jlayton/cifs-utils.git
5 years agocifs: use krb5_kt_default() to determine default keytab location master
Jeff Layton [Thu, 3 Apr 2014 00:57:37 +0000 (20:57 -0400)]
cifs: use krb5_kt_default() to determine default keytab location

...don't assume that it's in /etc/krb5.keytab.

Reported-by: Konstantin Lepikhov <klepikho@redhat.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
5 years agoautoconf: allow PAM security install directory to be configurable
Lars Müller [Wed, 2 Apr 2014 14:22:17 +0000 (10:22 -0400)]
autoconf: allow PAM security install directory to be configurable

Allow the pam module install directory to be set at build time.

Signed-off-by: Jeff Layton <jlayton@samba.org>
5 years agoautoconf: set version to 6.3.1 for interim builds
Jeff Layton [Wed, 2 Apr 2014 14:21:10 +0000 (10:21 -0400)]
autoconf: set version to 6.3.1 for interim builds

Signed-off-by: Jeff Layton <jlayton@samba.org>
5 years agoautoconf: set version to 6.3
Jeff Layton [Thu, 9 Jan 2014 16:19:53 +0000 (11:19 -0500)]
autoconf: set version to 6.3

Signed-off-by: Jeff Layton <jlayton@samba.org>
5 years agomanpage: add pam_cifscreds.8 man page
Orion Poplawski [Tue, 10 Dec 2013 21:09:26 +0000 (14:09 -0700)]
manpage: add pam_cifscreds.8 man page

Signed-off-by: Orion Poplawski <orion@nwra.com>
5 years agocifscreds: fix up some whitespace, typos and build warnings in pam_cifscreds.c
Jeff Layton [Sat, 7 Dec 2013 11:52:26 +0000 (06:52 -0500)]
cifscreds: fix up some whitespace, typos and build warnings in pam_cifscreds.c

gcc -g -O2 -Wall -Wextra -D_FORTIFY_SOURCE=2 -fpie -pie -Wl,-z,relro,-z,now  -shared -fpic -o pam_cifscreds.so pam_cifscreds.c cifskey.c resolve_host.c util.c -lpam -lkeyutils
pam_cifscreds.c: In function ‘cleanup_free_password’:
pam_cifscreds.c:143:38: warning: unused parameter ‘ph’ [-Wunused-parameter]
 cleanup_free_password (pam_handle_t *ph, void *data, int pam_end_status)
                                      ^
pam_cifscreds.c:143:58: warning: unused parameter ‘pam_end_status’ [-Wunused-parameter]
 cleanup_free_password (pam_handle_t *ph, void *data, int pam_end_status)
                                                          ^
pam_cifscreds.c: In function ‘cifscreds_pam_update’:
pam_cifscreds.c:271:8: warning: variable ‘addrs’ set but not used [-Wunused-but-set-variable]
  char *addrs[16];
        ^
pam_cifscreds.c: In function ‘pam_sm_authenticate’:
pam_cifscreds.c:359:58: warning: unused parameter ‘unused’ [-Wunused-parameter]
 PAM_EXTERN int pam_sm_authenticate(pam_handle_t *ph, int unused, int argc, const char **argv)
                                                          ^
pam_cifscreds.c: In function ‘pam_sm_open_session’:
pam_cifscreds.c:414:58: warning: unused parameter ‘flags’ [-Wunused-parameter]
 PAM_EXTERN int pam_sm_open_session(pam_handle_t *ph, int flags, int argc, const char **argv)
                                                          ^
pam_cifscreds.c: In function ‘pam_sm_close_session’:
pam_cifscreds.c:487:51: warning: unused parameter ‘ph’ [-Wunused-parameter]
 PAM_EXTERN int pam_sm_close_session(pam_handle_t *ph, int flags, int argc, const char **argv)
                                                   ^
pam_cifscreds.c:487:59: warning: unused parameter ‘flags’ [-Wunused-parameter]
 PAM_EXTERN int pam_sm_close_session(pam_handle_t *ph, int flags, int argc, const char **argv)
                                                           ^
pam_cifscreds.c:487:70: warning: unused parameter ‘argc’ [-Wunused-parameter]
 PAM_EXTERN int pam_sm_close_session(pam_handle_t *ph, int flags, int argc, const char **argv)
                                                                      ^
pam_cifscreds.c:487:89: warning: unused parameter ‘argv’ [-Wunused-parameter]
 PAM_EXTERN int pam_sm_close_session(pam_handle_t *ph, int flags, int argc, const char **argv)
                                                                                         ^
pam_cifscreds.c: In function ‘pam_sm_setcred’:
pam_cifscreds.c:501:45: warning: unused parameter ‘ph’ [-Wunused-parameter]
 PAM_EXTERN int pam_sm_setcred(pam_handle_t *ph, int flags, int argc, const char **argv)
                                             ^
pam_cifscreds.c:501:53: warning: unused parameter ‘flags’ [-Wunused-parameter]
 PAM_EXTERN int pam_sm_setcred(pam_handle_t *ph, int flags, int argc, const char **argv)
                                                     ^
pam_cifscreds.c:501:64: warning: unused parameter ‘argc’ [-Wunused-parameter]
 PAM_EXTERN int pam_sm_setcred(pam_handle_t *ph, int flags, int argc, const char **argv)
                                                                ^
pam_cifscreds.c:501:83: warning: unused parameter ‘argv’ [-Wunused-parameter]
 PAM_EXTERN int pam_sm_setcred(pam_handle_t *ph, int flags, int argc, const char **argv)
                                                                                   ^

Signed-off-by: Jeff Layton <jlayton@samba.org>
5 years agocifscreds: create PAM module to insert credentials at login
Orion Poplawski [Wed, 13 Nov 2013 20:53:30 +0000 (13:53 -0700)]
cifscreds: create PAM module to insert credentials at login

Split out some of the cifscreds key handling routines into a separate
file, and then link that in to both cifscreds and the new PAM module.

