samba - Apr 2010 - ANNOUNCE: cifs-utils release 4.2 available for download

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This release contains a significant overhaul of mount.cifs that is
intended to make it safer to install setuid root. With this release,
setuid capability is no longer disabled by default. Among the changes
are:

- - mount.cifs now does privilege separation. It forks very early and the
child drops privileges. Most of the mount option processing is handled
by the child. The parent simply waits for the child to exit and
proceeds with the mount and mtab update based on the child's exit
status.

- - mount.cifs uses libcap if it is available to prune its capability set

- - mount.cifs is more careful about signal handling during mtab updates

This should not however be construed as a recommendation to install
mount.cifs setuid root. As always, distributions and administrators
should weigh carefully whether they should install it that way in their
own packages and environments.

There are also a couple of patches in this release that should make
cifs.upcall work with the heimdal kerberos implementation. The git tag
for this release is also annotated and signed.

Note that the webpage URL below has changed:

webpage:    http://linux-cifs.samba.org/cifs-utils/
tarball:    ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/
git:        git://git.samba.org/cifs-utils.git
gitweb:     http://git.samba.org/?p=cifs-utils.git;a=summary

Detailed changelog:

commit 9e2c2536f5a49ff7385ff17f0866ef1489bed671
Author: Jeff Layton <jlayton at samba.org>
Date:   Fri Apr 2 06:42:20 2010 -0400

    cifs-utils: bump version to 4.2
    
    - fix URL's and email addresses
    - update copyright notices
    
    Signed-off-by: Jeff Layton <jlayton at samba.org>

commit d52478ee762d88aa23db476639cdcb5379dddfa4
Author: Jeff Layton <jlayton at redhat.com>
Date:   Thu Apr 1 22:05:47 2010 -0400

    cifs.upcall: run it through Lindent
    
    ...coding style cleanup.
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit d946beecf6e9cc7cf6897368bed8f43b0ec61ed1
Author: Torsten Kurbad <torsten at tk-webart.de>
Date:   Thu Apr 1 21:47:25 2010 -0400

    cifs-upcall: krb5.h inclusion quick fix
    
    ...eventually it might be better to make autoconf set -I/usr/include/krb5
    or whatever and get rid of the #ifdef's here. It's a little tricky
to
    figure out the include dir however, so this will do for now.
    
    Signed-off-by: Torsten Kurbad <torsten at tk-webart.de>

commit f5b79b44f25cdf4ba4363c7c05892af2865ce890
Author: Torsten Kurbad <torsten at tk-webart.de>
Date:   Thu Apr 1 21:47:18 2010 -0400

    cifs-upcall: heimdal fixes
    
    Signed-off-by: Torsten Kurbad <torsten at tk-webart.de>

commit 20a5ec8bd8ea3edb943adb517f378938e31f1c41
Author: Jeff Layton <jlayton at redhat.com>
Date:   Thu Apr 1 15:29:59 2010 -0400

    mount.cifs: re-enable setuid usage
    
    Now that mount.cifs is safe(r) we don't need to disable setuid
    capability by default.
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit da54228cd9e6fe144efcb2d6da87e3cbb5db5b4c
Author: Jeff Layton <jlayton at redhat.com>
Date:   Thu Apr 1 15:28:57 2010 -0400

    mount.cifs: drop capabilities if libcap is available
    
    Might as well be as safe as possible. Have child drop all capabilities,
    and have the parent drop all but CAP_SYS_ADMIN (needed for mounting) and
    CAP_DAC_OVERRIDE (needed in case mtab isn't writable by root). We might
    even eventually consider being clever and dropping CAP_DAC_OVERRIDE when
    root has access to the mtab.
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit 810f7e4e0f2dbcbee0294d9b371071cb08268200
Author: Jeff Layton <jlayton at redhat.com>
Date:   Thu Apr 1 15:28:54 2010 -0400

    mount.cifs: guard against signals by unprivileged users
    
    If mount.cifs is setuid root, then the unprivileged user who runs the
    program can send the mount.cifs process a signal and kill it. This is
    not a huge problem unless we happen to be updating the mtab at the
    time, in which case the mtab lockfiles might not get cleaned up.
    
    To remedy this, have the privileged mount.cifs process set its real
    uid to the effective uid (usually, root). This prevents unprivileged
    users from being able to signal the process.
    
    While we're at it, also mask off signals while we're updating the
    mtab. This leaves a SIGKILL by root as the only way to interrupt the
    mtab update, but there's really nothing we can do about that.
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit 294215ef969ce3ecb91063fbbb8a8c075272cc8d
Author: Jeff Layton <jlayton at redhat.com>
Date:   Thu Apr 1 15:19:17 2010 -0400

    mount.cifs: introduce privilege separation
    
    Much of the mount option parsing and other activities can be done by an
    unprivileged process. Allocate the parsed_mount_info struct as an
    anonymous mmap() segment and then fork to do the actual mount option
    parsing. The child can then drop root privileges before populating the
    parsed_mount_info struct. The parent waits for the child to exit and
    then continues the mount process based on the child's exit status.
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit e87a203fbaf059831292f2cb9a0692ef7a78a267
Author: Jeff Layton <jlayton at redhat.com>
Date:   Thu Apr 1 15:19:16 2010 -0400

    mount.cifs: move nomtab, fakemnt, and verboseflag flags to parsed_mount_info
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit cda27cf80dc118e9aaafbaeaa7194c96a6b63d71
Author: Jeff Layton <jlayton at redhat.com>
Date:   Thu Apr 1 15:19:16 2010 -0400

