path: root/client
Age | Commit message | Author | Files | Lines
2010-01-26 | mount.cifs: don't allow it to be run as setuid root program | Jeff Layton | 1 | -1/+38
mount.cifs has been the subject of several "security" fire drills due to distributions installing it as a setuid root program. This program has not been properly audited for security and the Samba team highly recommends that it not be installed as a setuid root program at this time. To make that abundantly clear, this patch forcibly disables the ability for mount.cifs to run as a setuid root program. People are welcome to trivially patch this out, but they do so at their own peril. A security audit and redesign of this program is in progress and we hope that we'll be able to remove this in the near future.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
2010-01-26 | mount.cifs: check for invalid characters in device name and mountpoint | Jeff Layton | 1 | -0/+34
It's apparently possible to corrupt the mtab if you pass embedded newlines to addmntent. Apparently tabs are also a problem with certain earlier glibc versions. Backslashes are also a minor issue apparently, but we can't reasonably filter those. Make sure that neither the devname nor the mountpoint contains any problematic characters before allowing the mount to proceed.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
2010-01-26 | mount.cifs: take extra care that mountpoint isn't changed during mount | Jeff Layton | 1 | -8/+26
It's possible to trick mount.cifs into mounting onto the wrong directory by replacing the mountpoint with a symlink to a directory. mount.cifs attempts to check the validity of the mountpoint, but there's still a possible race between those checks and the mount(2) syscall. To guard against this, chdir to the mountpoint very early, and only deal with it as "." from then on out.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
2009-11-27 | s3-kerberos: only use krb5 headers where required. | Günther Deschner | 1 | -0/+1
This seems to be the only way to deal with mixed heimdal/MIT setups during merged build.
Guenther
2009-11-25 | cifs.upcall: 2nd part of fix for Bug #6868: support building with Heimdal as well as with MIT. | Günther Deschner | 1 | -0/+2
Guenther
2009-11-21 | mount.cifs: Fix a const error | Volker Lendecke | 1 | -2/+2
2009-11-12 | cifs.upcall: Fix Bug #6868: support building with Heimdal as well as with MIT. | Günther Deschner | 1 | -18/+16
Guenther
2009-11-11 | mount.cifs: get rid of CONST_DISCARD | Jeff Layton | 1 | -4/+3
Apparently, we need to strip the "const" attribute off of the mnt_fstype before passing it to addmntent to prevent a (somewhat bogus) compiler warning. Rather than just stripping off the "const" attribute, clarify the code by declaring a new non-const char pointer that points to the same string. We can also use that same pointer in the mount(2) call too.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Acked-by: Matthias Dieter Wallnöfer <mdw@samba.org>
2009-11-06 | s3-kerberos: modify cli_krb5_get_ticket to take a new impersonate_princ_s arg. | Günther Deschner | 1 | -1/+1
Guenther
2009-10-01 | mount.cifs: don't leak passwords with verbose option | Jeff Layton | 1 | -16/+30
When running mount.cifs with the --verbose option, it'll print out the option string that it passes to the kernel...including the mount password if there is one. Print a placeholder string instead to help ensure that this info can't be used for nefarious purposes. Also, the --verbose option printed the option string before it was completely assembled anyway. This patch should also make sure that the complete option string is printed out. Finally, strndup passwords passed in on the command line to ensure that they aren't shown by --verbose as well. Passwords used this way can never be truly kept private from other users on the machine of course, but it's simple enough to do it this way for completeness' sake.
Reported-by: Ronald Volgers <r.c.volgers@student.utwente.nl>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Acked-by: Steve French <sfrench@us.ibm.com>
2009-10-01 | mount.cifs: check access of credential files before opening | Jeff Layton | 1 | -0/+11
It's possible for an unprivileged user to pass a setuid mount.cifs a credential or password file to which he does not have access. This can cause mount.cifs to open the file on his behalf and possibly leak the info in the first few lines of the file. Check the access permissions of the file before opening it.
Reported-by: Ronald Volgers <r.c.volgers@student.utwente.nl>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Acked-by: Steve French <sfrench@us.ibm.com>
2009-09-24 | mount.cifs: print output to stderr | Jeff Layton | 1 | -108/+101
When a mount fails, mount.cifs often prints an error message. In most cases, this error goes to stdout instead of stderr like it should. Fix it to print errors to stderr instead.
