cifs-utils.git
2 weeks ago cifs-utils: bump version to 6.9 [master] [cifs-utils-6.9]
Pavel Shilovsky [Fri, 5 Apr 2019 17:03:41 +0000 (10:03 -0700)]
cifs-utils: bump version to 6.9

Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
2 weeks ago smbinfo: use constant for input buffer length
Pavel Shilovsky [Fri, 5 Apr 2019 17:01:48 +0000 (10:01 -0700)]
smbinfo: use constant for input buffer length

Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
2 weeks ago Fix authors and maintainers
Pavel Shilovsky [Fri, 5 Apr 2019 16:40:29 +0000 (09:40 -0700)]
Fix authors and maintainers

Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
2 weeks ago mount.cifs.rst: mention kernel version for snapshots
Pavel Shilovsky [Thu, 4 Apr 2019 16:25:30 +0000 (16:25 +0000)]
mount.cifs.rst: mention kernel version for snapshots

Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Reviewed-by: Paulo Alcantara <palcantara@suse.de>
2 weeks ago Update man page for mount.cifs to add new options
Steve French [Thu, 4 Apr 2019 04:46:34 +0000 (23:46 -0500)]
Update man page for mount.cifs to add new options

Add description of "snapshot" and "handletimeout" mount
options and a security section noting that the use of
cifs is discouraged, and various minor updates.

Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Reviewed-by: Paulo Alcantara <palcantara@suse.de>
2 weeks ago mount.cifs: detect GMT format of snapshot version
Pavel Shilovsky [Wed, 3 Apr 2019 22:42:10 +0000 (22:42 +0000)]
mount.cifs: detect GMT format of snapshot version

In order to provide an easy way to access snapshots a GMT
token string should be allowed as a "snapshot" mount option
argument, not SMB 100-nanoseconds time only. Detect if the
argument is in GMT format and convert it to SMB 100-nanoseconds
time before passing to the kernel.

Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Reviewed-by: Paulo Alcantara <palcantara@suse.de>
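
The conversion this commit describes, as an added example rather than the mount.cifs code: accept either a raw value or a GMT token, validate the token strictly, and return SMB time. It assumes the standard `@GMT-YYYY.MM.DD-HH.MM.SS` token layout, SMB time counted in 100 ns units from 1601-01-01 UTC, and a raw value written in decimal; all function names are hypothetical.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Token layout; 'd' marks a position that must hold a decimal digit. */
#define GMT_TEMPLATE "@GMT-dddd.dd.dd-dd.dd.dd"
#define DAYS_1601_TO_1970 134774	/* days between the two epochs */
#define TICKS_PER_SEC 10000000ULL	/* 100 ns units per second */

/* Days since 1970-01-01 for a Gregorian date; avoids libc timezone state. */
static int64_t days_from_civil(int y, int m, int d)
{
	int64_t era, yoe, doy;

	y -= (m <= 2);
	era = (y >= 0 ? y : y - 399) / 400;
	yoe = y - era * 400;
	doy = (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1;
	return era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468;
}

static int days_in_month(int y, int m)
{
	static const int dim[] = {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
	int leap = (y % 4 == 0 && y % 100 != 0) || y % 400 == 0;

	return dim[m - 1] + (m == 2 && leap);
}

static int two_digits(const char *p)
{
	return (p[0] - '0') * 10 + (p[1] - '0');
}

/* Convert a GMT token to SMB time. Returns 0 on success, -1 if malformed. */
int gmt_token_to_smb_time(const char *tok, uint64_t *out)
{
	int year, mon, day, hour, min, sec;
	int64_t secs;
	size_t i;

	if (strlen(tok) != strlen(GMT_TEMPLATE))
		return -1;
	for (i = 0; GMT_TEMPLATE[i]; i++) {
		if (GMT_TEMPLATE[i] == 'd' ? !isdigit((unsigned char)tok[i])
					   : tok[i] != GMT_TEMPLATE[i])
			return -1;
	}
	year = two_digits(tok + 5) * 100 + two_digits(tok + 7);
	mon = two_digits(tok + 10);
	day = two_digits(tok + 13);
	hour = two_digits(tok + 16);
	min = two_digits(tok + 19);
	sec = two_digits(tok + 22);
	/* Reject dates before the SMB epoch and impossible calendar values. */
	if (year < 1601 || mon < 1 || mon > 12 || day < 1 ||
	    day > days_in_month(year, mon) || hour > 23 || min > 59 || sec > 59)
		return -1;

	secs = (days_from_civil(year, mon, day) + DAYS_1601_TO_1970) * 86400 +
	       hour * 3600 + min * 60 + sec;
	*out = (uint64_t)secs * TICKS_PER_SEC;
	return 0;
}

/* Accept "snapshot=" as either a GMT token or a raw decimal SMB time. */
int snapshot_arg_to_smb_time(const char *arg, uint64_t *out)
{
	unsigned long long v;
	char *end;

	if (strncmp(arg, "@GMT-", 5) == 0)
		return gmt_token_to_smb_time(arg, out);
	/* strtoull() alone would accept "-1" or leading blanks. */
	if (!isdigit((unsigned char)arg[0]))
		return -1;
	errno = 0;
	v = strtoull(arg, &end, 10);
	if (errno != 0 || *end != '\0')
		return -1;
	*out = v;
	return 0;
}

int main(int argc, char **argv)
{
	/* Constructed sample token, used when no argument is given. */
	const char *arg = argc > 1 ? argv[1] : "@GMT-2019.04.03-22.42.10";
	uint64_t t;

	if (snapshot_arg_to_smb_time(arg, &t) != 0) {
		fprintf(stderr, "bad snapshot argument: %s\n", arg);
		return 1;
	}
	printf("snapshot=%llu\n", (unsigned long long)t);
	return 0;
}
```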
2 weeks ago mount.cifs: add more options to help message
Pavel Shilovsky [Wed, 3 Apr 2019 19:24:33 +0000 (12:24 -0700)]
mount.cifs: add more options to help message

Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Reviewed-by: Paulo Alcantara <palcantara@suse.de>
2 weeks ago mount.cifs Add various missing parms from the help text
Steve French [Wed, 3 Apr 2019 02:18:27 +0000 (21:18 -0500)]
mount.cifs Add various missing parms from the help text

When you type mount.cifs --help there were more than 40 mount parms
missing. Add 12 of the more common ones to what is displayed by help.

Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Paulo Alcantara <palcantara@suse.de>
2 weeks ago smbinfo: make argument order consistent
Pavel Shilovsky [Tue, 2 Apr 2019 18:40:40 +0000 (11:40 -0700)]
smbinfo: make argument order consistent

Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Reviewed-by: Paulo Alcantara <palcantara@suse.de>
2 weeks ago smbinfo: Add ability to query snapshots (previous versions)
Steve French [Fri, 29 Mar 2019 08:05:55 +0000 (03:05 -0500)]
smbinfo: Add ability to query snapshots (previous versions)

 "smbinfo list-snapshots"

Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Reviewed-by: Paulo Alcantara <palcantara@suse.de>
2 weeks ago smbinfo: missing help for fsctl-getobjid
Steve French [Sat, 16 Mar 2019 20:42:40 +0000 (15:42 -0500)]
smbinfo: missing help for fsctl-getobjid

Add usage description for new option fsctl-getobjid

See section 2.1.3.1 of MS-FSCC

Signed-off-by: Steve French <stfrench@microsoft.com>
5 weeks ago cifs.upcall: fix a compiler warning
Pavel Shilovsky [Sat, 16 Mar 2019 19:34:13 +0000 (12:34 -0700)]
cifs.upcall: fix a compiler warning

Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
5 weeks ago smbinfo: add fsctl-getobjid support
Ronnie Sahlberg [Fri, 15 Mar 2019 06:22:15 +0000 (16:22 +1000)]
smbinfo: add fsctl-getobjid support

This will print the ObjectID buffer for the object.
This is an example on how to fetch FSCTL data for an object using
the passthrough API.

Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
6 weeks ago smbinfo: fix code style
Pavel Shilovsky [Sat, 9 Mar 2019 00:28:45 +0000 (16:28 -0800)]
smbinfo: fix code style

Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
6 weeks ago setcifsacl: fix adding ACE when owner sid in unexpected location
Steve French [Sat, 2 Mar 2019 05:11:25 +0000 (23:11 -0600)]
setcifsacl: fix adding ACE when owner sid in unexpected location

If owner information is after the ACEs instead of before (e.g. Azure servers) in the ACL query
then we would get "invalid argument" returned on setcifsacl -a (adding an ACE).

This fixes that.

Signed-off-by: Steve French <stfrench@microsoft.com>
6 weeks ago smbinfo: decode the ACEs
Ronnie Sahlberg [Fri, 1 Mar 2019 02:05:58 +0000 (12:05 +1000)]
smbinfo: decode the ACEs

Decode the most common ACE types and provide a [-V]erbose option
to show the individual mask bits by name.

Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
6 weeks ago getcifsacl: Improve help usage and add -h option.
Kenneth D'souza [Thu, 21 Feb 2019 05:09:25 +0000 (10:39 +0530)]
getcifsacl: Improve help usage and add -h option.

Call getcifsacl_usage only for -h and default case.
For others error out with appropriate message.

Signed-off-by: Kenneth D'souza <kdsouza@redhat.com>
6 weeks ago getcifsacl: Do not go to parse_sec_desc if getxattr fails.
Kenneth D'souza [Tue, 19 Feb 2019 01:43:43 +0000 (07:13 +0530)]
getcifsacl: Do not go to parse_sec_desc if getxattr fails.

Add more to the error message by printing the filename and error.

Signed-off-by: Kenneth D'souza <kdsouza@redhat.com>
Reviewed-by: Steve French <stfrench@microsoft.com>
2 months ago mount.cifs.rst: update vers=3.1.1 option description
Pavel Shilovsky [Fri, 15 Feb 2019 20:03:44 +0000 (12:03 -0800)]
mount.cifs.rst: update vers=3.1.1 option description

Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
2 months ago Update mount.cifs with vers=default mount option and SMBv3.0.2
Kenneth D'souza [Fri, 15 Feb 2019 02:22:48 +0000 (07:52 +0530)]
Update mount.cifs with vers=default mount option and SMBv3.0.2

Add vers=3.0.2 as a valid option for SMBv3.0.2 and explain behavior
of vers=default.

Signed-off-by: Kenneth D'souza <kdsouza@redhat.com>
2 months ago Added rst2man.py to the search list.
Hank Leininger [Tue, 12 Feb 2019 01:42:51 +0000 (18:42 -0700)]
Added rst2man.py to the search list.

Gentoo Linux and (historically?) OSX install with the .py suffix.

Signed-off-by: Hank Leininger <hlein@korelogic.com>
2 months ago mount.cifs: be more verbose and helpful regarding mount errors
Aurelien Aptel [Thu, 14 Feb 2019 11:15:44 +0000 (12:15 +0100)]
mount.cifs: be more verbose and helpful regarding mount errors

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
2 months ago cifs: Allow DNS resolver key to expire
Paulo Alcantara [Wed, 13 Feb 2019 18:09:41 +0000 (16:09 -0200)]
cifs: Allow DNS resolver key to expire

This patch introduces a new '--expire' option that allows the user to
set a timeout value for the dns resolver key -- which is typically
useful for hostnames that may get their ip addresses changed under
long running mounts.

The default timeout value is set to 10 minutes.

Signed-off-by: Paulo Alcantara <palcantara@suse.de>
2 months ago smbinfo: add FileFsFullSizeInformation
Ronnie Sahlberg [Wed, 13 Feb 2019 05:47:37 +0000 (15:47 +1000)]
smbinfo: add FileFsFullSizeInformation

Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
2 months ago smbinfo: Update the usage text with the new infolevels
Ronnie Sahlberg [Wed, 13 Feb 2019 05:47:36 +0000 (15:47 +1000)]
smbinfo: Update the usage text with the new infolevels

Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
2 months ago smbinfo: update help text
Steve French [Tue, 29 Jan 2019 13:03:01 +0000 (07:03 -0600)]
smbinfo: update help text

Add description for fileallinfo query option.

Note that there are eight other recently added query options, but they
are mostly a subset of "fileallinfo" so could be of little value
(and may even be very confusing if we documented all nine in the
help text in smbinfo, instead of just this one).  The man page
has a full description of them.

Signed-off-by: Steve French <stfrench@microsoft.com>
2 months ago smbinfo: Add more File*Information classes
Ronnie Sahlberg [Tue, 29 Jan 2019 06:53:57 +0000 (16:53 +1000)]
smbinfo: Add more File*Information classes

Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
2 months ago smbinfo.rst: document kernel version
Aurelien Aptel [Thu, 24 Jan 2019 17:13:56 +0000 (18:13 +0100)]
smbinfo.rst: document kernel version

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
5 months ago smbinfo: add a utility to display smb specific information about objects
Ronnie Sahlberg [Wed, 3 Oct 2018 00:42:03 +0000 (10:42 +1000)]
smbinfo: add a utility to display smb specific information about objects

For example
  smbinfo secdesc <file> will print the security descriptor
  smbinfo quota <file> will print the quotas for the volume

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
8 months ago mount.cifs.rst: document vers=3.02 mount option
Pavel Shilovsky [Fri, 17 Aug 2018 18:13:45 +0000 (11:13 -0700)]
mount.cifs.rst: document vers=3.02 mount option

Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
8 months ago mount.cifs.rst: document vers=3 mount option
Pavel Shilovsky [Fri, 17 Aug 2018 18:08:58 +0000 (11:08 -0700)]
mount.cifs.rst: document vers=3 mount option

Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
8 months ago mount.cifs.rst: more cleanups
Aurelien Aptel [Wed, 8 Aug 2018 09:38:16 +0000 (11:38 +0200)]
mount.cifs.rst: more cleanups

* remove duplicates (netbiosname, rdma)
* remove snapshot
* document nostrictsync, domain, domainauto better
* point to vers= when talking about version requirements
* typos

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
8 months ago checkopts: report duplicated options in man page
Aurelien Aptel [Wed, 8 Aug 2018 09:38:15 +0000 (11:38 +0200)]
checkopts: report duplicated options in man page

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
8 months ago cifs-utils: support rst2man-3
Alexander Bokovoy [Tue, 17 Jul 2018 10:12:44 +0000 (13:12 +0300)]
cifs-utils: support rst2man-3

Python3 version of rst2man is called rst2man-3

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
9 months ago mount.cifs.rst: document missing options, correct wrong ones
Aurélien Aptel [Tue, 10 Jul 2018 15:50:43 +0000 (17:50 +0200)]
mount.cifs.rst: document missing options, correct wrong ones

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
9 months ago checkopts: add python script to cross check mount options
Aurélien Aptel [Tue, 10 Jul 2018 15:50:42 +0000 (17:50 +0200)]
checkopts: add python script to cross check mount options

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
9 months ago manpage: update mount.cifs manpage with info about rdma option
Kenneth Dsouza [Fri, 13 Jul 2018 18:19:59 +0000 (23:49 +0530)]
manpage: update mount.cifs manpage with info about rdma option

Signed-off-by: Kenneth Dsouza <kdsouza@redhat.com>
9 months ago mount.cifs.rst: document new (no)handlecache mount option
Aurelien Aptel [Tue, 15 May 2018 08:40:48 +0000 (10:40 +0200)]
mount.cifs.rst: document new (no)handlecache mount option

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Steve French <smfrench@gmail.com>
Reviewed-by: Pavel Shilovsky <piastryyy@gmail.com>
9 months ago docs: cleanup rst formatting
Aurelien Aptel [Tue, 15 May 2018 08:12:32 +0000 (10:12 +0200)]
docs: cleanup rst formatting

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Steve French <smfrench@gmail.com>
Reviewed-by: Pavel Shilovsky <piastryyy@gmail.com>
13 months ago cifs-utils: bump version to 6.8 [cifs-utils-6.8]
Pavel Shilovsky [Fri, 9 Mar 2018 18:56:57 +0000 (10:56 -0800)]
cifs-utils: bump version to 6.8

Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
13 months ago update mount.cifs manpage with info about echo_interval option.
Kenneth Dsouza [Mon, 29 Jan 2018 16:46:08 +0000 (22:16 +0530)]
update mount.cifs manpage with info about echo_interval option.

Adds information regarding reconnection time.

Acked-by: Sachin Prabhu <sprabhu@redhat.com>
Signed-off-by: Kenneth D'souza <kdsouza@redhat.com>
13 months ago cifscreds: check optind before accessing argv[optind]
Ronnie Sahlberg [Tue, 23 Jan 2018 00:48:01 +0000 (11:48 +1100)]
cifscreds: check optind before accessing argv[optind]

Redhat bugzilla: 1278543

This fixes a segfault for some incorrect usage, for example
   cifscreds -u test

Reviewed-by: Steve French <smfrench@gmail.com>
Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
13 months ago manpage: update mount.cifs manpage with info about incomplete options
Zhang Xianwei [Fri, 8 Dec 2017 07:11:45 +0000 (15:11 +0800)]
manpage: update mount.cifs manpage with info about incomplete options

This commit a1f3acd40b265f134a97a739a6898b3958d206b9 modified mount
parameters, but did not update the mount.cifs manpage. Fix it.

Signed-off-by: Zhang Xianwei <zhang.xianwei8@zte.com.cn>
17 months ago manpage: update mount.cifs manpage with info about default version being mounted
Jeff Layton [Sun, 29 Oct 2017 10:51:50 +0000 (06:51 -0400)]
manpage: update mount.cifs manpage with info about default version being mounted

Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
17 months ago doc: convert pod files to rst
Jeff Layton [Mon, 23 Oct 2017 17:46:33 +0000 (13:46 -0400)]
doc: convert pod files to rst

Aurelien did a big conversion of raw troff files into .pod docs in a
recent patch. That worked out pretty well, but I have some reservations
about using POD as a canonical format.

While it does make it pretty simple to write manpages, it's sort of an
obscure format, and is heavily associated with perl.  Meanwhile, the
kernel is slowly moving to using ReStructured Text as its documentation
format. Given the simplicity of the cifs-utils manpages, I think we're
better suited to using rst as a canonical format, rather than pod.

This patch converts all of the .pod files in the code to .rst files,
and fixes the Makefile and autoconf to use the correct tools to turn
those into manpages.

The conversion was done with the pod2rst script, with some by-hand
modifications at the end to clean up the formatting and add the manual
section numbers. It's not perfect and could probably use a second pass
to clean up the warts in the formatting, but the content is all intact
and it should be readable.

Finally, convert the makefile rules to use standard SUFFIX rules
instead of the non-portable GNU make % style extension rules. We don't
really expect anyone to use anything other than GNU make here, but
this silences an automake warning.

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
18 months ago man: generate all man pages from POD files when building
Aurelien Aptel [Fri, 29 Sep 2017 14:03:03 +0000 (16:03 +0200)]
man: generate all man pages from POD files when building

Move all man pages to easily editable POD files and generate troff
source when building.

Previous .in troff files are still preprocessed before final generation
to use configured path (.pod.in -> .pod -> troff). All temporary
files (.pod.in and troff sources) are properly deleted on clean.

Remove all troff files, no need to keep generated copies under source
control.

This commit does not change the content of the man pages but makes
future editing easier.

Adds a new --enable-man/--disable-man configure option to control the
generation and installation of man pages. The option is automatically
enabled if the system supports it. Explicitly enabling it will make the
configure script fail if pod2man is not installed.

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
19 months ago cifs: setcifsacl - Send the actual (security descriptor) buffer size instead of the...
Shirish Pargaonkar [Wed, 30 Aug 2017 11:29:52 +0000 (06:29 -0500)]
cifs: setcifsacl - Send the actual (security descriptor) buffer size instead of the pre-allocated size

Some SMB servers such as HDS HNAS (Hitachi NAS) return error
NT Status: STATUS_INVALID_SECURITY_DESCR (0xc0000079)
during set cifs acl operation.

This happens due to mismatch in the size of actual security descriptor
being set versus the size of the security descriptor stated in the request.

Instead of sending allocated buffer size of a security descriptor,
send the actual size of the security descriptor during set cifs acl
operation.

Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
19 months ago mount.cifs: add fallthrough comments on fmask/dmask option cases
Jeff Layton [Sun, 27 Aug 2017 10:01:12 +0000 (06:01 -0400)]
mount.cifs: add fallthrough comments on fmask/dmask option cases

...to silence a couple of compiler warnings.

Signed-off-by: Jeff Layton <jlayton@samba.org>
23 months ago mount.cifs: document SMBv3.1.1 and new seal option
Aurelien Aptel [Fri, 21 Apr 2017 14:59:50 +0000 (16:59 +0200)]
mount.cifs: document SMBv3.1.1 and new seal option

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
2 years ago manpage: correct typos and spelling mistakes
Aurelien Aptel [Wed, 15 Feb 2017 17:10:09 +0000 (18:10 +0100)]
manpage: correct typos and spelling mistakes

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
2 years ago mount.cifs: Remove data_blob.h include
Thomas Witt [Wed, 15 Mar 2017 20:20:44 +0000 (20:20 +0000)]
mount.cifs: Remove data_blob.h include

data_blob.h includes talloc.h from libtalloc, but that is only marked as
a dependency for cifs.upcall. No symbols from that header are used by
cifs.mount, so remove it to avoid the libtalloc dependency

Signed-off-by: Thomas Witt <pyromaniac@exherbo.org>
2 years ago cifs-utils: bump version to 6.7 [cifs-utils-6.7]
Jeff Layton [Thu, 2 Mar 2017 16:51:05 +0000 (11:51 -0500)]
cifs-utils: bump version to 6.7

Signed-off-by: Jeff Layton <jlayton@samba.org>
2 years ago cifs.upcall: use a MEMORY: ccache when instantiating from a keytab
Jeff Layton [Fri, 24 Feb 2017 15:48:57 +0000 (10:48 -0500)]
cifs.upcall: use a MEMORY: ccache when instantiating from a keytab

Using a more permanent ccache is potentially problematic when we're
instantiating a new one. We might be operating under different creds
than expected. Just use a MEMORY: ccache since we don't need it to
last longer than the life of the upcall anyway.

Reported-and-Tested-by: Chad William Seys <cwseys@physics.wisc.edu>
Signed-off-by: Jeff Layton <jlayton@samba.org>
2 years ago cifs.upcall: don't do env scraping when uid is 0
Jeff Layton [Thu, 23 Feb 2017 21:50:43 +0000 (16:50 -0500)]
cifs.upcall: don't do env scraping when uid is 0

Setuid programs triggering upcalls could trick the program here. Also,
the d_automount method is done with credentials overridden so you
can end up with mismatched creds and env vars due to that as well.

It's a hack, but the only recourse I can see is to avoid doing this
when the uid is 0. That means we can't rely on finding root credcaches
in alternate locations using $KRB5CCNAME, but I think that's the best
we can do.

Reported-and-Tested-by: Chad William Seys <cwseys@physics.wisc.edu>
Signed-off-by: Jeff Layton <jlayton@samba.org>
2 years ago cifs.upcall: unset $KRB5CCNAME when creating new credcache from keytab
Jeff Layton [Thu, 23 Feb 2017 23:28:24 +0000 (18:28 -0500)]
cifs.upcall: unset $KRB5CCNAME when creating new credcache from keytab

We don't want to trust $KRB5CCNAME when creating or updating a new
credcache since we could be operating under the wrong credentials.
Always create new credcaches in the default location instead.

Reported-by: Chad William Seys <cwseys@physics.wisc.edu>
Signed-off-by: Jeff Layton <jlayton@samba.org>
2 years ago data_blob: Eliminate _PUBLIC_
Jeff Layton [Fri, 24 Feb 2017 00:14:07 +0000 (19:14 -0500)]
data_blob: Eliminate _PUBLIC_

It's defined to nothing anyway.

Signed-off-by: Jeff Layton <jlayton@samba.org>
2 years ago treewide: Eliminate SAFE_FREE
Jeff Layton [Fri, 24 Feb 2017 00:09:12 +0000 (19:09 -0500)]
treewide: Eliminate SAFE_FREE

It just frees and then zeroes out the pointer. That's of dubious
value in the places where it's currently being used. Just use
free() instead.

Signed-off-by: Jeff Layton <jlayton@samba.org>
2 years ago replace.h: remove it
Jeff Layton [Fri, 24 Feb 2017 00:21:56 +0000 (19:21 -0500)]
replace.h: remove it

Nothing uses it now.

Signed-off-by: Jeff Layton <jlayton@samba.org>
2 years ago cifs.upcall: remove need for replace.h
Jeff Layton [Thu, 23 Feb 2017 23:58:17 +0000 (18:58 -0500)]
cifs.upcall: remove need for replace.h

Take just what we need from replace.h and move it to cifs.upcall.c.

Signed-off-by: Jeff Layton <jlayton@samba.org>
2 years ago spengo.c/asn1.c: remove need for replace.h
Jeff Layton [Fri, 24 Feb 2017 01:56:27 +0000 (20:56 -0500)]
spengo.c/asn1.c: remove need for replace.h

Just need stdbool.h instead.

Signed-off-by: Jeff Layton <jlayton@samba.org>
2 years ago data_blob: remove need for replace.h
Jeff Layton [Thu, 23 Feb 2017 23:49:59 +0000 (18:49 -0500)]
data_blob: remove need for replace.h

We only need ZERO_STRUCT there.

Signed-off-by: Jeff Layton <jlayton@samba.org>
2 years ago cifs.upcall: trim even more capabilities
Jeff Layton [Thu, 16 Feb 2017 14:55:45 +0000 (09:55 -0500)]
cifs.upcall: trim even more capabilities

We really only need CAP_DAC_READ_SEARCH, not CAP_DAC_OVERRIDE, and
only when we are going to probe the environ file.

Also, fix the non-libcap-ng trim_capabilities prototype.

Reviewed-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
2 years ago cifs.upcall: allow scraping of KRB5CCNAME out of initiating task's /proc/<pid>/enviro...
Jeff Layton [Sat, 11 Feb 2017 13:38:46 +0000 (08:38 -0500)]
cifs.upcall: allow scraping of KRB5CCNAME out of initiating task's /proc/<pid>/environ file

Chad reported that he was seeing a regression in cifs-utils-6.6. Prior
to that, cifs.upcall was able to find credcaches in non-default FILE:
locations, but with the rework of that code, that ability was lost.

Unfortunately, the krb5 library design doesn't really take into account
the fact that we might need to find a credcache in a process that isn't
descended from the session.

When the kernel does an upcall, it passes several bits of info about the
task that initiated the upcall. One of those things is the PID (the
tgid, in particular). We can use that info to reach into the
/proc/<pid>/environ file for the process, and grab whatever value of
$KRB5CCNAME is there.

Then, after switching credentials, set $KRB5CCNAME in the environment
to the same value before opening the credcache, to hint to the krb5
libs where they ought to look.

This new behavior is on by default, but can be disabled by having
request-key pass a '-E' flag to cifs.upcall.

Reported-by: Chad William Seys <cwseys@physics.wisc.edu>
Signed-off-by: Jeff Layton <jlayton@samba.org>
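
An added sketch (not cifs.upcall code) of the lookup this commit describes: find KRB5CCNAME in a NUL-separated buffer as read from /proc/<pid>/environ, honouring the two opt-outs that appear in this log, the '-E' flag here and the separate commit that skips scraping when the uid is 0. Function names and the sample buffer are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed sample of a /proc/<pid>/environ image: NUL-separated records.
 * The second record only ends in the wanted name and must not match. */
static const char sample[] =
	"HOME=/home/alice\0"
	"XKRB5CCNAME=FILE:/tmp/decoy\0"
	"KRB5CCNAME=FILE:/tmp/krb5cc_1000\0"
	"PATH=/usr/bin";

/*
 * Copy the value of `name` from an environ image into `out`.
 * Returns 0 when found, -1 when absent, truncated or too long for `out`.
 */
int environ_lookup(const char *buf, size_t len, const char *name,
		   char *out, size_t outlen)
{
	size_t nlen = strlen(name);
	size_t pos = 0;

	while (pos < len) {
		const char *rec = buf + pos;
		const char *end = memchr(rec, '\0', len - pos);
		size_t rlen;

		/* A record without its NUL was cut short by the read:
		 * its value cannot be trusted, so stop here. */
		if (end == NULL)
			return -1;
		rlen = (size_t)(end - rec);

		/* Match "NAME=" exactly at the start of the record. */
		if (rlen > nlen && rec[nlen] == '=' &&
		    memcmp(rec, name, nlen) == 0) {
			size_t vlen = rlen - nlen - 1;

			if (vlen + 1 > outlen)
				return -1;	/* refuse to truncate a path */
			memcpy(out, rec + nlen + 1, vlen + 1);
			return 0;
		}
		pos += rlen + 1;
	}
	return -1;
}

/*
 * Policy wrapper: `env_probe` is false when '-E' was passed, and the
 * environment of the initiating task is never consulted for uid 0.
 */
int scrape_ccname(uid_t uid, bool env_probe, const char *buf, size_t len,
		  char *out, size_t outlen)
{
	if (!env_probe || uid == 0)
		return -1;
	return environ_lookup(buf, len, "KRB5CCNAME", out, outlen);
}

int main(void)
{
	char ccname[128];

	if (scrape_ccname(1000, true, sample, sizeof(sample),
			  ccname, sizeof(ccname)) == 0)
		printf("uid 1000: KRB5CCNAME=%s\n", ccname);
	if (scrape_ccname(0, true, sample, sizeof(sample),
			  ccname, sizeof(ccname)) != 0)
		printf("uid 0: environment not consulted\n");
	return 0;
}
```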
2 years ago cifs.upcall: drop capabilities early in program
Jeff Layton [Wed, 15 Feb 2017 15:00:45 +0000 (10:00 -0500)]
cifs.upcall: drop capabilities early in program

Much of cifs.upcall can and should be run without elevated privileges.
On entry into the program, drop as many capabilities as we can get away
with, and then always drop any remaining caps after calling setuid().

Signed-off-by: Jeff Layton <jlayton@samba.org>
2 years ago cifs.upcall: switch group IDs when handling an upcall
Jeff Layton [Mon, 13 Feb 2017 13:33:02 +0000 (08:33 -0500)]
cifs.upcall: switch group IDs when handling an upcall

Currently, we leave the group ID alone, but in a later patch we'll be
changing cifs.upcall to scrape $KRB5CCNAME out of the originating
process. At that point, we want to be a little more careful with the
process credentials we'll be using.

After we get the uid, do a getpwuid and grab the default gid for the
user. Then use setgid to set it before calling setuid.

Signed-off-by: Jeff Layton <jlayton@samba.org>
2 years ago cifs.upcall: convert two flags from int to bool
Jeff Layton [Sun, 12 Feb 2017 14:36:12 +0000 (09:36 -0500)]
cifs.upcall: convert two flags from int to bool

Signed-off-by: Jeff Layton <jlayton@samba.org>
2 years ago manpage: document mfsymlinks in the mount.cifs man page
Sachin Prabhu [Wed, 4 Jan 2017 12:45:17 +0000 (07:45 -0500)]
manpage: document mfsymlinks in the mount.cifs man page

Information from the cifs README in the kernel sources is used.

Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
2 years ago mount.cifs: Remove unneeded stdbool header include
Germano Percossi [Fri, 18 Nov 2016 18:54:52 +0000 (18:54 +0000)]
mount.cifs: Remove unneeded stdbool header include

Signed-off-by: Germano Percossi <germano.percossi@citrix.com>
2 years ago mount.cifs: Fixed command line parsing and aligned with kernel
Germano Percossi [Fri, 18 Nov 2016 18:54:51 +0000 (18:54 +0000)]
mount.cifs: Fixed command line parsing and aligned with kernel

The way token matching was done was consuming the parameters namespace
quickly.  For example, anything starting with "dom" was interpreted with
domain, while it could have been a completely different word.  The same
is true even for "ro".

Moreover, many perfectly valid options like "addr" were not accepted.

The cifs kernel module is very strict when it comes to names: 'dom' and
'domain' are valid while 'domai' is not, so the userspace tool needs to
comply otherwise it becomes very difficult to come up with new names for
options.

Now, checking is strict and as close as possible to kernel.  When it is
not, it is just to avoid breaking compatibility with some users.
However, workg has been removed because it is too lazy and undocumented.

The only variable left without strict checking is 'x-' because the
intent is to ignore anything starting in that way

Signed-off-by: Germano Percossi <germano.percossi@citrix.com>
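
Added example, not mount.cifs source: a simplified prefix matcher of the kind this message describes, beside an exact-name matcher that keeps only the "x-" prefix rule, both run over a constructed option string. The token names, the table contents and the options "domai" and "rotate" are illustrative assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum tok { TOK_UNKNOWN, TOK_DOMAIN, TOK_RO, TOK_ADDR, TOK_IGNORE };

/* Constructed option string: "domai" and "rotate" are not real options. */
static const char sample_opts[] =
	"ro,domain=CORP,domai=X,rotate=1,addr=192.0.2.10,x-systemd.automount";

/* Prefix matching: any name that merely starts with a known stem is
 * claimed by it, so "domai" and "rotate" are silently accepted. */
enum tok match_prefix(const char *opt)
{
	if (strncmp(opt, "dom", 3) == 0)
		return TOK_DOMAIN;
	if (strncmp(opt, "ro", 2) == 0)
		return TOK_RO;
	return TOK_UNKNOWN;
}

static const struct {
	const char *name;
	enum tok tok;
} strict_table[] = {
	{ "dom", TOK_DOMAIN },
	{ "domain", TOK_DOMAIN },
	{ "ro", TOK_RO },
	{ "addr", TOK_ADDR },
	{ "_netdev", TOK_IGNORE },
};

/* Strict matching: the whole name (up to '=' or ',') must equal a table
 * entry. The only prefix rule left is "x-", which is always ignored. */
enum tok match_strict(const char *opt)
{
	size_t n = strcspn(opt, "=,");
	size_t i;

	if (strncmp(opt, "x-", 2) == 0)
		return TOK_IGNORE;
	for (i = 0; i < sizeof(strict_table) / sizeof(strict_table[0]); i++) {
		if (strlen(strict_table[i].name) == n &&
		    memcmp(opt, strict_table[i].name, n) == 0)
			return strict_table[i].tok;
	}
	return TOK_UNKNOWN;
}

/* Count the options in a comma-separated list that `match` maps to `want`.
 * Values containing commas are out of scope for this sketch. */
int count_matches(const char *opts, enum tok (*match)(const char *),
		  enum tok want)
{
	const char *p = opts;
	int count = 0;

	while (*p != '\0') {
		if (match(p) == want)
			count++;
		p += strcspn(p, ",");
		if (*p == ',')
			p++;
	}
	return count;
}

int main(void)
{
	printf("prefix: domain=%d ro=%d unknown=%d\n",
	       count_matches(sample_opts, match_prefix, TOK_DOMAIN),
	       count_matches(sample_opts, match_prefix, TOK_RO),
	       count_matches(sample_opts, match_prefix, TOK_UNKNOWN));
	printf("strict: domain=%d ro=%d addr=%d ignored=%d unknown=%d\n",
	       count_matches(sample_opts, match_strict, TOK_DOMAIN),
	       count_matches(sample_opts, match_strict, TOK_RO),
	       count_matches(sample_opts, match_strict, TOK_ADDR),
	       count_matches(sample_opts, match_strict, TOK_IGNORE),
	       count_matches(sample_opts, match_strict, TOK_UNKNOWN));
	return 0;
}
```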
2 years ago mount.cifs: Accept empty domains on the command line
Germano Percossi [Fri, 18 Nov 2016 18:54:50 +0000 (18:54 +0000)]
mount.cifs: Accept empty domains on the command line

If we do not allow empty domains on the command line we are preventing
the kernel module from taking different actions if the domain has not
been specified at all or just passed empty.

In fact, with this fix the cifs module behaves differently once an empty
domain is passed: the find_domain_name function is not invoked when an
empty domain is passed.

It is possible to pass both 'domain=' or 'domain=""' even though the
kernel module will accept the former only when associated with the
sloppy option.

Signed-off-by: Germano Percossi <germano.percossi@citrix.com>
2 years ago mount.cifs: Removed extra comma in front of domain
Germano Percossi [Fri, 18 Nov 2016 18:54:49 +0000 (18:54 +0000)]
mount.cifs: Removed extra comma in front of domain

Signed-off-by: Germano Percossi <germano.percossi@citrix.com>
2 years ago cifs-utils: bump version to 6.6.1 for pre-release builds
Jeff Layton [Sun, 27 Nov 2016 11:28:29 +0000 (06:28 -0500)]
cifs-utils: bump version to 6.6.1 for pre-release builds

Signed-off-by: Jeff Layton <jlayton@samba.org>
2 years ago autoconf: set version to 6.6 [cifs-utils-6.6]
Jeff Layton [Fri, 2 Sep 2016 01:06:33 +0000 (21:06 -0400)]
autoconf: set version to 6.6

Signed-off-by: Jeff Layton <jlayton@samba.org>
2 years ago cifs.upcall: stop passing around ccache name strings
Jeff Layton [Wed, 24 Aug 2016 16:56:54 +0000 (12:56 -0400)]
cifs.upcall: stop passing around ccache name strings

Instead, get a ccache handle and pass that around. That way we can keep
the cache open until the program is complete as well.

Signed-off-by: Jeff Layton <jlayton@samba.org>
2 years ago cifs.upcall: make get_tgt_time take a ccache arg
Jeff Layton [Wed, 24 Aug 2016 15:41:53 +0000 (11:41 -0400)]
cifs.upcall: make get_tgt_time take a ccache arg

...instead of dealing with the ccname. Push resolution of the cache
into the caller.

Signed-off-by: Jeff Layton <jlayton@samba.org>
2 years ago cifs.upcall: remove KRB5_TC_OPENCLOSE
Jeff Layton [Wed, 24 Aug 2016 15:39:06 +0000 (11:39 -0400)]
cifs.upcall: remove KRB5_TC_OPENCLOSE

The header file says that this is deprecated, and all of the info I've
seen about it mentioned that it was for performance more than
correctness. It dates back to the original code dump from Igor, so I
think we're safe to just drop it at this point.

Signed-off-by: Jeff Layton <jlayton@samba.org>
2 years ago cifs.upcall: make the krb5_context a static global variable
Jeff Layton [Mon, 22 Aug 2016 11:34:21 +0000 (07:34 -0400)]
cifs.upcall: make the krb5_context a static global variable

There's no need to keep initing a new context for every function. Just
do it once and reuse as needed.

Signed-off-by: Jeff Layton <jlayton@samba.org>
2 years ago cifs.upcall: use krb5 routines to get default ccname
Jeff Layton [Sun, 21 Aug 2016 13:42:59 +0000 (09:42 -0400)]
cifs.upcall: use krb5 routines to get default ccname

Currently we end up groveling around in /tmp, trying to guess what the
credcache will be. Instead, just get the default ccname for the user,
and then see if it has a valid tgt. If it doesn't then we try to use
the keytab to init the credcache before proceeding.

Signed-off-by: Jeff Layton <jlayton@samba.org>
2 years ago aclocal: fix typo in idmap.m4
Jeff Layton [Tue, 12 Jul 2016 20:53:25 +0000 (16:53 -0400)]
aclocal: fix typo in idmap.m4

We really don't want to do the same check twice.

Signed-off-by: Jeff Layton <jlayton@samba.org>
2 years ago autoconf: set package version to 6.5.1 for interim builds
Jeff Layton [Tue, 12 Jul 2016 20:54:04 +0000 (16:54 -0400)]
autoconf: set package version to 6.5.1 for interim builds

Signed-off-by: Jeff Layton <jlayton@samba.org>
3 years ago autoconf: set version to 6.5 [cifs-utils-6.5]
Jeff Layton [Mon, 22 Feb 2016 15:31:25 +0000 (10:31 -0500)]
autoconf: set version to 6.5

Signed-off-by: Jeff Layton <jlayton@samba.org>
3 years ago autoconf: Use $(DEFS) when building idmapwb.so and pam_cifscreds.so
Sachin Prabhu [Fri, 8 Jan 2016 12:24:39 +0000 (17:54 +0530)]
autoconf: Use $(DEFS) when building idmapwb.so and pam_cifscreds.so

We should pass the macros defined in $(DEFS) when building idmapwb.so
and pam_cifscreds.so. The autoconf process sets the macro HAVE_CONFIG_H
using the $(DEFS) variable. This macro has to be defined to allow the
source files to include config.h

Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
3 years ago mount.cifs: ignore x-* mount options
Karel Zak [Thu, 7 Jan 2016 10:02:49 +0000 (11:02 +0100)]
mount.cifs: ignore x-* mount options

x-* prefix is used for userspace mount options and it's pretty
commonly used to extend fstab configuration in systemd world (e.g.
x-systemd.automount). These options need to be ignored.

The command mount(8) does not pass x-* mount options to mount.<type>
helpers, but in some use-cases it's possible that the cifs helper reads
mount options from fstab or users directly call mount.cifs and copy & paste
mount options, etc.

This patch marks all options prefixed by "x-" as OPT_IGNORE to make
things more robust for end-users. We already use the same concept for
_netdev.

Signed-off-by: Karel Zak <kzak@redhat.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
3 years ago manpage: clarify use of backupuid and backupgid in mount.cifs.8
Uri Simchoni [Thu, 19 Nov 2015 19:48:15 +0000 (21:48 +0200)]
manpage: clarify use of backupuid and backupgid in mount.cifs.8

Assert that backup intent shall only be attempted if the user matches
the backupuid or backupgid parameter.

Signed-off-by: Uri Simchoni <uri@samba.org>
Signed-off-by: Jeff Layton <jlayton@samba.org>
4 years ago mtab.c: include <paths.h> for _PATH_MOUNTED
Felix Janda [Fri, 5 Dec 2014 22:19:29 +0000 (23:19 +0100)]
mtab.c: include <paths.h> for _PATH_MOUNTED

Signed-off-by: Felix Janda <felix.janda@posteo.de>
4 years ago autoconf: set version to 6.4.1 for interim builds
Jeff Layton [Mon, 8 Dec 2014 11:09:44 +0000 (06:09 -0500)]
autoconf: set version to 6.4.1 for interim builds

Signed-off-by: Jeff Layton <jlayton@samba.org>
4 years ago autoconf: set version to 6.4 cifs-utils-6.4
Jeff Layton [Fri, 11 Jul 2014 15:14:06 +0000 (11:14 -0400)]
autoconf: set version to 6.4

Signed-off-by: Jeff Layton <jlayton@samba.org>
4 years ago mount.cifs: on 2nd try mount.cifs must also uppercase "orig_dev"
Guenter Kukkukk [Tue, 1 Jul 2014 15:43:55 +0000 (17:43 +0200)]
mount.cifs: on 2nd try mount.cifs must also uppercase "orig_dev"

Recent kernels now ignore "unc=..." mount option. mount.cifs, when
getting errno=ENXIO, retries the mount with uppercased hostname,
sharename and prefixpath in the "unc=..." mount option, which is ignored
now in the kernel. Used e.g. during OS/2 mounts, which fail now.

Also uppercase the now used "orig_dev" parameter.

Signed-off-by: Guenter Kukkukk <kukks@samba.org>
5 years ago cifscreds: better error handling for key_add
Jeff Layton [Mon, 21 Apr 2014 00:41:05 +0000 (20:41 -0400)]
cifscreds: better error handling for key_add

If the string buffers would have been overrun, set errno to EINVAL
before returning. Then, have the callers report the errors to
stderr or syslog as appropriate.

Cc: Sebastian Krahmer <krahmer@suse.de>
Signed-off-by: Jeff Layton <jlayton@samba.org>
5 years ago cifscreds: better error handling when key_search fails
Jeff Layton [Mon, 21 Apr 2014 00:41:05 +0000 (20:41 -0400)]
cifscreds: better error handling when key_search fails

If we ended up getting a bogus string that would have overflowed, then
make key_search set errno to EINVAL before returning. The callers can
then test to see if the returned error is what was expected or something
else and handle it appropriately.

Cc: Sebastian Krahmer <krahmer@suse.de>
Signed-off-by: Jeff Layton <jlayton@samba.org>
5 years ago cifskey: better use snprintf()
Sebastian Krahmer [Mon, 14 Apr 2014 09:39:41 +0000 (11:39 +0200)]
cifskey: better use snprintf()

Prefer snprintf() over sprintf() in cifskey.c
Projects that fork the code (pam_cifscreds) can't rely on
the max-size parameters.

[jlayton: removed unneeded initialization of "len" in key_add]

Signed-off-by: Sebastian Krahmer <krahmer@suse.de>
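The pattern described in the three commits above (snprintf() instead of sprintf(), errno set to EINVAL on overrun, callers reporting the error), as an added example that is not code from cifs-utils. The function names, the "cifs:<type>:<addr>" format, the buffer size and the sample addresses are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define DESC_MAX 32   /* assumed size for this example */

/* Hypothetical helper (format assumed): write "cifs:<type>:<addr>" into out.
 * Returns 0, or -1 with errno = EINVAL when the result would not fit. */
static int build_desc(char *out, size_t outlen, char type, const char *addr)
{
    int n = snprintf(out, outlen, "cifs:%c:%s", type, addr);

    /* n < 0: output error; n >= outlen: snprintf() truncated the result */
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen > 0)
            out[0] = '\0';    /* never hand back a truncated description */
        errno = EINVAL;
        return -1;
    }
    return 0;
}

/* Caller: tell the expected "too long" error apart from anything else. */
static int add_entry(const char *addr, char *msg, size_t msglen)
{
    char desc[DESC_MAX];

    if (build_desc(desc, sizeof(desc), 'a', addr) < 0) {
        if (errno == EINVAL)
            snprintf(msg, msglen, "address too long");
        else
            snprintf(msg, msglen, "error: %s", strerror(errno));
        return -1;
    }
    snprintf(msg, msglen, "ok: %s", desc);
    return 0;
}

int main(void)
{
    char msg[64];
    /* Constructed inputs: one that fits, one that would overrun desc[] */
    const char *in[] = { "192.0.2.10", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" };
    for (int i = 0; i < 2; i++) {
        int rc = add_entry(in[i], msg, sizeof(msg));
        fprintf(stderr, "%d %s\n", rc, msg);
    }
    return 0;
}
```

Because the size is passed at every call site, the check still holds if the helper is copied into another program with a smaller buffer.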
5 years ago cifs: use krb5_kt_default() to determine default keytab location
Jeff Layton [Mon, 7 Apr 2014 18:35:17 +0000 (14:35 -0400)]
cifs: use krb5_kt_default() to determine default keytab location

...don't assume that it's in /etc/krb5.keytab.

Reported-by: Konstantin Lepikhov <klepikho@redhat.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
5 years ago autoconf: allow PAM security install directory to be configurable
Lars Müller [Mon, 7 Apr 2014 18:35:10 +0000 (14:35 -0400)]
autoconf: allow PAM security install directory to be configurable

Allow the pam module install directory to be set at build time.

Signed-off-by: Jeff Layton <jlayton@samba.org>
5 years ago autoconf: set version to 6.3.1 for interim builds
Jeff Layton [Wed, 2 Apr 2014 14:21:10 +0000 (10:21 -0400)]
autoconf: set version to 6.3.1 for interim builds

Signed-off-by: Jeff Layton <jlayton@samba.org>
5 years ago autoconf: set version to 6.3 cifs-utils-6.3
Jeff Layton [Thu, 9 Jan 2014 16:19:53 +0000 (11:19 -0500)]
autoconf: set version to 6.3

Signed-off-by: Jeff Layton <jlayton@samba.org>
5 years ago manpage: add pam_cifscreds.8 man page
Orion Poplawski [Tue, 10 Dec 2013 21:09:26 +0000 (14:09 -0700)]
manpage: add pam_cifscreds.8 man page

Signed-off-by: Orion Poplawski <orion@nwra.com>
5 years ago cifscreds: fix up some whitespace, typos and build warnings in pam_cifscreds.c
Jeff Layton [Sat, 7 Dec 2013 11:52:26 +0000 (06:52 -0500)]
cifscreds: fix up some whitespace, typos and build warnings in pam_cifscreds.c

gcc -g -O2 -Wall -Wextra -D_FORTIFY_SOURCE=2 -fpie -pie -Wl,-z,relro,-z,now  -shared -fpic -o pam_cifscreds.so pam_cifscreds.c cifskey.c resolve_host.c util.c -lpam -lkeyutils
pam_cifscreds.c: In function ‘cleanup_free_password’:
pam_cifscreds.c:143:38: warning: unused parameter ‘ph’ [-Wunused-parameter]
 cleanup_free_password (pam_handle_t *ph, void *data, int pam_end_status)
                                      ^
pam_cifscreds.c:143:58: warning: unused parameter ‘pam_end_status’ [-Wunused-parameter]
 cleanup_free_password (pam_handle_t *ph, void *data, int pam_end_status)
                                                          ^
pam_cifscreds.c: In function ‘cifscreds_pam_update’:
pam_cifscreds.c:271:8: warning: variable ‘addrs’ set but not used [-Wunused-but-set-variable]
  char *addrs[16];
        ^
pam_cifscreds.c: In function ‘pam_sm_authenticate’:
pam_cifscreds.c:359:58: warning: unused parameter ‘unused’ [-Wunused-parameter]
 PAM_EXTERN int pam_sm_authenticate(pam_handle_t *ph, int unused, int argc, const char **argv)
                                                          ^
pam_cifscreds.c: In function ‘pam_sm_open_session’:
pam_cifscreds.c:414:58: warning: unused parameter ‘flags’ [-Wunused-parameter]
 PAM_EXTERN int pam_sm_open_session(pam_handle_t *ph, int flags, int argc, const char **argv)
                                                          ^
pam_cifscreds.c: In function ‘pam_sm_close_session’:
pam_cifscreds.c:487:51: warning: unused parameter ‘ph’ [-Wunused-parameter]
 PAM_EXTERN int pam_sm_close_session(pam_handle_t *ph, int flags, int argc, const char **argv)
                                                   ^
pam_cifscreds.c:487:59: warning: unused parameter ‘flags’ [-Wunused-parameter]
 PAM_EXTERN int pam_sm_close_session(pam_handle_t *ph, int flags, int argc, const char **argv)
                                                           ^
pam_cifscreds.c:487:70: warning: unused parameter ‘argc’ [-Wunused-parameter]
 PAM_EXTERN int pam_sm_close_session(pam_handle_t *ph, int flags, int argc, const char **argv)
                                                                      ^
pam_cifscreds.c:487:89: warning: unused parameter ‘argv’ [-Wunused-parameter]
 PAM_EXTERN int pam_sm_close_session(pam_handle_t *ph, int flags, int argc, const char **argv)
                                                                                         ^
pam_cifscreds.c: In function ‘pam_sm_setcred’:
pam_cifscreds.c:501:45: warning: unused parameter ‘ph’ [-Wunused-parameter]
 PAM_EXTERN int pam_sm_setcred(pam_handle_t *ph, int flags, int argc, const char **argv)
                                             ^
pam_cifscreds.c:501:53: warning: unused parameter ‘flags’ [-Wunused-parameter]
 PAM_EXTERN int pam_sm_setcred(pam_handle_t *ph, int flags, int argc, const char **argv)
                                                     ^
pam_cifscreds.c:501:64: warning: unused parameter ‘argc’ [-Wunused-parameter]
 PAM_EXTERN int pam_sm_setcred(pam_handle_t *ph, int flags, int argc, const char **argv)
                                                                ^
pam_cifscreds.c:501:83: warning: unused parameter ‘argv’ [-Wunused-parameter]
 PAM_EXTERN int pam_sm_setcred(pam_handle_t *ph, int flags, int argc, const char **argv)
                                                                                   ^

Signed-off-by: Jeff Layton <jlayton@samba.org>
5 years ago cifscreds: create PAM module to insert credentials at login
Orion Poplawski [Wed, 13 Nov 2013 20:53:30 +0000 (13:53 -0700)]
cifscreds: create PAM module to insert credentials at login

Split out some of the cifscreds key handling routines into a separate
file, and then link that in to both cifscreds and the new PAM module.

Fix up autoconf to handle building this automatically.

Signed-off-by: Orion Poplawski <orion@nwra.com>
5 years ago autoconf: fix link of libwbclient
Jeff Layton [Sat, 7 Dec 2013 13:54:59 +0000 (08:54 -0500)]
autoconf: fix link of libwbclient

It's currently getting added to $LIBS and being linked into places that
we don't need it.

Signed-off-by: Jeff Layton <jlayton@samba.org>
5 years ago asn1: fix use-after-free in asn1_write
Jeff Layton [Mon, 14 Oct 2013 01:07:28 +0000 (21:07 -0400)]
asn1: fix use-after-free in asn1_write

If the talloc_realloc() fails, asn1_write calls talloc_free on the
context and then immediately dereferences the pointer.

Fix this by skipping the talloc_free here. Let the caller handle it.

Signed-off-by: Jeff Layton <jlayton@samba.org>
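The ownership rule from the commit above (on a failed reallocation, flag the error and leave freeing to the caller), as an added example that is not the cifs-utils asn1 code. Plain realloc() stands in for talloc_realloc(), and the struct, function names and allocator hook are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable buffer; plain realloc() stands in for talloc. */
struct wbuf { uint8_t *data; size_t length, ofs; bool has_error; };

/* Allocator hook (an assumption of this example) so failure can be simulated. */
static void *(*wbuf_realloc)(void *, size_t) = realloc;
static void *failing_realloc(void *p, size_t n) { (void)p; (void)n; return NULL; }

/* Append len bytes. On allocation failure the buffer is flagged and left
 * allocated: the caller still owns it, so writing has_error is safe. */
static bool wbuf_write(struct wbuf *b, const void *p, size_t len)
{
    if (b->has_error || len == 0)
        return !b->has_error;
    if (len > b->length - b->ofs) {          /* invariant: ofs <= length */
        uint8_t *n = len > SIZE_MAX - b->ofs
                   ? NULL : wbuf_realloc(b->data, b->ofs + len);
        if (n == NULL) {
            /* The buggy pattern frees b here, then dereferences it below. */
            b->has_error = true;
            return false;
        }
        b->data = n;
        b->length = b->ofs + len;
    }
    memcpy(b->data + b->ofs, p, len);
    b->ofs += len;
    return true;
}

/* The caller releases the buffer exactly once, whether or not writes failed. */
static void wbuf_free(struct wbuf *b) { free(b->data); free(b); }

int main(void)
{
    struct wbuf *b = calloc(1, sizeof(*b));
    if (b == NULL) return 1;
    bool first = wbuf_write(b, "\x30\x03", 2);   /* constructed sample bytes */
    wbuf_realloc = failing_realloc;              /* simulate out-of-memory */
    bool second = wbuf_write(b, "\x02\x01\x05", 3);
    printf("first=%d second=%d has_error=%d kept=%zu\n", first, second, b->has_error, b->ofs);
    wbuf_free(b);
    return 0;
}
```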