Merge pull request #20592 from poettering/homed-fix-smb

various fixes to make homed's smb backend work correctly again
2024-11-01 17:51:22 +03:00 · 2021-08-31 14:20:53 +02:00 · 2021-08-31 14:20:53 +02:00 · 37b3e1394a
commit 37b3e1394a
parent 08111c7841 67f9bf897c
3 changed files with 9 additions and 8 deletions
--- a/src/home/homework-cifs.c
+++ b/src/home/homework-cifs.c
@ -58,8 +58,8 @@ int home_prepare_cifs(

                        f = safe_fclose(f);

-                        if (asprintf(&options, "credentials=%s,uid=" UID_FMT ",forceuid,gid=" UID_FMT ",forcegid,file_mode=0%3o,dir_mode=0%3o",
-                                     p, h->uid, h->uid, h->access_mode, h->access_mode) < 0)
+                        if (asprintf(&options, "credentials=%s,uid=" UID_FMT ",forceuid,gid=" GID_FMT ",forcegid,file_mode=0%3o,dir_mode=0%3o",
+                                     p, h->uid, user_record_gid(h), user_record_access_mode(h), user_record_access_mode(h)) < 0)
                                return log_oom();

                        r = safe_fork("(mount)", FORK_RESET_SIGNALS|FORK_RLIMIT_NOFILE_SAFE|FORK_DEATHSIG|FORK_LOG|FORK_STDOUT_TO_STDERR, &mount_pid);
@ -71,7 +71,7 @@ int home_prepare_cifs(
                                      h->cifs_service, "/run/systemd/user-home-mount",
                                      "-o", options, NULL);

-                                log_error_errno(errno, "Failed to execute fsck: %m");
+                                log_error_errno(errno, "Failed to execute mount: %m");
                                _exit(EXIT_FAILURE);
                        }

@ -86,7 +86,8 @@ int home_prepare_cifs(
                }

                if (!mounted)
-                        return log_error_errno(ENOKEY, "Failed to mount home directory with supplied password.");
+                        return log_error_errno(SYNTHETIC_ERRNO(ENOKEY),
+                                               "Failed to mount home directory with supplied password.");

                setup->root_fd = open("/run/systemd/user-home-mount", O_RDONLY|O_CLOEXEC|O_DIRECTORY|O_NOFOLLOW);
        }
--- a/src/home/homework-mount.c
+++ b/src/home/homework-mount.c
@ -69,9 +69,10 @@ int home_move_mount(const char *user_name_and_realm, const char *target) {
        const char *d;
        int r;

-        assert(user_name_and_realm);
        assert(target);

+        /* If user_name_and_realm is set, then we'll mount a subdir of the source mount into the host. If
+         * it's NULL we'll move the mount itself */
        if (user_name_and_realm) {
                subdir = path_join("/run/systemd/user-home-mount/", user_name_and_realm);
                if (!subdir)
--- a/units/systemd-homed.service.in
+++ b/units/systemd-homed.service.in
@ -16,19 +16,18 @@ After=home.mount

 [Service]
 BusName=org.freedesktop.home1
-CapabilityBoundingSet=CAP_SYS_ADMIN CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_FSETID CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_FSETID CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE CAP_SETPCAP CAP_DAC_READ_SEARCH
 DeviceAllow=/dev/loop-control rw
 DeviceAllow=/dev/mapper/control rw
 DeviceAllow=block-* rw
 DeviceAllow=char-hidraw rw
 ExecStart={{ROOTLIBEXECDIR}}/systemd-homed
-IPAddressDeny=any
 KillMode=mixed
 LimitNOFILE={{HIGH_RLIMIT_NOFILE}}
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
-RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_ALG
+RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_ALG AF_INET AF_INET6
 RestrictNamespaces=mnt
 RestrictRealtime=yes
 StateDirectory=systemd/home