Reported-by: Jan Engelhardt <jengelh@gmx.de>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
2009-09-17 | cifs-upcall: fix the build after spnego merge. | Günther Deschner | 1 | -0/+1
Guenther
2009-09-04 | cifs.upcall: do a brute-force search for KRB5 credcache | Jeff Layton | 1 | -46/+138
A few weeks ago, I added some code to cifs.upcall to take the pid sent by the kernel and use that to get the value of the $KRB5CCNAME environment var for the process. That works fine on the initial mount, but could be problematic on reconnect. There's no guarantee on a reconnect that the process that initiates the upcall will have $KRB5CCNAME pointed at the correct credcache. Because of this, the current scheme isn't going to be reliable enough and we need to use something different. This patch replaces that scheme with one very similar to the one used by rpc.gssd in nfs-utils. It searches the credcache dir (currently hardcoded to /tmp) for a valid credcache for the given uid. If it finds one then it uses that as the credentials cache. If it finds more than one, it uses the one with the latest TGT expiration.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
2009-08-26 | cifs.upcall: make using ip address conditional on new option | Jeff Layton | 1 | -22/+40
Igor Mammedov pointed out that reverse resolving an IP address to get the hostname portion of a principal could open a possible attack vector. If an attacker were to gain control of DNS, then he could redirect the mount to a server of his choosing, and fix the reverse resolution to point to a hostname of his choosing (one where he has the key for the corresponding cifs/ or host/ principal). That said, we often trust DNS for other reasons and it can be useful to do so. Make the code that allows trusting DNS to be enabled by adding --trust-dns to the cifs.upcall invocation.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
2009-08-26 | cifs.upcall: switch to getopt_long | Jeff Layton | 1 | -1/+7
...to allow long option names.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
2009-08-14 | cifs.upcall: fix IPv6 addrs sent to upcall to have colon delimiters | Jeff Layton | 1 | -4/+29
Current kernels don't send IPv6 addresses with the colon delimiters; add a routine to add them when they're not present.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
2009-08-14 | cifs.upcall: use ip address passed by kernel to get server's hostname | Jeff Layton | 1 | -12/+56
Instead of using the hostname given by the upcall to get the server's principal, take the IP address given in the upcall and reverse resolve it to a hostname.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
2009-08-14 | cifs.upcall: clean up flag handling | Jeff Layton | 1 | -10/+10
Add a new stack var to hold the flags returned by the decoder routine so that we don't need to worry so much about preserving "rc". With this, we can drop privs before trying to find the location of the credcache.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
2009-08-14 | cifs.upcall: try getting a "cifs/" principal and fall back to "host/" | Jeff Layton | 1 | -12/+16
cifs.upcall takes a "-c" flag that tells the upcall to get a principal in the form of "cifs/hostname.example.com@REALM" instead of "host/hostname.example.com@REALM". This has turned out to be a source of great confusion for users. Instead of requiring this flag, have the upcall try to get a "cifs/" principal first. If that fails, fall back to getting a "host/" principal.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
2009-08-14 | cifs.upcall: declare a structure for holding decoded args | Jeff Layton | 1 | -30/+33
The argument list for the decoder is becoming rather long. Declare an args structure and use that for holding the args. This also simplifies pointer handling a bit.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
2009-08-14 | cifs.upcall: formatting cleanup | Jeff Layton | 1 | -47/+37
Clean up some unneeded curly braces, and fix some indentation.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
2009-08-14 | cifs.upcall: clean up logging and add debug messages | Jeff Layton | 1 | -32/+47
Change the log levels to be more appropriate to the messages being logged. Error messages should be LOG_ERR and not LOG_WARNING, for instance. Add some LOG_DEBUG messages that we can use to diagnose problems with krb5 upcalls. With these, someone can set up syslog to log daemon.debug and should be able to get more info when things aren't working.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
2009-07-27 | umount.cifs: do not attempt to update /etc/mtab if it is a symbolic link | Shirish Pargaonkar | 1 | -3/+4
If /etc/mtab is a symbolic link to e.g. /proc/mounts, do not update it. This is a fix for the bug reported as 4675 on Samba bugzilla.
Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
2009-07-10 | Attempt to fix the build -- jlayton, please check! | Volker Lendecke | 1 | -1/+1
2009-07-09 | cifs.upcall: use pid value from kernel to determine KRB5CCNAME to use | Jeff Layton | 1 | -12/+75
If the kernel sends the upcall a pid of the requesting process, we can open that process' /proc/<pid>/environ file and scrape the KRB5CCNAME value out of it.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
2009-06-29 | mount.cifs: don't pass text ro/rw options to kernel | Jeff Layton | 1 | -0/+2
/bin/mount strips off the ro/rw options after setting the MS_RDONLY flag appropriately. Make mount.cifs do the same thing.
Signed-off-by: Jeff Layton <jlayton@samba.org>
2009-06-25 | mount.cifs: add support for sending IPv6 scope ID to kernel | Jeff Layton | 1 | -0/+8
When getaddrinfo returns an IPv6 address with a non-zero scope_id, send that to the kernel appended to the address with a '%' delimiter. This allows people to mount servers via their link-local IPv6 addresses (given a kernel that understands this address format, of course).
Signed-off-by: Jeff Layton <jlayton@redhat.com>
2009-06-10 | mount.cifs: explicitly handle non AF_INET/AF_INET6 addresses | Jeff Layton | 1 | -0/+2
If we get a non-AF_INET(6) address, then just skip it and try the next one in the list.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
2009-06-06 | mount.cifs: properly check for mount being in fstab when running setuid root (try#3) | Jeff Layton | 1 | -40/+162
This is the third attempt to clean up the checks when a setuid mount.cifs is run by an unprivileged user. The main difference in this patch from the last one is that it fixes a bug where the mount might have failed unnecessarily if CIFS_LEGACY_SETUID_CHECK was set. When mount.cifs is installed setuid root and run as an unprivileged user, it does some checks to limit how the mount is used. It checks that the mountpoint is owned by the user doing the mount. These checks however do not match those that /bin/mount does when it is called by an unprivileged user. When /bin/mount is called by an unprivileged user to do a mount, it checks that the mount in question is in /etc/fstab, that it has the "user" option set, etc. This means that it's currently not possible to set up user mounts the standard way (by the admin, in /etc/fstab) and simultaneously protect from an unprivileged user calling mount.cifs directly to mount a share on any directory that that user owns. Fix this by making the checks in mount.cifs match those of /bin/mount itself. This is a necessary step to make mount.cifs safe to be installed as a setuid binary, but not sufficient. For that, we'd need to give mount.cifs a proper security audit. Since some users may be depending on the legacy behavior, this patch also adds the ability to build mount.cifs with the older behavior.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
2009-06-02 | Move mount.cifs/umount.cifs to the top level and remove the outdated copy in Samba 4. | Jelmer Vernooij | 6 | -0/+2639