Fix up autoconf to handle building this automatically.

Signed-off-by: Orion Poplawski <orion@nwra.com>
5 years agoautoconf: fix link of libwbclient
Jeff Layton [Sat, 7 Dec 2013 13:54:59 +0000 (08:54 -0500)]
autoconf: fix link of libwbclient

It's currently getting added to $LIBS and being linked into places that
we don't need it.

Signed-off-by: Jeff Layton <jlayton@samba.org>
5 years agoasn1: fix use-after-free in asn1_write
Jeff Layton [Mon, 14 Oct 2013 01:07:28 +0000 (21:07 -0400)]
asn1: fix use-after-free in asn1_write

If the talloc_realloc() fails, asn1_write calls talloc_free on the
context and then immediately dereferences the pointer.

Fix this by skipping the talloc_free here. Let the caller handle it.

Signed-off-by: Jeff Layton <jlayton@samba.org>
5 years agomount.cifs: fix bad free() of string returned by dirname()
Jeff Layton [Fri, 11 Oct 2013 02:05:05 +0000 (22:05 -0400)]
mount.cifs: fix bad free() of string returned by dirname()

Coverity says:

  Error: CPPCHECK_WARNING: [#def10]
  cifs-utils-6.2/mount.cifs.c:1518: error[memleakOnRealloc]: Common realloc mistake: 'mtabdir' nulled but not freed upon failure

del_mtab has a number of bugs in handling of allocated memory:

a) the return value of strdup() is not checked

b) It calls realloc() on a pointer that wasn't returned by an allocation
   function (e.g. malloc, calloc, etc.)

c) If realloc() fails, it doesn't call free() on the original memory
   returned by strdup()

Fix all of these bugs and add newlines to the end of the error messages
in del_mtab.

Signed-off-by: Jeff Layton <jlayton@samba.org>
5 years agodata_blob: clean out unused functions
Jeff Layton [Wed, 9 Oct 2013 13:05:22 +0000 (09:05 -0400)]
data_blob: clean out unused functions

Cut another 6k or so out of the cifs.upcall binary.

Signed-off-by: Jeff Layton <jlayton@samba.org>
5 years agoasn1: remove some usused functions
Jeff Layton [Wed, 9 Oct 2013 12:17:49 +0000 (08:17 -0400)]
asn1: remove some usused functions

This cuts 30k out of the cifs.upcall binary on my x86_64 box.

Signed-off-by: Jeff Layton <jlayton@samba.org>
5 years agogetcifsacl: remove some dead code
Jeff Layton [Wed, 9 Oct 2013 12:14:21 +0000 (08:14 -0400)]
getcifsacl: remove some dead code

Coverity says:

Error: DEADCODE (CWE-561): [#def5]
cifs-utils-6.2/getcifsacl.c:101: assignment: Assigning: "mflags" = "false".
cifs-utils-6.2/getcifsacl.c:109: const: At condition "mflags", the value of "mflags" must be equal to 0.
cifs-utils-6.2/getcifsacl.c:109: dead_error_condition: The condition "mflags" cannot be true.
cifs-utils-6.2/getcifsacl.c:110: dead_error_line: Execution cannot reach this statement "printf("|");".

Acked-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
5 years agoget/setcifsacl: fix bad bit-shifts
Jeff Layton [Wed, 9 Oct 2013 01:07:24 +0000 (21:07 -0400)]
get/setcifsacl: fix bad bit-shifts

A Coverity scan turned up this warning:

1. cifs-utils-6.2/setcifsacl.c:578:result_independent_of_operands – "(x & 0xff0000000000ULL) >> 48" is 0 regardless of the values of its operands. This occurs as the operand of assignment.

...which is entirely true. That shift should be 40 bits, not 48. Also
fix a similar bug in getcifsacl.c.

Signed-off-by: Jeff Layton <jlayton@samba.org>
5 years agoautoconf: set release to 6.2.1 for interim builds
Jeff Layton [Wed, 9 Oct 2013 01:13:41 +0000 (21:13 -0400)]
autoconf: set release to 6.2.1 for interim builds

Signed-off-by: Jeff Layton <jlayton@samba.org>
5 years agoautoconf: set version to 6.2
Jeff Layton [Fri, 4 Oct 2013 10:56:41 +0000 (06:56 -0400)]
autoconf: set version to 6.2

Signed-off-by: Jeff Layton <jlayton@samba.org>
5 years agoautoconf: update configure.ac a'la autoupdate
Jeff Layton [Fri, 4 Oct 2013 11:12:32 +0000 (07:12 -0400)]
autoconf: update configure.ac a'la autoupdate

Signed-off-by: Jeff Layton <jlayton@samba.org>
5 years agocifs.upcall: try to use default credcache if we didn't find one
Jeff Layton [Tue, 17 Sep 2013 15:39:13 +0000 (11:39 -0400)]
cifs.upcall: try to use default credcache if we didn't find one

Fedora is in the process of moving to KEYRING: credcaches which are not
currently handled by cifs.upcall. We could try to detect when they're in
use, but it's simpler and more robust to just try to use the default
credcache whenever we don't find a FILE: or DIR: cache.

