Jeff Layton
2017-Feb-13 14:00 UTC
[Samba] [cifs-utils PATCH] cifs.upcall: switch group IDs when handling an upcall
Currently, we leave the group ID alone, but now that we're looking at KRB5CCNAME, we need to be a little more careful with credentials. After we get the uid, do a getpwuid and grab the default gid for the user. Then use setgid to set it before calling setuid. Signed-off-by: Jeff Layton <jlayton at samba.org> --- cifs.upcall.c | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/cifs.upcall.c b/cifs.upcall.c index ee3449d4555d..3328bbdd34ca 100644 --- a/cifs.upcall.c +++ b/cifs.upcall.c @@ -47,6 +47,8 @@ #include <netdb.h> #include <arpa/inet.h> #include <ctype.h> +#include <pwd.h> +#include <grp.h> #include "replace.h" #include "data_blob.h" @@ -818,6 +820,7 @@ int main(const int argc, char *const argv[]) char *keytab_name = NULL; char *env_cachename = NULL; krb5_ccache ccache = NULL; + struct passwd *pw; hostbuf[0] = '\0'; memset(&arg, 0, sizeof(arg)); 
@@ -924,20 +927,54 @@ int main(const int argc, char *const argv[]) } /* + * The kernel doesn't pass down the gid, so we resort here to scraping + * one out of /etc/passwd (or the equivalent). Note that this might + * not reflect the actual gid of the process that initiated the + * upcall, but it's safer than relying on the current creds. + */ + pw = getpwuid(uid); + if (!pw) { + syslog(LOG_ERR, "Unable to find pw entry for uid %d: %s\n", + uid, strerror(errno)); + rc = 1; + goto out; + } + + /* * Must do this before setuid, as we need ptrace perms to look at * environ file. */ env_cachename = get_cachename_from_process_env(env_probe ? arg.pid : 0); + /* + * The kernel should send down a zero-length grouplist already, but + * just to be on the safe side... + */ + rc = setgroups(0, NULL); + if (rc == -1) { + syslog(LOG_ERR, "setgroups: %s", strerror(errno)); + rc = 1; + goto out; + } + + rc = setgid(pw->pw_gid); + if (rc == -1) { + syslog(LOG_ERR, "setgid: %s", strerror(errno)); + rc = 1; + goto out; + } + rc = setuid(uid); if (rc == -1) { syslog(LOG_ERR, "setuid: %s", strerror(errno)); + rc = 1; goto out; } rc = krb5_init_context(&context); if (rc) { syslog(LOG_ERR, "unable to init krb5 context: %ld", rc); + rc = 1; goto out; } -- 2.9.3
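Review bot: in the third hunk, the getpwuid() failure path logs strerror(errno), but getpwuid() returns NULL without touching errno when the uid simply has no passwd entry, so the message may show a stale value or "Success"; set errno = 0 before the call and only append strerror() when errno is non-zero (otherwise something like "no passwd entry for uid"). The "%d" in that same syslog format does not match uid_t, which is unsigned on Linux; print it as "%u" with a cast, or via (unsigned long). The setgroups(0, NULL) -> setgid(pw->pw_gid) -> setuid(uid) ordering is the right sequence for dropping privileges, and the two added "rc = 1" lines make the setuid and krb5_init_context failures exit with a consistent status instead of -1 or a raw krb5 error code; the commit message could say so, and could also note that an upcall for a uid with no passwd entry now fails where it previously went on with the unchanged gid.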