search for: get_cachename_from_process_env

...l: sec=1 > Jan 7 17:11:36 memberserver-45 cifs.upcall: uid=2028 > Jan 7 17:11:36 memberserver-45 cifs.upcall: creduid=2028 > Jan 7 17:11:36 memberserver-45 cifs.upcall: user=root > Jan 7 17:11:36 memberserver-45 cifs.upcall: pid=2162 > Jan 7 17:11:36 memberserver-45 cifs.upcall: get_cachename_from_process_env: pathname=/proc/2162/environ > Jan 7 17:11:36 memberserver-45 cifs.upcall: get_cachename_from_process_env: cachename = FILE:/tmp/krb5cc_2028 > Jan 7 17:11:36 memberserver-45 cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_2028 > Jan 7 17:11:36 memberserver-45 cifs.upcal...

...m cifs.upcall: ip=192.168.0.36 Oct 11 22:45:32 pc-jm cifs.upcall: sec=1 Oct 11 22:45:32 pc-jm cifs.upcall: uid=337001591 Oct 11 22:45:32 pc-jm cifs.upcall: creduid=337001591 Oct 11 22:45:32 pc-jm cifs.upcall: user=tester Oct 11 22:45:32 pc-jm cifs.upcall: pid=2728 Oct 11 22:45:32 pc-jm cifs.upcall: get_cachename_from_process_env: pathname=/proc/2728/environ Oct 11 22:45:32 pc-jm cifs.upcall: get_cachename_from_process_env: cachename = FILE:/tmp/krb5cc_337001591 Oct 11 22:45:32 pc-jm cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_337001591 Oct 11 22:45:32 pc-jm kernel: [ 13.764725] CIFS: VFS: Verify user...

...} +#define ENV_PATH_FMT "/proc/%d/environ" +#define ENV_PATH_MAXLEN (6 + 10 + 8 + 1) + +#define ENV_NAME "KRB5CCNAME" +#define ENV_PREFIX "KRB5CCNAME=" +#define ENV_PREFIX_LEN 11 + +#define ENV_BUF_START (4096) +#define ENV_BUF_MAX (131072) + +/** + * get_cachename_from_process_env - scrape value of $KRB5CCNAME out of the + * initiating process' environment. + * @pid: initiating pid value from the upcall string + * + * Open the /proc/<pid>/environ file for the given pid, and scrape it for + * KRB5CCNAME entries. + * + * We start with a page-size buffer, and...

Third respin of this series. Reordered for better safety for bisecting. The environment scraping is now on by default, but can be disabled with "-E" in environments where it's not needed. Also, I've added a patch to make cifs.upcall drop capabilities before doing most of its work. This may help reduce the attack surface of the program. Jeff Layton (4): cifs.upcall: convert

...UPCALL_ENV_PATH_FMT "/proc/%d/environ" +#define CIFS_UPCALL_ENV_PATH_MAXLEN (6 + 10 + 8 + 1) + +#define ENV_NAME "KRB5CCNAME" +#define ENV_PREFIX "KRB5CCNAME=" +#define ENV_PREFIX_LEN 11 + +#define ENV_BUF_START (4096) +#define ENV_BUF_MAX (131072) + +/** + * get_cachename_from_process_env - scrape value of $KRB5CCNAME out of the + * initiating process' environment. + * @pid: initiating pid value from the upcall string + * + * Open the /proc/<pid>/environ file for the given pid, and scrape it for + * KRB5CCNAME entries. + * + * We start with a page-size buffer, and...

...:36 memberserver-45 cifs.upcall: uid=2028 > > Jan 7 17:11:36 memberserver-45 cifs.upcall: creduid=2028 > > Jan 7 17:11:36 memberserver-45 cifs.upcall: user=root > > Jan 7 17:11:36 memberserver-45 cifs.upcall: pid=2162 > > Jan 7 17:11:36 memberserver-45 cifs.upcall: > get_cachename_from_process_env: pathname=/proc/2162/environ > > Jan 7 17:11:36 memberserver-45 cifs.upcall: > get_cachename_from_process_env: cachename = FILE:/tmp/krb5cc_2028 > > Jan 7 17:11:36 memberserver-45 cifs.upcall: > get_existing_cc: default ccache is FILE:/tmp/krb5cc_2028 > > Jan 7 17:11:36...