Signed-off-by: Jeff Layton <jlayton@samba.org>
5 years agoautoconf: add another suggested package name for krb5 headers
Steve French [Mon, 9 Sep 2013 14:55:46 +0000 (09:55 -0500)]
autoconf: add another suggested package name for krb5 headers

Added an alternate package name for krb5 headers.

Noticed the following suggestion asks for the wrong package (at least
wrong for FC17)

checking krb5.h presence... no
checking for krb5.h... no
checking krb5/krb5.h usability... no
checking krb5/krb5.h presence... no
checking for krb5/krb5.h... no
configure: WARNING: krb5.h not found, consider installing
krb5-libs-devel. Disabling cifs.upcall.

[sfrench@w500smf cifs-utils]$ sudo yum install krb5-libs-devel
Loaded plugins: langpacks, presto, refresh-packagekit
No package krb5-libs-devel available.
Error: Nothing to do
[sfrench@w500smf cifs-utils]$ sudo yum install krb5-devel

(installing krb5-devel worked, but not krb5-libs-devel for this version)

Signed-off-by: Steve French <smfrench@gmail.com>
5 years agoDo not rely on hardcoded path to systemd-ask-password.
Michał Górny [Tue, 30 Jul 2013 08:00:26 +0000 (10:00 +0200)]
Do not rely on hardcoded path to systemd-ask-password.

Relying on hardcoded /bin/systemd-ask-password path breaks systemd that
install systemd-ask-password in /usr/bin. Since both paths are supposed
to be in ${PATH} and popen() passes the command to shell, just pass
'systemd-ask-password' and let the shell find it.

Fixes: https://bugzilla.samba.org/show_bug.cgi?id=10054
Signed-off-by: Michał Górny <mgorny@gentoo.org>
5 years agocifs-utils: Correct max string lengths v2
Scott Lovenberg [Sun, 21 Jul 2013 20:21:08 +0000 (16:21 -0400)]
cifs-utils: Correct max string lengths v2

The max size of the username, domain, and password strings are now
consistent with the kernel and Microsoft's documentation.

Signed-off-by: Scott Lovenberg <scott.lovenberg@gmail.com>
5 years agocifs-utils: fix some sparse warnings
Jeff Layton [Thu, 18 Jul 2013 14:14:21 +0000 (10:14 -0400)]
cifs-utils: fix some sparse warnings

Signed-off-by: Jeff Layton <jlayton@samba.org>
5 years agosetcifsacl: add fallback for when plugin can't be loaded
Jeff Layton [Thu, 18 Jul 2013 14:08:27 +0000 (10:08 -0400)]
setcifsacl: add fallback for when plugin can't be loaded

Allow setcifsacl to function even in the case where the plugin can't
be initialized. ID mapping of course won't work, but we can still allow
it to accept "raw" SID strings.

Signed-off-by: Jeff Layton <jlayton@samba.org>
5 years agomanpage: fix nouser_xattr description
Jeff Layton [Mon, 8 Jul 2013 13:08:01 +0000 (09:08 -0400)]
manpage: fix nouser_xattr description

The manpage erroneously states that nouser_xattr is the default, when
it's actually the reverse.

Reported-by: Dome <domfe@tiscali.it>
Signed-off-by: Jeff Layton <jlayton@samba.org>
5 years agoautoconf: set version to 6.1.1 for interim builds
Jeff Layton [Mon, 8 Jul 2013 13:06:46 +0000 (09:06 -0400)]
autoconf: set version to 6.1.1 for interim builds

Signed-off-by: Jeff Layton <jlayton@samba.org>
5 years agocifs-utils: set version to 6.1
Jeff Layton [Tue, 2 Jul 2013 19:13:33 +0000 (15:13 -0400)]
cifs-utils: set version to 6.1

Signed-off-by: Jeff Layton <jlayton@samba.org>
5 years agocifs.upcall: allow users to specify dedicated keytab on command-line
Jeff Layton [Wed, 29 May 2013 18:54:26 +0000 (14:54 -0400)]
cifs.upcall: allow users to specify dedicated keytab on command-line

Currently cifs.upcall only looks at the default system keytab
(/etc/krb5.keytab). It's often the case however that a dedicated keytab
is desirable. Allow administrators to set one on the command-line.

Reported-by: steve <steve@steve-ss.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
5 years agocifs.upcall: the exit code should be 0 when print version
Peng Haitao [Fri, 17 May 2013 09:27:02 +0000 (17:27 +0800)]
cifs.upcall: the exit code should be 0 when print version

When print version number, the exit code should be 0
and syslog() should not send "Negating key" to the system logger.

Signed-off-by: Peng Haitao <penght@cn.fujitsu.com>
6 years agosetcifsacl.c: fix a bug of goto setcifsacl_facenum_ret
Peng Haitao [Fri, 12 Apr 2013 08:58:49 +0000 (16:58 +0800)]
setcifsacl.c: fix a bug of goto setcifsacl_facenum_ret

setcifsacl_facenum_ret: is called only if attrlen is equal to -1.

Signed-off-by: Peng Haitao <penght@cn.fujitsu.com>
6 years agomount.cifs: Trivial comment fixes
Scott Lovenberg [Wed, 10 Apr 2013 17:16:52 +0000 (13:16 -0400)]
mount.cifs: Trivial comment fixes

Two trivial comment fixes.

