mirror of https://github.com/samba-team/samba.git synced 2025-01-27 14:04:05 +03:00

33 Commits

Author SHA1 Message Date
Jeff Layton
a8cc2fa09e cifs.upcall: allocate a talloc context for smb_krb5_unparse_name
cifs.upcall calls smb_krb5_unparse_name with a NULL talloc context.
Older versions of this function though will conditionally use
SMB_REALLOC instead of TALLOC_REALLOC when a NULL context is passed
in. To make it more consistent, just spawn a talloc context that
we can pass into this function.

Resolves:
https://bugzilla.redhat.com/show_bug.cgi?id=565446
https://bugzilla.samba.org/show_bug.cgi?id=6868

Reported-by: Ludek Finstrle <luf@seznam.cz>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Günther Deschner <gd@samba.org>
2010-02-17 12:15:50 +01:00
Jeremy Allison
ce73f91ee2 Fix const warning.
Jeremy
2010-01-29 14:36:36 -08:00
Jeff Layton
a0c31ec1c8 mount.cifs: don't allow it to be run as setuid root program
mount.cifs has been the subject of several "security" fire drills due to
distributions installing it as a setuid root program. This program has
not been properly audited for security and the Samba team highly
recommends that it not be installed as a setuid root program at this
time.

To make that abundantly clear, this patch forcibly disables the ability
for mount.cifs to run as a setuid root program. People are welcome to
trivially patch this out, but they do so at their own peril.

A security audit and redesign of this program is in progress and we hope
that we'll be able to remove this in the near future.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
2010-01-26 08:15:41 -05:00
Jeff Layton
a065c177df mount.cifs: check for invalid characters in device name and mountpoint
It's apparently possible to corrupt the mtab if you pass embedded
newlines to addmntent. Apparently tabs are also a problem with certain
earlier glibc versions. Backslashes are also a minor issue apparently,
but we can't reasonably filter those.

Make sure that neither the devname nor the mountpoint contains any problematic
characters before allowing the mount to proceed.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
2010-01-26 08:15:41 -05:00
Jeff Layton
3ae5dac462 mount.cifs: take extra care that mountpoint isn't changed during mount
It's possible to trick mount.cifs into mounting onto the wrong directory
by replacing the mountpoint with a symlink to a directory. mount.cifs
attempts to check the validity of the mountpoint, but there's still a
possible race between those checks and the mount(2) syscall.

To guard against this, chdir to the mountpoint very early, and only deal
with it as "." from then on out.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
2010-01-26 08:15:41 -05:00
Günther Deschner
04f8c229de s3-kerberos: only use krb5 headers where required.
This seems to be the only way to deal with mixed heimdal/MIT setups during
merged build.

Guenther
2009-11-27 16:36:00 +01:00
Günther Deschner
660ee2e745 cifs.upcall: 2nd part of fix for Bug #6868: support building with Heimdal as well as with MIT.
Guenther
2009-11-25 17:58:52 +01:00
Volker Lendecke
b2db4c5162 mount.cifs: Fix a const error
2009-11-21 20:49:16 +01:00
Günther Deschner
b29eed492f cifs.upcall: Fix Bug #6868: support building with Heimdal as well as with MIT.
Guenther
2009-11-12 10:22:39 +01:00
Jeff Layton
b11e11a973 mount.cifs: get rid of CONST_DISCARD
Apparently, we need to strip the "const" attribute off of the mnt_fstype
before passing it to addmntent to prevent a (somewhat bogus) compiler
warning.

Rather than just stripping off the "const" attribute, clarify the code
by declaring a new non-const char pointer that points to the same
string. We can also use that same pointer in the mount(2) call too.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
Acked-by: Matthias Dieter Wallnöfer <mdw@samba.org>
2009-11-11 14:04:54 -05:00
Günther Deschner
60bf0eb607 s3-kerberos: modify cli_krb5_get_ticket to take a new impersonate_princ_s arg.
Guenther
2009-11-06 13:31:17 +01:00
Jeff Layton
0597b97d15 mount.cifs: don't leak passwords with verbose option
When running mount.cifs with the --verbose option, it'll print out the
option string that it passes to the kernel...including the mount
password if there is one. Print a placeholder string instead to help
ensure that this info can't be used for nefarious purposes.

Also, the --verbose option printed the option string before it was
completely assembled anyway. This patch should also make sure that
the complete option string is printed out.