Small respin of the patches that I posted a few days ago. The main difference is the reordering of the series to make it do the group and grouplist manipulation first, and then the patch that makes it grab the KRB5CCNAME from the initiating process. I think the code is sound, my main question is whether we really need the command-line switch for this. Should this just be the default mode of

...p=10.73.23.27 Mar 9 15:06:23 testlinux cifs.upcall: sec=1 Mar 9 15:06:23 testlinux cifs.upcall: uid=0 Mar 9 15:06:23 testlinux cifs.upcall: creduid=11275 Mar 9 15:06:23 testlinux cifs.upcall: user=yvan.masson Mar 9 15:06:23 testlinux cifs.upcall: pid=4636 Mar 9 15:06:23 testlinux cifs.upcall: get_cachename_from_process_env: pathname=/proc/4636/environ Mar 9 15:06:23 testlinux cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_11275 Mar 9 15:06:23 testlinux cifs.upcall: handle_krb5_mech: getting service ticket for ad.foo.bar.local Mar 9 15:06:23 testlinux cifs.upcall: cifs_krb5_get_req: unable to g...

Apologies for v3 series, I had some extra patches in there. This is the one that should have been sent. Relabeled as v4 for clarity. Third respin of this series. Reordered for better safety for bisecting. The environment scraping is now on by default, but can be disabled with "-E" in environments where it's not needed. Also, I've added a patch to make cifs.upcall drop

On Thu, 25 Jan 2024 18:45:52 -0800 Peter Carlson via samba <samba at lists.samba.org> wrote: > I am getting a permission denied when trying to ls as a domain user a > samba mount with windows ACLs (sigh I thought I had this figured > out). I tried to include self descriptive server names and include > them in the info below (fs1: file server, nc: addc, u2gui: ubuntu >

...rrent creds. + */ + pw = getpwuid(uid); + if (!pw) { + syslog(LOG_ERR, "Unable to find pw entry for uid %d: %s\n", + uid, strerror(errno)); + rc = 1; + goto out; + } + + /* * Must do this before setuid, as we need ptrace perms to look at * environ file. */ env_cachename = get_cachename_from_process_env(env_probe ? arg.pid : 0); + /* + * The kernel should send down a zero-length grouplist already, but + * just to be on the safe side... + */ + rc = setgroups(0, NULL); + if (rc == -1) { + syslog(LOG_ERR, "setgroups: %s", strerror(errno)); + rc = 1; + goto out; + } + + rc = setgid(p...

On Fri, 2017-02-10 at 11:15 -0600, Chad William Seys wrote: > Hi Jeff, > > > So we have a default credcache for the user for whom we are operating > > as, but we can't get the default principal name from it. My guess is > > that it's not finding the > > This mount is run by root UID=0 and seems to be find that credential > cache without problem (earlier

...26 09:24:56 u2gui cifs.upcall: ip=192.168.1.52 Jan 26 09:24:56 u2gui cifs.upcall: sec=1 Jan 26 09:24:56 u2gui cifs.upcall: uid=0 Jan 26 09:24:56 u2gui cifs.upcall: creduid=0 Jan 26 09:24:56 u2gui cifs.upcall: user=root Jan 26 09:24:56 u2gui cifs.upcall: pid=151139 Jan 26 09:24:56 u2gui cifs.upcall: get_cachename_from_process_env: pid == 0 Jan 26 09:24:56 u2gui cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0 Jan 26 09:24:56 u2gui cifs.upcall: handle_krb5_mech: getting service ticket for fs.carlson.lab Jan 26 09:24:56 u2gui cifs.upcall: cifs_krb5_get_req: unable to get credentials for fs.carlson.lab Jan...

