[linux-cifs-client] [PATCH 00/19] mount.cifs: make it safer to be used as a setuid program

Jeff Layton jlayton at samba.org
Fri Mar 26 08:25:23 MDT 2010


From: Jeff Layton <jlayton at redhat.com>

This patchset is a first stab at making setuid usage and installation
safer than it is today. It takes a multi-pronged approach to make
mount.cifs take more care:

1) it introduces privilege separation. It forks and has the child setuid
to the real uid to drop privileges. The child then fills out an anonymous
mmap'ed area with mount info. This allows the child to do the bulk of the
work for parsing mount info and has the parent just do the pieces that
need privileges.

2) if libcap is available, the program will use it to prune its capability
set. I think I've done this correctly, but we may need to tweak this
some in the event that mount.cifs is being run by root and it needs to
access files that aren't readable without CAP_DAC_OVERRIDE.

3) more care is taken with signals when handling the mtab. This prevents
DoS of mtab locking.

The set is admittedly huge. It essentially rewrites a large swath of the
mount.cifs code. The good news is that it's an overall reduction in the
amount of code and I think the resulting code is better organized and
easier to follow. It might be easiest to review the final result of the
code instead of reviewing each individual piece.

I'd like to see this set go into cifs-utils-4.2.

Jeff Layton (19):
  mount.cifs: declare new struct for holding parsed mount info
  mount.cifs: have parse_options fill parsed_mount_info
  mount.cifs: make parse_options return proper mount error codes
  mount.cifs: make mountpassword a field in parsed_info
  mount.cifs: add username and domain fields to parsed_mount_info
  mount.cifs: parse unc into separate fields
  mount.cifs: eliminate some unneeded flags in parsed_mount_info
  mount.cifs: eliminate "legacy" setuid behavior
  mount.cifs: clean up setting of password field
  mount.cifs: reassemble device name from pieces
  mount.cifs: clean up command-line options
  mount.cifs: move mtab adding code to separate function
  mount.cifs: run mount.cifs through Lindent
  mount.cifs: move assembly of parsed_mount_info to separate function
  mount.cifs: move nomtab, fakemnt, and verboseflag flags to
    parsed_mount_info
  mount.cifs: introduce privilege separation
  mount.cifs: guard against signals by unprivileged users
  mount.cifs: drop capabilities if libcap is available
  mount.cifs: re-enable setuid usage

 Makefile.am       |    3 +
 aclocal/libcap.m4 |   20 +
 configure.ac      |    3 +
 mount.cifs.c      | 2139 +++++++++++++++++++++++++---------------------------
 4 files changed, 1054 insertions(+), 1111 deletions(-)
 create mode 100644 aclocal/libcap.m4
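The privilege-separation step described in item 1 above, shown as an added example that is not part of the patchset: the parent maps an anonymous shared region, forks, the child drops to the real uid and fills the region from user-controlled input, and the parent copies out only what it has re-validated. The struct layout, `parse_device` and `privsep_parse` are constructed for this example and are not mount.cifs code.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/wait.h>
#define FIELD_MAX 64

struct parsed_mount_info {	/* constructed layout; not the project's struct */
	char host[FIELD_MAX];
	char share[FIELD_MAX];
};

/* Unprivileged child: split "//host/share" into bounded fields; snprintf's return reports overflow. */
static int parse_device(const char *dev, struct parsed_mount_info *mi)
{
	const char *slash;
	if (strncmp(dev, "//", 2) || !(slash = strchr(dev + 2, '/')) ||
	    slash == dev + 2 || !slash[1])	/* need a non-empty host and share */
		return -1;
	if (snprintf(mi->host, FIELD_MAX, "%.*s", (int)(slash - dev - 2), dev + 2) >= FIELD_MAX ||
	    snprintf(mi->share, FIELD_MAX, "%s", slash + 1) >= FIELD_MAX)
		return -1;
	return 0;
}

/* Parent: map a shared anonymous page, let a de-privileged child fill it, then
 * copy out only validated fixed-size fields. Returns 0 on success, -1 otherwise. */
int privsep_parse(const char *dev, struct parsed_mount_info *out)
{
	struct parsed_mount_info *shared; pid_t pid; int status, rc = -1;
	shared = mmap(NULL, sizeof(*shared), PROT_READ | PROT_WRITE,
		      MAP_SHARED | MAP_ANONYMOUS, -1, 0);
	if (shared == MAP_FAILED) return -1;
	pid = fork();
	if (pid == 0) {
		/* child: drop to the real uid before touching user-controlled input */
		if (setuid(getuid()) != 0) _exit(1);
		_exit(parse_device(dev, shared) ? 1 : 0);
	}
	if (pid > 0 && waitpid(pid, &status, 0) == pid &&
	    WIFEXITED(status) && WEXITSTATUS(status) == 0) {
		/* do not trust the child for NUL termination; re-terminate every string */
		shared->host[FIELD_MAX - 1] = shared->share[FIELD_MAX - 1] = '\0';
		*out = *shared;
		rc = 0;
	}
	munmap(shared, sizeof(*shared));
	return rc;
}
```

Run as an unprivileged user the setuid() call is a no-op on the real uid; installed setuid-root it discards root before any of the parsing runs, which is the property the patchset is after.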