mount.cifs: check access of credential files before opening

It's possible for an unprivileged user to pass a setuid mount.cifs a
credential or password file to which he does not have access. This can cause
mount.cifs to open the file on his behalf and possibly leak the info in the
first few lines of the file.

Check the access permissions of the file before opening it.

Reported-by: Ronald Volgers <r.c.volgers@student.utwente.nl>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Acked-by: Steve French <sfrench@us.ibm.com>
Part 1/2 of a fix for CVE-2009-2948.
(cherry picked from commit 87fe29ca3239492126a99e1562db673ea7ca208b)

diff --git a/source/client/mount.cifs.c b/source/client/mount.cifs.c
index d05115b892d3d7aa207ad9df8dce7e53471ed9e5..cee9188f9f92ec1369c29dee21d735758056c64d 100644 (file)
--- a/source/client/mount.cifs.c
+++ b/source/client/mount.cifs.c
@@ -199,6 +199,11 @@ static int open_cred_file(char * file_name)
        char * temp_val;
        FILE * fs;
        int i, length;
+
+       i = access(file_name, R_OK);
+       if (i)
+               return i;
+
        fs = fopen(file_name,"r");
        if(fs == NULL)
                return errno;
@@ -321,6 +326,12 @@ static int get_password_from_file(int file_descript, char * filename)
        }
 
        if(filename != NULL) {
+               rc = access(filename, R_OK);
+               if (rc) {
+                       fprintf(stderr, "mount.cifs failed: access check of %s failed: %s\n",
+                                       filename, strerror(errno));
+                       exit(EX_SYSERR);
+               }
                file_descript = open(filename, O_RDONLY);
                if(file_descript < 0) {
                        printf("mount.cifs failed. %s attempting to open password file %s\n",