ANNOUNCE: cifs-utils release 4.2 available for download
Jeff Layton
jlayton at samba.org
Fri Apr 2 06:23:58 MDT 2010
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This release contains a significant overhaul of mount.cifs that is
intended to make it safer to install setuid root. With this release,
setuid capability is no longer disabled by default. Among the changes
are:
- - mount.cifs now does privilege separation. It forks very early and the
child drops privileges. Most of the mount option processing is handled
by the child. The parent simply waits for the child to exit and
proceeds with the mount and mtab update based on the child's exit
status.
- - mount.cifs uses libcap if it is available to prune its capability set
- - mount.cifs is more careful about signal handling during mtab updates
This should not however be construed as a recommendation to install
mount.cifs setuid root. As always, distributions and administrators
should weigh carefully whether they should install it that way in their
own packages and environments.
There are also a couple of patches in this release that should make
cifs.upcall work with the heimdal kerberos implementation. The git tag
for this release is also annotated and signed.
Note that the webpage URL below has changed:
webpage: http://linux-cifs.samba.org/cifs-utils/
tarball: ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/
git: git://git.samba.org/cifs-utils.git
gitweb: http://git.samba.org/?p=cifs-utils.git;a=summary
Detailed changelog:
commit 9e2c2536f5a49ff7385ff17f0866ef1489bed671
Author: Jeff Layton <jlayton at samba.org>
Date: Fri Apr 2 06:42:20 2010 -0400
cifs-utils: bump version to 4.2
- fix URL's and email addresses
- update copyright notices
Signed-off-by: Jeff Layton <jlayton at samba.org>
commit d52478ee762d88aa23db476639cdcb5379dddfa4
Author: Jeff Layton <jlayton at redhat.com>
Date: Thu Apr 1 22:05:47 2010 -0400
cifs.upcall: run it through Lindent
...coding style cleanup.
Signed-off-by: Jeff Layton <jlayton at redhat.com>
commit d946beecf6e9cc7cf6897368bed8f43b0ec61ed1
Author: Torsten Kurbad <torsten at tk-webart.de>
Date: Thu Apr 1 21:47:25 2010 -0400
cifs-upcall: krb5.h inclusion quick fix
...eventually it might be better to make autoconf set -I/usr/include/krb5
or whatever and get rid of the #ifdef's here. It's a little tricky to
figure out the include dir however, so this will do for now.
Signed-off-by: Torsten Kurbad <torsten at tk-webart.de>
commit f5b79b44f25cdf4ba4363c7c05892af2865ce890
Author: Torsten Kurbad <torsten at tk-webart.de>
Date: Thu Apr 1 21:47:18 2010 -0400
cifs-upcall: heimdal fixes
Signed-off-by: Torsten Kurbad <torsten at tk-webart.de>
commit 20a5ec8bd8ea3edb943adb517f378938e31f1c41
Author: Jeff Layton <jlayton at redhat.com>
Date: Thu Apr 1 15:29:59 2010 -0400
mount.cifs: re-enable setuid usage
Now that mount.cifs is safe(r) we don't need to disable setuid
capability by default.
Signed-off-by: Jeff Layton <jlayton at redhat.com>
commit da54228cd9e6fe144efcb2d6da87e3cbb5db5b4c
Author: Jeff Layton <jlayton at redhat.com>
Date: Thu Apr 1 15:28:57 2010 -0400
mount.cifs: drop capabilities if libcap is available
Might as well be as safe as possible. Have child drop all capabilities,
and have the parent drop all but CAP_SYS_ADMIN (needed for mounting) and
CAP_DAC_OVERRIDE (needed in case mtab isn't writable by root). We might
even eventually consider being clever and dropping CAP_DAC_OVERRIDE when
root has access to the mtab.
Signed-off-by: Jeff Layton <jlayton at redhat.com>
commit 810f7e4e0f2dbcbee0294d9b371071cb08268200
Author: Jeff Layton <jlayton at redhat.com>
Date: Thu Apr 1 15:28:54 2010 -0400
mount.cifs: guard against signals by unprivileged users
If mount.cifs is setuid root, then the unprivileged user who runs the
program can send the mount.cifs process a signal and kill it. This is
not a huge problem unless we happen to be updating the mtab at the
time, in which case the mtab lockfiles might not get cleaned up.
