cifs-utils release 6.7 ready for download

Jeff Layton jlayton at
Thu Mar 2 18:44:57 UTC 2017

The main change in this release is to address some regressions that
crept in when we switched to a scheme that does not rely on walking /tmp
to look for credcaches.

We now will use the information from the kernel about the initiating
pid, reach into that task's environment and scrape out the $KRB5CCNAME
variable. This can be problematic in setuid situations, so we avoid
doing that for the root user. It's not a perfect scheme but it's
certainly better than what was there before.

There are also some mount.cifs cleanups and fixes from Germano Percossi.

git:        git://

Detailed list of changes since 6.6 was released:

commit c4e51e4dcbd3169638fa3fb13df61fa1fee525a8
Author: Jeff Layton <jlayton at>
Date:   Sun Nov 27 06:28:29 2016 -0500

    cifs-utils: bump version to 6.6.1 for pre-release builds
    Signed-off-by: Jeff Layton <jlayton at>

commit 76da9405575d484b33eb4e56466366c8dbe87046
Author: Germano Percossi <germano.percossi at>
Date:   Fri Nov 18 18:54:49 2016 +0000

    mount.cifs: Removed extra comma in front of domain
    Signed-off-by: Germano Percossi <germano.percossi at>

commit 57e4e22de7ea79f56471e7eb8cec9db926087f8d
Author: Germano Percossi <germano.percossi at>
Date:   Fri Nov 18 18:54:50 2016 +0000

    mount.cifs: Accept empty domains on the command line
    If we do not allow empty domains on the command line we are preventing
    the kernel module from taking different actions if the domain has not
    been specified at all or just passed empty.
    In fact, with this fix the cifs module behaves differently once an empty
    domain is passed: the find_domain_name function is not invoked when an
    empty domain is passed.
    It is possible to pass both 'domain=' or 'domain=""' even though the
    kernel module will accept the former only when associated with the
    sloppy option.
    Signed-off-by: Germano Percossi <germano.percossi at>

commit a1f3acd40b265f134a97a739a6898b3958d206b9
Author: Germano Percossi <germano.percossi at>
Date:   Fri Nov 18 18:54:51 2016 +0000

    mount.cifs: Fixed command line parsing and aligned with kernel
    The way token matching was done was consuming the parameters namespace
    quickly.  For example, anything starting with "dom" was interpreted with
    domain, while it could have been a completely different word.  The same
    is true even for "ro".
    Moreover, many perfectly valid options like "addr" where not accepted.
    The cifs  kernel module is very strict when it comes to names: 'dom' and
    'domain' are valid while 'domai' is not, so the userspace tool needs to
    comply otherwise it becomes very difficult to come up with new names for
    Now, checking is strict and as close as possible to kernel.  When it is
    not, it is just to avoid breaking compatibility with some users.
    However, workg has been removed because it is too lazy and undocumented.
    The only variable left without strict checking is 'x-' because the
    intent is to ignore anything starting in that way
    Signed-off-by: Germano Percossi <germano.percossi at>

commit 743301da5bf502197beb1f91f98e11eea9070e4e
Author: Germano Percossi <germano.percossi at>
Date:   Fri Nov 18 18:54:52 2016 +0000

    mount.cifs: Remove unneeded stdbool header include
    Signed-off-by: Germano Percossi <germano.percossi at>

commit d73a52e50d43f07638f34cb860e9824a932508b8
Author: Sachin Prabhu <sprabhu at>
Date:   Wed Jan 4 07:45:17 2017 -0500

    manpage: document mfsymlinks in the mount.cifs man page
    Information from the cifs README in the kernel sources is used.
    Signed-off-by: Sachin Prabhu <sprabhu at>

commit fb7693c50e99f2153500bb3590602993016051b4
Author: Jeff Layton <jlayton at>
Date:   Sun Feb 12 09:36:12 2017 -0500

    cifs.upcall: convert two flags from int to bool
    Signed-off-by: Jeff Layton <jlayton at>

commit a6662edb12b267e12bd67424e485ca081a97beb3
Author: Jeff Layton <jlayton at>
Date:   Mon Feb 13 08:33:02 2017 -0500

    cifs.upcall: switch group IDs when handling an upcall
    Currently, we leave the group ID alone, but in a later patch we'll be
    changing cifs.upcall to scrape $KRB5CCNAME out of the originating
    process. At that point, we want to be a little more careful with the
    process credentials we'll be using.
    After we get the uid, do a getpwuid and grab the default gid for the
    user. Then use setgid to set it before calling setuid.
    Signed-off-by: Jeff Layton <jlayton at>

commit 109c189bf4720b0d7ed43113e1e26c89c8b15ada
Author: Jeff Layton <jlayton at>
Date:   Wed Feb 15 10:00:45 2017 -0500

    cifs.upcall: drop capabilities early in program
    Much of cifs.upcall can and should be run without elevated privileges.
    On entry into the program, drop as many capabilities as we can get away
    with, and then always drop any remaining caps after calling setuid().
    Signed-off-by: Jeff Layton <jlayton at>

commit ed97e4ecab4e9a103c46232785fb76b3f07d0637
Author: Jeff Layton <jlayton at>
Date:   Sat Feb 11 08:38:46 2017 -0500