Signed-off-by: Scott Lovenberg <scott.lovenberg@gmail.com>
6 years agocifs-utils: set version to 6.0.1 for interim builds
Jeff Layton [Wed, 10 Apr 2013 17:24:50 +0000 (13:24 -0400)]
cifs-utils: set version to 6.0.1 for interim builds

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agoautoconf: set version to 6.0
Jeff Layton [Fri, 22 Mar 2013 10:18:19 +0000 (06:18 -0400)]
autoconf: set version to 6.0

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agomount.cifs: remove support for "NFS syntax"
Jeff Layton [Fri, 22 Mar 2013 10:43:46 +0000 (06:43 -0400)]
mount.cifs: remove support for "NFS syntax"

...as promised for version 6.0.

Cc: Scott Lovenberg <scott.lovenberg@gmail.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agomanpage: better document the default sec= mount option
Jeff Layton [Tue, 19 Mar 2013 15:00:49 +0000 (11:00 -0400)]
manpage: better document the default sec= mount option

The default changed in mainline kernel v3.8.

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agomanpage: document the mount.cifs vers= option
Jeff Layton [Sun, 17 Mar 2013 01:28:18 +0000 (21:28 -0400)]
manpage: document the mount.cifs vers= option

Thanks to Tom Talpey for clarifying some of the info here.

Cc: Tom Talpey <ttalpey@microsoft.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agocifs-utils: add autoconf test to make sure that libwbclient is usable
Jeff Layton [Fri, 1 Feb 2013 17:41:57 +0000 (12:41 -0500)]
cifs-utils: add autoconf test to make sure that libwbclient is usable

The idmapwb plugin requires a usable wbcSidsToUnixIds() function. Check
to ensure that the wbclient library provides that symbol, and handle
it appropriately if it doesn't.

If someone were so inclined they probably could fix idmapwb to fall
back to the older mapping functions if that symbol doesn't exist,
but for now this patch just makes it refuse to build the plugin.

Reported-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agosetcifsacl: fix offset calculation in "set" code
Jeff Layton [Tue, 29 Jan 2013 12:08:48 +0000 (07:08 -0500)]
setcifsacl: fix offset calculation in "set" code

Previously the code assumed that the ACE that was copied was of a
fixed size. Save off the return value from copy_ace and ensure that
we apply it correctly to the size and offset.

Reported-by: Jian Li <jiali@redhat.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agosetcifsacl: fix infinite loop in getnumcaces
Jeff Layton [Tue, 29 Jan 2013 02:38:12 +0000 (21:38 -0500)]
setcifsacl: fix infinite loop in getnumcaces

Jian pointed out that this loop can cycle infinitely when the string
contains a ','.

Also, fix typo in manpage that shows a trailing ',' in one example.

Reported-by: Jian Li <jiali@redhat.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agomount.cifs: set parsed_info->got_user when a cred file supplies a username
Jeff Layton [Sun, 13 Jan 2013 03:02:01 +0000 (22:02 -0500)]
mount.cifs: set parsed_info->got_user when a cred file supplies a username

commit 85d18a1ed introduced a regression when using a credentials file.
It set the username in the parsed mount info properly, but didn't set
the "got_user" flag in it.

Also, fix an incorrect strlcpy length specifier in open_cred_file.

Reported-by: "Mantas M." <grawity@gmail.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agocifsidmap: clean up comments on API description
Jeff Layton [Mon, 7 Jan 2013 15:25:30 +0000 (10:25 -0500)]
cifsidmap: clean up comments on API description

...typo and grammatical fixes, mostly.

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agoautoconf: set release to 5.9.1 for interim builds
Jeff Layton [Mon, 7 Jan 2013 15:23:09 +0000 (10:23 -0500)]
autoconf: set release to 5.9.1 for interim builds

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agoautoconf: set version to 5.9
Jeff Layton [Mon, 7 Jan 2013 12:19:46 +0000 (07:19 -0500)]
autoconf: set version to 5.9

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agomount.cifs: remove support for "complex" usernames from mount.cifs
Jeff Layton [Mon, 7 Jan 2013 12:19:46 +0000 (07:19 -0500)]
mount.cifs: remove support for "complex" usernames from mount.cifs

In commit 569cfcb3a, we added a warning of the removal for support for
username= options in the form of DOMAIN/username%password. This patch
removes that support as promised prior to the 5.9 release.

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agocifs-utils: fix cifsidmap.h comment
Jeff Layton [Wed, 2 Jan 2013 11:27:35 +0000 (06:27 -0500)]
cifs-utils: fix cifsidmap.h comment

It's actually OK to set this to BOTH.

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agocifs-utils: add a manpage for idmapwb
Jeff Layton [Mon, 17 Dec 2012 16:45:41 +0000 (11:45 -0500)]
cifs-utils: add a manpage for idmapwb

...and clean up references to winbind in various tool manpages.

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agocifs-utils: convert cifs.idmap to use plugin interface
Jeff Layton [Sun, 9 Dec 2012 02:28:08 +0000 (21:28 -0500)]
cifs-utils: convert cifs.idmap to use plugin interface

Add routines for the various things that cifs.idmap needs and have it
call them.

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agocifs-utils: add autoconf test for WBC_ID_TYPE_BOTH
Jeff Layton [Wed, 19 Dec 2012 19:52:42 +0000 (14:52 -0500)]
cifs-utils: add autoconf test for WBC_ID_TYPE_BOTH

WBC_ID_TYPE_BOTH is a new addition (in Samba 4.0 only). Add a test for
its presence. Because it's an enum, we have to jump through some extra
hoops here...