To remedy this, have the privileged mount.cifs process set its real
uid to the effective uid (usually, root). This prevents unprivileged
users from being able to signal the process.
While we're at it, also mask off signals while we're updating the
mtab. This leaves a SIGKILL by root as the only way to interrupt the
mtab update, but there's really nothing we can do about that.
Signed-off-by: Jeff Layton <jlayton at redhat.com>
commit 294215ef969ce3ecb91063fbbb8a8c075272cc8d
Author: Jeff Layton <jlayton at redhat.com>
Date: Thu Apr 1 15:19:17 2010 -0400
mount.cifs: introduce privilege separation
Much of the mount option parsing and other activities can be done by an
unprivileged process. Allocate the parsed_mount_info struct as an
anonymous mmap() segment and then fork to do the actual mount option
parsing. The child can then drop root privileges before populating the
parsed_mount_info struct. The parent waits for the child to exit and
then continues the mount process based on the child's exit status.
Signed-off-by: Jeff Layton <jlayton at redhat.com>
commit e87a203fbaf059831292f2cb9a0692ef7a78a267
Author: Jeff Layton <jlayton at redhat.com>
Date: Thu Apr 1 15:19:16 2010 -0400
mount.cifs: move nomtab, fakemnt, and verboseflag flags to parsed_mount_info
Signed-off-by: Jeff Layton <jlayton at redhat.com>
commit cda27cf80dc118e9aaafbaeaa7194c96a6b63d71
Author: Jeff Layton <jlayton at redhat.com>
Date: Thu Apr 1 15:19:16 2010 -0400
mount.cifs: move assembly of parsed_mount_info to separate function
...later, we'll want to introduce privilege separation so make this
a separate function to facilitate that.
Signed-off-by: Jeff Layton <jlayton at redhat.com>
commit 6749397938642ed212ec92a194dda08546bf838b
Author: Jeff Layton <jlayton at redhat.com>
Date: Thu Apr 1 15:19:16 2010 -0400
mount.cifs: run mount.cifs through Lindent
...code cleanup
Signed-off-by: Jeff Layton <jlayton at redhat.com>
commit 860e2b63a872d9a89ea4d79465cf3321109094b2
Author: Jeff Layton <jlayton at redhat.com>
Date: Thu Apr 1 15:19:16 2010 -0400
mount.cifs: move mtab adding code to separate function
Signed-off-by: Jeff Layton <jlayton at redhat.com>
commit f81576e724f78f8a952555d889c81ca75ac64fee
Author: Jeff Layton <jlayton at redhat.com>
Date: Thu Apr 1 15:19:16 2010 -0400
mount.cifs: clean up command-line options
The mount.cifs command apparently tries to take a ton of command-line
options. Many of these will never be passed to mount.cifs by /bin/mount.
Others are more appropriately specified as mount options.
In both cases, there are a lot of options in the switch statement that
are not listed in the optstring, and there are characters in the
optstring that are not dealt with by the switch statement. Other options
are poorly wired to the rest of the code and don't actually do anything.
Clean it up by removing all but the ones that are likely to ever be
used.
Signed-off-by: Jeff Layton <jlayton at redhat.com>
commit 0f42bd90d13afb3e6cf1c842f0b70f8b65960d1f
Author: Jeff Layton <jlayton at redhat.com>
Date: Thu Apr 1 15:19:16 2010 -0400
mount.cifs: reassemble device name from pieces
Signed-off-by: Jeff Layton <jlayton at redhat.com>
commit d597054e8bb28a2f30c73a01a0ebcab502c1068d
Author: Jeff Layton <jlayton at redhat.com>
Date: Thu Apr 1 15:19:16 2010 -0400
mount.cifs: clean up setting of password field
Add a function to set and escape the password properly.
