cifs+0x77d9)
Address 0x7ffd86332e97 is located in stack of thread T0 at offset 8951
in frame
#0 0x557edece9ce0 in
main (/home/paulo/src/cifs-utils/mount.cifs+0xece0)
This frame has 2 object(s):
[48, 52) 'rc' (line 1959)
[64, 72) 'mountpoint' (line 1955) <== Memory access at offset 8951
overflows this variable
HINT: this may be a false positive if your program uses some custom
stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: bad-free (/usr/lib64/libasan.so.5+0x10a1e7)
in __interceptor_free
==11846==ABORTING
Fixes: bf7f48f4c7dc ("mount.cifs.c: fix memory leaks in main func")
Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Reviewed-by: David Mulder <dmulder@suse.com>
Paulo Alcantara (SUSE) [Thu, 5 Sep 2019 18:49:35 +0000 (15:49 -0300)]
mount.cifs: Fix double-free issue when mounting with setuid root
It can be easily reproduced with the following:
# chmod +s `which mount.cifs`
# echo "//localhost/share /mnt cifs \
users,username=foo,password=XXXX" >> /etc/fstab
# su - foo
$ mount /mnt
free(): double free detected in tcache 2
Child process terminated abnormally.
The problem was that check_fstab() already freed orgoptions pointer
and then we freed it again in main() function.
Fixes: bf7f48f4c7dc ("mount.cifs.c: fix memory leaks in main func")
Signed-off-by: Paulo Alcantara (SUSE) <paulo@paulo.ac>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
misku [Wed, 31 Jul 2019 11:12:24 +0000 (13:12 +0200)]
Zero fill the allocated memory for new `struct cifs_ntsd`
Fixes a bug where `sacloffset` may not be set at all later on and therefore it
can contain the original memory contents == trash.
misku [Wed, 31 Jul 2019 11:11:18 +0000 (13:11 +0200)]
Zero fill the allocated memory for a new ACE
Fixes a bug inside a call to `verify_ace_flag`. When a flag string (char*)
passed as a first parameter is "0x0", the final flag value (the second
parameter - the value of a pointer to uint8_t) is not modified at all
and contains the original memory contents == trash.
Jiawen Liu [Tue, 6 Aug 2019 02:35:29 +0000 (10:35 +0800)]
mount.cifs.c: fix memory leaks in main func
In mount.cifs module, orgoptions and mountpoint in the main func
point to the memory allocated by func realpath and strndup respectively.
However, they are not freed before the main func returns so that the
memory leaks occurred.
The memory leak problem is reported by LeakSanitizer tool.
LeakSanitizer url: "https://github.com/google/sanitizers"
Here I free the pointers orgoptions and mountpoint before main
func returns.
Fixes:
7549ad5e7126 ("memory leaks: caused by func realpath and strndup")
Signed-off-by: Jiawen Liu <liujiawen10@huawei.com>
Reported-by: Jin Du <dujin1@huawei.com>
Reviewed-by: Saisai Zhang <zhangsaisai@huawei.com>
Reviewed-by: Aurélien Aptel <aaptel@suse.com>
Pavel Shilovsky [Tue, 7 May 2019 22:52:30 +0000 (15:52 -0700)]
smbinfo: add bash completion support for getcompression
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Kenneth D'souza [Mon, 22 Apr 2019 05:53:41 +0000 (11:23 +0530)]
getcifsacl: Add support for -R(recursive) option.
Add support for -R option so we can list the ACLs of all files and
directories recursively.
Signed-off-by: Kenneth D'souza <kdsouza@redhat.com>
Ronnie Sahlberg [Thu, 11 Apr 2019 02:23:06 +0000 (12:23 +1000)]
smbinfo: add GETCOMPRESSION support
Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
Pavel Shilovsky [Thu, 18 Apr 2019 19:32:02 +0000 (12:32 -0700)]
getcifsacl: Fix usage message to include multiple files
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Kenneth D'souza [Wed, 17 Apr 2019 11:27:05 +0000 (16:57 +0530)]
smbinfo: Add bash completion support for smbinfo.
This help us better populate options using <tab> <tab>.
Signed-off-by: Kenneth D'souza <kdsouza@redhat.com>
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Kenneth D'souza [Wed, 17 Apr 2019 17:19:09 +0000 (22:49 +0530)]
getcifsacl: Add support to accept more paths
Accept more than one path on the getcifsacl command line.
Signed-off-by: Kenneth D'souza <kdsouza@redhat.com>
Kenneth D'souza [Wed, 17 Apr 2019 10:06:46 +0000 (15:36 +0530)]
smbinfo: Improve help usage and add -h option.
Call usage only for -h case. This avoids cluttering the screen with long
help output.
As we are adding more options to the utility, the end error is just hidden.
Call short_usage wherever necessary.
Signed-off-by: Kenneth D'souza <kdsouza@redhat.com>
Ronnie Sahlberg [Tue, 9 Apr 2019 02:39:29 +0000 (12:39 +1000)]
secdesc-ui.py: a UI to view the security descriptors on SMB2+ shares
Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
Pavel Shilovsky [Tue, 9 Apr 2019 00:21:17 +0000 (17:21 -0700)]
Update authors list
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Pavel Shilovsky [Fri, 5 Apr 2019 17:03:41 +0000 (10:03 -0700)]
cifs-utils: bump version to 6.9
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Pavel Shilovsky [Fri, 5 Apr 2019 17:01:48 +0000 (10:01 -0700)]
smbinfo: use constant for input buffer length
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Pavel Shilovsky [Fri, 5 Apr 2019 16:40:29 +0000 (09:40 -0700)]
Fix authors and maintainers
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Pavel Shilovsky [Thu, 4 Apr 2019 16:25:30 +0000 (16:25 +0000)]
mount.cifs.rst: mention kernel version for snapshots
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Reviewed-by: Paulo Alcantara <palcantara@suse.de>
Steve French [Thu, 4 Apr 2019 04:46:34 +0000 (23:46 -0500)]
Update man page for mount.cifs to add new options
Add description of "snapshot" and "handletimeout" mount
options and a security section noting that the use of
cifs is discouraged, and various minor updates.