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agocifs-utils: convert setcifsacl to use the plugin interface
Jeff Layton [Fri, 7 Dec 2012 17:17:03 +0000 (12:17 -0500)]
cifs-utils: convert setcifsacl to use the plugin interface

Add str_to_sid() functionality to the plugin API and have setcifsacl
use it.

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agocifs-utils: new plugin architecture for ID mapping code
Jeff Layton [Mon, 3 Dec 2012 17:35:38 +0000 (12:35 -0500)]
cifs-utils: new plugin architecture for ID mapping code

Currently, the ACL-related tools in cifs-utils call into the wbclient
libs directly in order to do their bidding. The wbclient developers want
to get away from needing to configure winbind on the clients and instead
allow sssd to handle the mapping in most cases.

This patch represents an initial step in that direction. It adds a
plugin architecture for cifs-utils, adds wrappers around the calls into
libwbclient that find an idmap plugin library to use and then has it
call into that plugin to do the actual ID mapping.

The application will call into a set of routines that find the correct
plugin and dlopen() it. Currently the plugin is located in a well-known
location that is settable via autoconf. That location is intended to be
a symlink that points to the real plugin (generally under $pkglibdir).

The plugin will export a number of functions with well-known names. The
wrappers find those by using dlsym() and then call them.

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agocifs-utils: struct cifs_sid definition to new cifsidmap.h header
Jeff Layton [Thu, 13 Dec 2012 13:58:54 +0000 (08:58 -0500)]
cifs-utils: struct cifs_sid definition to new cifsidmap.h header

People who want to build a plugin for the idmapping routines will need a
header to describe the data types that they need. Add a cifsidmap.h file
and move the struct cifs_sid definition into it, along with the
constants needed to describe it.

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agosetcifsacl: remove syslog goop
Jeff Layton [Fri, 7 Dec 2012 17:07:23 +0000 (12:07 -0500)]
setcifsacl: remove syslog goop

setcifsacl doesn't use syslog, so no need to open a channel to it.

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agogetcifsacl: remove unneeded openlog() call
Jeff Layton [Fri, 7 Dec 2012 13:39:16 +0000 (08:39 -0500)]
getcifsacl: remove unneeded openlog() call

getcifsacl doesn't log to syslog, so there's no need to open a channel
to it. Also, remove the unneeded "prog" global variable since only
the usage() function needs it.

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agocifs-utils: only link in -lrt to binaries that need it
Jeff Layton [Thu, 6 Dec 2012 12:17:17 +0000 (07:17 -0500)]
cifs-utils: only link in -lrt to binaries that need it

...which is really only mount.cifs.

Cc: Björn Jacke <bj@sernet.de>
Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agoautoconf: enable full RELRO in cifs-utils binaries
Jeff Layton [Thu, 6 Dec 2012 11:45:57 +0000 (06:45 -0500)]
autoconf: enable full RELRO in cifs-utils binaries

This is safer since it also protects the GOT from getting clobbered.

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agogetcifsacl: ensure that we don't overrun the wbcDomainSid when converting
Jeff Layton [Tue, 4 Dec 2012 11:21:06 +0000 (06:21 -0500)]
getcifsacl: ensure that we don't overrun the wbcDomainSid when converting

If we get a SID that contains more than 15 subauthorities, we'll end up
overrunning the struct wbcDomainSid. Just ignore any past 15.

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agogetcifsacl: free strings returned by wbcLookupSid
Jeff Layton [Tue, 4 Dec 2012 11:12:13 +0000 (06:12 -0500)]
getcifsacl: free strings returned by wbcLookupSid

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agogetcifsacl: use "size" instead of reconverting original field to host endian
Jeff Layton [Mon, 3 Dec 2012 18:41:12 +0000 (13:41 -0500)]
getcifsacl: use "size" instead of reconverting original field to host endian

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agoautotools: remove unnecessary files from distro
Jeff Layton [Mon, 3 Dec 2012 16:03:19 +0000 (11:03 -0500)]
autotools: remove unnecessary files from distro

Having them in the distro prevents autoreconf -i from installing the latest
copies.

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agomount.cifs: don't pass "flag" options to the kernel
Jeff Layton [Wed, 28 Nov 2012 20:17:44 +0000 (15:17 -0500)]
mount.cifs: don't pass "flag" options to the kernel

When certain options are passed to the mount helper, we want to turn
them into mountflags for the mount() syscall. There's no need to copy
them to the options string in that case though.

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agomount.cifs: treat uid=,gid=,cruid= options as name before assuming they're a number
Jeff Layton [Mon, 19 Nov 2012 01:38:38 +0000 (20:38 -0500)]
mount.cifs: treat uid=,gid=,cruid= options as name before assuming they're a number

Sergio Conrad reported a problem trying to set up an autofs map to do
a krb5 mount. In his environment, many users have usernames that are
comprised entirely of numbers. While that's a bit odd, POSIX apparently
allows for it.

The current code assumes that when a numeric argument is passed to one
of the above options, that it's a uid or gid. Instead, try to treat the
argument as a user or group name first, and only try to treat it as a
number if that fails.