Signed-off-by: Jeff Layton <jlayton at redhat.com>
commit 39bc2781515be2528bd85e41f00f34f7249f0383
Author: Jeff Layton <jlayton at redhat.com>
Date: Thu Apr 1 15:19:16 2010 -0400
mount.cifs: eliminate "legacy" setuid behavior
This behavior is demonstrably unsafe and not something we want to support
going forward.
Signed-off-by: Jeff Layton <jlayton at redhat.com>
commit 5f153f6a0e488f7d974071679c2201eb0c18d42c
Author: Jeff Layton <jlayton at redhat.com>
Date: Thu Apr 1 15:19:16 2010 -0400
mount.cifs: eliminate some unneeded flags in parsed_mount_info
Signed-off-by: Jeff Layton <jlayton at redhat.com>
commit ffda61e25cd8e10dda9fb4b2c3fad7b96c943c4d
Author: Jeff Layton <jlayton at redhat.com>
Date: Thu Apr 1 15:19:16 2010 -0400
mount.cifs: parse unc into separate fields
The UNC is currently handled as a single string and mount.cifs will
just munge it whenever it needs to change the delimiter type or
uppercase it, etc. This is tricky to handle correctly and means that
we often need to keep track of what's already been changed. Instead
of doing this, just track the pieces of the UNC in separate fields
in the parsed_mount_info, and then use those pieces to build strings
as needed.
Signed-off-by: Jeff Layton <jlayton at redhat.com>
commit c610039ef674770ec92ff36d1f3c7a494bc3962c
Author: Jeff Layton <jlayton at redhat.com>
Date: Thu Apr 1 15:19:16 2010 -0400
mount.cifs: add username and domain fields to parsed_mount_info
...and fill and use them accordingly.
Signed-off-by: Jeff Layton <jlayton at redhat.com>
commit 0f4753b828e71b437924b48d168308884928fa6f
Author: Jeff Layton <jlayton at redhat.com>
Date: Thu Apr 1 15:19:16 2010 -0400
mount.cifs: make mountpassword a field in parsed_info
...rather than a buffer pointed to by a global var
Signed-off-by: Jeff Layton <jlayton at redhat.com>
commit 0ec6dc3c89ccc48d9f4a4edb9865502cf3759d03
Author: Jeff Layton <jlayton at redhat.com>
Date: Thu Apr 1 15:19:16 2010 -0400
mount.cifs: make parse_options return proper mount error codes
Signed-off-by: Jeff Layton <jlayton at redhat.com>
commit c9b5372277c3ab046d09508d90c1c3f8137b3a11
Author: Jeff Layton <jlayton at redhat.com>
Date: Thu Apr 1 15:19:16 2010 -0400
mount.cifs: have parse_options fill parsed_mount_info
Allocate a zeroed out parsed_mount_info struct and have parse_options
put its info into that instead. realloc() is no longer used here and
instead we just have the option parser carefully check that the result
will fit in the buffer before copying it.
We also no longer use snprintf to stuff info directly into the buffer.
It may not be possible given the other checks, but snprintf can leave a
non-NULL terminated string. Use strlcat everywhere instead to ensure
that doesn't occur.
Signed-off-by: Jeff Layton <jlayton at redhat.com>
commit bda33540ab300dd9a996580d9f60ef3527490833
Author: Jeff Layton <jlayton at redhat.com>
Date: Thu Apr 1 15:19:16 2010 -0400
mount.cifs: declare new struct for holding parsed mount info
Currently mount.cifs puts mount info into a disparate series of
dynamically sized buffers. Declate a new struct that holds a set of
fixed-size buffers. The option and UNC parsing routines can place their
results in this struct.
This should make it easier to implement privilege separation using
shared memory to pass data between processes.
Signed-off-by: Jeff Layton <jlayton at redhat.com>
- --
Jeff Layton <jlayton at samba.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
iEYEARECAAYFAku14ecACgkQyP0gxQMdzIAnhgCfcQt/8Ctf6JFVdkvQ8xDo89Ip
WskAoI9rdmVyBwr9H/ohEfJ1qzfGDOkt
=96RB
-----END PGP SIGNATURE-----
More information about the samba-technical
mailing list