[cifs-utils PATCH v3 0/4] cifs.upcall: allow cifs.upcall to scrape cache location initiating task's environment

Jeff Layton jlayton at samba.org
Wed Feb 15 16:15:18 UTC 2017


Apologies for v3 series, I had some extra patches in there. This is
the one that should have been sent. Relabeled as v4 for clarity.

Third respin of this series. Reordered for better safety for bisecting.
The environment scraping is now on by default, but can be disabled with
"-E" in environments where it's not needed.

Also, I've added a patch to make cifs.upcall drop capabilities before
doing most of its work. This may help reduce the attack surface of the
program.

Jeff Layton (4):
  cifs.upcall: convert two flags from int to bool
  cifs.upcall: switch group IDs when handling an upcall
  cifs.upcall: drop capabilities early in program
  cifs.upcall: allow scraping of KRB5CCNAME out of initiating task's
    /proc/<pid>/environ file

 Makefile.am      |   2 +-
 cifs.upcall.8.in |   9 ++
 cifs.upcall.c    | 255 +++++++++++++++++++++++++++++++++++++++++++++++++++++--
 3 files changed, 256 insertions(+), 10 deletions(-)

-- 
2.9.3




More information about the samba-technical mailing list