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agoautoconf: set version to 5.8.1 for interim builds
Jeff Layton [Thu, 15 Nov 2012 20:22:13 +0000 (15:22 -0500)]
autoconf: set version to 5.8.1 for interim builds

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agoautoconf: set version to 5.8
Jeff Layton [Sun, 11 Nov 2012 11:09:23 +0000 (06:09 -0500)]
autoconf: set version to 5.8

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agosetcifsacl: fix format specifier in error message
Jeff Layton [Fri, 9 Nov 2012 12:49:43 +0000 (07:49 -0500)]
setcifsacl: fix format specifier in error message

setcifsacl.c:833: warning: format '%ld' expects type 'long int', but
argument 3 has type 'ssize_t'

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agosetcifsacl: don't freely cast between wbcDomainSid and cifs_sid
Jeff Layton [Fri, 9 Nov 2012 11:40:14 +0000 (06:40 -0500)]
setcifsacl: don't freely cast between wbcDomainSid and cifs_sid

Since they are not necessarily aligned the same and potentially store
their fields with different endianness. Copy from the wbcDomainSid
to the cifs_sid as appropriate.

Also rename the same function in cifs.idmap.c for consistency.

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agogetcifsacl: don't freely cast between wbcDomainSid and cifs_sid
Jeff Layton [Fri, 9 Nov 2012 11:33:48 +0000 (06:33 -0500)]
getcifsacl: don't freely cast between wbcDomainSid and cifs_sid

While they are very similar, the cifs_sid is "packed" and the
wbcDomainSid isn't. There are also aliasing problems with gcc in
some cases. Instead of trying to cast and fix endianness in place,
make a separate copy instead.

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agomount.cifs: fix argument count check
Jeff Layton [Fri, 9 Nov 2012 11:08:38 +0000 (06:08 -0500)]
mount.cifs: fix argument count check

The argv < 3 check could return true if you pass in some option flags.
If you don't provide any further arguments then you might just walk
off the end of the argv array. The values past the end aren't
guaranteed to be NULL in that case.

Fix the check to just look at whether there are 2 more arguments after
the getopt processing is done.

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agogetcifsacl: fix up printing of REVISION: and CONTROL: fields
Jeff Layton [Wed, 7 Nov 2012 15:20:46 +0000 (10:20 -0500)]
getcifsacl: fix up printing of REVISION: and CONTROL: fields

They need endianness conversion too...

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agocifs.idmap: fix up some compile-time warnings
Jeff Layton [Wed, 7 Nov 2012 15:19:20 +0000 (10:19 -0500)]
cifs.idmap: fix up some compile-time warnings

Get rid of some unused variables, and fix a strict-aliasing problem by
copying the SID data to a new place instead of converting the
endianness in-place.

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agosetcifsacl: fix some build warnings
Jeff Layton [Wed, 7 Nov 2012 15:19:20 +0000 (10:19 -0500)]
setcifsacl: fix some build warnings

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agosetcifsacl: fix endianness of ->size in build_cmdline_aces
Jeff Layton [Wed, 7 Nov 2012 15:19:20 +0000 (10:19 -0500)]
setcifsacl: fix endianness of ->size in build_cmdline_aces

The size must also be kept in little-endian.

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agosetcifsacl: fix up ACE mask handling
Jeff Layton [Wed, 7 Nov 2012 15:19:19 +0000 (10:19 -0500)]
setcifsacl: fix up ACE mask handling

Change verify_ace_mask to just attempt to convert the argument to an
unsigned long first. If that fails, then try to treat it as a symbolic
mask string.

Also, clean up ace_mask_value. There's no need to walk the string
twice. Walk it once and turn the single-char mask checks into a switch
statement instead of if/else clauses.

Finally, fix the endianness of the resulting value. It must be in LE.

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agogetcifsacl: fix endianness bug in getcifsacl and add better bounds checks
Jeff Layton [Wed, 7 Nov 2012 15:19:19 +0000 (10:19 -0500)]
getcifsacl: fix endianness bug in getcifsacl and add better bounds checks

getcifsacl must convert the access_req field from little endian. Also,
we should ensure that the "size" field in the ACE is reachable before
trying to access it.

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agosetcifsacl: fix some bugs in build_cmdline_aces
Jeff Layton [Wed, 7 Nov 2012 15:19:19 +0000 (10:19 -0500)]
setcifsacl: fix some bugs in build_cmdline_aces

Pavel Raiskup found the following defect in setcifsacl with Coverity:

"segfault may occur also in cifs-utils-4.8.1/setcifsacl.c|644| because
of casesptr dereferencing.  When you look e.g. at the line 605, in this
time any part of 'caseptr' may be yet uninitialized and program is going
through 'goto' to freeing -> and there you are freeing the 'caseptr[i]'
address."

The analysis there seems a little off, but is basically correct. The
freeing loop counts down from the current value of i to free the
secondary allocations here.

There is one situation though where this could go badly. If the strtok
parsing near the beginning of the loop fails, then we could end up
trying to free an uninitialized pointer.

Fix this by changing the cacesptr allocation to use calloc(), and stop
trying to be clever with the freeing loop. Just have it walk the
entire array and attempt to free each slot.

Reported-by: Pavel Raiskup <praiskup@redhat.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agosetcifsacl: fix some bugs in build_fetched_aces
Jeff Layton [Wed, 7 Nov 2012 15:19:19 +0000 (10:19 -0500)]
setcifsacl: fix some bugs in build_fetched_aces

Pavel Raiskup reported the following defects that he found with Coverity:

"If the variable 'facesptr' on line cifs-utils-4.8.1/setcifsacl.c|365|
has not enough memory to be allocated, program 'setcifsacl' will fail
with segfault on line 365 (dereferencing facesptr)."

"you may return freed pointer here. There is some kind of return code
('rc') which should be transferred to >NULL< when is rc nonzero (and
returned)"

There are also a couple of other bugs here:

malloc doesn't necessarily set errno to anything when an allocation
fails, so having the error handling rely on that is wrong.