...6:23 testlinux cifs.upcall: uid=0 > >> Mar 9 15:06:23 testlinux cifs.upcall: creduid=11275 > >> Mar 9 15:06:23 testlinux cifs.upcall: user=yvan.masson > >> Mar 9 15:06:23 testlinux cifs.upcall: pid=4636 > >> Mar 9 15:06:23 testlinux cifs.upcall: > >> get_cachename_from_process_env: > >> pathname=/proc/4636/environ > >> Mar 9 15:06:23 testlinux cifs.upcall: get_existing_cc: > >> default ccache > >> is FILE:/tmp/krb5cc_11275 > >> Mar 9 15:06:23 testlinux cifs.upcall: handle_krb5_mech: > >> getting service > >> ti...

...estlinux cifs.upcall: sec=1 > Mar 9 15:06:23 testlinux cifs.upcall: uid=0 > Mar 9 15:06:23 testlinux cifs.upcall: creduid=11275 > Mar 9 15:06:23 testlinux cifs.upcall: user=yvan.masson > Mar 9 15:06:23 testlinux cifs.upcall: pid=4636 > Mar 9 15:06:23 testlinux cifs.upcall: > get_cachename_from_process_env: > pathname=/proc/4636/environ > Mar 9 15:06:23 testlinux cifs.upcall: get_existing_cc: > default ccache > is FILE:/tmp/krb5cc_11275 > Mar 9 15:06:23 testlinux cifs.upcall: handle_krb5_mech: > getting service > ticket for ad.foo.bar.local > Mar 9 15:06:23 testlinux c...

...ec=1 >> Mar 9 15:06:23 testlinux cifs.upcall: uid=0 >> Mar 9 15:06:23 testlinux cifs.upcall: creduid=11275 >> Mar 9 15:06:23 testlinux cifs.upcall: user=yvan.masson >> Mar 9 15:06:23 testlinux cifs.upcall: pid=4636 >> Mar 9 15:06:23 testlinux cifs.upcall: >> get_cachename_from_process_env: >> pathname=/proc/4636/environ >> Mar 9 15:06:23 testlinux cifs.upcall: get_existing_cc: >> default ccache >> is FILE:/tmp/krb5cc_11275 >> Mar 9 15:06:23 testlinux cifs.upcall: handle_krb5_mech: >> getting service >> ticket for ad.foo.bar.local >>...

...s. (ips edited) cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=1x.1xx.1.3x;ip4=1x.1xx.1.3x;sec=krb5;uid=0x277d;creduid=0x0;user=test;pid=0x4ba cifs.upcall: ver=2 cifs.upcall: host=1x.1xx.1.3x cifs.upcall: ip=1x.1xx.1.3x cifs.upcall: sec=1 uid=10109 creduid=0 user=test pid=1210 get_cachename_from_process_env: pid == 0 get_existing_cc: default ccache is FILE:/tmp/krb5cc_0 cifs.upcall: get_tgt_time: unable to get principal cifs.upcall: krb5_get_init_creds_keytab: -1765328203 cifs.upcall: Exit status 1 lightdm[830]: (mount.c:72): Messages from underlying mount program: lightdm[830]: (mount.c:76): mount er...

...s. (ips edited) cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=1x.1xx.1.3x;ip4=1x.1xx.1.3x;sec=krb5;uid=0x277d;creduid=0x0;user=test;pid=0x4ba cifs.upcall: ver=2 cifs.upcall: host=1x.1xx.1.3x cifs.upcall: ip=1x.1xx.1.3x cifs.upcall: sec=1 uid=10109 creduid=0 user=test pid=1210 get_cachename_from_process_env: pid == 0 get_existing_cc: default ccache isFILE:/tmp/krb5cc_0 cifs.upcall: get_tgt_time: unable to get principal cifs.upcall: krb5_get_init_creds_keytab: -1765328203 cifs.upcall: Exit status 1 lightdm[830]: (mount.c:72): Messages from underlying mount program: lightdm[830]: (mount.c:76): mount err...

Rowland, How would I find this info? Check if 'Rachel Jones' has a 'gecos' attribute in AD. You seem to be being denied access to '.Xauthority', was it created on another machine ? No However, I am sure '-13' usually means incorrect password. I am sure the password is correct, the /mnt/home/rachel folder is created but the user files are not created because