Re: Upgrading security default

On Fri, 23 Nov 2012 20:48:40 -0600
Steve French <smfrench@xxxxxxxxx> wrote:

> it doesn't change security flags - but it seemed the smallest and
> safest since it basically says:
> 1) if you pass in "sec=" then use that
> 2) otherwise use ntlmssp (with ntlmv2)
> 
> so shouldn't have any unintended consequences (and the sign mount
> option should work as expected as well)
> 

Umm...I think it would. The story for people who need to mount using
cleartext passwords has always been "Set SecurityFlags to a magic value
and mount without a sec= option". With your original patch, that would
have broken them, AFAICT.

> To be more specific: do you prefer this
> 
> diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
> index f5af252..2cd5ea2 100644
> --- a/fs/cifs/cifsglob.h
> +++ b/fs/cifs/cifsglob.h
> @@ -1362,7 +1362,7 @@ require use of the stronger protocol */
>  #define   CIFSSEC_MUST_SEAL    0x40040 /* not supported yet */
>  #define   CIFSSEC_MUST_NTLMSSP 0x80080 /* raw ntlmssp with ntlmv2 */
> 
> -#define   CIFSSEC_DEF (CIFSSEC_MAY_SIGN | CIFSSEC_MAY_NTLM |
> CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_NTLMSSP)
> +#define   CIFSSEC_DEF (CIFSSEC_MAY_SIGN | CIFSSEC_MAY_NTLMSSP)
>  #define   CIFSSEC_MAX (CIFSSEC_MUST_SIGN | CIFSSEC_MUST_NTLMV2)
>  #define   CIFSSEC_AUTH_MASK (CIFSSEC_MAY_NTLM | CIFSSEC_MAY_NTLMV2 |
> CIFSSEC_MAY_LANMAN | CIFSSEC_MAY_PLNTXT | CIFSSEC_MAY_
>  /*
> 
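
Review bot: the new CIFSSEC_DEF line drops CIFSSEC_MAY_NTLM and CIFSSEC_MAY_NTLMV2 without a comment saying what the default now means. A short comment above the define, stating that without "sec=" the default is NTLMSSP (with NTLMv2, per the CIFSSEC_MUST_NTLMSSP comment) and that the other mechanisms have to be requested explicitly, would help anyone still tuning SecurityFlags. The unchanged CIFSSEC_MAX context line just below still names CIFSSEC_MUST_NTLMV2 rather than an NTLMSSP bit, so it is worth confirming that this is still intended now that the default no longer carries the raw NTLMv2 flag. As quoted, the removed define and the CIFSSEC_AUTH_MASK context line are wrapped across two lines by the mailer, so the patch would need to be resent unwrapped before it can apply.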

I think so -- that looks like it won't break existing users who need to
set SecurityFlags to mount particular servers. You should also have
this patch remove the now-bogus warning at mount time though.

As non-sensical as the SecurityFlags interface is, we're stuck with it
for now. For the longer term, I'd like to start deprecating the
SecurityFlags interface altogether. I'll plan to write up a
comprehensive proposal for doing that soon.

-- 
Jeff Layton <jlayton@xxxxxxxxxx>