Jeff Layton
2010-Apr-02 12:23 UTC
[Samba] ANNOUNCE: cifs-utils release 4.2 available for download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This release contains a significant overhaul of mount.cifs that is
intended to make it safer to install setuid root. With this release,
setuid capability is no longer disabled by default. Among the changes
are:

- mount.cifs now does privilege separation. It forks very early and the
  child drops privileges. Most of the mount option processing is handled
  by the child. The parent simply waits for the child to exit and
  proceeds with the mount and mtab update based on the child's exit
  status.
- mount.cifs uses libcap if it is available to prune its capability set
- mount.cifs is more careful about signal handling during mtab updates

This should not however be construed as a recommendation to install
mount.cifs setuid root. As always, distributions and administrators
should weigh carefully whether they should install it that way in their
own packages and environments.

There are also a couple of patches in this release that should make
cifs.upcall work with the heimdal kerberos implementation.

The git tag for this release is also annotated and signed. Note that
the webpage URL below has changed:

webpage: linux-cifs.samba.org/cifs-utils
tarball: ftp://ftp.samba.org/pub/linux-cifs/cifs-utils
git:     git://git.samba.org/cifs-utils.git
gitweb:  git.samba.org/?p=cifs-utils.git;a=summary

Detailed changelog:

commit 9e2c2536f5a49ff7385ff17f0866ef1489bed671
Author: Jeff Layton <jlayton at samba.org>
Date:   Fri Apr 2 06:42:20 2010 -0400

    cifs-utils: bump version to 4.2

    - fix URLs and email addresses
    - update copyright notices

    Signed-off-by: Jeff Layton <jlayton at samba.org>

commit d52478ee762d88aa23db476639cdcb5379dddfa4
Author: Jeff Layton <jlayton at redhat.com>
Date:   Thu Apr 1 22:05:47 2010 -0400

    cifs.upcall: run it through Lindent

    ...coding style cleanup.

    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit d946beecf6e9cc7cf6897368bed8f43b0ec61ed1
Author: Torsten Kurbad <torsten at tk-webart.de>
Date:   Thu Apr 1 21:47:25 2010 -0400

    cifs-upcall: krb5.h inclusion quick fix

    ...eventually it might be better to make autoconf set
    -I/usr/include/krb5 or whatever and get rid of the #ifdef's here.
    It's a little tricky to figure out the include dir however, so this
    will do for now.

    Signed-off-by: Torsten Kurbad <torsten at tk-webart.de>

commit f5b79b44f25cdf4ba4363c7c05892af2865ce890
Author: Torsten Kurbad <torsten at tk-webart.de>
Date:   Thu Apr 1 21:47:18 2010 -0400

    cifs-upcall: heimdal fixes

    Signed-off-by: Torsten Kurbad <torsten at tk-webart.de>

commit 20a5ec8bd8ea3edb943adb517f378938e31f1c41
Author: Jeff Layton <jlayton at redhat.com>
Date:   Thu Apr 1 15:29:59 2010 -0400

    mount.cifs: re-enable setuid usage

    Now that mount.cifs is safe(r) we don't need to disable setuid
    capability by default.

    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit da54228cd9e6fe144efcb2d6da87e3cbb5db5b4c
Author: Jeff Layton <jlayton at redhat.com>
Date:   Thu Apr 1 15:28:57 2010 -0400

    mount.cifs: drop capabilities if libcap is available

    Might as well be as safe as possible. Have child drop all
    capabilities, and have the parent drop all but CAP_SYS_ADMIN (needed
    for mounting) and CAP_DAC_OVERRIDE (needed in case mtab isn't
    writable by root).

    We might even eventually consider being clever and dropping
    CAP_DAC_OVERRIDE when root has access to the mtab.

    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit 810f7e4e0f2dbcbee0294d9b371071cb08268200
Author: Jeff Layton <jlayton at redhat.com>
Date:   Thu Apr 1 15:28:54 2010 -0400

    mount.cifs: guard against signals by unprivileged users

    If mount.cifs is setuid root, then the unprivileged user who runs the
    program can send the mount.cifs process a signal and kill it. This is
    not a huge problem unless we happen to be updating the mtab at the
    time, in which case the mtab lockfiles might not get cleaned up.

    To remedy this, have the privileged mount.cifs process set its real
    uid to the effective uid (usually, root). This prevents unprivileged
    users from being able to signal the process.

    While we're at it, also mask off signals while we're updating the
    mtab. This leaves a SIGKILL by root as the only way to interrupt the
    mtab update, but there's really nothing we can do about that.

    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit 294215ef969ce3ecb91063fbbb8a8c075272cc8d
Author: Jeff Layton <jlayton at redhat.com>
Date:   Thu Apr 1 15:19:17 2010 -0400

    mount.cifs: introduce privilege separation

    Much of the mount option parsing and other activities can be done by
    an unprivileged process. Allocate the parsed_mount_info struct as an
    anonymous mmap() segment and then fork to do the actual mount option
    parsing. The child can then drop root privileges before populating
    the parsed_mount_info struct.

    The parent waits for the child to exit and then continues the mount
    process based on the child's exit status.

    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit e87a203fbaf059831292f2cb9a0692ef7a78a267
Author: Jeff Layton <jlayton at redhat.com>
Date:   Thu Apr 1 15:19:16 2010 -0400

    mount.cifs: move nomtab, fakemnt, and verboseflag flags to
    parsed_mount_info

    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit cda27cf80dc118e9aaafbaeaa7194c96a6b63d71
Author: Jeff Layton <jlayton at redhat.com>
Date:   Thu Apr 1 15:19:16 2010 -0400

    mount.cifs: move assembly of parsed_mount_info to separate function

    ...later, we'll want to introduce privilege separation so make this a
    separate function to facilitate that.

    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit 6749397938642ed212ec92a194dda08546bf838b
Author: Jeff Layton <jlayton at redhat.com>
Date:   Thu Apr 1 15:19:16 2010 -0400

    mount.cifs: run mount.cifs through Lindent

    ...code cleanup

    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit 860e2b63a872d9a89ea4d79465cf3321109094b2
Author: Jeff Layton <jlayton at redhat.com>
Date:   Thu Apr 1 15:19:16 2010 -0400

    mount.cifs: move mtab adding code to separate function

    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit f81576e724f78f8a952555d889c81ca75ac64fee
Author: Jeff Layton <jlayton at redhat.com>
Date:   Thu Apr 1 15:19:16 2010 -0400

    mount.cifs: clean up command-line options

    The mount.cifs command apparently tries to take a ton of command-line
    options. Many of these will never be passed to mount.cifs by
    /bin/mount. Others are more appropriately specified as mount options.
    In both cases, there are a lot of options in the switch statement
    that are not listed in the optstring, and there are characters in the
    optstring that are not dealt with by the switch statement. Other
    options are poorly wired to the rest of the code and don't actually
    do anything.

    Clean it up by removing all but the ones that are likely to ever be
    used.

    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit 0f42bd90d13afb3e6cf1c842f0b70f8b65960d1f
Author: Jeff Layton <jlayton at redhat.com>
Date:   Thu Apr 1 15:19:16 2010 -0400

    mount.cifs: reassemble device name from pieces

    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit d597054e8bb28a2f30c73a01a0ebcab502c1068d
Author: Jeff Layton <jlayton at redhat.com>
Date:   Thu Apr 1 15:19:16 2010 -0400

    mount.cifs: clean up setting of password field

    Add a function to set and escape the password properly.

    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit 39bc2781515be2528bd85e41f00f34f7249f0383
Author: Jeff Layton <jlayton at redhat.com>
Date:   Thu Apr 1 15:19:16 2010 -0400

    mount.cifs: eliminate "legacy" setuid behavior

    This behavior is demonstrably unsafe and not something we want to
    support going forward.

    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit 5f153f6a0e488f7d974071679c2201eb0c18d42c
Author: Jeff Layton <jlayton at redhat.com>
Date:   Thu Apr 1 15:19:16 2010 -0400

    mount.cifs: eliminate some unneeded flags in parsed_mount_info

    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit ffda61e25cd8e10dda9fb4b2c3fad7b96c943c4d
Author: Jeff Layton <jlayton at redhat.com>
Date:   Thu Apr 1 15:19:16 2010 -0400

    mount.cifs: parse unc into separate fields

    The UNC is currently handled as a single string and mount.cifs will
    just munge it whenever it needs to change the delimiter type or
    uppercase it, etc. This is tricky to handle correctly and means that
    we often need to keep track of what's already been changed.

    Instead of doing this, just track the pieces of the UNC in separate
    fields in the parsed_mount_info, and then use those pieces to build
    strings as needed.

    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit c610039ef674770ec92ff36d1f3c7a494bc3962c
Author: Jeff Layton <jlayton at redhat.com>
Date:   Thu Apr 1 15:19:16 2010 -0400

    mount.cifs: add username and domain fields to parsed_mount_info

    ...and fill and use them accordingly.

    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit 0f4753b828e71b437924b48d168308884928fa6f
Author: Jeff Layton <jlayton at redhat.com>
Date:   Thu Apr 1 15:19:16 2010 -0400

    mount.cifs: make mountpassword a field in parsed_info

    ...rather than a buffer pointed to by a global var

    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit 0ec6dc3c89ccc48d9f4a4edb9865502cf3759d03
Author: Jeff Layton <jlayton at redhat.com>
Date:   Thu Apr 1 15:19:16 2010 -0400

    mount.cifs: make parse_options return proper mount error codes

    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit c9b5372277c3ab046d09508d90c1c3f8137b3a11
Author: Jeff Layton <jlayton at redhat.com>
Date:   Thu Apr 1 15:19:16 2010 -0400

    mount.cifs: have parse_options fill parsed_mount_info

    Allocate a zeroed out parsed_mount_info struct and have parse_options
    put its info into that instead. realloc() is no longer used here and
    instead we just have the option parser carefully check that the
    result will fit in the buffer before copying it.

    We also no longer use snprintf to stuff info directly into the
    buffer. It may not be possible given the other checks, but snprintf
    can leave a non-NULL terminated string. Use strlcat everywhere
    instead to ensure that doesn't occur.

    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit bda33540ab300dd9a996580d9f60ef3527490833
Author: Jeff Layton <jlayton at redhat.com>
Date:   Thu Apr 1 15:19:16 2010 -0400

    mount.cifs: declare new struct for holding parsed mount info

    Currently mount.cifs puts mount info into a disparate series of
    dynamically sized buffers. Declare a new struct that holds a set of
    fixed-size buffers. The option and UNC parsing routines can place
    their results in this struct. This should make it easier to implement
    privilege separation using shared memory to pass data between
    processes.

    Signed-off-by: Jeff Layton <jlayton at redhat.com>

-- 
Jeff Layton <jlayton at samba.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iEYEARECAAYFAku14ecACgkQyP0gxQMdzIAnhgCfcQt/8Ctf6JFVdkvQ8xDo89Ip
WskAoI9rdmVyBwr9H/ohEfJ1qzfGDOkt
=96RB
-----END PGP SIGNATURE-----
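The privilege-separation, signal-guarding and bounds-checked-copy changes that the announcement and the commit messages for 294215ef, 810f7e4e and c9b53722 describe, reduced to one runnable sketch. This is an added example and not cifs-utils code: the struct layout, the option names, the OPT_MAX size and every function name are assumptions made for illustration, and the mtab writer is a stand-in that only reports whether signals were masked while it ran. Run as an ordinary user, the privilege-dropping calls are no-ops that still succeed, so the flow can be exercised without installing anything setuid.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#define OPT_MAX 64  /* assumed field size for this example only */

/* Fixed-size fields so the whole struct fits in one shared anonymous mapping. */
struct parsed_mount_info {
    char host[OPT_MAX], share[OPT_MAX], username[OPT_MAX];
    int nomtab;
};

/* strlcat-style append: dst always stays NUL-terminated; -1 if src would not fit. */
static int bounded_append(char *dst, size_t dstsz, const char *src)
{
    size_t used = strnlen(dst, dstsz), need = strlen(src);
    if (used >= dstsz || need >= dstsz - used)
        return -1;
    memcpy(dst + used, src, need + 1);
    return 0;
}

/* Child side: permanently give up a setuid-root identity (groups, then gid,
 * then uid, each checked). Without setuid these are no-ops that still succeed. */
static int drop_privileges(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (geteuid() == 0 && setgroups(0, NULL) < 0)
        return -1;
    if (setregid(gid, gid) < 0 || setreuid(uid, uid) < 0)
        return -1;
    return (uid != 0 && setuid(0) != -1) ? -1 : 0;  /* root must be unrecoverable */
}

/* Unprivileged stage: parse "host=..,share=..,user=..,nomtab" into *info with
 * every copy bounds-checked. 0 on success, 1 on an unknown or oversized option. */
static int parse_options(const char *opts, struct parsed_mount_info *info)
{
    char buf[256] = "", *save = NULL, *tok;
    if (bounded_append(buf, sizeof(buf), opts) < 0)
        return 1;
    for (tok = strtok_r(buf, ",", &save); tok; tok = strtok_r(NULL, ",", &save)) {
        int rc = -1;  /* unknown options are refused, never guessed at */
        if (!strncmp(tok, "host=", 5))
            rc = bounded_append(info->host, sizeof(info->host), tok + 5);
        else if (!strncmp(tok, "share=", 6))
            rc = bounded_append(info->share, sizeof(info->share), tok + 6);
        else if (!strncmp(tok, "user=", 5))
            rc = bounded_append(info->username, sizeof(info->username), tok + 5);
        else if (!strcmp(tok, "nomtab")) {
            info->nomtab = 1;
            rc = 0;
        }
        if (rc < 0)
            return 1;
    }
    return 0;
}

/* Privileged side: shared mapping, fork, child drops privileges and parses,
 * parent copies the struct out only if the child exited 0. 0 on success, else -1. */
static int privsep_parse(const char *opts, struct parsed_mount_info *out)
{
    struct parsed_mount_info *info = mmap(NULL, sizeof(*info), PROT_READ | PROT_WRITE,
                                          MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    int status, rc = -1;
    pid_t pid;
    if (info == MAP_FAILED)
        return -1;
    if ((pid = fork()) == 0)
        _exit(drop_privileges() < 0 ? 2 : parse_options(opts, info));
    if (pid > 0) {
        /* Parent: ruid = euid so the invoker can no longer signal us. Done after
         * the fork, so the child still saw the invoker's uid to drop down to. */
        int hardened = setreuid(geteuid(), -1) == 0;
        if (waitpid(pid, &status, 0) == pid && hardened && WIFEXITED(status) &&
            WEXITSTATUS(status) == 0) {
            *out = *info;
            rc = 0;
        }
    }
    munmap(info, sizeof(*info));
    return rc;
}

/* The mtab step: block every maskable signal around the update, then restore the
 * previous mask. SIGKILL cannot be masked, which is the residual case the changelog
 * mentions. The "update" here is a stand-in that checks SIGTERM was masked. 0 = ok. */
static int guarded_mtab_update(void)
{
    sigset_t all, old, during, after;
    int masked;
    sigfillset(&all);
    if (sigprocmask(SIG_BLOCK, &all, &old) < 0)
        return -1;
    sigprocmask(SIG_BLOCK, NULL, &during);      /* ...real code writes mtab here... */
    masked = sigismember(&during, SIGTERM);
    sigprocmask(SIG_SETMASK, &old, NULL);
    sigprocmask(SIG_BLOCK, NULL, &after);
    return (masked && sigismember(&after, SIGTERM) == sigismember(&old, SIGTERM)) ? 0 : 1;
}

int main(void)
{
    struct parsed_mount_info info;
    memset(&info, 0, sizeof(info));
    if (privsep_parse("host=fileserver,share=data,user=alice,nomtab", &info) == 0)
        printf("host=%s share=%s user=%s nomtab=%d\n", info.host, info.share,
               info.username, info.nomtab);
    printf("guarded mtab update: %s\n", guarded_mtab_update() == 0 ? "ok" : "FAILED");
    return 0;
}
```

The libcap step from the changelog (child drops every capability, parent keeps only CAP_SYS_ADMIN and CAP_DAC_OVERRIDE) is left out because it needs libcap at build time; it would sit right after the fork, in each branch, before any option is touched. The point to take from the sketch is that the parent never interprets user-supplied text itself: it only reads a fixed-size struct that an unprivileged process filled, and only when that process reported success.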