author | Jeff Layton <jlayton@redhat.com> | 2010-01-26 08:15:41 -0500 |
---|---|---|
committer | Jeff Layton <jlayton@redhat.com> | 2010-01-26 08:15:41 -0500 |
commit | a0c31ec1c8d1220a5884e40d9ba6b191a04a24d5 (patch) | |
tree | 8aa76af962d01d047870b718bcbe5b1a07bc3c0f /client | |
parent | a065c177dfc8f968775593ba00dffafeebb2e054 (diff) | |
mount.cifs: don't allow it to be run as setuid root program
mount.cifs has been the subject of several "security" fire drills due to
distributions installing it as a setuid root program. This program has
not been properly audited for security and the Samba team highly
recommends that it not be installed as a setuid root program at this
time.
To make that abundantly clear, this patch forcibly disables the ability
for mount.cifs to run as a setuid root program. People are welcome to
trivially patch this out, but they do so at their own peril.
A security audit and redesign of this program is in progress and we hope
that we'll be able to remove this in the near future.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Diffstat (limited to 'client')
-rw-r--r-- | client/mount.cifs.c | 39 |
1 files changed, 38 insertions, 1 deletions
diff --git a/client/mount.cifs.c b/client/mount.cifs.c
index 96f0c1c834..9044184ed2 100644
--- a/client/mount.cifs.c
+++ b/client/mount.cifs.c
@@ -43,7 +43,7 @@
 #include "mount.h"

 #define MOUNT_CIFS_VERSION_MAJOR "1"
-#define MOUNT_CIFS_VERSION_MINOR "13"
+#define MOUNT_CIFS_VERSION_MINOR "14"

 #ifndef MOUNT_CIFS_VENDOR_SUFFIX
 #ifdef _SAMBA_BUILD_
@@ -87,6 +87,17 @@
 #define MAX_ADDRESS_LEN INET6_ADDRSTRLEN

 /*
+ * mount.cifs has been the subject of many "security" bugs that have arisen
+ * because of users and distributions installing it as a setuid root program.
+ * mount.cifs has not been audited for security. Thus, we strongly recommend
+ * that it not be installed setuid root. To make that abundantly clear,
+ * mount.cifs now check whether it's running setuid root and exit with an
+ * error if it is. If you wish to disable this check, then set the following
+ * #define to 1, but please realize that you do so at your own peril.
+ */
+#define CIFS_DISABLE_SETUID_CHECK 0
+
+/*
 * By default, mount.cifs follows the conventions set forth by /bin/mount
 * for user mounts. That is, it requires that the mount be listed in
 * /etc/fstab with the "user" option when run as an unprivileged user and
@@ -212,6 +223,29 @@ check_mountpoint(const char *progname, char *mountpoint)
 return 0;
 }

+#if CIFS_DISABLE_SETUID_CHECK
+static int
+check_setuid(void)
+{
+ return 0;
+}
+#else /* CIFS_DISABLE_SETUID_CHECK */
+static int
+check_setuid(void)
+{
+ if (getuid() && !geteuid()) {
+ printf("This mount.cifs program has been built with the "
+ "ability to run as a setuid root program disabled.\n"
+ "mount.cifs has not been well audited for security "
+ "holes. Therefore the Samba team does not recommend "
+ "installing it as a setuid root program.\n");
+ return 1;
+ }
+
+ return 0;
+}
+#endif /* CIFS_DISABLE_SETUID_CHECK */
+
 #if CIFS_LEGACY_SETUID_CHECK
 static int
 check_fstab(const char *progname, char *mountpoint, char *devname,
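Review bot: The comment added above `CIFS_DISABLE_SETUID_CHECK` has a grammar slip in its fifth line ("mount.cifs now check whether ... and exit with"); it should read `mount.cifs now checks whether it's running setuid root and exits with an`. The comment would also be more useful to someone auditing a build if it stated what the check compares, since check_setuid() further down tests only for a non-zero real UID together with an effective UID of 0.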
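Review bot: The refusal text in the second check_setuid() definition is written with printf(), so it goes to stdout and is lost when a caller discards or captures stdout; an error that ends the program would normally go to stderr, i.e. `fprintf(stderr, "This mount.cifs program has been built with the "` with the remaining string lines unchanged. The condition `getuid() && !geteuid()` rejects only a non-root real UID paired with effective UID 0, so a binary that gains privilege some other way (a set-group-ID bit, or file capabilities where the platform has them) would pass it. That limit deserves a comment above the function, for example `/* Detects setuid-root only: real uid != 0 and effective uid == 0. */`, so packagers do not read the check as a general privilege guard.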
@@ -1226,6 +1260,9 @@ int main(int argc, char ** argv)
 struct sockaddr_in6 *addr6;
 FILE * pmntfile;

+ if (check_setuid())
+ return EX_USAGE;
+
 /* setlocale(LC_ALL, "");
 bindtextdomain(PACKAGE, LOCALEDIR);
 textdomain(PACKAGE); */ |
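Review bot: The `check_setuid()` call in main() has no comment saying that it must stay ahead of everything else the program does; a later change that moves option parsing or the commented-out locale setup above it would run that code with the elevated effective UID before the refusal. A one-line comment such as `/* keep first: refuse setuid-root before touching argv or the environment */` would pin the ordering. main() starts and continues outside this hunk, so whether any initializer among the declarations above the call has side effects cannot be confirmed from here.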