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Reviewed-by: Paulo Alcantara <palcantara@suse.de>
Pavel Shilovsky [Wed, 3 Apr 2019 22:42:10 +0000 (22:42 +0000)]
mount.cifs: detect GMT format of snapshot version
In order to provide an easy way to access snapshots a GMT
token string should be allowed as a "snapshot" mount option
argument, not SMB 100-nanoseconds time only. Detect if the
argument is in GMT format and convert it to SMB 100-nanoseconds
time before passing to the kernel.
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Reviewed-by: Paulo Alcantara <palcantara@suse.de>
Pavel Shilovsky [Wed, 3 Apr 2019 19:24:33 +0000 (12:24 -0700)]
mount.cifs: add more options to help message
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Reviewed-by: Paulo Alcantara <palcantara@suse.de>
Steve French [Wed, 3 Apr 2019 02:18:27 +0000 (21:18 -0500)]
mount.cifs Add various missing parms from the help text
When you type mount.cifs --help there were more than 40 mount parms
missing. Add 12 of the more common ones to what is displayed by help.
Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Paulo Alcantara <palcantara@suse.de>
Pavel Shilovsky [Tue, 2 Apr 2019 18:40:40 +0000 (11:40 -0700)]
smbinfo: make argument order consistent
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Reviewed-by: Paulo Alcantara <palcantara@suse.de>
Steve French [Fri, 29 Mar 2019 08:05:55 +0000 (03:05 -0500)]
smbinfo: Add ability to query snapshots (previous versions)
"smbinfo list-snapshots"
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Reviewed-by: Paulo Alcantara <palcantara@suse.de>
Steve French [Sat, 16 Mar 2019 20:42:40 +0000 (15:42 -0500)]
smbinfo: missing help for fsctl-getobjid
Add usage description for new option fsctl-getobjid
See section 2.1.3.1 of MS-FSCC
Signed-off-by: Steve French <stfrench@microsoft.com>
Pavel Shilovsky [Sat, 16 Mar 2019 19:34:13 +0000 (12:34 -0700)]
cifs.upcall: fix a compiler warning
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Ronnie Sahlberg [Fri, 15 Mar 2019 06:22:15 +0000 (16:22 +1000)]
smbinfo: add fsctl-getobjid support
This will print the ObjectID buffer for the object.
This is an example on how to fetch FSCTL data for an object using
the passthrough API.
Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
Pavel Shilovsky [Sat, 9 Mar 2019 00:28:45 +0000 (16:28 -0800)]
smbinfo: fix code style
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Steve French [Sat, 2 Mar 2019 05:11:25 +0000 (23:11 -0600)]
setcifsacl: fix adding ACE when owner sid in unexpected location
If owner information is after the ACEs instead of before (e.g. Azure servers) in the ACL query
then we would get "invalid argument" returned on setcifsacl -a (adding an ACE).
This fixes that.
Signed-off-by: Steve French <stfrench@microsoft.com>
Ronnie Sahlberg [Fri, 1 Mar 2019 02:05:58 +0000 (12:05 +1000)]
smbinfo: decode the ACEs
Decode the most common ACE types and provide a [-V]erbose option
to show the individual mask bits by name.
Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
Kenneth D'souza [Thu, 21 Feb 2019 05:09:25 +0000 (10:39 +0530)]
getcifsacl: Improve help usage and add -h option.
Call getcifsacl_usage only for -h and default case.
For others error out with appropriate message.
Signed-off-by: Kenneth D'souza <kdsouza@redhat.com>
Kenneth D'souza [Tue, 19 Feb 2019 01:43:43 +0000 (07:13 +0530)]
getcifsacl: Do not go to parse_sec_desc if getxattr fails.
Add more to the error message by printing the filename and error.
Signed-off-by: Kenneth D'souza <kdsouza@redhat.com>
Reviewed-by: Steve French <stfrench@microsoft.com>
Pavel Shilovsky [Fri, 15 Feb 2019 20:03:44 +0000 (12:03 -0800)]
mount.cifs.rst: update vers=3.1.1 option description
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Kenneth D'souza [Fri, 15 Feb 2019 02:22:48 +0000 (07:52 +0530)]
Update mount.cifs with vers=default mount option and SMBv3.0.2
Add vers=3.0.2 as a valid option for SMBv3.0.2 and explain behavior
of vers=default.
Signed-off-by: Kenneth D'souza <kdsouza@redhat.com>
Hank Leininger [Tue, 12 Feb 2019 01:42:51 +0000 (18:42 -0700)]
Added rst2man.py to the search list.
Gentoo Linux and (historically?) OSX install with the .py suffix.
Signed-off-by: Hank Leininger <hlein@korelogic.com>
Aurelien Aptel [Thu, 14 Feb 2019 11:15:44 +0000 (12:15 +0100)]
mount.cifs: be more verbose and helpful regarding mount errors
Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Paulo Alcantara [Wed, 13 Feb 2019 18:09:41 +0000 (16:09 -0200)]
cifs: Allow DNS resolver key to expire
This patch introduces a new '--expire' option that allows the user to
set a timeout value for the dns resolver key -- which is typically
useful for hostnames that may get their ip addresses changed under
long running mounts.
The default timeout value is set to 10 minutes.
Signed-off-by: Paulo Alcantara <palcantara@suse.de>