Age | Commit message (Collapse) | Author | Files | Lines |
|
mount.cifs has been the subject of several "security" fire drills due to
distributions installing it as a setuid root program. This program has
not been properly audited for security and the Samba team highly
recommends that it not be installed as a setuid root program at this
time.
To make that abundantly clear, this patch forcibly disables the ability
for mount.cifs to run as a setuid root program. People are welcome to
trivially patch this out, but they do so at their own peril.
A security audit and redesign of this program is in progress and we hope
that we'll be able to remove this in the near future.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
|
It's apparently possible to corrupt the mtab if you pass embedded
newlines to addmntent. Apparently tabs are also a problem with certain
earlier glibc versions. Backslashes are also a minor issue apparently,
but we can't reasonably filter those.
Make sure that neither the devname or mountpoint contain any problematic
characters before allowing the mount to proceed.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
|
It's possible to trick mount.cifs into mounting onto the wrong directory
by replacing the mountpoint with a symlink to a directory. mount.cifs
attempts to check the validity of the mountpoint, but there's still a
possible race between those checks and the mount(2) syscall.
To guard against this, chdir to the mountpoint very early, and only deal
with it as "." from then on out.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
|
|
|
Apparently, we need to strip the "const" attribute off of the mnt_fstype
before passing it to addmntent to prevent a (somewhat bogus) compiler
warning.
Rather than just stripping off the "const" attribute, clarify the code
by declaring a new non-const char pointer that points to the same
string. We can also use that same pointer in the mount(2) call too.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Acked-by: Matthias Dieter Wallnöfer <mdw@samba.org>
|
|
When running mount.cifs with the --verbose option, it'll print out the
option string that it passes to the kernel...including the mount
password if there is one. Print a placeholder string instead to help
ensure that this info can't be used for nefarious purposes.
Also, the --verbose option printed the option string before it was
completely assembled anyway. This patch should also make sure that
the complete option string is printed out.
Finally, strndup passwords passed in on the command line to ensure that
they aren't shown by --verbose as well. Passwords used this way can
never be truly kept private from other users on the machine of course,
but it's simple enough to do it this way for completeness sake.
Reported-by: Ronald Volgers <r.c.volgers@student.utwente.nl>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Acked-by: Steve French <sfrench@us.ibm.com>
|
|
It's possible for an unprivileged user to pass a setuid mount.cifs a
credential or password file to which he does not have access. This can cause
mount.cifs to open the file on his behalf and possibly leak the info in the
first few lines of the file.
Check the access permissions of the file before opening it.
Reported-by: Ronald Volgers <r.c.volgers@student.utwente.nl>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Acked-by: Steve French <sfrench@us.ibm.com>
|
|
When a mount fails, mount.cifs often prints an error message. In most
cases, this error goes to stdout instead of stderr like it should. Fix
it to print errors to stderr instead.
Reported-by: Jan Engelhardt <jengelh@gmx.de>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
|
/bin/mount strips off the ro/rw options after setting the MS_RDONLY
flag appropriately. Make mount.cifs do the same thing.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
When getaddrinfo returns an IPv6 address with a non-zero scope_id, send
that to the kernel appended to the address with a '%' delimiter. This
allows people to mount servers via their link-local IPv6 addresses
(given a kernel that understands this address format, of course).
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
|
If we get a non-AF_INET(6) address, then just skip it and try the next
one in the list.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
|
(try#3)
This is the third attempt to clean up the checks when a setuid
mount.cifs is run by an unprivileged user. The main difference in this
patch from the last one is that it fixes a bug where the mount might
have failed if unnecessarily if CIFS_LEGACY_SETUID_CHECK was set.
When mount.cifs is installed setuid root and run as an unprivileged
user, it does some checks to limit how the mount is used. It checks that
the mountpoint is owned by the user doing the mount.
These checks however do not match those that /bin/mount does when it is
called by an unprivileged user. When /bin/mount is called by an
unprivileged user to do a mount, it checks that the mount in question is
in /etc/fstab, that it has the "user" option set, etc.
This means that it's currently not possible to set up user mounts the
standard way (by the admin, in /etc/fstab) and simultaneously protect
from an unprivileged user calling mount.cifs directly to mount a share
on any directory that that user owns.
Fix this by making the checks in mount.cifs match those of /bin/mount
itself. This is a necessary step to make mount.cifs safe to be installed
as a setuid binary, but not sufficient. For that, we'd need to give
mount.cifs a proper security audit.
Since some users may be depending on the legacy behavior, this patch
also adds the ability to build mount.cifs with the older behavior.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
|
in Samba 4.
|