ANNOUNCE: cifs-utils release 4.3 available for download

Jeff Layton jlayton at samba.org
Fri Apr 9 07:30:38 MDT 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This release is primarily to fix a few bugs that were introduced with
the mount.cifs overhaul in the last release. Most of the problems were
issues with the handling of capabilities that prevented credential files
from being accessed when mount.cifs was run by root.

There are a few other changes:

- - credential files accept parameter names consistent with mount options

- - some problems with linking are fixed

- - libcap-ng is used if it's available -- in the future, I may remove
  the older libcap code as it's far more difficult to work with. Distros
  should consider making their cifs-utils packages depend on libcap-ng
  and building against that.

- - the capability bounding set is zeroed out for greater security

- - CAP_DAC_OVERRIDE is only enabled when updating the mtab

webpage:    http://linux-cifs.samba.org/cifs-utils/
tarball:    ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/
git:        git://git.samba.org/cifs-utils.git
gitweb:     http://git.samba.org/?p=cifs-utils.git;a=summary

Detailed changelog:

commit e4593787a6488573fbec99e5ee604a2e25bc1e5c
Author: Jeff Layton <jlayton at samba.org>
Date:   Fri Apr 9 09:08:08 2010 -0400

    cifs-utils: bump version number to 4.3
    
    Signed-off-by: Jeff Layton <jlayton at samba.org>

commit 8d08f2b352e3521674465c21bbbd2a2a991781bd
Author: Jeff Layton <jlayton at samba.org>
Date:   Fri Apr 9 08:47:11 2010 -0400

    autoconf: remove explicit check for prctl
    
    ...it's already checked in AC_LIBCAP
    
    Signed-off-by: Jeff Layton <jlayton at samba.org>

commit c3fb3cb1376065734f1b238843d9614d1b9631f0
Author: Jeff Layton <jlayton at samba.org>
Date:   Tue Apr 6 15:45:00 2010 -0400

    autotools: add --with-libcap autoconf option
    
    ...it's rather confusing since we can compile against libcap or libcap-ng
    but this is helpful for testing.
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit cad70a330c0f8db02af112d42be0b645b0ceaba2
Author: Jeff Layton <jlayton at samba.org>
Date:   Tue Apr 6 15:22:05 2010 -0400

    mount.cifs: fix capability issues when libcap isn't present
    
    ...some #defines are missing in that case. This fixes the build for
    all possible libcap/libcap-ng availability scenarios.
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit aeba78abbe4f25ae77328e4ca6a67360dd4ea344
Author: Scott Lovenberg <scott.lovenberg at gmail.com>
Date:   Tue Apr 6 14:52:07 2010 -0400

    mount.cifs: make credentials file parameters consistent with mount options
    
    This patch makes the mount.cifs credentials file parameters consistent with
    the command line parameters to remove ambiguity between the command line
    parameter format and the credentials file format. That is, it parses for
    both short and long form of the 'username', 'password', and 'domain'
    parameters.  This patch is against the current cifs-utils-4.2.
    
    I'm also thinking of adding a second patch that allows for parsing a
    "domain/user", "domain%user" and "domain/user%password" formats as allowed
    from the command line.
    
    Signed-off-by: Scott Lovenberg <scott.lovenberg at gmail.com>

commit 2a78385bbf879c16c538b0c78ff4e939724fafd4
Author: Jeff Layton <jlayton at samba.org>
Date:   Mon Apr 5 11:23:37 2010 -0400

    mount.cifs: restrict capabilities further
    
    Only the parent process will ever need CAP_DAC_OVERRIDE. The child can
    get by with CAP_DAC_READ_SEARCH.
    
    Signed-off-by: Jeff Layton <jlayton at samba.org>

commit da77c1b3ae934e29025d05b50eebecdbf569bfa4
Author: Jeff Layton <jlayton at samba.org>
Date:   Mon Apr 5 11:23:32 2010 -0400

    mount.cifs: properly prune the capabilities bounding set
    
    ...libcap-ng does this in a much easier fashion. If that's not
    available, then we have to do it manually.
    
    Signed-off-by: Jeff Layton <jlayton at samba.org>

commit 4b52d2fdea00107f3c23388891467bbb7f2711eb
Author: Jeff Layton <jlayton at samba.org>
Date:   Sun Apr 4 10:09:38 2010 -0400

    mount.cifs: use libcap-ng to manage capabilities
    
    ...in preference to libcap if it's available.
    
    Signed-off-by: Jeff Layton <jlayton at samba.org>

commit 0c287aa5ce5def56d901716e58943f3e9825e3a3
Author: Jeff Layton <jlayton at samba.org>
Date:   Sun Apr 4 09:51:31 2010 -0400

    autotools: don't link mount.cifs against krb5 library
    
    mount.cifs is being linked against the krb5 library. Fix it so that
    that doesn't happen.
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit 16c29a1920e48e7480595edd0ae96094d6e220c8
Author: Jeff Layton <jlayton at samba.org>
Date:   Sat Apr 3 07:12:06 2010 -0400

    mount.cifs: fix toggle_cap_dac_override
    
    ...it clears the capability set completely, which it shouldn't do. It
    also doesn't call cap_set_proc to make the new capability set active.
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit 55c00c67ced28102209e640fd50bcab9d0332a7f
Author: Jeff Layton <jlayton at samba.org>
Date:   Sat Apr 3 06:49:43 2010 -0400

    mount.cifs: only enable CAP_DAC_OVERRIDE when needed
    
    When dropping capabilities, drop CAP_DAC_OVERRIDE from the effective set
    but not the permitted. When we need to open credential or password
    files, make it effective again and drop it after the open completes.
    This reduces CAP_DAC_OVERRIDE exposure.
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit d652b86adc7e9c62ba71b315e91fdd24af0063d8
Author: Jeff Layton <jlayton at samba.org>
Date:   Fri Apr 2 16:02:37 2010 -0400

    mount.cifs: if real uid is 0, child must keep CAP_DAC_OVERRIDE
    
    ...otherwise, root may not be able to read credential files. The ideal
    thing would be to remove it from the effective set, and only turn it
    on when needed, but for now this should fix the immediate problem.
    
    Signed-off-by: Jeff Layton <jlayton at samba.org>

- -- 
Jeff Layton <jlayton at samba.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iEYEARECAAYFAku/LAgACgkQyP0gxQMdzIARMQCgsRW1MEtXsJAKl6So9CfOGxy1
ofIAn06HkxKT/lAfDZcIHjovmgNPgyKQ
=LfFI
-----END PGP SIGNATURE-----


More information about the samba-technical mailing list