Fix all of these bugs by reorganzing this function to fix up the error
handling.

Reported-by: Pavel Raiskup <praiskup@redhat.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agosetcifsacl: consolidate SID copying routines
Jeff Layton [Wed, 7 Nov 2012 15:19:18 +0000 (10:19 -0500)]
setcifsacl: consolidate SID copying routines

...instead of open-coding it thrice.

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agogetcifsacl: fix raw SID printing routine
Jeff Layton [Wed, 7 Nov 2012 15:19:18 +0000 (10:19 -0500)]
getcifsacl: fix raw SID printing routine

The current routine prints multiple authority values as different
numbers instead of combining them, which is wrong.

Print the SID according to the rules in MS-DTYP.

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agogetcifsacl: don't use wbcDomainSid internally
Jeff Layton [Wed, 7 Nov 2012 15:19:18 +0000 (10:19 -0500)]
getcifsacl: don't use wbcDomainSid internally

Use our own cifs_sid instead and cast it to a wbcDomainSid before
handing it off to winbind.

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agogetcifsacl: fix endianness before handing off SID to winbind
Jeff Layton [Wed, 7 Nov 2012 15:19:18 +0000 (10:19 -0500)]
getcifsacl: fix endianness before handing off SID to winbind

winbind expects SIDs to be expressed in host-endian. Convert them
from little-endian before asking winbind to convert them to names.

Also use the WBC_ERROR_IS_OK() macro to check the return code.

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agogetcifsacl: clarify magic number if print_ace
Jeff Layton [Wed, 7 Nov 2012 15:19:17 +0000 (10:19 -0500)]
getcifsacl: clarify magic number if print_ace

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agosetcifsacl: fix verify_ace_sid
Jeff Layton [Wed, 7 Nov 2012 15:19:17 +0000 (10:19 -0500)]
setcifsacl: fix verify_ace_sid

The current method of trying to convert a name to a password struct and
then back to a SID is just weird. It also doesn't seem to work correctly.

Instead, look for a '\\' in the string. If there isn't one then try to
convert it directly to a SID.

If there is a '\\' or the direct-to-SID conversion didn't work, then
use wbcLookupName to do the conversion directly to a SID instead.

Also, fix the error handling. These routines return a wbcErr, so we
should use their macros to check whether it worked or not.

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agosetcifsacl: clean up parse_cmdline_aces
Jeff Layton [Wed, 7 Nov 2012 15:19:17 +0000 (10:19 -0500)]
setcifsacl: clean up parse_cmdline_aces

One of the reasons to use "goto" in an error condition is to eliminate
unnecessary indentation. Fix that here by revering some error checks
end getting rid of some unneeded "else" cases.

After using strstr() to find "ACL:", there's no need to then use
strchr() to find ':'. We know where it is -- it's 3 bytes past the
current position.

Finally, there's no need to copy these strings into new buffers,
just set the pointers in the array to their original values.

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agosetcifsacl: clean up get_numcaces
Jeff Layton [Wed, 7 Nov 2012 15:19:17 +0000 (10:19 -0500)]
setcifsacl: clean up get_numcaces

No need to walk the string twice or to hand-roll our own version of
strchr(). Also, move the check for no argument out into main().

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agosetcifsacl: fix up endianness conversions
Jeff Layton [Wed, 7 Nov 2012 15:19:16 +0000 (10:19 -0500)]
setcifsacl: fix up endianness conversions

Don't use htole32 when you really want le32toh. Also, when copying or
comparing ACEs, it's incorrect to convert the endianness of these
fields. Let's just keep things simple and declare that multibyte fields
in all of these structs are always kept in little-endian.

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agocifs.idmap: fix endianness on SIDs before sending to kernel
Jeff Layton [Wed, 7 Nov 2012 15:19:16 +0000 (10:19 -0500)]
cifs.idmap: fix endianness on SIDs before sending to kernel

Winbind keeps wbcDomainSids in host-endian format. They must be
converted to little-endian before we can ship them off to the
kernel.

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agosetcifsacl: fix endianness on SIDs provided by winbind routines
Jeff Layton [Wed, 7 Nov 2012 15:19:16 +0000 (10:19 -0500)]
setcifsacl: fix endianness on SIDs provided by winbind routines

Winbind keeps SID fields in host-endian format, but setcifsacl doesn't
currently account for that. Make sure that when we get a valid SID
from wbc that we convert the subauth fields to little-endian, which
the server will expect. The other fields are single bytes and don't
need conversion.

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agocifsacl: header file cleanup
Jeff Layton [Wed, 7 Nov 2012 15:19:16 +0000 (10:19 -0500)]
cifsacl: header file cleanup

Remove the unused ace_action enum, and express mask values by or'ing
what they represent. Add a comment about the endianness of these values
in the packed structs too.

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agosetcifsacl: fix up getopt() usage
Jeff Layton [Wed, 7 Nov 2012 15:19:15 +0000 (10:19 -0500)]
setcifsacl: fix up getopt() usage

'?' has a special meaning in getopt(). It means that the option
character was not recognized. You can override that behavior by making
':' the first character of the optstring, but that wasn't done here. I'm
not sure what the effect of having '?' in the actual optstring is in
this case, but it's probably best not to put it in there.

Remove '?' from the optstring and replace it 'h'. Also add '-h' as a
valid option to the manpage.

'-v' doesn't require an argument, so fix the optstring to reflect that.

