Jeff Layton [Fri, 24 Feb 2017 15:48:57 +0000 (10:48 -0500)]
cifs.upcall: use a MEMORY: ccache when instantiating from a keytab
Using a more permanent ccache is potentially problematic when we're
instantiating a new one. We might be operating under different creds
than expected. Just use a MEMORY: ccache since we don't need it to
last longer than the life of the upcall anyway.
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Thu, 23 Feb 2017 21:50:43 +0000 (16:50 -0500)]
cifs.upcall: don't do env scraping when uid is 0
Setuid programs triggering upcalls could trick the program here. Also,
the d_automount method is done with credentials overridden so you
can end up with mismatched creds and env vars due to that as well.
It's a hack, but the only recourse I can see is to avoid doing this
when the uid is 0. That means we can't rely on finding root credcaches
in alternate locations using $KRB5CCNAME, but I think that's the best
we can do.
Reported-by: Chad William Seys <cwseys@physics.wisc.edu>
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Thu, 23 Feb 2017 23:28:24 +0000 (18:28 -0500)]
cifs.upcall: unset $KRB5CCNAME when creating new credcache from keytab
We don't want to trust $KRB5CCNAME when creating or updating a new
credcache since we could be operating under the wrong credentials.
Always create new credcaches in the default location instead.
Reported-by: Chad William Seys <cwseys@physics.wisc.edu>
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Fri, 24 Feb 2017 00:14:07 +0000 (19:14 -0500)]
data_blob: Eliminate _PUBLIC_
It's defined to nothing anyway.
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Fri, 24 Feb 2017 00:09:12 +0000 (19:09 -0500)]
treewide: Eliminate SAFE_FREE
It just frees and then zeroes out the pointer. That's of dubious
value in the places where it's currently being used. Just use
free() instead.
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Fri, 24 Feb 2017 00:21:56 +0000 (19:21 -0500)]
replace.h: remove it
Nothing uses it now.
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Thu, 23 Feb 2017 23:58:17 +0000 (18:58 -0500)]
cifs.upcall: remove need for replace.h
Take just what we need from replace.h and move it to cifs.upcall.c.
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Fri, 24 Feb 2017 01:56:27 +0000 (20:56 -0500)]
spnego.c/asn1.c: remove need for replace.h
Just need stdbool.h instead.
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Thu, 23 Feb 2017 23:49:59 +0000 (18:49 -0500)]
data_blob: remove need for replace.h
We only need ZERO_STRUCT there.
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Thu, 16 Feb 2017 14:55:45 +0000 (09:55 -0500)]
cifs.upcall: trim even more capabilities
We really only need CAP_DAC_READ_SEARCH, not CAP_DAC_OVERRIDE, and
only when we are going to probe the environ file.
Also, fix the non-libcap-ng trim_capabilities prototype.
Reviewed-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Sat, 11 Feb 2017 13:38:46 +0000 (08:38 -0500)]
cifs.upcall: allow scraping of KRB5CCNAME out of initiating task's /proc/<pid>/environ file
Chad reported that he was seeing a regression in cifs-utils-6.6. Prior
to that, cifs.upcall was able to find credcaches in non-default FILE:
locations, but with the rework of that code, that ability was lost.
Unfortunately, the krb5 library design doesn't really take into account
the fact that we might need to find a credcache in a process that isn't
descended from the session.
When the kernel does an upcall, it passes several bits of info about the
task that initiated the upcall. One of those things is the PID (the
tgid, in particular). We can use that info to reach into the
/proc/<pid>/environ file for the process, and grab whatever value of
$KRB5CCNAME is there.
Then, after switching credentials, set $KRB5CCNAME in the environment
to the same value before opening the credcache, to hint to the krb5
libs where they ought to look.
This new behavior is on by default, but can be disabled by having
request-key pass a '-E' flag to cifs.upcall.
Reported-by: Chad William Seys <cwseys@physics.wisc.edu>
Signed-off-by: Jeff Layton <jlayton@samba.org>
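
Added example, not code from cifs.upcall: one way to pull $KRB5CCNAME out of a buffer in /proc/<pid>/environ layout, combined with the later commit's rule of skipping the scrape when the uid is 0. The function names, the env_probe parameter (standing in for the '-E' switch) and the sample buffer are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed sample in /proc/<pid>/environ layout: NUL-terminated records. */
static const char sample_environ[] =
	"HOME=/home/alice\0"
	"KRB5CCNAME_OLD=FILE:/tmp/stale\0"
	"KRB5CCNAME=FILE:/tmp/krb5cc_alice_example\0";
#define SAMPLE_LEN (sizeof(sample_environ) - 1)

/*
 * Look up NAME in a buffer of "KEY=VALUE" records, each ending in a NUL byte.
 * Copies the value into out and returns 0 on success. Returns -1 if the
 * variable is absent or empty, if the value does not fit in out, or if the
 * scan reaches a record with no terminator (possible truncated read).
 */
int environ_lookup(const char *buf, size_t len, const char *name,
		   char *out, size_t outlen)
{
	size_t namelen = strlen(name);
	size_t pos = 0;

	while (pos < len) {
		const char *rec = buf + pos;
		const char *end = memchr(rec, '\0', len - pos);
		size_t reclen;

		if (!end)
			return -1;
		reclen = (size_t)(end - rec);
		/* The '=' must follow the name directly, so KRB5CCNAME_OLD
		 * is not mistaken for KRB5CCNAME. */
		if (reclen > namelen && rec[namelen] == '=' &&
		    memcmp(rec, name, namelen) == 0) {
			size_t vlen = reclen - namelen - 1;

			if (vlen == 0 || vlen >= outlen)
				return -1;
			memcpy(out, rec + namelen + 1, vlen);
			out[vlen] = '\0';
			return 0;
		}
		pos += reclen + 1;
	}
	return -1;
}

/*
 * Policy wrapper (hypothetical): only use the scraped value as a hint when
 * probing is enabled and the upcall is not for uid 0.
 */
int ccname_hint(uid_t uid, int env_probe, const char *buf, size_t len,
		char *out, size_t outlen)
{
	if (!env_probe || uid == 0)
		return -1;
	return environ_lookup(buf, len, "KRB5CCNAME", out, outlen);
}

int main(void)
{
	char ccname[128];

	if (ccname_hint(1000, 1, sample_environ, SAMPLE_LEN,
			ccname, sizeof(ccname)) == 0)
		printf("uid 1000: hint %s\n", ccname);
	if (ccname_hint(0, 1, sample_environ, SAMPLE_LEN,
			ccname, sizeof(ccname)) != 0)
		printf("uid 0: no hint, use the default credcache\n");
	return 0;
}
```
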
Jeff Layton [Wed, 15 Feb 2017 15:00:45 +0000 (10:00 -0500)]
cifs.upcall: drop capabilities early in program
Much of cifs.upcall can and should be run without elevated privileges.
On entry into the program, drop as many capabilities as we can get away
with, and then always drop any remaining caps after calling setuid().
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Mon, 13 Feb 2017 13:33:02 +0000 (08:33 -0500)]
cifs.upcall: switch group IDs when handling an upcall
Currently, we leave the group ID alone, but in a later patch we'll be
changing cifs.upcall to scrape $KRB5CCNAME out of the originating
process. At that point, we want to be a little more careful with the
process credentials we'll be using.
After we get the uid, do a getpwuid and grab the default gid for the
user. Then use setgid to set it before calling setuid.
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Sun, 12 Feb 2017 14:36:12 +0000 (09:36 -0500)]
cifs.upcall: convert two flags from int to bool
Signed-off-by: Jeff Layton <jlayton@samba.org>
Sachin Prabhu [Wed, 4 Jan 2017 12:45:17 +0000 (07:45 -0500)]
manpage: document mfsymlinks in the mount.cifs man page
Information from the cifs README in the kernel sources is used.
Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
Germano Percossi [Fri, 18 Nov 2016 18:54:52 +0000 (18:54 +0000)]
mount.cifs: Remove unneeded stdbool header include
Signed-off-by: Germano Percossi <germano.percossi@citrix.com>
Germano Percossi [Fri, 18 Nov 2016 18:54:51 +0000 (18:54 +0000)]
mount.cifs: Fixed command line parsing and aligned with kernel
The way token matching was done was consuming the parameters namespace
quickly. For example, anything starting with "dom" was interpreted with
domain, while it could have been a completely different word. The same
is true even for "ro".
Moreover, many perfectly valid options like "addr" were not accepted.
The cifs kernel module is very strict when it comes to names: 'dom' and
'domain' are valid while 'domai' is not, so the userspace tool needs to
comply otherwise it becomes very difficult to come up with new names for
options.
Now, checking is strict and as close as possible to kernel. When it is
not, it is just to avoid breaking compatibility with some users.
However, workg has been removed because it is too lazy and undocumented.
The only variable left without strict checking is 'x-' because the
intent is to ignore anything starting in that way.
Signed-off-by: Germano Percossi <germano.percossi@citrix.com>
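
Added example, not code from mount.cifs: prefix matching as the commit message describes it, beside whole-token matching with the 'x-' exception. The enum, the option table (only a few options are listed), the function names and the sample inputs are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical option ids for this example. */
enum opt_id { OPT_ERROR = -1, OPT_IGNORE, OPT_DOMAIN, OPT_RO, OPT_ADDR };

struct opt_name {
	const char *name;
	enum opt_id id;
};

/* Strict table: every accepted spelling is listed explicitly. */
static const struct opt_name strict_table[] = {
	{ "dom", OPT_DOMAIN },
	{ "domain", OPT_DOMAIN },
	{ "ro", OPT_RO },
	{ "addr", OPT_ADDR },
};

/* Copy the key of "key=value" (or a bare "key") into key[]. */
static int option_key(const char *opt, char *key, size_t keylen)
{
	size_t n = strcspn(opt, "=");

	if (n == 0 || n >= keylen)
		return -1;
	memcpy(key, opt, n);
	key[n] = '\0';
	return 0;
}

/* Prefix matching: anything starting with "dom" or "ro" is claimed. */
enum opt_id match_prefix(const char *opt)
{
	if (strncmp(opt, "dom", 3) == 0)
		return OPT_DOMAIN;
	if (strncmp(opt, "ro", 2) == 0)
		return OPT_RO;
	return OPT_ERROR;
}

/* Strict matching: the whole key must equal a table entry. Keys starting
 * with "x-" are ignored without further checking. */
enum opt_id match_strict(const char *opt)
{
	char key[64];
	size_t i;

	if (option_key(opt, key, sizeof(key)) != 0)
		return OPT_ERROR;
	if (strncmp(key, "x-", 2) == 0)
		return OPT_IGNORE;
	for (i = 0; i < sizeof(strict_table) / sizeof(strict_table[0]); i++)
		if (strcmp(key, strict_table[i].name) == 0)
			return strict_table[i].id;
	return OPT_ERROR;
}

int main(void)
{
	/* Constructed inputs; "rotate" is not a real mount option. */
	const char *samples[] = { "dom=EXAMPLE", "domai=EXAMPLE", "rotate",
				  "addr=192.0.2.10", "x-systemd.automount" };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-22s prefix=%d strict=%d\n", samples[i],
		       match_prefix(samples[i]), match_strict(samples[i]));
	return 0;
}
```
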
Germano Percossi [Fri, 18 Nov 2016 18:54:50 +0000 (18:54 +0000)]
mount.cifs: Accept empty domains on the command line
If we do not allow empty domains on the command line we are preventing
the kernel module from taking different actions if the domain has not
been specified at all or just passed empty.
In fact, with this fix the cifs module behaves differently once an empty
domain is passed: the find_domain_name function is not invoked when an
empty domain is passed.
It is possible to pass both 'domain=' or 'domain=""' even though the
kernel module will accept the former only when associated with the
sloppy option.
Signed-off-by: Germano Percossi <germano.percossi@citrix.com>
Germano Percossi [Fri, 18 Nov 2016 18:54:49 +0000 (18:54 +0000)]
mount.cifs: Removed extra comma in front of domain
Signed-off-by: Germano Percossi <germano.percossi@citrix.com>
Jeff Layton [Sun, 27 Nov 2016 11:28:29 +0000 (06:28 -0500)]
cifs-utils: bump version to 6.6.1 for pre-release builds
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Fri, 2 Sep 2016 01:06:33 +0000 (21:06 -0400)]
autoconf: set version to 6.6
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Wed, 24 Aug 2016 16:56:54 +0000 (12:56 -0400)]
cifs.upcall: stop passing around ccache name strings
Instead, get a ccache handle and pass that around. That way we can keep
the cache open until the program is complete as well.
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Wed, 24 Aug 2016 15:41:53 +0000 (11:41 -0400)]
cifs.upcall: make get_tgt_time take a ccache arg
...instead of dealing with the ccname. Push resolution of the cache
into the caller.
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Wed, 24 Aug 2016 15:39:06 +0000 (11:39 -0400)]
cifs.upcall: remove KRB5_TC_OPENCLOSE
The header file says that this is deprecated, and all of the info I've
seen about it mentioned that it was for performance more than
correctness. It dates back to the original code dump from Igor, so I
think we're safe to just drop it at this point.
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Mon, 22 Aug 2016 11:34:21 +0000 (07:34 -0400)]
cifs.upcall: make the krb5_context a static global variable
There's no need to keep initing a new context for every function. Just
do it once and reuse as needed.
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Sun, 21 Aug 2016 13:42:59 +0000 (09:42 -0400)]
cifs.upcall: use krb5 routines to get default ccname
Currently we end up groveling around in /tmp, trying to guess what the
credcache will be. Instead, just get the default ccname for the user,
and then see if it has a valid tgt. If it doesn't then we try to use
the keytab to init the credcache before proceeding.
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Tue, 12 Jul 2016 20:53:25 +0000 (16:53 -0400)]
aclocal: fix typo in idmap.m4
We really don't want to do the same check twice.
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Tue, 12 Jul 2016 20:54:04 +0000 (16:54 -0400)]
autoconf: set package version to 6.5.1 for interim builds
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Mon, 22 Feb 2016 15:31:25 +0000 (10:31 -0500)]
autoconf: set version to 6.5
Signed-off-by: Jeff Layton <jlayton@samba.org>
Sachin Prabhu [Fri, 8 Jan 2016 12:24:39 +0000 (17:54 +0530)]
autoconf: Use $(DEFS) when building idmapwb.so and pam_cifscreds.so
We should pass the macros defined in $(DEFS) when building idmapwb.so
and pam_cifscreds.so. The autoconf process sets the macro HAVE_CONFIG_H
using the $(DEFS) variable. This macro has to be defined to allow the
source files to include config.h
Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
Karel Zak [Thu, 7 Jan 2016 10:02:49 +0000 (11:02 +0100)]
mount.cifs: ignore x-* mount options
x-* prefix is used for userspace mount options and it's pretty
commonly used to extend fstab configuration in systemd world (e.g.
x-systemd.automount). These options need to be ignored.
The command mount(8) does not pass x-* mount options to mount.<type>
helpers, but in some use-cases it's possible that the cifs helper reads
mount options from fstab or users directly call mount.cifs and copy & paste
mount options, etc.
This patch marks all options prefixed by "x-" as OPT_IGNORE to make
things more robust for end-users. We already use the same concept for
_netdev.
Signed-off-by: Karel Zak <kzak@redhat.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
Uri Simchoni [Thu, 19 Nov 2015 19:48:15 +0000 (21:48 +0200)]
manpage: clarify use of backupuid and backupgid in mount.cifs.8
Assert that backup intent shall only be attempted if the user matches
the backupuid or backupgid parameter.
Signed-off-by: Uri Simchoni <uri@samba.org>
Signed-off-by: Jeff Layton <jlayton@samba.org>
Felix Janda [Fri, 5 Dec 2014 22:19:29 +0000 (23:19 +0100)]
mtab.c: include <paths.h> for _PATH_MOUNTED
Signed-off-by: Felix Janda <felix.janda@posteo.de>
Jeff Layton [Mon, 8 Dec 2014 11:09:44 +0000 (06:09 -0500)]
autoconf: set version to 6.4.1 for interim builds
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Fri, 11 Jul 2014 15:14:06 +0000 (11:14 -0400)]
autoconf: set version to 6.4
Signed-off-by: Jeff Layton <jlayton@samba.org>
Guenter Kukkukk [Tue, 1 Jul 2014 15:43:55 +0000 (17:43 +0200)]
mount.cifs: on 2nd try mount.cifs must also uppercase "orig_dev"
Recent kernels now ignore "unc=..." mount option. mount.cifs, when
getting errno=ENXIO, retries the mount with uppercased hostname,
sharename and prefixpath in the "unc=..." mount option, which is ignored
now in the kernel. Used e.g. during OS/2 mounts, which fail now.
Also uppercase the now used "orig_dev" parameter.
Signed-off-by: Guenter Kukkukk <kukks@samba.org>
Jeff Layton [Mon, 21 Apr 2014 00:41:05 +0000 (20:41 -0400)]
cifscreds: better error handling for key_add
If the string buffers would have been overrun, set errno to EINVAL
before returning. Then, have the callers report the errors to
stderr or syslog as appropriate.
Cc: Sebastian Krahmer <krahmer@suse.de>
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Mon, 21 Apr 2014 00:41:05 +0000 (20:41 -0400)]
cifscreds: better error handling when key_search fails
If we ended up getting a bogus string that would have overflowed, then
make key_search set errno to EINVAL before returning. The callers can
then test to see if the returned error is what was expected or something
else and handle it appropriately.
Cc: Sebastian Krahmer <krahmer@suse.de>
Signed-off-by: Jeff Layton <jlayton@samba.org>
Sebastian Krahmer [Mon, 14 Apr 2014 09:39:41 +0000 (11:39 +0200)]
cifskey: better use snprintf()
Prefer snprintf() over sprintf() in cifskey.c
Projects that fork the code (pam_cifscreds) can't rely on
the max-size parameters.
[jlayton: removed unneeded initialization of "len" in key_add]
Signed-off-by: Sebastian Krahmer <krahmer@suse.de>
Jeff Layton [Mon, 7 Apr 2014 18:35:17 +0000 (14:35 -0400)]
cifs: use krb5_kt_default() to determine default keytab location
...don't assume that it's in /etc/krb5.keytab.
Reported-by: Konstantin Lepikhov <klepikho@redhat.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
Lars Müller [Mon, 7 Apr 2014 18:35:10 +0000 (14:35 -0400)]
autoconf: allow PAM security install directory to be configurable
Allow the pam module install directory to be set at build time.
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Wed, 2 Apr 2014 14:21:10 +0000 (10:21 -0400)]
autoconf: set version to 6.3.1 for interim builds
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Thu, 9 Jan 2014 16:19:53 +0000 (11:19 -0500)]
autoconf: set version to 6.3
Signed-off-by: Jeff Layton <jlayton@samba.org>
Orion Poplawski [Tue, 10 Dec 2013 21:09:26 +0000 (14:09 -0700)]
manpage: add pam_cifscreds.8 man page
Signed-off-by: Orion Poplawski <orion@nwra.com>
Jeff Layton [Sat, 7 Dec 2013 11:52:26 +0000 (06:52 -0500)]
cifscreds: fix up some whitespace, typos and build warnings in pam_cifscreds.c
gcc -g -O2 -Wall -Wextra -D_FORTIFY_SOURCE=2 -fpie -pie -Wl,-z,relro,-z,now -shared -fpic -o pam_cifscreds.so pam_cifscreds.c cifskey.c resolve_host.c util.c -lpam -lkeyutils
pam_cifscreds.c: In function ‘cleanup_free_password’:
pam_cifscreds.c:143:38: warning: unused parameter ‘ph’ [-Wunused-parameter]
cleanup_free_password (pam_handle_t *ph, void *data, int pam_end_status)
^
pam_cifscreds.c:143:58: warning: unused parameter ‘pam_end_status’ [-Wunused-parameter]
cleanup_free_password (pam_handle_t *ph, void *data, int pam_end_status)
^
pam_cifscreds.c: In function ‘cifscreds_pam_update’:
pam_cifscreds.c:271:8: warning: variable ‘addrs’ set but not used [-Wunused-but-set-variable]
char *addrs[16];
^
pam_cifscreds.c: In function ‘pam_sm_authenticate’:
pam_cifscreds.c:359:58: warning: unused parameter ‘unused’ [-Wunused-parameter]
PAM_EXTERN int pam_sm_authenticate(pam_handle_t *ph, int unused, int argc, const char **argv)
^
pam_cifscreds.c: In function ‘pam_sm_open_session’:
pam_cifscreds.c:414:58: warning: unused parameter ‘flags’ [-Wunused-parameter]
PAM_EXTERN int pam_sm_open_session(pam_handle_t *ph, int flags, int argc, const char **argv)
^
pam_cifscreds.c: In function ‘pam_sm_close_session’:
pam_cifscreds.c:487:51: warning: unused parameter ‘ph’ [-Wunused-parameter]
PAM_EXTERN int pam_sm_close_session(pam_handle_t *ph, int flags, int argc, const char **argv)
^
pam_cifscreds.c:487:59: warning: unused parameter ‘flags’ [-Wunused-parameter]
PAM_EXTERN int pam_sm_close_session(pam_handle_t *ph, int flags, int argc, const char **argv)
^
pam_cifscreds.c:487:70: warning: unused parameter ‘argc’ [-Wunused-parameter]
PAM_EXTERN int pam_sm_close_session(pam_handle_t *ph, int flags, int argc, const char **argv)
^
pam_cifscreds.c:487:89: warning: unused parameter ‘argv’ [-Wunused-parameter]
PAM_EXTERN int pam_sm_close_session(pam_handle_t *ph, int flags, int argc, const char **argv)
^
pam_cifscreds.c: In function ‘pam_sm_setcred’:
pam_cifscreds.c:501:45: warning: unused parameter ‘ph’ [-Wunused-parameter]
PAM_EXTERN int pam_sm_setcred(pam_handle_t *ph, int flags, int argc, const char **argv)
^
pam_cifscreds.c:501:53: warning: unused parameter ‘flags’ [-Wunused-parameter]
PAM_EXTERN int pam_sm_setcred(pam_handle_t *ph, int flags, int argc, const char **argv)
^
pam_cifscreds.c:501:64: warning: unused parameter ‘argc’ [-Wunused-parameter]
PAM_EXTERN int pam_sm_setcred(pam_handle_t *ph, int flags, int argc, const char **argv)
^
pam_cifscreds.c:501:83: warning: unused parameter ‘argv’ [-Wunused-parameter]
PAM_EXTERN int pam_sm_setcred(pam_handle_t *ph, int flags, int argc, const char **argv)
^
Signed-off-by: Jeff Layton <jlayton@samba.org>
Orion Poplawski [Wed, 13 Nov 2013 20:53:30 +0000 (13:53 -0700)]
cifscreds: create PAM module to insert credentials at login
Split out some of the cifscreds key handling routines into a separate
file, and then link that in to both cifscreds and the new PAM module.
Fix up autoconf to handle building this automatically.
Signed-off-by: Orion Poplawski <orion@nwra.com>
Jeff Layton [Sat, 7 Dec 2013 13:54:59 +0000 (08:54 -0500)]
autoconf: fix link of libwbclient
It's currently getting added to $LIBS and being linked into places that
we don't need it.
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Mon, 14 Oct 2013 01:07:28 +0000 (21:07 -0400)]
asn1: fix use-after-free in asn1_write
If the talloc_realloc() fails, asn1_write calls talloc_free on the
context and then immediately dereferences the pointer.
Fix this by skipping the talloc_free here. Let the caller handle it.
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Fri, 11 Oct 2013 02:05:05 +0000 (22:05 -0400)]
mount.cifs: fix bad free() of string returned by dirname()
Coverity says:
Error: CPPCHECK_WARNING: [#def10]
cifs-utils-6.2/mount.cifs.c:1518: error[memleakOnRealloc]: Common realloc mistake: 'mtabdir' nulled but not freed upon failure
del_mtab has a number of bugs in handling of allocated memory:
a) the return value of strdup() is not checked
b) It calls realloc() on a pointer that wasn't returned by an allocation
function (e.g. malloc, calloc, etc.)
c) If realloc() fails, it doesn't call free() on the original memory
returned by strdup()
Fix all of these bugs and add newlines to the end of the error messages
in del_mtab.
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Wed, 9 Oct 2013 13:05:22 +0000 (09:05 -0400)]
data_blob: clean out unused functions
Cut another 6k or so out of the cifs.upcall binary.
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Wed, 9 Oct 2013 12:17:49 +0000 (08:17 -0400)]
asn1: remove some unused functions
This cuts 30k out of the cifs.upcall binary on my x86_64 box.
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Wed, 9 Oct 2013 12:14:21 +0000 (08:14 -0400)]
getcifsacl: remove some dead code
Coverity says:
Error: DEADCODE (CWE-561): [#def5]
cifs-utils-6.2/getcifsacl.c:101: assignment: Assigning: "mflags" = "false".
cifs-utils-6.2/getcifsacl.c:109: const: At condition "mflags", the value of "mflags" must be equal to 0.
cifs-utils-6.2/getcifsacl.c:109: dead_error_condition: The condition "mflags" cannot be true.
cifs-utils-6.2/getcifsacl.c:110: dead_error_line: Execution cannot reach this statement "printf("|");".
Acked-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Wed, 9 Oct 2013 01:07:24 +0000 (21:07 -0400)]
get/setcifsacl: fix bad bit-shifts
A Coverity scan turned up this warning:
1. cifs-utils-6.2/setcifsacl.c:578:result_independent_of_operands – "(x & 0xff0000000000ULL) >> 48" is 0 regardless of the values of its operands. This occurs as the operand of assignment.
...which is entirely true. That shift should be 40 bits, not 48. Also
fix a similar bug in getcifsacl.c.
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Wed, 9 Oct 2013 01:13:41 +0000 (21:13 -0400)]
autoconf: set release to 6.2.1 for interim builds
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Fri, 4 Oct 2013 10:56:41 +0000 (06:56 -0400)]
autoconf: set version to 6.2
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Fri, 4 Oct 2013 11:12:32 +0000 (07:12 -0400)]
autoconf: update configure.ac a'la autoupdate
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Tue, 17 Sep 2013 15:39:13 +0000 (11:39 -0400)]
cifs.upcall: try to use default credcache if we didn't find one
Fedora is in the process of moving to KEYRING: credcaches which are not
currently handled by cifs.upcall. We could try to detect when they're in
use, but it's simpler and more robust to just try to use the default
credcache whenever we don't find a FILE: or DIR: cache.
Signed-off-by: Jeff Layton <jlayton@samba.org>
Steve French [Mon, 9 Sep 2013 14:55:46 +0000 (09:55 -0500)]
autoconf: add another suggested package name for krb5 headers
Added an alternate package name for krb5 headers.
Noticed the following suggestion asks for the wrong package (at least
wrong for FC17)
checking krb5.h presence... no
checking for krb5.h... no
checking krb5/krb5.h usability... no
checking krb5/krb5.h presence... no
checking for krb5/krb5.h... no
configure: WARNING: krb5.h not found, consider installing
krb5-libs-devel. Disabling cifs.upcall.
[sfrench@w500smf cifs-utils]$ sudo yum install krb5-libs-devel
Loaded plugins: langpacks, presto, refresh-packagekit
No package krb5-libs-devel available.
Error: Nothing to do
[sfrench@w500smf cifs-utils]$ sudo yum install krb5-devel
(installing krb5-devel worked, but not krb5-libs-devel for this version)
Signed-off-by: Steve French <smfrench@gmail.com>
Michał Górny [Tue, 30 Jul 2013 08:00:26 +0000 (10:00 +0200)]
Do not rely on hardcoded path to systemd-ask-password.
Relying on hardcoded /bin/systemd-ask-password path breaks systemd that
install systemd-ask-password in /usr/bin. Since both paths are supposed
to be in ${PATH} and popen() passes the command to shell, just pass
'systemd-ask-password' and let the shell find it.
Fixes: https://bugzilla.samba.org/show_bug.cgi?id=10054
Signed-off-by: Michał Górny <mgorny@gentoo.org>
Scott Lovenberg [Sun, 21 Jul 2013 20:21:08 +0000 (16:21 -0400)]
cifs-utils: Correct max string lengths v2
The max size of the username, domain, and password strings are now
consistent with the kernel and Microsoft's documentation.
Signed-off-by: Scott Lovenberg <scott.lovenberg@gmail.com>
Jeff Layton [Thu, 18 Jul 2013 14:14:21 +0000 (10:14 -0400)]
cifs-utils: fix some sparse warnings
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Thu, 18 Jul 2013 14:08:27 +0000 (10:08 -0400)]
setcifsacl: add fallback for when plugin can't be loaded
Allow setcifsacl to function even in the case where the plugin can't
be initialized. ID mapping of course won't work, but we can still allow
it to accept "raw" SID strings.
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Mon, 8 Jul 2013 13:08:01 +0000 (09:08 -0400)]
manpage: fix nouser_xattr description
The manpage erroneously states that nouser_xattr is the default, when
it's actually the reverse.
Reported-by: Dome <domfe@tiscali.it>
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Mon, 8 Jul 2013 13:06:46 +0000 (09:06 -0400)]
autoconf: set version to 6.1.1 for interim builds
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Tue, 2 Jul 2013 19:13:33 +0000 (15:13 -0400)]
cifs-utils: set version to 6.1
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Wed, 29 May 2013 18:54:26 +0000 (14:54 -0400)]
cifs.upcall: allow users to specify dedicated keytab on command-line
Currently cifs.upcall only looks at the default system keytab
(/etc/krb5.keytab). It's often the case however that a dedicated keytab
is desirable. Allow administrators to set one on the command-line.
Reported-by: steve <steve@steve-ss.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
Peng Haitao [Fri, 17 May 2013 09:27:02 +0000 (17:27 +0800)]
cifs.upcall: the exit code should be 0 when print version
When printing the version number, the exit code should be 0
and syslog() should not send "Negating key" to the system logger.
Signed-off-by: Peng Haitao <penght@cn.fujitsu.com>
Peng Haitao [Fri, 12 Apr 2013 08:58:49 +0000 (16:58 +0800)]
setcifsacl.c: fix a bug of goto setcifsacl_facenum_ret
setcifsacl_facenum_ret: is called only if attrlen is equal to -1.
Signed-off-by: Peng Haitao <penght@cn.fujitsu.com>
Scott Lovenberg [Wed, 10 Apr 2013 17:16:52 +0000 (13:16 -0400)]
mount.cifs: Trivial comment fixes
Two trivial comment fixes.
Signed-off-by: Scott Lovenberg <scott.lovenberg@gmail.com>
Jeff Layton [Wed, 10 Apr 2013 17:24:50 +0000 (13:24 -0400)]
cifs-utils: set version to 6.0.1 for interim builds
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Fri, 22 Mar 2013 10:18:19 +0000 (06:18 -0400)]
autoconf: set version to 6.0
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Fri, 22 Mar 2013 10:43:46 +0000 (06:43 -0400)]
mount.cifs: remove support for "NFS syntax"
...as promised for version 6.0.
Cc: Scott Lovenberg <scott.lovenberg@gmail.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Tue, 19 Mar 2013 15:00:49 +0000 (11:00 -0400)]
manpage: better document the default sec= mount option
The default changed in mainline kernel v3.8.
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Sun, 17 Mar 2013 01:28:18 +0000 (21:28 -0400)]
manpage: document the mount.cifs vers= option
Thanks to Tom Talpey for clarifying some of the info here.
Cc: Tom Talpey <ttalpey@microsoft.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Fri, 1 Feb 2013 17:41:57 +0000 (12:41 -0500)]
cifs-utils: add autoconf test to make sure that libwbclient is usable
The idmapwb plugin requires a usable wbcSidsToUnixIds() function. Check
to ensure that the wbclient library provides that symbol, and handle
it appropriately if it doesn't.
If someone were so inclined they probably could fix idmapwb to fall
back to the older mapping functions if that symbol doesn't exist,
but for now this patch just makes it refuse to build the plugin.
Reported-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Tue, 29 Jan 2013 12:08:48 +0000 (07:08 -0500)]
setcifsacl: fix offset calculation in "set" code
Previously the code assumed that the ACE that was copied was of a
fixed size. Save off the return value from copy_ace and ensure that
we apply it correctly to the size and offset.
Reported-by: Jian Li <jiali@redhat.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Tue, 29 Jan 2013 02:38:12 +0000 (21:38 -0500)]
setcifsacl: fix infinite loop in getnumcaces
Jian pointed out that this loop can cycle infinitely when the string
contains a ','.
Also, fix typo in manpage that shows a trailing ',' in one example.
Reported-by: Jian Li <jiali@redhat.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Sun, 13 Jan 2013 03:02:01 +0000 (22:02 -0500)]
mount.cifs: set parsed_info->got_user when a cred file supplies a username
commit 85d18a1ed introduced a regression when using a credentials file.
It set the username in the parsed mount info properly, but didn't set
the "got_user" flag in it.
Also, fix an incorrect strlcpy length specifier in open_cred_file.
Reported-by: "Mantas M." <grawity@gmail.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Mon, 7 Jan 2013 15:25:30 +0000 (10:25 -0500)]
cifsidmap: clean up comments on API description
...typo and grammatical fixes, mostly.
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Mon, 7 Jan 2013 15:23:09 +0000 (10:23 -0500)]
autoconf: set release to 5.9.1 for interim builds
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Mon, 7 Jan 2013 12:19:46 +0000 (07:19 -0500)]
autoconf: set version to 5.9
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Mon, 7 Jan 2013 12:19:46 +0000 (07:19 -0500)]
mount.cifs: remove support for "complex" usernames from mount.cifs
In commit 569cfcb3a, we added a warning of the removal for support for
username= options in the form of DOMAIN/username%password. This patch
removes that support as promised prior to the 5.9 release.
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Wed, 2 Jan 2013 11:27:35 +0000 (06:27 -0500)]
cifs-utils: fix cifsidmap.h comment
It's actually OK to set this to BOTH.
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Mon, 17 Dec 2012 16:45:41 +0000 (11:45 -0500)]
cifs-utils: add a manpage for idmapwb
...and clean up references to winbind in various tool manpages.
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Sun, 9 Dec 2012 02:28:08 +0000 (21:28 -0500)]
cifs-utils: convert cifs.idmap to use plugin interface
Add routines for the various things that cifs.idmap needs and have it
call them.
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Wed, 19 Dec 2012 19:52:42 +0000 (14:52 -0500)]
cifs-utils: add autoconf test for WBC_ID_TYPE_BOTH
WBC_ID_TYPE_BOTH is a new addition (in Samba 4.0 only). Add a test for
its presence. Because it's an enum, we have to jump through some extra
hoops here...
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Fri, 7 Dec 2012 17:17:03 +0000 (12:17 -0500)]
cifs-utils: convert setcifsacl to use the plugin interface
Add str_to_sid() functionality to the plugin API and have setcifsacl
use it.
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Mon, 3 Dec 2012 17:35:38 +0000 (12:35 -0500)]
cifs-utils: new plugin architecture for ID mapping code
Currently, the ACL-related tools in cifs-utils call into the wbclient
libs directly in order to do their bidding. The wbclient developers want
to get away from needing to configure winbind on the clients and instead
allow sssd to handle the mapping in most cases.
This patch represents an initial step in that direction. It adds a
plugin architecture for cifs-utils, adds wrappers around the calls into
libwbclient that find an idmap plugin library to use and then has it
call into that plugin to do the actual ID mapping.
The application will call into a set of routines that find the correct
plugin and dlopen() it. Currently the plugin is located in a well-known
location that is settable via autoconf. That location is intended to be
a symlink that points to the real plugin (generally under $pkglibdir).
The plugin will export a number of functions with well-known names. The
wrappers find those by using dlsym() and then call them.
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Thu, 13 Dec 2012 13:58:54 +0000 (08:58 -0500)]
cifs-utils: struct cifs_sid definition to new cifsidmap.h header
People who want to build a plugin for the idmapping routines will need a
header to describe the data types that they need. Add a cifsidmap.h file
and move the struct cifs_sid definition into it, along with the
constants needed to describe it.
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Fri, 7 Dec 2012 17:07:23 +0000 (12:07 -0500)]
setcifsacl: remove syslog goop
setcifsacl doesn't use syslog, so no need to open a channel to it.
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Fri, 7 Dec 2012 13:39:16 +0000 (08:39 -0500)]
getcifsacl: remove unneeded openlog() call
getcifsacl doesn't log to syslog, so there's no need to open a channel
to it. Also, remove the unneeded "prog" global variable since only
the usage() function needs it.
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Thu, 6 Dec 2012 12:17:17 +0000 (07:17 -0500)]
cifs-utils: only link in -lrt to binaries that need it
...which is really only mount.cifs.
Cc: Björn Jacke <bj@sernet.de>
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Thu, 6 Dec 2012 11:45:57 +0000 (06:45 -0500)]
autoconf: enable full RELRO in cifs-utils binaries
This is safer since it also protects the GOT from getting clobbered.
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Tue, 4 Dec 2012 11:21:06 +0000 (06:21 -0500)]
getcifsacl: ensure that we don't overrun the wbcDomainSid when converting
If we get a SID that contains more than 15 subauthorities, we'll end up
overrunning the struct wbcDomainSid. Just ignore any past 15.
Signed-off-by: Jeff Layton <jlayton@samba.org>
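
Added example, not code from getcifsacl or setcifsacl: the 48-bit authority conversion from the "fix bad bit-shifts" commit (the flagged pattern beside a corrected one) and a SID formatter that ignores sub-authorities past 15, as this commit describes. It assumes the standard binary SID layout (revision byte, count byte, 6 big-endian authority bytes, little-endian 32-bit sub-authorities); all function names and the sample SID are constructed.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SUBAUTHS 15	/* limit named in the getcifsacl commit */
#define SID_HDR_LEN 8	/* revision + count + 6 authority bytes */

/* Constructed sample: S-1-5-21-1-2 in binary form. */
static const uint8_t sample_sid[] = {
	0x01, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
	0x15, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
	0x02, 0x00, 0x00, 0x00,
};

/* Flagged pattern: the mask keeps bits 40..47, so shifting right by 48
 * always yields 0. Only the first expression is quoted from the Coverity
 * report; the remaining lines are filled in for this example. */
void authority_to_bytes_buggy(uint64_t auth, uint8_t out[6])
{
	out[0] = (uint8_t)((auth & 0xff0000000000ULL) >> 48);
	out[1] = (uint8_t)((auth & 0x00ff00000000ULL) >> 32);
	out[2] = (uint8_t)((auth & 0x0000ff000000ULL) >> 24);
	out[3] = (uint8_t)((auth & 0x000000ff0000ULL) >> 16);
	out[4] = (uint8_t)((auth & 0x00000000ff00ULL) >> 8);
	out[5] = (uint8_t)(auth & 0xffULL);
}

/* Corrected: byte i of the big-endian field is bits (40 - 8*i) and up. */
void authority_to_bytes(uint64_t auth, uint8_t out[6])
{
	int i;

	for (i = 0; i < 6; i++)
		out[i] = (uint8_t)(auth >> (40 - 8 * i));
}

/*
 * Format a binary SID as "S-R-A-S1-S2...". Sub-authorities past
 * MAX_SUBAUTHS are ignored. Returns the number of sub-authorities written,
 * or -1 if the input is too short or the output buffer too small.
 */
int sid_to_string(const uint8_t *raw, size_t rawlen, char *out, size_t outlen)
{
	uint64_t auth = 0;
	unsigned int count, i;
	size_t off;
	int n;

	if (rawlen < SID_HDR_LEN)
		return -1;
	count = raw[1];
	if (count > MAX_SUBAUTHS)
		count = MAX_SUBAUTHS;
	if (rawlen < SID_HDR_LEN + 4 * (size_t)count)
		return -1;
	for (i = 0; i < 6; i++)
		auth = (auth << 8) | raw[2 + i];
	n = snprintf(out, outlen, "S-%u-%" PRIu64, (unsigned int)raw[0], auth);
	if (n < 0 || (size_t)n >= outlen)
		return -1;
	off = (size_t)n;
	for (i = 0; i < count; i++) {
		const uint8_t *p = raw + SID_HDR_LEN + 4 * i;
		uint32_t sub = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
			       (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;

		n = snprintf(out + off, outlen - off, "-%" PRIu32, sub);
		if (n < 0 || (size_t)n >= outlen - off)
			return -1;
		off += (size_t)n;
	}
	return (int)count;
}

int main(void)
{
	char buf[192];
	uint8_t good[6], bad[6];

	authority_to_bytes(0x010203040506ULL, good);
	authority_to_bytes_buggy(0x010203040506ULL, bad);
	printf("top authority byte: fixed=%u buggy=%u\n", good[0], bad[0]);
	if (sid_to_string(sample_sid, sizeof(sample_sid), buf, sizeof(buf)) >= 0)
		printf("%s\n", buf);
	return 0;
}
```
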
Jeff Layton [Tue, 4 Dec 2012 11:12:13 +0000 (06:12 -0500)]
getcifsacl: free strings returned by wbcLookupSid
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Mon, 3 Dec 2012 18:41:12 +0000 (13:41 -0500)]
getcifsacl: use "size" instead of reconverting original field to host endian
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Mon, 3 Dec 2012 16:03:19 +0000 (11:03 -0500)]
autotools: remove unnecessary files from distro
Having them in the distro prevents autoreconf -i from installing the latest
copies.
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Wed, 28 Nov 2012 20:17:44 +0000 (15:17 -0500)]
mount.cifs: don't pass "flag" options to the kernel
When certain options are passed to the mount helper, we want to turn
them into mountflags for the mount() syscall. There's no need to copy
them to the options string in that case though.
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Mon, 19 Nov 2012 01:38:38 +0000 (20:38 -0500)]
mount.cifs: treat uid=,gid=,cruid= options as name before assuming they're a number
Sergio Conrad reported a problem trying to set up an autofs map to do
a krb5 mount. In his environment, many users have usernames that are
comprised entirely of numbers. While that's a bit odd, POSIX apparently
allows for it.
The current code assumes that when a numeric argument is passed to one
of the above options, that it's a uid or gid. Instead, try to treat the
argument as a user or group name first, and only try to treat it as a
number if that fails.
Signed-off-by: Jeff Layton <jlayton@samba.org>
Jeff Layton [Thu, 15 Nov 2012 20:22:13 +0000 (15:22 -0500)]
autoconf: set version to 5.8.1 for interim builds
Signed-off-by: Jeff Layton <jlayton@samba.org>