    mount.cifs: move assembly of parsed_mount_info to separate function
    
    ...later, we'll want to introduce privilege separation so make this
    a separate function to facilitate that.
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit 6749397938642ed212ec92a194dda08546bf838b
Author: Jeff Layton <jlayton at redhat.com>
Date:   Thu Apr 1 15:19:16 2010 -0400

    mount.cifs: run mount.cifs through Lindent
    
    ...code cleanup
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit 860e2b63a872d9a89ea4d79465cf3321109094b2
Author: Jeff Layton <jlayton at redhat.com>
Date:   Thu Apr 1 15:19:16 2010 -0400

    mount.cifs: move mtab adding code to separate function
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit f81576e724f78f8a952555d889c81ca75ac64fee
Author: Jeff Layton <jlayton at redhat.com>
Date:   Thu Apr 1 15:19:16 2010 -0400

    mount.cifs: clean up command-line options
    
    The mount.cifs command apparently tries to take a ton of command-line
    options. Many of these will never be passed to mount.cifs by /bin/mount.
    Others are more appropriately specified as mount options.
    
    In both cases, there are a lot of options in the switch statement that
    are not listed in the optstring, and there are characters in the
    optstring that are not dealt with by the switch statement. Other options
    are poorly wired to the rest of the code and don't actually do anything.
    
    Clean it up by removing all but the ones that are likely to ever be
    used.
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit 0f42bd90d13afb3e6cf1c842f0b70f8b65960d1f
Author: Jeff Layton <jlayton at redhat.com>
Date:   Thu Apr 1 15:19:16 2010 -0400

    mount.cifs: reassemble device name from pieces
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit d597054e8bb28a2f30c73a01a0ebcab502c1068d
Author: Jeff Layton <jlayton at redhat.com>
Date:   Thu Apr 1 15:19:16 2010 -0400

    mount.cifs: clean up setting of password field
    
    Add a function to set and escape the password properly.
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit 39bc2781515be2528bd85e41f00f34f7249f0383
Author: Jeff Layton <jlayton at redhat.com>
Date:   Thu Apr 1 15:19:16 2010 -0400

    mount.cifs: eliminate "legacy" setuid behavior
    
    This behavior is demonstrably unsafe and not something we want to support
    going forward.
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit 5f153f6a0e488f7d974071679c2201eb0c18d42c
Author: Jeff Layton <jlayton at redhat.com>
Date:   Thu Apr 1 15:19:16 2010 -0400

    mount.cifs: eliminate some unneeded flags in parsed_mount_info
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit ffda61e25cd8e10dda9fb4b2c3fad7b96c943c4d
Author: Jeff Layton <jlayton at redhat.com>
Date:   Thu Apr 1 15:19:16 2010 -0400

    mount.cifs: parse unc into separate fields
    
    The UNC is currently handled as a single string and mount.cifs will
    just munge it whenever it needs to change the delimiter type or
    uppercase it, etc. This is tricky to handle correctly and means that
    we often need to keep track of what's already been changed. Instead
    of doing this, just track the pieces of the UNC in separate fields
    in the parsed_mount_info, and then use those pieces to build strings
    as needed.
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit c610039ef674770ec92ff36d1f3c7a494bc3962c
Author: Jeff Layton <jlayton at redhat.com>
Date:   Thu Apr 1 15:19:16 2010 -0400

    mount.cifs: add username and domain fields to parsed_mount_info
    
    ...and fill and use them accordingly.
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit 0f4753b828e71b437924b48d168308884928fa6f
Author: Jeff Layton <jlayton at redhat.com>
Date:   Thu Apr 1 15:19:16 2010 -0400

    mount.cifs: make mountpassword a field in parsed_info
    
    ...rather than a buffer pointed to by a global var
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit 0ec6dc3c89ccc48d9f4a4edb9865502cf3759d03
Author: Jeff Layton <jlayton at redhat.com>
Date:   Thu Apr 1 15:19:16 2010 -0400

    mount.cifs: make parse_options return proper mount error codes
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit c9b5372277c3ab046d09508d90c1c3f8137b3a11
Author: Jeff Layton <jlayton at redhat.com>
Date:   Thu Apr 1 15:19:16 2010 -0400

    mount.cifs: have parse_options fill parsed_mount_info
    
    Allocate a zeroed out parsed_mount_info struct and have parse_options
    put its info into that instead. realloc() is no longer used here and
    instead we just have the option parser carefully check that the result
    will fit in the buffer before copying it.
    
    We also no longer use snprintf to stuff info directly into the buffer.
    It may not be possible given the other checks, but snprintf can leave a
    non-NULL terminated string. Use strlcat everywhere instead to ensure
    that doesn't occur.
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit bda33540ab300dd9a996580d9f60ef3527490833
Author: Jeff Layton <jlayton at redhat.com>
Date:   Thu Apr 1 15:19:16 2010 -0400

    mount.cifs: declare new struct for holding parsed mount info
    
    Currently mount.cifs puts mount info into a disparate series of
    dynamically sized buffers. Declate a new struct that holds a set of
    fixed-size buffers.  The option and UNC parsing routines can place their
    results in this struct.
    
    This should make it easier to implement privilege separation using
    shared memory to pass data between processes.
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>

- -- 
Jeff Layton <jlayton at samba.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iEYEARECAAYFAku14ecACgkQyP0gxQMdzIAnhgCfcQt/8Ctf6JFVdkvQ8xDo89Ip
WskAoI9rdmVyBwr9H/ohEfJ1qzfGDOkt
=96RB
-----END PGP SIGNATURE-----