Finally declare a new variable to hold optarg. Currently we only call
getopt() once, which is a little odd. Eventually we may want to make it
call it more than once, in which case we'll need some way to store the
optarg on each pass.

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agosetcifsacl: declare an enum for the action values
Jeff Layton [Wed, 7 Nov 2012 15:19:15 +0000 (10:19 -0500)]
setcifsacl: declare an enum for the action values

...instead of relying on magic values of an int.

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agoget/setcifsacl: set "prog" via basename(argv[0])
Jeff Layton [Wed, 7 Nov 2012 15:19:15 +0000 (10:19 -0500)]
get/setcifsacl: set "prog" via basename(argv[0])

This saves a tiny bit of memory, and doesn't make the program assume
that the binary is named something in particular.

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agosetcifsacl: clean up get_numfaces
Jeff Layton [Wed, 7 Nov 2012 15:19:15 +0000 (10:19 -0500)]
setcifsacl: clean up get_numfaces

pntsd is never NULL here, and get rid of extra "else" that adds some
unneeded indentation.

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agosetcifsacl: fix overrun of subauths array when copying SIDs
Jeff Layton [Wed, 7 Nov 2012 15:19:14 +0000 (10:19 -0500)]
setcifsacl: fix overrun of subauths array when copying SIDs

copy_sec_desc() copies the owner and group SIDs from one security
descriptor to another. Unfortunately, it doesn't take into account the
fact that these are variable length and routinely overruns the SID
structure when doing this copy and scribbles over the destination ACL.

This wasn't noticed before the change in the maximum number of subauths
because the code either overwrote the damage afterward, or the overrun
part was the same between source and destination anyway. Now that the
max number of subauths is 15, it's more noticable.

Fix it to only copy the number of subauths that claimed in the buffer
instead.

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agosetcifsacl: clean up sizing of cifs_sid
Jeff Layton [Mon, 29 Oct 2012 20:04:11 +0000 (16:04 -0400)]
setcifsacl: clean up sizing of cifs_sid

The max number of subauthorities on windows and in winbind is generally
15, not 5. If winbind sends more than 5, then this code may end up
overrunning the buffer. Also, define some preprocessor constants and
use those instead of hardcoding '5' and '6' all over the place.

Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agocifs.idmap: add a --help option for cifs.idmap
Jeff Layton [Mon, 29 Oct 2012 19:45:37 +0000 (15:45 -0400)]
cifs.idmap: add a --help option for cifs.idmap

To make it print the usage message and exit.

Reviewed-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agocifs.idmap: set a timeout on keys that it instantiates
Jeff Layton [Mon, 29 Oct 2012 19:45:37 +0000 (15:45 -0400)]
cifs.idmap: set a timeout on keys that it instantiates

...and add a command-line option to allow the admin to tune that value.
I think this is a better way to handle this instead of trying to set the
timeouts in kernel space.

Reviewed-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agocifs.idmap: don't use atoi to convert unsigned int to number
Jeff Layton [Mon, 29 Oct 2012 19:45:37 +0000 (15:45 -0400)]
cifs.idmap: don't use atoi to convert unsigned int to number

atoi() is for signed integers, and is deprecated in any case. Use
strtoul() instead and check the result carefully before using it.

Also add a log message when the string(s) can't be converted and
fix the signedness of the types in other log messages.

Reviewed-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agocifs.idmap: clean up strget and avoid memory allocation
Jeff Layton [Mon, 29 Oct 2012 19:45:37 +0000 (15:45 -0400)]
cifs.idmap: clean up strget and avoid memory allocation

Don't do a strlen() call if strstr() isn't going to match anyway.

There's no need to duplicate the string here. None of the callers modify
it, so just return a pointer into the original string.

Reviewed-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agocifs.idmap: add an options struct to handle long options
Jeff Layton [Mon, 29 Oct 2012 19:45:37 +0000 (15:45 -0400)]
cifs.idmap: add an options struct to handle long options

...since the manpage advertises them.

Reviewed-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agocifs.idmap: get rid of useless strcmp prior to idmapping
Jeff Layton [Mon, 29 Oct 2012 19:45:37 +0000 (15:45 -0400)]
cifs.idmap: get rid of useless strcmp prior to idmapping

The code copies off the key description and then ensures that it's
prefixed with "cifs.idmap". What's the point of that?

Presumably request-key would never have called this otherwise. There's
little harm in going ahead and doing the idmapping if this is called
with the wrong string.

Also, the error handling here is wrong. If the prefix doesn't match
the code will exit 0 without doing any mapping. Just remove it.

Reviewed-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agocifs.idmap: make sure cifsacl structs are packed
Jeff Layton [Mon, 29 Oct 2012 19:45:37 +0000 (15:45 -0400)]
cifs.idmap: make sure cifsacl structs are packed

The kernel equivalent definitions are defined with
__attribute__((packed)), and the code seems to assume the userspace and
kernel ones will be properly aligned. Fix the userspace definitions in a
similar fashion.

Given the way these structs are, there is probably not any padding
between fields on most arches, but it's best to be safe here.

Reviewed-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
6 years agomount.cifs: add warning that NFS syntax is deprecated and will be
Scott Lovenberg [Tue, 23 Oct 2012 19:37:03 +0000 (15:37 -0400)]
mount.cifs: add warning that NFS syntax is deprecated and will be
removed in cifs-utils-6.0.

[jlayton: Added newline to end of warning]
Signed-off-by: Scott Lovenberg <scott.lovenberg@gmail.com>