    cifs.upcall: allow scraping of KRB5CCNAME out of initiating task's /proc/<pid>/environ file
    Chad reported that he was seeing a regression in cifs-utils-6.6. Prior
    to that, cifs.upcall was able to find credcaches in non-default FILE:
    locations, but with the rework of that code, that ability was lost.
    Unfortunately, the krb5 library design doesn't really take into account
    the fact that we might need to find a credcache in a process that isn't
    descended from the session.
    When the kernel does an upcall, it passes several bits of info about the
    task that initiated the upcall. One of those things is the PID (the
    tgid, in particular). We can use that info to reach into the
    /proc/<pid>/environ file for the process, and grab whatever value of
    $KRB5CCNAME is there.
    Then, after switching credentials, set $KRB5CCNAME in the environment
    to the same value before opening the credcache, to hint to the krb5
    libs where they ought to look.
    This new behavior is on by default, but can be disabled by having
    request-key pass a '-E' flag to cifs.upcall.
    Reported-by: Chad William Seys <cwseys at>
    Signed-off-by: Jeff Layton <jlayton at>

commit ec3874fdc669901f4a9e8a90a856f999cd627a3f
Author: Jeff Layton <jlayton at>
Date:   Thu Feb 16 09:55:45 2017 -0500

    cifs.upcall: trim even more capabilities
    We really only need CAP_DAC_READ_SEARCH, not CAP_DAC_OVERRIDE, and
    only when we are going to probe the environ file.
    Also, fix the non-libcap-ng trim_capabilities prototype.
    Reviewed-by: Simo Sorce <simo at>
    Signed-off-by: Jeff Layton <jlayton at>

commit 912cbe49114392bd7c375c4c37698d406eb0660e
Author: Jeff Layton <jlayton at>
Date:   Thu Feb 23 18:49:59 2017 -0500

    data_blob: remove need for replace.h
    We only need ZERO_STRUCT there.
    Signed-off-by: Jeff Layton <jlayton at>

commit ebdd0a9d9745f19a13415a65914dcc9993f28e96
Author: Jeff Layton <jlayton at>
Date:   Thu Feb 23 20:56:27 2017 -0500

    spengo.c/asn1.c: remove need for replace.h
    Just need stdbool.h instead.
    Signed-off-by: Jeff Layton <jlayton at>

commit 4849f9fc118bf074ce5efea94fa0c4727a430863
Author: Jeff Layton <jlayton at>
Date:   Thu Feb 23 18:58:17 2017 -0500

    cifs.upcall: remove need for replace.h
    Take just what we need from replace.h and move it to cifs.upcall.c.
    Signed-off-by: Jeff Layton <jlayton at>

commit 2333c502f81c66e186123e1b739a056fb049d5e4
Author: Jeff Layton <jlayton at>
Date:   Thu Feb 23 19:21:56 2017 -0500

    replace.h: remove it
    Nothing uses it now.
    Signed-off-by: Jeff Layton <jlayton at>

commit 4850d321c3ec8f1b31b162fe8a316a7638c12b94
Author: Jeff Layton <jlayton at>
Date:   Thu Feb 23 19:09:12 2017 -0500

    treewide: Eliminate SAFE_FREE
    It just frees and then zeroes out the pointer. That's of dubious
    value in the places where it's currently being used. Just use
    free() instead.
    Signed-off-by: Jeff Layton <jlayton at>

commit 891d7806ac153e7d99b324ed9a33ff92699a92c6
Author: Jeff Layton <jlayton at>
Date:   Thu Feb 23 19:14:07 2017 -0500

    data_blob: Eliminate _PUBLIC_
    It's defined to nothing anyway.
    Signed-off-by: Jeff Layton <jlayton at>

commit 2dcecd21262513a0866c321643fc33d3d0135915
Author: Jeff Layton <jlayton at>
Date:   Thu Feb 23 18:28:24 2017 -0500

    cifs.upcall: unset $KRB5CCNAME when creating new credcache from keytab
    We don't want to trust $KRB5CCNAME when creating or updating a new
    credcache since we could be operating under the wrong credentials.
    Always create new credcaches in the default location instead.
    Reported-by: Chad William Seys <cwseys at>
    Signed-off-by: Jeff Layton <jlayton at>

commit 9eaa21ed37126d1bfcb998b4c8f6115ac77e9b5f
Author: Jeff Layton <jlayton at>
Date:   Thu Feb 23 16:50:43 2017 -0500

    cifs.upcall: don't do env scraping when uid is 0
    Setuid programs triggering upcalls could trick the program here. Also,
    the d_automount method is done with credentials overridden so if you
    can end up with mismatched creds and env vars due to that as well.
    It's a hack, but the only recourse I can see is to avoid doing this
    when the uid is 0. That means we can't rely on finding root credcaches
    in alternate locations using $KRB5CCNAME, but I think that's the best
    we can do.
    Reported-and-Tested-by: Chad William Seys <cwseys at>
    Signed-off-by: Jeff Layton <jlayton at>

commit 69949ba0086ac7a4f07ade7558fbe5c537220ebb
Author: Jeff Layton <jlayton at>
Date:   Fri Feb 24 10:48:57 2017 -0500

    cifs.upcall: use a MEMORY: ccache when instantiating from a keytab
    Using a more permanent ccache is potentially problematic when we're
    instantiating a new one. We might be operating under different creds
    than expected. Just use a MEMORY: ccache since we don't need it to
    last longer than the life of the upcall anyway.
    Reported-and-Tested-by: Chad William Seys <cwseys at>
    Signed-off-by: Jeff Layton <jlayton at>

commit 8101a07871f185c7044fa2ca221b282ab4607c8b
Author: Jeff Layton <jlayton at>
Date:   Thu Mar 2 11:51:05 2017 -0500

    cifs-utils: bump version to 6.7
    Signed-off-by: Jeff Layton <jlayton at>

Jeff Layton <jlayton at>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 847 bytes
Desc: This is a digitally signed message part
URL: <>

More information about the samba-technical mailing list