From a0c31ec1c8d1220a5884e40d9ba6b191a04a24d5 Mon Sep 17 00:00:00 2001 From: Jeff Layton Date: Tue, 26 Jan 2010 08:15:41 -0500 Subject: mount.cifs: don't allow it to be run as setuid root program mount.cifs has been the subject of several "security" fire drills due to distributions installing it as a setuid root program. This program has not been properly audited for security and the Samba team highly recommends that it not be installed as a setuid root program at this time. To make that abundantly clear, this patch forcibly disables the ability for mount.cifs to run as a setuid root program. People are welcome to trivially patch this out, but they do so at their own peril. A security audit and redesign of this program is in progress and we hope that we'll be able to remove this in the near future. Signed-off-by: Jeff Layton --- client/mount.cifs.c | 39 ++++++++++++++++++++++++++++++++++++++- 1 file changed, 38 insertions(+), 1 deletion(-) (limited to 'client/mount.cifs.c') diff --git a/client/mount.cifs.c b/client/mount.cifs.c index 96f0c1c834..9044184ed2 100644 --- a/client/mount.cifs.c +++ b/client/mount.cifs.c @@ -43,7 +43,7 @@ #include "mount.h" #define MOUNT_CIFS_VERSION_MAJOR "1" -#define MOUNT_CIFS_VERSION_MINOR "13" +#define MOUNT_CIFS_VERSION_MINOR "14" #ifndef MOUNT_CIFS_VENDOR_SUFFIX #ifdef _SAMBA_BUILD_ @@ -86,6 +86,17 @@ /* currently maximum length of IPv6 address string */ #define MAX_ADDRESS_LEN INET6_ADDRSTRLEN +/* + * mount.cifs has been the subject of many "security" bugs that have arisen + * because of users and distributions installing it as a setuid root program. + * mount.cifs has not been audited for security. Thus, we strongly recommend + * that it not be installed setuid root. To make that abundantly clear, + * mount.cifs now check whether it's running setuid root and exit with an + * error if it is. If you wish to disable this check, then set the following + * #define to 1, but please realize that you do so at your own peril. + */ +#define CIFS_DISABLE_SETUID_CHECK 0 + /* * By default, mount.cifs follows the conventions set forth by /bin/mount * for user mounts. That is, it requires that the mount be listed in @@ -212,6 +223,29 @@ check_mountpoint(const char *progname, char *mountpoint) return 0; } +#if CIFS_DISABLE_SETUID_CHECK +static int +check_setuid(void) +{ + return 0; +} +#else /* CIFS_DISABLE_SETUID_CHECK */ +static int +check_setuid(void) +{ + if (getuid() && !geteuid()) { + printf("This mount.cifs program has been built with the " + "ability to run as a setuid root program disabled.\n" + "mount.cifs has not been well audited for security " + "holes. Therefore the Samba team does not recommend " + "installing it as a setuid root program.\n"); + return 1; + } + + return 0; +} +#endif /* CIFS_DISABLE_SETUID_CHECK */ + #if CIFS_LEGACY_SETUID_CHECK static int check_fstab(const char *progname, char *mountpoint, char *devname, @@ -1226,6 +1260,9 @@ int main(int argc, char ** argv) struct sockaddr_in6 *addr6; FILE * pmntfile; + if (check_setuid()) + return EX_USAGE; + /* setlocale(LC_ALL, ""); bindtextdomain(PACKAGE, LOCALEDIR); textdomain(PACKAGE); */ -- cgit