[linux-cifs-client] Re: [PATCH] cifs: show per mount security mode in /proc/mounts (try #2)
Suresh Jayaraman
sjayaraman at suse.de
Wed Mar 11 12:18:29 GMT 2009
Steve French wrote:
> On Tue, Mar 10, 2009 at 6:18 AM, Suresh Jayaraman <sjayaraman at suse.de> wrote:
>> Currently, /proc/mounts does not display security mode of the cifs
>> mounts. With the availability of multiple security modes including
>> kerberos security, it might be vital to display security mode as well.
>
> The actual security used is not per superblock but per session, and it
> would be misleading to leave out the global settings for extended
> security flags. The actual security flags that are used during negotiation
> are the default flags (set in proc) and flags which are overridden on mount
Ah, ok. Thanks for explaining this.
> negotiated with the server - for this you need secType and secMode out
> of the session structure to be displayed instead of a per-mount new variable.
I see struct cifsSesInfo already has a pointer to struct TCP_Server_Info
that has secMode and secType for that session. My try #2 at this patch
below tries to use them.
> We do display secMode in /proc (which indicates whether signing is required)
We display secMode as part of /proc/fs/cifs/SecurityFlags, however when
they are overridden during mount, SecurityFlags is not being updated to
reflect overridden flags. For example, the default setting is 0x7 and after mount
using 'sec=ntlmv2i' succeeds I still see 0x7.
> but might be useful to display this more clearly, and it would be useful to
> display secType (which indicates what authentication mechanism was negotiated)
>
Here's a second try. I have done minimal testing and found it to be
working fine. Let me know whether this makes sense.
---
Signed-off-by: Suresh Jayaraman <sjayaraman at suse.de>
fs/cifs/cifsfs.c | 47 +++++++++++++++++++++++++++++++++++++++++++++++
1 files changed, 47 insertions(+), 0 deletions(-)
diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
index 13ea532..a96e075 100644
--- a/fs/cifs/cifsfs.c
+++ b/fs/cifs/cifsfs.c
@@ -331,6 +331,50 @@ cifs_destroy_inode(struct inode *inode)
}
/*
+ * Map auth info
+ */
+static const char *map_auth_info(enum securityEnum type, char mode)
+{
+ unsigned int flag = 0;
+ static const struct {
+ unsigned int sec;
+ const char *flavor;
+ } sec_flags[] = {
+ { CIFSSEC_MAY_KRB5 | CIFSSEC_MUST_SIGN, "krb5i"},
+ { CIFSSEC_MAY_KRB5, "krb5"},
+ { CIFSSEC_MAY_NTLMV2 | CIFSSEC_MUST_SIGN, "ntlmv2i"},
+ { CIFSSEC_MAY_NTLMV2, "ntlmv2"},
+ { CIFSSEC_MAY_NTLM | CIFSSEC_MUST_SIGN, "ntlmi"},
+ { CIFSSEC_MAY_NTLM, "ntlm"},
+ { CIFSSEC_MAY_LANMAN, "lanman"}
+ };
+ int i;
+
+ cFYI(1, ("secType=%d secMode=0x%x\n", type, mode));
+ if (type == NTLMv2)
+ flag |= CIFSSEC_MAY_NTLMV2;
+ else if (type == NTLM)
+ flag |= CIFSSEC_MAY_NTLM;
+ else if (type == Kerberos || type == MSKerberos)
+ flag |= CIFSSEC_MAY_KRB5;
+ else if (type == LANMAN)
+ flag |= CIFSSEC_MAY_LANMAN;
+
+ if (mode & SECMODE_SIGN_REQUIRED)
+ flag |= CIFSSEC_MUST_SIGN;
+ else if (mode & SECMODE_SIGN_ENABLED)
+ flag |= CIFSSEC_MAY_SIGN;
+
+
+ for (i = 0; i < ARRAY_SIZE(sec_flags); i++) {
+ if (sec_flags[i].sec == flag)
+ break;
+ }
+
+ return sec_flags[i].flavor;
+}
+
+/*
* cifs_show_options() is for displaying mount options in /proc/mounts.
* Not all settable options are displayed but most of the important
* ones are.
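Review bot: map_auth_info() reads past the end of sec_flags[] when the lookup finds no match: once the for loop runs to completion, i equals ARRAY_SIZE(sec_flags), and "return sec_flags[i].flavor;" dereferences one element beyond the table. The visible code can reach that state in several ways: the SECMODE_SIGN_ENABLED branch sets CIFSSEC_MAY_SIGN and no table entry contains that bit, LANMAN combined with SECMODE_SIGN_REQUIRED has no entry, and a secType outside the four tested leaves flag without any auth bit. Suggest returning a fallback string such as "unknown" when i reaches ARRAY_SIZE(sec_flags), and deciding whether signing that is enabled but not required should map to the unsigned flavor name (for example by not setting CIFSSEC_MAY_SIGN before the lookup). The "Map auth info" comment could also state what the inputs mean and what string is returned.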
@@ -369,6 +413,9 @@ cifs_show_options(struct seq_file *s, struct vfsmount *m)
&server->addr.sockAddr.sin_addr.s_addr);
break;
}
+ seq_printf(s, ",sec=%s",
+ map_auth_info(server->secType,
+ server->secMode));
}
}
if ((cifs_sb->mnt_cifs_flags & CIFS_MOUNT_OVERR_UID) ||
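Review bot: the new seq_printf() passes the return value of map_auth_info() straight to %s, so a lookup that fails inside the helper ends up printed into /proc/mounts; either make the helper guarantee a valid string or test the result here and omit the option. Because the value is taken from server->secType and server->secMode rather than from the mount options, a short comment saying that ",sec=" reports what was negotiated for the session would help readers of cifs_show_options().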