Finally, strndup passwords passed in on the command line to ensure that
they aren't shown by --verbose as well. Passwords used this way can
never be truly kept private from other users on the machine of course,
but it's simple enough to do it this way for completeness' sake.

Reported-by: Ronald Volgers <r.c.volgers@student.utwente.nl>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Acked-by: Steve French <sfrench@us.ibm.com>
2009-10-01 14:29:22 +02:00
Jeff Layton
e3dd6f99a4 mount.cifs: check access of credential files before opening
It's possible for an unprivileged user to pass a setuid mount.cifs a
credential or password file to which he does not have access. This can cause
mount.cifs to open the file on his behalf and possibly leak the info in the
first few lines of the file.

Check the access permissions of the file before opening it.

Reported-by: Ronald Volgers <r.c.volgers@student.utwente.nl>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Acked-by: Steve French <sfrench@us.ibm.com>
2009-10-01 14:29:18 +02:00
Jeff Layton
3aa147f8d2 mount.cifs: print output to stderr
When a mount fails, mount.cifs often prints an error message. In most
cases, this error goes to stdout instead of stderr like it should. Fix
it to print errors to stderr instead.

Reported-by: Jan Engelhardt <jengelh@gmx.de>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
2009-09-24 20:55:43 -04:00
Günther Deschner
c708338682 cifs-upcall: fix the build after spnego merge.
Guenther
2009-09-17 08:53:29 +02:00
Jeff Layton
704b739ad8 cifs.upcall: do a brute-force search for KRB5 credcache
A few weeks ago, I added some code to cifs.upcall to take the pid sent
by the kernel and use that to get the value of the $KRB5CCNAME
environment var for the process. That works fine on the initial mount,
but could be problematic on reconnect.

There's no guarantee on a reconnect that the process that initiates the
upcall will have $KRB5CCNAME pointed at the correct credcache. Because
of this, the current scheme isn't going to be reliable enough and we
need to use something different.

This patch replaces that scheme with one very similar to the one used by
rpc.gssd in nfs-utils. It searches the credcache dir (currently
hardcoded to /tmp) for a valid credcache for the given uid. If it finds
one then it uses that as the credentials cache. If it finds more than
one, it uses the one with the latest TGT expiration.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
2009-09-04 06:29:44 -04:00
Jeff Layton
da99e3a724 cifs.upcall: make using ip address conditional on new option
Igor Mammedov pointed out that reverse resolving an IP address to get
the hostname portion of a principal could open a possible attack
vector. If an attacker were to gain control of DNS, then he could
redirect the mount to a server of his choosing, and fix the reverse
resolution to point to a hostname of his choosing (one where he has
the key for the corresponding cifs/ or host/ principal).

That said, we often trust DNS for other reasons and it can be useful
to do so. Make the code that allows trusting DNS to be enabled by
adding --trust-dns to the cifs.upcall invocation.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
2009-08-26 06:26:02 -04:00
Jeff Layton
3544e685ad cifs.upcall: switch to getopt_long
...to allow long option names.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
2009-08-26 06:15:42 -04:00
Jeff Layton
19553e1552 cifs.upcall: fix IPv6 addrs sent to upcall to have colon delimiters
Current kernels don't send IPv6 addresses with the colon delimiters, add
a routine to add them when they're not present.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
2009-08-14 07:59:51 -04:00
Jeff Layton
2f95ccc1e2 cifs.upcall: use ip address passed by kernel to get server's hostname
Instead of using the hostname given by the upcall to get the server's
principal, take the IP address given in the upcall and reverse resolve
it to a hostname.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
2009-08-14 07:59:50 -04:00
Jeff Layton
acbf026012 cifs.upcall: clean up flag handling
Add a new stack var to hold the flags returned by the decoder routine
so that we don't need to worry so much about preserving "rc".

With this, we can drop privs before trying to find the location of
the credcache.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
2009-08-14 07:59:50 -04:00
Jeff Layton
b10bdef4e7 cifs.upcall: try getting a "cifs/" principal and fall back to "host/"
cifs.upcall takes a "-c" flag that tells the upcall to get a principal
in the form of "cifs/hostname.example.com@REALM" instead of
"host/hostname.example.com@REALM". This has turned out to be a source of
great confusion for users.

Instead of requiring this flag, have the upcall try to get a "cifs/"
principal first. If that fails, fall back to getting a "host/"
principal.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
2009-08-14 07:59:50 -04:00
Jeff Layton
750ceb8239 cifs.upcall: declare a structure for holding decoded args
The argument list for the decoder is becoming rather long. Declare an
args structure and use that for holding the args. This also simplifies
pointer handling a bit.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
2009-08-14 07:59:49 -04:00
Jeff Layton
685fdc33d7 cifs.upcall: formatting cleanup
Clean up some unneeded curly braces, and fix some indentation.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
2009-08-14 07:59:49 -04:00
Jeff Layton
378a2d9aa5 cifs.upcall: clean up logging and add debug messages
Change the log levels to be more appropriate to the messages being
logged. Error messages should be LOG_ERR and not LOG_WARNING, for
instance.

Add some LOG_DEBUG messages that we can use to diagnose problems with
krb5 upcalls. With these, someone can set up syslog to log daemon.debug
and should be able to get more info when things aren't working.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
2009-08-14 07:59:49 -04:00
Shirish Pargaonkar
a869e4253a umount.cifs: do not attempt to update /etc/mtab if it is symbolic link
If /etc/mtab is a symbolic link to e.g. /proc/mounts, do not update it.

This is a fix for a bug reported in 4675 on samba bugzilla.

Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
2009-07-27 12:02:35 -04:00
Volker Lendecke
db1e582568 Attempt to fix the build -- jlayton, please check!
2009-07-10 12:00:11 +02:00
Jeff Layton
8d1b061b51 cifs.upcall: use pid value from kernel to determine KRB5CCNAME to use
If the kernel sends the upcall a pid of the requesting process, we can
open that process' /proc/<pid>/environ file and scrape the KRB5CCNAME
value out of it.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
2009-07-09 21:04:08 -04:00
Jeff Layton
595d07d0ab mount.cifs: don't pass text ro/rw options to kernel
/bin/mount strips off the ro/rw options after setting the MS_RDONLY
flag appropriately. Make mount.cifs do the same thing.

Signed-off-by: Jeff Layton <jlayton@samba.org>
2009-06-29 06:16:38 -04:00
Jeff Layton
2032a1914d mount.cifs: add support for sending IPv6 scope ID to kernel
When getaddrinfo returns an IPv6 address with a non-zero scope_id, send
that to the kernel appended to the address with a '%' delimiter. This
allows people to mount servers via their link-local IPv6 addresses
(given a kernel that understands this address format, of course).

Signed-off-by: Jeff Layton <jlayton@redhat.com>
2009-06-25 07:27:25 -04:00
Jeff Layton
ddad58fc41 mount.cifs: explicitly handle non AF_INET/AF_INET6 addresses
If we get a non-AF_INET(6) address, then just skip it and try the next
one in the list.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
2009-06-10 09:00:21 -04:00
Jeff Layton
cc7b62269e mount.cifs: properly check for mount being in fstab when running setuid root (try#3)
This is the third attempt to clean up the checks when a setuid
mount.cifs is run by an unprivileged user. The main difference in this
patch from the last one is that it fixes a bug where the mount might
have failed unnecessarily if CIFS_LEGACY_SETUID_CHECK was set.

When mount.cifs is installed setuid root and run as an unprivileged
user, it does some checks to limit how the mount is used. It checks that
the mountpoint is owned by the user doing the mount.

These checks however do not match those that /bin/mount does when it is
called by an unprivileged user. When /bin/mount is called by an
unprivileged user to do a mount, it checks that the mount in question is
in /etc/fstab, that it has the "user" option set, etc.

This means that it's currently not possible to set up user mounts the
standard way (by the admin, in /etc/fstab) and simultaneously protect
from an unprivileged user calling mount.cifs directly to mount a share
on any directory that that user owns.

Fix this by making the checks in mount.cifs match those of /bin/mount
itself. This is a necessary step to make mount.cifs safe to be installed
as a setuid binary, but not sufficient. For that, we'd need to give
mount.cifs a proper security audit.

Since some users may be depending on the legacy behavior, this patch
also adds the ability to build mount.cifs with the older behavior.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
2009-06-06 19:46:24 -04:00
Jelmer Vernooij
8d033ec0d1 Move mount.cifs/umount.cifs to the top level and remove the outdated copy
in Samba 4.
2009-06-02 23:24:33 +02:00